No HTTPS traffic scanned #17

@UbaidAhmed2803

I have configured the carbonator and I am running the following command:

java -jar -Xmx2g -Djava.awt.headless=true /home/webscanner/BurpSuitePro/burpsuite_pro.jar https example.com 443 / --user-config-file=Config/userNew.json --project-file=Projects/test31.burp --unpause-spider-and-scanner

The scan runs without any issue; however, the results which I get seem to be incorrect. The following are the reasons for this assumption:

  1. When I open this project file in the UI, I notice that https://example.com is automatically added to the "Exclude from Scope" under Target>Scope.
  2. Under Target>Sitemap only http://example.com is listed.

Following are the extensions added to the userNew.json:

"extensions":[
                {
                    "errors":"console",
                    "extension_file":"/home/webscanner/.BurpSuite/bapps/3123d5b5f25c4128894d97ea1acc4976/activeScan++.py",
                    "extension_type":"python",
                    "loaded":true,
                    "name":"activeScan++",
                    "output":"console"
                },
                {
                    "errors":"console",
                    "extension_file":"/home/webscanner/.BurpSuite/bapps/9cff8c55432a45808432e26dbb2b41d8/build/libs/backslash-powered-scanner-all.jar",
                    "extension_type":"java",
                    "loaded":true,
                    "name":"Backlash Powered Scanner",
                    "output":"console"
                },
                {
                    "errors":"console",
                    "extension_file":"/home/webscanner/.BurpSuite/bapps/f078b9254eab40dc8c562177de3d3b2d/aws.py",
                    "extension_type":"python",
                    "loaded":true,
                    "name":"AWS Security Checks",
                    "output":"console"
                },
                {
                    "errors":"console",
                    "extension_file":"/home/webscanner/.BurpSuite/bapps/47027b96525d4353aea5844781894fb1/burp/target/attacksurfacedetector-release-1.13-jar-with-dependencies.jar",
                    "extension_type":"java",
                    "loaded":true,
                    "name":"Attack Surface Detector",
                    "output":"console"
                },
                {
                    "bapp_serial_version":7,
                    "bapp_uuid":"c9fb79369b56407792a7104e3c4352fb",
                    "errors":"console",
                    "extension_file":"bapps/c9fb79369b56407792a7104e3c4352fb/target/burp-vulners-scanner-1.2.jar",
                    "extension_type":"java",
                    "loaded":true,
                    "name":"Software Vulnerability Scanner",
                    "output":"console"
                },
                {
                    "errors":"console",
                    "extension_file":"/home/webscanner/burp_automation/carbonator//carbonator.py",
                    "extension_type":"python",
                    "loaded":true,
                    "name":"Carbonator",
                    "output":"console"
                }
            
            ]

I raised the same issue with PortSwigger and they suggested I raise an issue here.
https://forum.portswigger.net/thread/carbonator-no-https-traffic-4ff0800c

Am I missing something? Why is https://example.com not scanned?
