Taking Dirbuster Output into Burp Suite

Seeing as DirBuster is my brute forcer of choice, and Burp is my interception proxy of choice, bridging the gap between these 2 tools and getting the output from DirBuster into Burp for further analysis is crucial. As you can see below, one bash command, about 140 characters long, does the trick. It takes the report file from DirBuster and plays it back against your interception proxy. In my case, Burp.

[plain]cat report.txt | grep ‘^\/’ | grep -v ‘:’ | while read line; do curl -s http://[target of scan]$line –proxy 127.0.0.1:8080 -o /dev/null; done[/plain]

Here’s a breakdown of the command:
1. pass the report file to stdout
2. grep out all of the directory, file, and internal error results
3. un-grep all of the internal errors
4. loop through all of the results
5. use curl to craft web requests to each iteration of the results
6. configure curl to use a proxy
7. dump the curl output to /dev/null to suppress stdout (optional)

All of your DirBuster results are now available for analysis in your interception proxy and tools like Burp will have passively scanned and spidered the results in the process. There’s nothing like some command line kung fu goodness to solve a common problem with such simplicity and elegance. Enjoy!

 

 

This can be extended to many tools, thanks Tim!

One thought on “Taking Dirbuster Output into Burp Suite

  1. Hey,

    This was very useful, Thank you very much. I did little bit of cleanup on the script though;

    cat DirBusterReport[domain].com-80.txt | grep ‘^/’ | grep -v ‘:’ | while read line; do curl -s http://[domain].com$line –proxy 127.0.0.1:8080 -o /dev/null; done

    Cheers.

    Xaosec

Leave a Reply

Your email address will not be published. Required fields are marked *