How to activate Burp Suite inside Docker image?

A lot of folks use Burp Suite Pro in their DevSecOps pipelines. Thanks to its fantastic web app crawler and scanner, REST APIs to manage scans, and extensions that enable headless scanning - this makes Burp Suite Pro an excellent tool to have on your pipeline.

So, setting up and configuring Burp in a docker container / GUI-less VM has become common.

Whatever deployment technique - docker container or VM, the first issue you face is activating Burp Suite Pro.

You can install Burp Suite, install VNC, and then log in to the container/VM to activate Burp Suite. It’s possible. But this process is cumbersome and makes the docker container’s/VM’s size bigger.

Instead, you can also activate Burp Suite Pro through its CLI. There are two methods in general.

NOTE: You can use both methods even if you are activating Burp within a VM.

Method 1 - If you already have activated Burp Suite on your system

Burp Suite Pro saves all the activation details, settings, and user preferences at ~/.java/.userPrefs/burp/prefs.xml file. If you already have activated Burp Pro on your system, you can copy the file to the Docker image and build the docker image.

  1. Save the following Dockerfile:

    FROM openjdk:15.0.2-slim-buster
    WORKDIR /root
    RUN apt-get -qq update && apt-get install -y wget
    RUN wget -q -O burpsuite.jar "" && \
    mkdir -p ~/.java/.userPrefs/burp/
    COPY prefs.xml /root/.java/.userPrefs/burp/
    RUN echo "o" | java -Djava.awt.headless=true -jar burpsuite.jar
  2. Copy the Burp pref.xml file to the directory where the Dockerfile is present.

    cp ~/.java/.userPrefs/burp/prefs.xml .
  3. Then build the docker image:

    docker build -t burpsuite .

Method 2 - If you are activating Burp Suite using a different license

When you want to use a separate license for Burp running inside the container or activating Burp for the first time directly within the docker image, the above method will not work for you.

The activation looks similar to the above. Instead of copying the prefs.xml file, you copy the license key and use an expect script to activate Burp Suite Pro.

  1. Make sure you copy Burp license file to license.txt.

  2. Save the following expect script as activate

    set licensefile [open "license.txt"]
    set license [ read $licensefile ]
    close $licensefile
    spawn java -Djava.awt.headless=true -jar burpsuite.jar
    expect "*Do you accept the license agreement*?" { send -- "y\r" }
    expect "*paste your license key below*" { send -- "$license\r" }
    expect "*Enter preferred activation method*" { send -- "o\r" }
    expect eof

    Note: By using this expect script to activate Burp, you accept PortSwigger’s license agreement.

  3. Save the following Dockerfile:

    FROM openjdk:15.0.2-slim-buster
    WORKDIR /root
    RUN apt-get -qq update && apt-get install -y wget expect
    RUN wget -q -O burpsuite.jar ""
    COPY license.txt /root/license.txt
    COPY activate /root/activate
    RUN expect activate
  4. Then build the docker image

    docker build -t burpsuite .

I have used an expect script instead of a Python script. This helps keep the docker image size smaller. If you want, feel free to use PajSwigger’s python version of the script.

If there’s an issue, check if the license file ends with a newline (\n). The original license file downloaded from the PortSwigger portal doesn’t end with a newline.

Few things to keep in mind!

  • You can activate the same license key a few times. It could be on another laptop, VM, or docker image. However, there is an undocumented limit to the number of activations possible for a license key, after which activation just doesn’t happen. You will get the error No more activations allowed for this license.
  • Activate Burp Pro when building a docker image. Once it’s activated, you can create as many containers as required. On the other hand, if you activate Burp Pro when you start the container, it will stop working once Burp’s activation servers deny the license key.
  • The docker image may require changes down the line. For example, update Burp Suite JAR file, modify default config files, expose ports, etc. In such cases, use the above docker image with activated Burp Suite as the base image. It allows you to enhance the already activated Burp Suite features instead of reactivating and reaching the activation limit.