Seltzer

Are you planning to automate Burp Suite for your DevSecOps / bug bounty pipeline? Then, Seltzer is the tool you will need.

Extension Availability Source Code Dependencies
Professional https://github.com/10goto20/seltzer -

Seltzer is a Burp Suite Pro extension that allows you to launch scans from the command line. It’s like the Carbonator extension for Burp 2.0. However, since Carbonator is no longer maintained and Burp 2.0 had massive updates, Carbonator cannot be used these days. But don’t worry, Seltzer is here.

This extension is a wrapper around Burp’s minimalistic REST API and has no dependencies like Jython.

How to configure this extension

  1. Clone the repository using git clone https://github.com/10goto20/seltzer --depth 1. Create few directories required using mkdir log scans

  2. The targets directory contains a sample CSV file to launch a scan. The format for the CSV is as follows:

    TargetURL,ProjectName,BurpReportName,username,password,BurpConfigToUse
    
  3. The conf directory contains the default user and project options. The user config has hardcoded paths (like /home/coalfire/temp) of the developer’s machine and REST API port as 4444. Update the location of seltzer.jar and change the API port from 4444 to 1337 in the useroptions.json file. You cannot run the tool unless you change the config.

    As Seltzer is added to the config file, you need not explicitly add the extension to Burp Suite in the extender tab.

  4. Once you set up the config, create a CSV file that contains the information about the target web app and execute the following command:

    chmod +x ./bin/seltzer.sh
    BURPHOME=/home/badshah/BurpSuitePro ./bin/seltzer.sh -t targets/sample.csv
    

    (Add the exact location of the Burp Suite directory in the BURPHOME env variable.)

  5. Once the crawling and auditing are complete, Seltzer will create an HTML & XML report file in the /scans directory along with the Burp Project file.

When to use this extension?

This extension comes in handy when integrating Burp Suite in your DevSecOps pipeline or just automating your bug bounty scans for web apps.