Is there a demo somewhere?¶
How to start using Burp-UI?¶
How does Burp-UI work?¶
The answer depends on whether you are using burp 1.x or burp 2.x. Basically, Burp-UI tries to provide a consistent API between the Frontend (the UI) and the burp server. To do so, it implements two Backends: burp-1 and burp-2. You can select either of these with the version flag in your configuration.
You can also refer to the Architecture page of the documentation to know more about those backends.
How to configure my firewall?¶
The Burp-UI agents listen on port 10000 by default.
Of course those are configurable.
What are the default credentials?¶
The default login / password is admin / admin with the basic authentication backend.
How does the online restoration feature work?¶
The online restoration feature works the same way as if you were running the burp client yourself. It means Burp-UI runs the following command:
burp -a r -b <number> -C <client name> -r <regex> -d /tmp/XXX -c <bconfcli>
It then generates an archive based on the restored files.
Because of this workflow, and especially the use of the -C flag, you need to tell your burp-server that the client used by Burp-UI can perform a restoration for a different client.
You can refer to the restoration section of this documentation along with the version section for more details.
What does the server-initiated restoration feature do and how to make it work?¶
This feature asks the server to perform a restoration on the client the next time it sees it.
In order for this feature to work, your client MUST allow the server to do that. You have to set server_can_restore = 1 (which is the default value) in your client configuration file (usually /etc/burp/burp.conf).
How can I start Burp-UI as a daemon?¶
There are several init scripts provided by some users available here.
I do not (and cannot) support these scripts. Only the Gunicorn way is supported.
How to setup a reverse-proxy in front of Burp-UI?¶
Why don’t I see all my clients using the burp-2 backend?¶
Starting with burp 2, you cannot see all the clients through the status port unless you tell burp that a particular client can see other clients' statistics. See the general instructions for more details.
I cannot find the bui-agent command anymore, where is it?¶
Since v0.5.0, the bui-agent has its own package in order to reduce requirements. The agent does not need the Flask requirements and so on. You can now install it with the pip install burp-ui-agent command.
Alternatively, there is now a bui-agent-legacy provided by the
See the upgrading section for more details.
Why use Redis?¶
Redis may be used for several things:
store the sessions server side (by default sessions are stored client side in a secure cookie)
cache some data
monitor API usage for the rate limiter
All of these features are totally optional. Celery also uses Redis to communicate between Burp-UI and the asynchronous worker.
Why use SQL?¶
The SQL database is currently used to keep track of several pieces of metadata. Since v0.5.0, the SQL database is able to store user preferences. Again, it is totally optional to use it.
Why use Celery?¶
Celery is used to run some asynchronous jobs such as report computations or online restorations.
Computing reports asynchronously allows faster responses, especially when you manage several dozen clients.
Burp-UI does not seem to understand the bind and port options anymore, what should I do?¶
Since v0.4.0, the new Flask development server is used when running in single mode. The bind and port options are not read anymore.
You can either run Burp-UI with the -- -h x.x.x.x -p yyyy flags or use the legacy launcher python -m burpui -m legacy [--help].
See the upgrading page for details.
Burp-UI does not work anymore since I upgraded it, what can I do?¶
Make sure you read the upgrading page in case some breaking changes occurred.
I am getting errors while restoring large files (>3GB), what should I do?¶
The default zip module does not support large files by default. You can either enable large file support by setting zip64 = true in the
Alternatively, you can choose another compression module by selecting another extension when performing the restoration.
I see a lot of cannot spawn burp process errors, what can I do?¶
This error means Burp-UI is not able to communicate with the burp server.
You should check your logs (both Burp-UI’s and burp server’s) to understand
what is wrong.
If you are using Gunicorn, it is possible that you reached the limit of status children. You can safely increase the max_status_children setting in your burp-server.conf file to 15 (the default is 5).
You can also check that your status port is open and/or accessible by your client. To do so, you can run the burp -a m command.
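The server_can_restore and max_status_children answers above both depend on a default that applies when the key is missing from the file. The following check is an added example, not code from Burp-UI or burp. It assumes burp's 'key = value' file layout, that the last occurrence of a key wins, and that include lines are not followed; the function names and sample files are constructed for illustration.

```python
# Added example: not part of Burp-UI or burp.
# Defaults below are the ones stated in this FAQ.
FAQ_DEFAULTS = {"server_can_restore": "1", "max_status_children": "5"}


def parse_burp_conf(text):
    """Parse burp-style 'key = value' lines into a dict.

    Assumptions: '#' starts a comment line, the last occurrence of a key
    wins, and '. /path' include lines are skipped rather than followed.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective(settings, key):
    """Return (value, explicit), using the FAQ default when the key is absent."""
    if key in settings:
        return settings[key], True
    return FAQ_DEFAULTS[key], False


def review(client_conf, server_conf):
    """Return notes about the two settings this FAQ discusses."""
    notes = []
    value, explicit = effective(parse_burp_conf(client_conf), "server_can_restore")
    source = "set explicitly" if explicit else "default, key absent"
    state = "allowed" if value == "1" else "refused"
    notes.append(f"client: server-initiated restoration {state} ({source})")
    value, explicit = effective(parse_burp_conf(server_conf), "max_status_children")
    source = "set explicitly" if explicit else "default, key absent"
    if int(value) < 15:
        notes.append(f"server: max_status_children = {value} ({source}); "
                     "the FAQ suggests 15 when running under Gunicorn")
    return notes


# Constructed sample files, not taken from a real installation.
SAMPLE_CLIENT = "mode = client\nserver = 192.0.2.10\n# server_can_restore = 0\n"
SAMPLE_SERVER = "mode = server\nmax_status_children = 5\nmax_status_children = 8\n"

if __name__ == "__main__":
    for note in review(SAMPLE_CLIENT, SAMPLE_SERVER):
        print(note)
```

In the sample client file the only server_can_restore line is commented out, so the default of 1 still applies and the server may initiate a restoration.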