Making ElasticBurp run

ElasticBurp depends on ancient versions of Elasticsearch and Kibana, which you can still find as Docker images. Be warned: this configuration is a RAM monster.

docker pull docker.elastic.co/elasticsearch/elasticsearch:5.1.0-1106bba6
docker run -p 9200:9200 -p 9300:9300 docker.elastic.co/elasticsearch/elasticsearch:5.1.0-1106bba6

For later use we need the Elasticsearch container id. You can get it with the command

docker ps

Let's pull the Kibana Docker image:

docker pull docker.elastic.co/kibana/kibana:5.1.1

With the container id you noted down before (without quotes):

docker run --link es_container_id:elasticsearch -p 5601:5601 docker.elastic.co/kibana/kibana:5.1.1

For example:

docker run --link 5d2b8da5db2c:elasticsearch -p 5601:5601 docker.elastic.co/kibana/kibana:5.1.1

Install ElasticBurp from the BApp Store.

Find ElasticBurp.py in ~/.BurpSuite/bapps/ and edit the ES_host value to: ES_host = "elastic:changeme@localhost"

In Burp Suite go to Extender -> Extensions, find ElasticBurp, disable it and then enable it again so the new ES_host value is picked up.

Open http://localhost:5601 in your browser for Kibana and log in with username elastic, password changeme.

Create an index pattern named wase-burp.

Search for all POST requests that don’t contain a CSRF token by issuing the following query:

request.method:POST -request.parameternames.raw:"csrftoken"
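As an added example (not code from the post or from ElasticBurp), the same check expressed as Elasticsearch query DSL and as a local filter run over constructed sample documents; it widens the page's single "csrftoken" name to a list of token names. The field names follow the page, while the document shape and the extra token names are assumptions.

```python
import json

# Constructed sample documents shaped like the ElasticBurp index described on
# the page (fields request.method and request.parameternames); not captured data.
SAMPLE_DOCS = [
    {"request": {"method": "POST", "host": "app.example.test", "url": "/login",
                 "parameternames": ["username", "password", "csrftoken"]}},
    {"request": {"method": "POST", "host": "app.example.test", "url": "/transfer",
                 "parameternames": ["amount", "to_account"]}},
    {"request": {"method": "GET", "host": "app.example.test", "url": "/profile",
                 "parameternames": ["id"]}},
    {"request": {"method": "POST", "host": "app.example.test", "url": "/comment",
                 "parameternames": ["body", "_csrf"]}},
]

# Parameter names treated as a CSRF token. The page checks only "csrftoken";
# the other names are assumed additions that widen the same check.
CSRF_PARAM_NAMES = ("csrftoken", "_csrf", "csrfmiddlewaretoken")


def es_query(token_names=CSRF_PARAM_NAMES):
    """Query DSL equivalent of the Kibana search
    request.method:POST -request.parameternames.raw:"csrftoken",
    extended to exclude any of the given token names."""
    return {
        "query": {
            "bool": {
                "must": [{"term": {"request.method": "POST"}}],
                "must_not": [{"term": {"request.parameternames.raw": n}}
                             for n in token_names],
            }
        }
    }


def posts_without_csrf(docs, token_names=CSRF_PARAM_NAMES):
    """Apply the same filter locally: return the URLs of POST requests
    none of whose parameter names is a known CSRF token."""
    hits = []
    for doc in docs:
        req = doc.get("request", {})
        if req.get("method") != "POST":
            continue
        names = set(req.get("parameternames", []))
        if names.isdisjoint(token_names):
            hits.append(req.get("url"))
    return hits


if __name__ == "__main__":
    print(json.dumps(es_query(), indent=2))
    print("POST requests lacking a CSRF token:", posts_without_csrf(SAMPLE_DOCS))
```

The printed DSL body can be sent to the wase-burp index with curl or the Kibana Dev Tools console in place of the query-bar search.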

Check out this post and this one for more advanced queries.