Making ElasticBurp run
ElasticBurp depends on ancient versions of elasticsearch and kibana which you may find as docker images. Be warned this configuration is a RAM monster.
docker pull docker.elastic.co/elasticsearch/elasticsearch:5.1.0-1106bba6
docker run -p 9200:9200 -p 9300:9300 docker.elastic.co/elasticsearch/elasticsearch:5.1.0-1106bba6
For later use we need the elasticsearch docker container id. You can get it with the command
docker ps
Let's get the kibana docker image
docker pull docker.elastic.co/kibana/kibana:5.1.1
With the container id which you noted down before (without quotes):
docker run --link "es_container_id":elasticsearch -p 5601:5601 docker.elastic.co/kibana/kibana:5.1.1
For example:
docker run --link 5d2b8da5db2c:elasticsearch -p 5601:5601 docker.elastic.co/kibana/kibana:5.1.1
Install ElasticBurp from Bapp Store
Find ElasticBurp.py in ~/.BurpSuite/bapps/ and edit the ES_host value as -> ES_host = "elastic:changeme@localhost"
From BurpSuite -> Extender -> Extensions -> Find ElasticBurp and first disable and then enable it back.
Go to your browser http://localhost:5601 for kibana -> username:elastic password:changeme
Create an index pattern -> wase-burp
Search for all POST requests that don’t contain a CSRF token by issuing the following query:
request.method:POST -request.parameternames.raw:"csrftoken"
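The same check, as an added example that is not part of the original post or of ElasticBurp itself: it builds the Elasticsearch 5.x query DSL equivalent of the Kibana query string above and applies the identical predicate to a few constructed ElasticBurp-style documents. The field names come from the query on this page; the document shape (request.parameternames stored as a list of strings) is an assumption.

```python
import json

# Field names come from the Kibana query on this page; the shape of the stored
# document (request.parameternames as a list of strings) is an assumption.
ES_INDEX = "wase-burp"


def csrf_missing_query(token_name="csrftoken"):
    """Elasticsearch 5.x query DSL equivalent of the Kibana query string
    request.method:POST -request.parameternames.raw:"csrftoken".
    Send it to POST http://localhost:9200/wase-burp/_search (user elastic,
    password changeme, as configured above)."""
    return {
        "query": {
            "bool": {
                "must": [{"term": {"request.method": "POST"}}],
                "must_not": [{"term": {"request.parameternames.raw": token_name}}],
            }
        }
    }


def lacks_csrf_token(doc, token_name="csrftoken"):
    """Same predicate applied locally to one ElasticBurp-style document."""
    request = doc.get("request", {})
    if request.get("method") != "POST":
        return False
    names = request.get("parameternames") or []
    # A term query on the .raw field is an exact match, so this is exact too.
    return token_name not in names


def find_csrf_candidates(docs, token_name="csrftoken"):
    """Return the URLs of POST requests that carry no CSRF token parameter."""
    return [d["request"]["url"] for d in docs if lacks_csrf_token(d, token_name)]


# Constructed sample documents, not real ElasticBurp output.
SAMPLE_DOCS = [
    {"request": {"method": "POST", "url": "https://app.example/login",
                 "parameternames": ["username", "password", "csrftoken"]}},
    {"request": {"method": "POST", "url": "https://app.example/profile/update",
                 "parameternames": ["email", "displayname"]}},
    {"request": {"method": "GET", "url": "https://app.example/profile",
                 "parameternames": ["id"]}},
    {"request": {"method": "POST", "url": "https://app.example/api/upload",
                 "parameternames": []}},
]

if __name__ == "__main__":
    print(json.dumps(csrf_missing_query(), indent=2))
    for url in find_csrf_candidates(SAMPLE_DOCS):
        print("no CSRF token:", url)
```

Because the term query matches the parameter name exactly, an application that names its token csrf_token or _csrf would still show up as a candidate; pass that name as token_name (or add further must_not terms) before treating the results as findings.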