
breathmint, A Refreshing Burp Parser

By Matt Flick | October 29, 2020

Burp Suite has been my favorite web app testing tool for a while and seems like it keeps getting better with age & updates. Typically, I have avoided using other tools to parse the Burp output (xml) because most of what we report comes from manual testing. Somewhat recently, I started using extensions to add the manual testing results to Burp and thus it made sense to write a script to parse Burp xml output. Say hello to “breathmint”.

In a similar fashion to nepali, breathmint parses one or more .xml files and produces a spreadsheet (Excel format) as output. Some of the functions in nepali were extracted, modified, and expanded into their own Python scripts that breathmint uses: “excelsify.py” and “make_me_pretty.py”. See the code for details, including a few comments discussing possible customizations. By default, there are two worksheets in the workbook output file:

  • Burp Issues - results from the Burp xml file(s). One instance per row, which can get lengthy when many apps or paths are identified as vulnerable (ymmv).
  • Burp Issues Charts - risk rating listed by ID number (issue #) in column format, which is used as input data to generate a bar chart.
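To show what goes into those two worksheets, here is an added example (not breathmint's own code) that reads a Burp issues XML export and builds the same two data sets: one row per issue instance, and the issue-number-to-rating table plus per-rating counts that feed the chart. It deliberately uses only the standard library (xml.etree and csv) instead of bs4/lxml and xlsxwriter, and writes one CSV per worksheet rather than an .xlsx workbook; the sample XML is constructed to follow the element names of Burp's issue export, with invented hosts and paths. Function names are my own.

```python
"""Parse a Burp Suite issues XML export into per-instance rows and chart data.

Added example, not breathmint's own code. Standard library only: xml.etree
instead of bs4/lxml, CSV files instead of an xlsxwriter workbook.
"""
import csv
import os
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

RATINGS = ["Critical", "High", "Medium", "Low", "Informational"]

# Constructed sample (not from a real scan): element names follow Burp's
# issue export; host, paths and finding names are invented.
_ISSUE_TMPL = """  <issue>
    <serialNumber>{serial}</serialNumber>
    <name>{name}</name>
    <host ip="192.0.2.10">https://app.example.test</host>
    <path>{path}</path>
    <severity>{severity}</severity>
    <confidence>Certain</confidence>
  </issue>
"""
_SAMPLE_ISSUES = [
    (1, "Cross-site scripting (reflected)", "/search", "High"),
    (2, "Cross-site scripting (reflected)", "/profile", "High"),
    (3, "SQL injection", "/login", "Critical"),
    (4, "Frameable response (potential Clickjacking)", "/", "Low"),
    (5, "Server version disclosed in header", "/", "Informational"),
]
SAMPLE_XML = ('<issues burpVersion="2020.9">\n'
              + "".join(_ISSUE_TMPL.format(serial=s, name=n, path=p, severity=v)
                        for s, n, p, v in _SAMPLE_ISSUES)
              + "</issues>\n")


def _text(issue, tag):
    """Trimmed text of a child element, or '' when Burp omitted it."""
    node = issue.find(tag)
    return (node.text or "").strip() if node is not None else ""


def parse_issues(xml_text):
    """'Burp Issues' sheet: one dict per <issue> element (one instance per row)."""
    root = ET.fromstring(xml_text)
    return [{
        "serial": _text(issue, "serialNumber"),
        "name": _text(issue, "name"),
        "host": _text(issue, "host"),
        "path": _text(issue, "path"),
        "severity": _text(issue, "severity"),
        "confidence": _text(issue, "confidence"),
    } for issue in root.iter("issue")]


def assign_issue_ids(rows):
    """Number distinct findings (by name) in first-seen order; stamp each row with its issue #."""
    ids = {}
    for row in rows:
        row["issue_id"] = ids.setdefault(row["name"], len(ids) + 1)
    return ids


def chart_data(rows):
    """'Burp Issues Charts' sheet: (issue #, rating) per distinct finding, then a count per rating.

    Ratings outside the five known ones (e.g. a differently spelled severity)
    are appended to the totals rather than silently dropped.
    """
    assign_issue_ids(rows)
    by_id = {}
    for row in rows:
        by_id.setdefault(row["issue_id"], row["severity"])
    per_issue = [(issue_id, by_id[issue_id]) for issue_id in sorted(by_id)]
    counts = Counter(rating for _, rating in per_issue)
    order = RATINGS + sorted(set(counts) - set(RATINGS))
    totals = [(rating, counts.get(rating, 0)) for rating in order]
    return per_issue, totals


def write_sheets(rows, base_name, stamp=None):
    """Write both worksheets as CSVs named in breathmint's '<base>-parsed-<stamp>' style."""
    stamp = stamp or datetime.now().strftime("%Y%m%d_%H%M")
    per_issue, totals = chart_data(rows)
    cols = ["issue_id", "serial", "severity", "name", "host", "path", "confidence"]
    issues_path = f"{base_name}-parsed-{stamp}-issues.csv"
    charts_path = f"{base_name}-parsed-{stamp}-charts.csv"
    with open(issues_path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(cols)
        writer.writerows([row[c] for c in cols] for row in rows)
    with open(charts_path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["issue_id", "severity"])
        writer.writerows(per_issue)
        writer.writerow([])
        writer.writerow(["severity", "count"])
        writer.writerows(totals)
    return issues_path, charts_path


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            xml_text = fh.read()  # bytes, so the parser honours the file's declared encoding
        base = os.path.splitext(os.path.basename(sys.argv[1]))[0]
    else:
        xml_text, base = SAMPLE_XML, "sample"
    print(write_sheets(parse_issues(xml_text), base))
```

Run it with a path to a Burp XML export to get two CSVs, or with no arguments to process the constructed sample. Counting distinct issue numbers rather than instances is what keeps the chart readable when one finding hits dozens of paths.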

Execution Options

The script runs with Python 3. It takes the following options:

-d : Location of the directory in which the Burp issues XML files are stored (all .xml files opened).
-f : Name of the single Burp file you want to parse. Ignored if '-d' option is used.
-e : ('-e <comma,separated,list>') List of risk ratings to exclude from output.
-i : ('-i <comma,separated,list>') List of severity ratings to include in output.
-o : Base name of output file(s) to which you want the parsed results to be written.

A few notes on the “-e” and “-i” options:

  • There are five risk ratings: Critical, High, Medium, Low, Informational
  • Not case-sensitive and partial starting characters are accepted, meaning “Info”, “i”, and “iNfOrMaTiOnAl” will each be treated as “Informational”
  • No whitespace allowed
  • If the “-i” option is not used, all ratings will be included (except any ratings used with the “-e” option)
  • Excluded ratings supersede included ratings
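The rules above, written out as a small filter. This is an added example, not breathmint's own code: the -e/-i option names and the five rating names come from this page, while the function names and the argparse wiring are my own.

```python
"""Rating selection for -e/-i: case-insensitive prefixes, no whitespace,
'-i' omitted means all ratings, and exclusions always win over inclusions.
Added example, not breathmint's own code."""
import argparse

RATINGS = ["Critical", "High", "Medium", "Low", "Informational"]


def normalize_rating(token):
    """Map a case-insensitive starting fragment ('i', 'Info', 'iNfOrMaTiOnAl') to its rating."""
    matches = [r for r in RATINGS if r.lower().startswith(token.lower())]
    # An empty token matches everything, a typo matches nothing: both are errors.
    if token == "" or len(matches) != 1:
        raise ValueError(f"unrecognised risk rating: {token!r}")
    return matches[0]


def parse_rating_list(arg):
    """Turn a '<comma,separated,list>' argument into a set of canonical rating names."""
    if not arg:
        return set()
    if any(ch.isspace() for ch in arg):
        raise ValueError("no whitespace allowed in a rating list")
    return {normalize_rating(tok) for tok in arg.split(",")}


def selected_ratings(include=None, exclude=None):
    """Ratings that survive both options, in the page's Critical..Informational order."""
    included = parse_rating_list(include) or set(RATINGS)  # no -i: include all
    excluded = parse_rating_list(exclude)
    return [r for r in RATINGS if r in included and r not in excluded]  # -e supersedes -i


def build_parser():
    parser = argparse.ArgumentParser(description="breathmint-style rating filters (added example)")
    parser.add_argument("-e", dest="exclude", help="comma-separated risk ratings to exclude")
    parser.add_argument("-i", dest="include", help="comma-separated risk ratings to include")
    return parser


def ratings_from_argv(argv):
    """Parse a command line such as ['-e', 'info,Low'] into the selected ratings."""
    args = build_parser().parse_args(argv)
    return selected_ratings(args.include, args.exclude)


def keep_row(row, selected):
    """Row filter for parsed issues: keep only rows whose severity was selected."""
    return row.get("severity") in selected


if __name__ == "__main__":
    import sys
    print(ratings_from_argv(sys.argv[1:]))
```

Because every rating starts with a different letter, a single character is never ambiguous; the length check still guards against a future rating that shares a prefix. Whitespace is rejected outright rather than stripped, matching the page's "no whitespace allowed" rule.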

Required Python Modules

breathmint, excelsify, and make_me_pretty use the following Python modules that are not typically included with the base installation:

  • argparse
  • xlsxwriter
  • bs4
  • lxml (required by the bs4 module)

Usage Examples

python breathmint.py -d . -o combined_output

Parses all Burp files in the current working directory, includes all risk ratings, and produces an output file named “combined_output–parsed–(YYYYMMDD_HHMM).xlsx”.

python breathmint.py -d ~/Documents/burp/output/ -e info,Low

Parses all Burp files in the ~/Documents/burp/output/ directory, includes only Critical, High, and Medium rated issues (excludes Low and Informational issues), and produces an output file named “burp-output–parsed–(YYYYMMDD_HHMM).xlsx”.

python breathmint.py -d . -o just_critical_high_medium -i high,MED,cRiTiCaL

Parses all Burp files in the current working directory, includes only Critical, High, and Medium rated issues (excludes Low and Informational issues), and produces an output file named “just_critical_high_medium–parsed–(YYYYMMDD_HHMM).xlsx”.

python breathmint.py -f some_burp_file.xml -e Informational,Low,Medium -i Critical,High,Medium

Parses the file named “some_burp_file.xml” in the current working directory, includes only Critical and High rated issues (excludes Medium, Low, and Informational issues, since the excluded Medium rating supersedes its inclusion), and produces an output file named “some_burp_file–parsed–(YYYYMMDD_HHMM).xlsx”.

When breathmint is executed with a single file input and no -o option, it uses the input filename as the base output filename (the same behaviour as when the -d option is used and only one Burp xml file is found).

breathmint always appends the string “–parsed–(YYYYMMDD_HHMM).xlsx” to every output file name. That suffix is defined in the main function, so change it there if you want something else. The timestamp (“YYYYMMDD_HHMM”) is also generated in the main function.

Code

breathmint github repo