What is Burpsuite?
Burpsuite is one of the most popular security tools used by security teams to find issues in a running website or system. Burpsuite has an effective proxy mode allowing requests between a browser and a site to be intercepted and modified to exploit various types of flaws. Burpsuite also has a great spider and scanner which is what the Uleska Platform interacts with to automate dynamic scanning in the pipeline.
The Burpsuite product comes in three forms; a community edition which is free (but does not include the scanner), a professional edition, and an enterprise (scalable) edition. Both the professional and enterprise editions include the spider and scanner to automatically find flaws dynamically.
As Burpsuite is a commercial tool, you will need to have your own licenses for the tool, and then allow the Uleska Platform to interact with its API.
|Security Stage||DAST (Dynamic Analysis)|
|Type||Commercial (for scanning)|
|1||You'll need a license for BurpSuite and machine to host it on|
|2||You'll need to setup a 'Connection' object for Burpsuite|
How do I set up?
To add Burpsuite into the Uleska Platform, there are 3 main steps:
Setup the API and key on your Burpsuite instance
For the first step, given you wish to run Burpsuite as part of your pipeline, you will have Burpsuite running on a server you control. This instance will have network access to the running systems you wish to test. It will also be accessible to the Uleska Platform so it can send instructions and retrieve results from the API, as follows:
On your Burpsuite installation, you will then setup an API key for Uleska to communicate. The source PortSwigger blog for this can be found at https://portswigger.net/blog/burps-new-rest-api , however the steps are as follows:
Configure a connection in the Uleska Platform to interact with your Burpsuite instance
Now that you have your BurpSuite running with API enabled, let's get the Uleska Platform to talk to it.
Add the Burpsuite tool into your application and version toolkit
Now the Uleska Platform is setup to allow any project to be dynamically tested with your BurpSuite tool. Let's show you how to setup your applications and versions to run this.
Your version configuration will be setup for dynamic testing. Go to the dynamic documentation page to see how to set this up for any dynamic testing.
To enable the BurpSuite tool for the stage scanning,
Now any time you click 'Test Now' for that application stage of testing, or make a request over the Uleska API or CLI for that stage, the BurpSuite tool will be included in the test run which will start a spider and security scan of the Uri for the configured version. Any results added to your vulnerabilities list.