
Burpsuite

What is Burpsuite?

Burpsuite is one of the most popular security tools used by security teams to find issues in a running website or system. Its proxy mode allows requests between a browser and a site to be intercepted and modified to exploit various types of flaws. Burpsuite also has a spider and scanner, which is what the Uleska Platform interacts with to automate dynamic scanning in the pipeline.

The Burpsuite product comes in three forms: a free community edition (which does not include the scanner), a professional edition, and a scalable enterprise edition. Both the professional and enterprise editions include the spider and scanner that find flaws automatically and dynamically.

As Burpsuite is a commercial tool, you will need your own license for it, and then allow the Uleska Platform to interact with its API.

Security Stage: DAST (Dynamic Analysis)
Type: Commercial (for scanning)
Frameworks: Multiple Platforms
Site: https://portswigger.net/burp

Pre-requisite

  1. You'll need a license for BurpSuite and a machine to host it on
  2. You'll need to set up a 'Connection' object for Burpsuite

How do I set up?

To add Burpsuite into the Uleska Platform, there are 3 main steps:

  1. Set up the API and key on your Burpsuite instance
  2. Configure a connection in the Uleska Platform to interact with your Burpsuite instance
  3. Add the Burpsuite tool into your application and version toolkit

Set up the API and key on your Burpsuite instance

For the first step, since you wish to run Burpsuite as part of your pipeline, you will have Burpsuite running on a server you control. This instance must have network access to the running systems you wish to test. It must also be reachable by the Uleska Platform so it can send instructions to, and retrieve results from, the API, as follows:

  • If you have the Uleska Platform installed on-site, you can configure your network security as relevant.
  • If you are using a dedicated cloud tenant provided by Uleska, then we will have communicated the relevant IP addresses to you during setup.
  • If you are using the cloud version of the Uleska Platform, you can allow the Uleska cloud IP addresses through your network security. Contact Uleska to obtain the IP addresses for your account.

On your Burpsuite installation, you will then set up an API key so that the Uleska Platform can communicate with it. The source PortSwigger blog post for this can be found at https://portswigger.net/blog/burps-new-rest-api; the steps are as follows:

  • Open BurpSuite
  • Open a New Project
  • Navigate to User options and then Misc
  • Navigate to the REST API section
  • Enable the 'Service running' option
  • Change the Service URL to bind to all interfaces, or to a specific interface on the host that will be accessible (prefer a specific interface and restrict reachability of this port to the Uleska addresses, since anyone who can reach it with the key can drive the scanner)
  • Scroll down to the API Keys section and select 'New' to add a new key
  • Call the key 'Uleska' (for tracking purposes) and copy the API key value to your clipboard. Keep it so you can add it to the Uleska Platform.

[Screenshot: BurpSetup]

Configure a connection in the Uleska Platform to interact with your Burpsuite instance

Now that you have BurpSuite running with its API enabled, let's get the Uleska Platform to talk to it.

  • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
  • Click on 'Add Connection'
  • From the drop down list, select 'BurpSuite'
  • Add the URL of your BurpSuite instance, which will typically be the IP address (or hostname, if configured) of the server hosting BurpSuite plus port 1337 (or whichever port you changed it to)
  • For the API key, paste the key you copied when setting up the API key above.
  • Click 'Save'
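Before saving the connection, it helps to confirm from the host where the Uleska Platform runs that Burp's API actually answers with the key you created in the API setup steps above. The following is an added example, not code from this page, from Uleska or from PortSwigger. It assumes the URL form described in the linked PortSwigger post (the API key in the path followed by the v0.1 version segment), that a correct key returns HTTP 200 with a JSON API definition and a wrong key returns HTTP 401, and it uses a constructed stub server standing in for Burp so the script runs offline; `burp_api_base`, `check_burp_api` and the stub class are hypothetical names chosen for this example.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_VERSION = "v0.1"


def burp_api_base(host: str, port: int, api_key: str) -> str:
    """Build the base URL of Burp's REST API for a given key.

    Burp puts the API key in the URL path (http://host:port/<key>/v0.1/),
    so the key is visible in any proxy or web-server log that records
    request paths: treat the URL itself as a secret.
    """
    return f"http://{host}:{port}/{api_key}/{API_VERSION}/"


def check_burp_api(host: str, port: int, api_key: str, timeout: float = 5.0):
    """Return (ok, detail) after fetching the API definition with this key.

    Assumption (not from the page): a correct key yields HTTP 200 with a JSON
    body and a wrong key yields HTTP 401. Network failures are reported as
    "not reachable" rather than as a bad key, which is the first thing to
    check when the connection fails from the Uleska Platform.
    """
    url = burp_api_base(host, port, api_key)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            json.loads(resp.read().decode("utf-8"))  # must be well-formed JSON
            return True, f"API reachable at {host}:{port}, key accepted"
    except urllib.error.HTTPError as exc:  # subclass of URLError: catch first
        if exc.code == 401:
            return False, "API reachable but the key was rejected (401)"
        return False, f"unexpected HTTP status {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"API not reachable: {exc}"
    except ValueError:
        return False, "endpoint answered but not with JSON (wrong host/port?)"


class _StubBurpApi(BaseHTTPRequestHandler):
    """Constructed stand-in for Burp's REST API key check (not Burp itself)."""

    accepted_key = "constructed-demo-key"  # constructed value, not a real key

    def do_GET(self):
        if self.path.startswith(f"/{self.accepted_key}/{API_VERSION}/"):
            body = json.dumps({"info": "stub API definition"}).encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *_):  # keep the demo output quiet
        pass


def run_stub_checks():
    """Start the stub on an ephemeral loopback port and probe it with a
    correct and a wrong key. Returns a dict of (ok, detail) per case."""
    server = HTTPServer(("127.0.0.1", 0), _StubBurpApi)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return {
            "correct_key": check_burp_api("127.0.0.1", port, _StubBurpApi.accepted_key),
            "wrong_key": check_burp_api("127.0.0.1", port, "not-the-key"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, (ok, detail) in run_stub_checks().items():
        print(f"{case}: {'OK' if ok else 'FAIL'} - {detail}")
```

To probe a real instance, call `check_burp_api` with the server's IP or hostname, port 1337 (or the port you chose) and the 'Uleska' key; the stub exists only so the script runs without a Burp licence. A "not reachable" result points at network security between the two hosts, while a 401 means the network path is fine and the key is wrong.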

Add the Burpsuite tool into your application and version toolkit

Now the Uleska Platform is set up to allow any project to be dynamically tested with your BurpSuite tool. Let's show you how to set up your applications and versions to run this.

Your version configuration must be set up for dynamic testing. See the dynamic testing documentation page for how to set this up for any dynamic testing.

To enable the BurpSuite tool for scanning in this stage:

  • Go to the 'Test Tools' tab and click 'Add Tool' for the 'BurpSuite' tool.

[Screenshot: BurpAdded]

  • Click Save.

Now, any time you click 'Test Now' for that application's stage of testing, or make a request over the Uleska API or CLI for that stage, the BurpSuite tool will be included in the test run, which will start a spider and security scan of the URI for the configured version. Any results are added to your vulnerabilities list.

Notes

None