Product
LET’S SCALE YOUR APPLICATION SECURITY BY AUTOMATING REPETITIVE, BUT NECESSARY TASKS

Our platform helps you run an effective application security pipeline without compromising on development speed.

View the Uleska Product

Pricing
GET STARTED WITH THE ULESKA PLATFORM TODAY FOR FREE.

Let’s start optimising your DevSecOps journey.

View Uleska Pricing

Resources
In-Depth Resources

View Uleska downloads and Case studies to understand how we have helped others

View Uleska Resources

BROWSE OUR BLOG

Browse our range of useful blogs and articles.

View Uleska Blog

Docs
Uleska Docs

All the information you need to know for Uleska documentation

View Uleska Docs

Search the Uleska site

    Sign in

    Open Mobile Menu Close Mobile Menu
    Product
    LET’S SCALE YOUR APPLICATION SECURITY BY AUTOMATING REPETITIVE, BUT NECESSARY TASKS

    Our platform helps you run an effective application security pipeline without compromising on development speed.

    View the Uleska Product

    Pricing
    GET STARTED WITH THE ULESKA PLATFORM TODAY FOR FREE.

    Let’s start optimising your DevSecOps journey.

    View Uleska Pricing

    Resources
    In-Depth Resources

    View Uleska downloads and Case studies to understand how we have helped others

    View Uleska Resources

    BROWSE OUR BLOG

    Browse our range of useful blogs and articles.

    View Uleska Blog

    Docs
    Uleska Docs

    All the information you need to know for Uleska documentation

    View Uleska Docs

    Burpsuite

    What is Burpsuite?

    Burpsuite is one of the most popular security tools used by security teams to find issues in a running website or system. Burpsuite has an effective proxy mode allowing requests between a browser and a site to be intercepted and modified to exploit various types of flaws. Burpsuite also has a great spider and scanner which is what the Uleska Platform interacts with to automate dynamic scanning in the pipeline.

    The Burpsuite product comes in three forms; a community edition which is free (but does not include the scanner), a professional edition, and an enterprise (scalable) edition. Both the professional and enterprise editions include the spider and scanner to automatically find flaws dynamically.

    As Burpsuite is a commercial tool, you will need to have your own licenses for the tool, and then allow the Uleska Platform to interact with its API.

    Security Stage DAST (Dynamic Analysis)
    Type Commercial (for scanning)
    Frameworks Multiple Platforms
    Site https://portswigger.net/burp

     

    Pre-requisite

    1 You'll need a license for BurpSuite and machine to host it on
    2 You'll need to setup a 'Connection' object for Burpsuite

     

    How do I set up?

    To add Burpsuite into the Uleska Platform, there are 3 main steps:

    1. Setup the API and key on your Burpsuite instance
    2. Configure a connection in the Uleska Platform to interact with your Burpsuite instance
    3. Add the Burpsuite tool into your application and version toolkit

    Setup the API and key on your Burpsuite instance

    For the first step, given you wish to run Burpsuite as part of your pipeline, you will have Burpsuite running on a server you control. This instance will have network access to the running systems you wish to test. It will also be accessible to the Uleska Platform so it can send instructions and retrieve results from the API, as follows:

    • If you have the Uleska Platform installed on-site, you can configure your network security as relevant.
    • If you are using a dedicated cloud tenant provided by Uleska, then we will have communicated the relevant IP addresses to you during setup.
    • If you are using the cloud version of the Uleska Platform, you can allocate the Uleska cloud IP addresses.  Contact Uleska to obtain the IP address for your account.

    On your Burpsuite installation, you will then setup an API key for Uleska to communicate. The source PortSwigger blog for this can be found at https://portswigger.net/blog/burps-new-rest-api , however the steps are as follows:

    • Open BurpSuite
    • Open a New Project
    • Navigate to User options and then Misc
    • Navigate to the REST API section
    • Enable the 'Service running' option
    • Change the Service URL to bind to all interfaces, or a specific interface on the host that will be accessible
    • Scroll down to the API Keys section and select 'New' to add a new key
    • Call the key 'Uleska' (for tracking purposes) and copy the API key value to your clipboard. Keep it so you can add it to the Uleska Platform.

    BurpSetup

     

    Configure a connection in the Uleska Platform to interact with your Burpsuite instance

    Now that you have your BurpSuite running with API enabled, let's get the Uleska Platform to talk to it.

    • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
    • Click on 'Add Connection'
    • From the drop down list, select 'BurpSuite'
    • Add the URL of your BurpSuite instance, which will likely be the IP address (or hostname if configured) of the server hosting BurpSuite, and port 1337 (or other value if you changed it)
    • For the API key, add the copied key you took when setting up the API key above.
    • Click 'Save'

    Add the Burpsuite tool into your application and version toolkit

    Now the Uleska Platform is setup to allow any project to be dynamically tested with your BurpSuite tool. Let's show you how to setup your applications and versions to run this.

    Your version configuration will be setup for dynamic testing. Go to the dynamic documentation page to see how to set this up for any dynamic testing.

    To enable the BurpSuite tool for the stage scanning,

    • Go to the 'Test Tools' tab and click 'Add Tool' for the 'BurpSuite' tool.

    BurpAdded

    • Click Save.

    Now any time you click 'Test Now' for that application stage of testing, or make a request over the Uleska API or CLI for that stage, the BurpSuite tool will be included in the test run which will start a spider and security scan of the Uri for the configured version. Any results added to your vulnerabilities list.

    Notes

    None