Portswigger has recently developed an enterprise version of their well-regarded Burp web vulnerability assessment tool, and along with this a REST API for integrating with the scanning engine. This article explores some of the new features for both these releases and provides practical examples you can use for your next project.
Enterprise edition first thoughts
When I saw the email come out about the new release I was so excited that I had to go and grab myself a copy. You can too and you'll be eligible for a 60 day trial period for the enterprise version.
The installation requires a database connection which you can point Burp at, or alternatively you can select the "embedded version" for evaluation purposes which is what I've done. Several docker images of vulnerable web applications are available online, and I've chosen Wackopicko for the evaluation.
Once you have things up and running its time to log in to the portal.
You'll then need to configure your agent with the enterprise license you received via the Portswigger website, and have that entered in like so:
Running a scan
Running a scan is as simple as clicking the scan button and providing the form an entrypoint URL. One of the cool features of the enterprise edition is the ability to schedule scans and perform reoccurring scans.
From here we can monitor the scan details on the scans page.
This is pretty neat as it gives us a high-level overview on what's running or scheduled, the current issues detected and perhaps the ability to perform a delta on the previous scan results.
The information provided in the web portal is what you'd expect if you had been using Burp Suite's professional edition in the past. It
- gives you a nice breakdown of vulnerabilities detected
- provides evidence and confidence metrics of the issues found
- provides raw HTTP request and response snippets for easy inspection and vulnerability reproduction
One of the things I was unable to find was the reporting feature. Previous versions of the professional edition had the ability to export scan results to HTML. I'm currently using Burp Suite enterprise v1.0.01 and professional v2.0.02 and have been unable to find this as an option.
The agents/ workers
The agent feature is awesome. I say this because now users can have as many agents as required for running parallel tasks across their enterprise. This is a massive step forward by Portswigger which aims to transform the tool from a simple standalone executable, to something that can be distributed and scaled across an enterprise where needed.
This also allows for the programmatic approach that is often lacking in a CI/CD deployment pipeline -- the ability to schedule and perform scans on code-push, and have the build break if the findings exceed a particular threshold (e.g., a high or critical vulnerability was detected with high confidence).
One of the drawbacks I found with Enterprise was the agent failing and giving no information as to why. This is a shame because on the same target host, when running the professional edition, no such issues exist. My hope is that this will be addressed in new iterations.
Final thoughts on Burp Enterprise
I believe they are on the right track with their objectives in making the tool more CI/CD friendly with the introduction of the API and agent-based workers. It feels like the project is in its infancy when compared with other enterprise offerings, but the groundwork has been laid for what could be a game changing move from Portswigger. I'll continue to use the professional edition in my work given the breadth of features which are obviously lacking in the enterprise version, and the stability provided by the standalone tool. It'll be interesting to see new features rolled out in Enterprise over the next few months so watch this space for another write-up!
Burp's new REST API
On August 20 2018 Burp released an article for its eagerly awaited REST API, and I couldn't be more happier! Burp is up there with the best when it comes to vulnerability assessment and penetration testing tools and one of the things that always irked me was its lack of API support, particularly around initiating scans and report consumption.
This always had to be done via the standalone tool which isn't fit for purpose in an enterprise environment where vulnerability results need to be consumed, evaluated and reported on in a programmatic fashion. Moreover when it comes to the shift-left mentality of security in a devsecops capacity, the standalone tool does not lend itself to this model with its lack of integration from an API scripting perspective.
An overview of its features
The API is new; it's in beta and has very limited functionality. What's available to us at this point in time are the following:
- The ability to start a scan (this doesn't include stopping one)
- The ability to read the status of a current scan including current metrics and issues detected
- The ability to query the knowledge base (i.e, gather information about known vulnerabilities)
These features are available via the following endpoints:
Feature | Endpoint | Method --- | --- | --- scan | /scan | POST status | /scan/<taskid>/ | GET knowledge-base | /knowledge_base/issue_definitions | GET
Practical examples using python
I've written an open-source python tool that interfaces with the REST API with the aforementioned features and you can grab yourself a copy here. The original version of my tool was written in ruby and developed by pentestgeek (have a look at his article on some of the new features).
git clone https://github.com/evo4ce/burpcommander burpcommander
pip3 install -r requirements.txt
Querying the knowledge base
To find out about a particular vulnerability you need only ask the tool by running:
./commander.py --name "<vuln name here>"
So a practical example might be
./commander.py --name "command injection" which will yield information pertaining to command injection. See my previous post as to the implications of injection vulnerabilities.
Initiating a scan
To launch a scan all you need is the URL. If you wanted to scan a machine on your local machine running on port 8081 you may do the following:
./commander.py --scanurl http://localhost:8081
Getting the status of a scan
Scan data can be obtained using the
--taskid flag, and optional
--metrics flag. An example for a taskid of 18 would be:
./commander.py --taskid 18 --metrics
taskid: The id of the initiated scan. This value is provided to you after you run commander with the
metrics: This gives you a high level overview of the current scan status without overloading you with the complete scan info. This flag is optional and without it you'll receive the complete status along with any issues found, their description, and all other attributes associated with a vulnerability scan.
Final thoughts on the REST API
I love it and I cannot wait to see what Portswigger comes up with over the next few months. The beauty of having this information available via API is that now we can programmatically initiate scans, gather report information in JSON format so we can visualise the data in our own tools and services, and have full integration with existing CI/CD pipelines. Look out for more practical examples from me in python as the Burp team releases more endpoints over the next few months.