Prerequisite
The connector needs a BurpSuite Enterprise user with API-key access (the Start Scans application role). To create it, follow these steps:
1. Log in to the BurpSuite Enterprise console
2. Navigate to Team -> Add a new user
3. Fill in the details: First name, Last name, Username, Email
4. Choose the API Key login type
5. Choose the Scan viewers group
6. Click the check (v) icon to save
7. From the API popup, copy the API Key and store it securely
(Screenshot: API Key popup)
Configuring the BurpSuite Enterprise Connector
1. In the Connectors page, click Add a Connector
2. Click the BurpSuite connector
3. Fill in the credentials and server details:
   URL - Enter the BurpSuite Enterprise server URL. Example: https://myserver:8080/
   Note: If you use the Copy API link button, remember to remove everything after the port number from the pasted URL
   API key - Paste the API Key obtained earlier
4. Click Test Connectivity to verify access and credentials
5. Click Create to complete
Note: If the BurpSuite server is installed on a local network that is not accessible externally, you may need to connect through the Vulcan Gateway; read here how to configure it.
Mapping BurpSuite severity score to Vulcan risk
BurpSuite severity levels are mapped to a numerical score in Vulcan from 0 to 10, where 10 represents the highest risk.
This mapping is preconfigured with default values that the user can change at any time. After changing the mapping, allow time for the connector to sync before the updated scores appear.
Viewing data in Vulcan
Vulcan provides the option to remediate vulnerabilities from 2 different angles:
Assets
Vulnerabilities
Assets
The data is displayed under Websites. This tab gathers all data pulled from dynamic scans; to filter only BurpSuite data, use the Search Bar.
The Site Name will match the Website field in Vulcan.
The Last Scan column indicates the time of the last completed dynamic scan in BurpSuite.
The Scanned Pages column indicates the number of unique pages scanned in this application.
The Top Risk column indicates the highest risk value among all risks that exist in a project.
The Vulnerabilities column indicates the number of issue instances. For example:
If BurpSuite reports the following issues, Vulcan displays their total number under Vulnerabilities.
Tags are created for each folder in BurpSuite.
Clicking on each website opens its Asset Card, where you can view the website's data, including all related vulnerabilities, the number of vulnerabilities associated with each page, and correlated data from other sources.
The Pages tab indicates the exact location of the vulnerabilities:
Vulnerabilities
Vulnerabilities are grouped similarly to issues and include details and remediation.
Threat tags are created in Vulcan for OWASP Top 10 threats.
FAQ
How to mark a vulnerability as a false positive?
When you use "Mark as false positive" in BurpSuite, the vulnerability's status changes to Acknowledged in Vulcan with the reason False Positive.
Vulnerabilities can also be set as False Positive directly in Vulcan by using the Ignore function.
Is Burp Suite Professional supported?
Unfortunately, there is no viable API to ingest data from the Professional version, but reports can be uploaded using the Vulcan Report connector.
API
API endpoint in use:
your-web-server-url/graphql/v1
with the following GraphQL query operations:
GetSiteTree, GetScan, GetScans, getIssue
More about this API
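As an added example (not this page's or Vulcan's own code), the following Python reproduces what the Test Connectivity step and the API section above describe: it normalizes a pasted server URL the way the Copy API link note requires, then sends a minimal GraphQL query to /graphql/v1 with the API key. It assumes the key is sent in the Authorization header; the server name, key value and the offline fake responder are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Assumptions (not stated on this page): Burp Suite Enterprise reads the API key
# from the Authorization header, and its GraphQL API lives at <server>/graphql/v1.
GRAPHQL_PATH = "/graphql/v1"


def normalize_server_url(url):
    """Reduce a pasted URL to scheme://host:port/ so that a 'Copy API link' value
    (which ends in /graphql/v1) becomes the bare server URL the connector expects."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("expected an absolute http(s) URL, got %r" % url)
    return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))


def build_connectivity_request(server_url, api_key):
    """Endpoint, headers and JSON body for a minimal GraphQL round trip.
    '__typename' is valid against every GraphQL schema, so the check does not
    depend on Burp's own query operations (GetScans, GetSiteTree, ...)."""
    endpoint = normalize_server_url(server_url).rstrip("/") + GRAPHQL_PATH
    headers = {"Content-Type": "application/json", "Authorization": api_key}
    body = json.dumps({"query": "query ConnectivityCheck { __typename }"}).encode()
    return endpoint, headers, body


def check_connectivity(server_url, api_key, transport=None):
    """True when the server answers HTTP 200 with a GraphQL 'data' object and no errors.
    'transport' is an injectable (url, headers, body) -> (status, bytes) callable;
    None means a real HTTPS POST through urllib."""
    endpoint, headers, body = build_connectivity_request(server_url, api_key)
    if transport is None:
        def transport(url, hdrs, payload):
            req = Request(url, data=payload, headers=hdrs, method="POST")
            with urlopen(req, timeout=15) as resp:
                return resp.status, resp.read()
    status, raw = transport(endpoint, headers, body)
    if status != 200:
        return False  # 401/403 here typically means a bad or revoked API key
    try:
        reply = json.loads(raw)
    except ValueError:
        return False  # an HTML login page or proxy error page instead of JSON
    return isinstance(reply, dict) and isinstance(reply.get("data"), dict) and "errors" not in reply


# Constructed responder standing in for a live server so the module runs offline.
def fake_burp_ok(url, hdrs, body):
    return 200, b'{"data": {"__typename": "Query"}}'
```

Calling check_connectivity("https://myserver:8080/graphql/v1", "REPLACE_WITH_API_KEY", transport=fake_burp_ok) returns True; omit transport to hit a real server.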