In this article you will find:
- How to configure the connector
- How to view data in Vulcan
- API calls
Start Scans application role with API authorization access. In order to create the application, follow the instructions:
- Log in to the BurpSuite Enterprise console
- Navigate to Team -> Add a new user
- Fill in the details: First name, Last name, Username, Email
- Choose the API Key login type
- Choose the Scan viewers group
- Click the v icon to save
- From the API popup, copy the API Key and keep it somewhere safe.
API Key popup
2. Configuring BurpSuite Enterprise Connector
1. In the Connectors page, click Add a Connector
2. Click the BurpSuite connector
3. Fill in the credentials and server details:
   - URL - the BurpSuite Enterprise server URL. Example: https://myserver:8080/
   - API key - paste the API Key obtained earlier
4. Click Test Connectivity to verify access and credentials
5. Click Create to complete
Note: If the BurpSuite server is installed on a local network that is not accessible externally, you may need to connect through Vulcan Gateway; read here how to configure it.
Mapping BurpSuite severity score to Vulcan risk
BurpSuite severity levels are mapped to a numerical score in Vulcan from 0 to 10, where 10 represents the highest risk.
The mapping is preconfigured with values that the user can change at any time. After changing the mapping, allow time for the connector to sync before the updated scores appear.
3. Viewing data in Vulcan
Vulcan provides the option to remediate vulnerabilities from 2 different angles:
The data is displayed under Websites. This tab gathers all data pulled from dynamic scans. To filter only Fortify DAST data, use the Search Bar.
- The Site Name will match the Website field in Vulcan.
- The Last Scan column indicates the time of the last completed dynamic scan in Fortify.
- The Scanned Pages column indicates the number of unique pages scanned in this application.
- The Top Risk column indicates the highest risk value among all risks that exist in a project.
- The Vulnerabilities column indicates the number of issue instances. For example, if Fortify indicates the following issues, Vulcan will display their total number under Vulnerabilities.
- Tags are created for each folder in BurpSuite.
Clicking on a website opens its Asset Card, where you can view the website's data, including all related vulnerabilities, the number of vulnerabilities associated with each page, and correlated data from other sources.
The Pages tab indicates the exact location of the vulnerabilities:
Vulnerabilities are grouped similarly to issues and include details and remediation.
Threat tags are created in Vulcan for OWASP Top 10 threats.
How to mark a vulnerability as false positive?
When "Mark as false positive" is used in BurpSuite, the vulnerability's status changes to Ignored in Vulcan, with the reason False Positive.
Vulnerabilities can also be set as False Positive directly in Vulcan by using the Ignore function.
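The severity mapping, the per-website Top Risk and Vulnerabilities columns, and the false-positive handling above are illustrated by the following added example. It is not Vulcan's or PortSwigger's code; the default score values and the rule that Ignored issues are excluded from the counts are assumptions, and the issue records are constructed sample data, not real API output.

```python
from dataclasses import dataclass

# Assumed default mapping (Vulcan's real preconfigured values are not on the
# page). The page says the user can change it, so it is a parameter below.
DEFAULT_SEVERITY_MAP = {"high": 9.0, "medium": 6.0, "low": 3.0, "info": 0.0}


@dataclass
class Issue:
    site: str           # maps to the Website field in Vulcan
    path: str           # page location shown in the Pages tab
    name: str
    severity: str       # Burp severity level
    false_positive: bool = False  # "Mark as false positive" set in Burp


def vulcan_status(issue):
    # A Burp false positive is imported as Ignored with reason False Positive
    if issue.false_positive:
        return ("Ignored", "False Positive")
    return ("Open", None)


def score(issue, severity_map=None):
    severity_map = severity_map or DEFAULT_SEVERITY_MAP
    sev = issue.severity.lower()
    if sev not in severity_map:
        raise ValueError(f"unmapped Burp severity: {issue.severity!r}")
    return severity_map[sev]


def summarize_sites(issues, severity_map=None):
    """Return {site: {"vulnerabilities": n, "top_risk": x, "pages": {path: n}}}.
    Assumption: Ignored issues do not count toward Vulnerabilities or Top Risk."""
    out = {}
    for issue in issues:
        s = out.setdefault(issue.site, {"vulnerabilities": 0, "top_risk": 0.0, "pages": {}})
        if vulcan_status(issue)[0] == "Ignored":
            continue
        s["vulnerabilities"] += 1                      # one per issue instance
        s["top_risk"] = max(s["top_risk"], score(issue, severity_map))
        s["pages"][issue.path] = s["pages"].get(issue.path, 0) + 1
    return out


SAMPLE_ISSUES = [  # constructed sample data, two instances of the same issue
    Issue("https://shop.example", "/login", "SQL injection", "High"),
    Issue("https://shop.example", "/login", "SQL injection", "High"),
    Issue("https://shop.example", "/search", "Reflected XSS", "Medium", True),
    Issue("https://shop.example", "/", "Clickjacking", "Low"),
    Issue("https://blog.example", "/feed", "Open redirect", "Medium"),
]

if __name__ == "__main__":
    for site, summary in summarize_sites(SAMPLE_ISSUES).items():
        print(site, summary)
```

Passing a different mapping to summarize_sites shows why scores only change after the connector re-syncs: the score is recomputed from the mapping at import time, not stored in Burp.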
Is Burp Suite Professional supported?
Unfortunately, there is no viable API to ingest data from the Professional version, but reports can be uploaded using the Vulcan Report connector.
API endpoint in use
The connector uses the API with the following query parameters:
GetSiteTree, GetScan, GetScans, getIssue
More about this API