Skip to main content
Burp Suite Connector

how to connect and use Burp Suite integration

Updated over 7 months ago

Pre-requisite

Start Scans application role with API authorization access. In order to create the application, follow the instructions:

  1. Log to Burp Suite Enterprise Console

  2. Navigate to Team -> Add a new user

  3. Fill in the details for: First name, Last name, Username, Email

  4. Choose API Key Login type

  5. Choose Scan viewers group

  6. Click the v icon to save

  7. From the API popup copy the API Key and keep it somewhere safe.

API Key popup

Configuring Burp Suite Enterprise Connector

  1. In the Connectors page, click on Add a Connector

  2. Click on the Burp Suite connector

  3. Fill in the credentials and server details

  • URL - Add the Burp Suite Enterprise server URL. Example: https://myserver:8080/

Note: If using the Copy API link button don't forget to remove the url details after the port number

  • API key - Paste the API Key obtained earlier

4. Click Test Connectivity to verify access and credentials

5. Click Create to complete

Note: If the Burp Suite server is installed on a local network not accessible externally, you may need to connect using Vulcan Gateway; read here how to configure.

Mapping Burp Suite severity score to vulcan risk

Burp Suite severity levels are mapped to a numerical score in Vulcan, ranging from 0 to 10, with 10 representing the highest risk.

This is preconfigured with values that can be changed at any time by the user. After changing the mapping, give time for the connector to sync to update the score.

Viewing data in Vulcan

Vulcan provides the option to remediate vulnerabilities from 2 different angels:

  • Assets

  • Vulnerabilities

Assets
The data will be displayed under Websites - This tab gathers all data that was pulled from dynamic scans. To filter only Burb Suite data, simply use the Search Bar

The Site Name will match the Website field in vulcan

The last Scan column will indicate the last completed scan dynamic scan time in Fortify.

The scanned Pages column will indicate the number of unique pages scanned in this Application.
The top Risk column will indicate the highest risk value from all risks that exist in a project.
The vulnerability column will indicate the number of issues instances. For example:
If Fortify indicates the following issues, Vulcan will display their total number under Vulnerabilities.

Tags are created for each folder in Burp Suite

Clicking on each website will open its Asset Card, where you can view the website's data, including all related vulnerabilities, the number of vulnerabilities associated with each page, and correlated data from other sources.

The pages tab will indicate the exact location of the vulnerabilities:

Vulnerabilities
Vulnerabilities are grouped similarly to issues, including details and remediation.

Threat tags are created in Vulcan for OWASP's top 10 threats.

FAQ

How to mark a vulnerability as a false positive?

When using "Mark as false positive" in Burp Suite the vulnerability with change the status to Acknowledged in Vulcan with the reason False Positive.

Vulnerabilities can also be set as False Positive directly in Vulcan by using the Ignore function.

Is Burp Suite Professional supported?

Unfortunately, there is no viable API to ingest data from the professional version but reports can be uploaded using Vulcan Report connector

API

API endpoint in use

your-web-server-url/graphql/v1

with the following query parameters

GetSiteTree, GetScan, GetScans, getIssue

More about this API

Did this answer your question?