Integrating Burp Suite Enterprise into Jenkins CI/CD Pipeline

Philip McHugh
The Startup


Last year, PortSwigger, the company behind Burp Suite, the world’s most widely used web application security testing software, released a new product, separate from Burp Suite Pro, called Burp Suite Enterprise Edition. This new offering is a scalable automation and CI integration product. One advantage of the Enterprise edition is that it runs as an always-on server, which gives 24/7 access to Burp’s Scanner and lets you trigger scans per commit or from within your deployment pipelines. Burp Enterprise exposes a REST API for triggering scans and monitoring their progress; this can all be set up from the Burp API generator page.

Burp Suite Enterprise REST API Generator

Integrating Burp Enterprise into Jenkins
Burp Enterprise can be integrated into CI/CD by running a cURL command from a shell script against the REST API server. The example below is a pipeline project that triggers a scan of an application. The cURL command can be generated from the Burp Enterprise API generator page: http://Burp-IP:8080/api/API-KEY/v0.1/

curl -X POST 'http://API_URL:8080/api/API-KEY/v0.1/scan' -d '{"name":"Application Scan","scan_configurations":[],"urls":["http://URL"]}'

Start Scanning
Once the cURL command has been generated from the API generator, you can convert it into an sh step using Jenkins’ built-in Pipeline Snippet Generator.

pipeline {
    // 'agent any' rather than 'agent none': the sh step needs a workspace on a node to run in
    agent any
    stages {
        stage('Running Burp Scanner') {
            steps {
                echo 'Running Burp Scanner...'
                sh label: '', script: '''curl -X POST \'http://API_URL:8080/api/API-KEY/v0.1/scan\' -d \'{"name":"Application Scan","scan_configurations":[],"urls":["http://URL"]}\' '''
            }
        }
    }
}

The above pipeline script will execute and trigger a scan in Burp Enterprise, which is visible in the Burp Enterprise UI dashboard under Scans. The REST API also supports multiple named configurations, such as Minimize false negatives, Audit checks — medium active and Crawl limit (10/20/30 min). The full list of named configurations is in the Burp Enterprise UI dashboard.

Jenkins has triggered a scan

Scan Results
Once scanning is complete, the results are shown in the dashboard, but for CI/CD you don’t really want to log into the dashboard each time to view results. Instead, you can fetch the results from Burp Enterprise with cURL and retrieve the JSON data detailing the scan results. To fetch the data, call the following URL: http://Burp-URL:8080/api/API-KEY/v0.1/scan/ID

The ID at the end of the URL is the scan ID generated by the Burp Enterprise server. This ID is contained in the HTTP response to the very first cURL command that was issued to trigger the scan: the Location header contains the ID, which you can use later to pull down the JSON data. cURL’s dump-header parameter (-D) writes the response headers to a file, which you can grep for the Location header to store the scan ID for later.

Scan ID is 420

Knowing when to pull down the JSON data was tricky within CI/CD, as you might pull down incomplete JSON data while the scan is still running. Luckily, Burp Enterprise includes a few status values in the JSON data, two useful ones being “succeeded” and “failed”. By looping on the status field you can wait until the status changes to succeeded and only then pull the JSON data, leaving you with a completed scan result.

# keep polling until the scan reaches a terminal status; checking "failed" as well
# as "succeeded" stops the loop from running forever when a scan aborts
until grep -Eq '"scan_status": *"(succeeded|failed)"' burp_result.json 2>/dev/null; do
    sleep 30
    curl -s -X GET "http://API-URL:8080/api/API-KEY/v0.1/scan/ID" > burp_result.json
done
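The trigger-then-poll workflow described above (read the scan ID from the Location header, then poll the scan URL until its status is terminal), written as a script a Jenkins sh step could call. This is an added example, not code from the article or from PortSwigger. It assumes the v0.1 URL shapes the article shows and that the status field is called scan_status with values succeeded and failed; the transport functions are injected so the logic can be exercised without a Burp server, and the names trigger_scan, wait_for_scan and the BURP_URL / BURP_API_KEY / TARGET_URL environment variables are this example's own.

```python
"""Trigger a Burp Suite Enterprise scan from CI and wait for it to finish.

Added example for this article; not code from the article or from PortSwigger.
Assumed API shape (from the article): POST /api/<API-KEY>/v0.1/scan returns the
new scan's ID in the Location header, and GET /api/<API-KEY>/v0.1/scan/<ID>
returns JSON whose "scan_status" field ends up as "succeeded" or "failed".
The HTTP transport is injected (post/get callables) so the workflow can be
exercised without a server.
"""
import json
import os
import time
import urllib.request
from urllib.parse import urlsplit


def scan_id_from_location(location):
    """Return the scan ID from a Location header such as
    http://burp:8080/api/KEY/v0.1/scan/420 (absolute or path-only form)."""
    path = urlsplit(location).path.rstrip("/")
    scan_id = path.rsplit("/", 1)[-1]
    if not scan_id.isdigit():  # assumption: scan IDs are integers (the article shows 420)
        raise ValueError(f"unexpected Location header: {location!r}")
    return scan_id


def build_scan_request(target_url):
    """Request body with the same shape as the article's curl command."""
    return {"name": "Application Scan", "scan_configurations": [], "urls": [target_url]}


def trigger_scan(post, base_url, api_key, target_url):
    """POST the scan request; return the scan ID taken from the Location header.
    post(url, body) must return (http_status, headers_dict)."""
    url = f"{base_url.rstrip('/')}/api/{api_key}/v0.1/scan"
    status, headers = post(url, build_scan_request(target_url))
    if status not in (200, 201):
        raise RuntimeError(f"scan trigger failed with HTTP {status}")
    location = headers.get("Location") or headers.get("location")
    if not location:
        raise RuntimeError("scan response carried no Location header")
    return scan_id_from_location(location)


def wait_for_scan(get, base_url, api_key, scan_id, poll_seconds=30, max_polls=120, sleep=time.sleep):
    """Poll GET .../scan/<id> until scan_status is terminal.
    Returns the final JSON when the scan succeeded.  A failed scan or an
    exhausted poll budget raises, so a partial result is never treated as a
    finished scan (the failure mode the article warns about)."""
    url = f"{base_url.rstrip('/')}/api/{api_key}/v0.1/scan/{scan_id}"
    status = None
    for _ in range(max_polls):
        result = get(url)
        status = result.get("scan_status")
        if status == "succeeded":
            return result
        if status == "failed":
            raise RuntimeError(f"scan {scan_id} failed")
        sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} still {status!r} after {max_polls} polls")


def http_post_json(url, body):
    """Real transport for trigger_scan, standard library only."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.getcode(), dict(resp.headers)


def http_get_json(url):
    """Real transport for wait_for_scan."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # The API key is read from the environment (for example a Jenkins
    # credentials binding) rather than being pasted into the pipeline script.
    base = os.environ["BURP_URL"]        # e.g. http://Burp-IP:8080
    key = os.environ["BURP_API_KEY"]
    sid = trigger_scan(http_post_json, base, key, os.environ["TARGET_URL"])
    final = wait_for_scan(http_get_json, base, key, sid)
    with open("burp_result.json", "w") as fh:
        json.dump(final, fh)
    print(f"scan {sid} finished: {final['scan_status']}")
```

Because the API key sits in the URL path, it lands in shell history, Jenkins console output and proxy logs whenever the curl command is echoed; reading it from an environment variable populated by a credentials binding keeps it out of the pipeline script itself.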

Once the scan is complete, you will have a JSON file detailing all the issues found by the scan. This JSON can be parsed using Python; I used an online JSON formatter (jsonviewer) to view the breakdown of the results, which was useful as I could cherry-pick the details I wanted in my report. All of this was formatted into a custom HTML/PDF report.
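One way to turn the finished JSON into the custom report the article describes, with a pass/fail gate for the pipeline added on top. This is an added example, not the article's own script or anything from PortSwigger. The field names it reads (issue_events[].issue with name, severity, confidence, origin and path) and the sample result embedded in it are assumptions modelled on Burp's issue format, not copied from a real scan, so check them against a burp_result.json from your own server before relying on the gate.

```python
"""Turn a finished Burp Suite Enterprise scan result into a report and a gate.

Added example for this article; not the article's own script.  The field names
(issue_events[].issue.{name,severity,confidence,origin,path}) and SAMPLE_RESULT
are assumptions modelled on Burp's issue format, not taken from a real scan.
"""
import html
import json
from collections import Counter

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
CONFIDENCE_RANK = {"tentative": 0, "firm": 1, "certain": 2}

# Constructed sample result in the assumed shape; not real scan output.
SAMPLE_RESULT = json.dumps({
    "scan_status": "succeeded",
    "issue_events": [
        {"issue": {"name": "Cross-site scripting (reflected)", "severity": "high",
                   "confidence": "firm", "origin": "http://app.example", "path": "/search?q="}},
        {"issue": {"name": "SQL injection", "severity": "high",
                   "confidence": "tentative", "origin": "http://app.example", "path": "/item?id=1"}},
        {"issue": {"name": "Frameable response (potential Clickjacking)", "severity": "medium",
                   "confidence": "firm", "origin": "http://app.example", "path": "/"}},
        {"issue": {"name": "Cookie without HttpOnly flag set", "severity": "low",
                   "confidence": "certain", "origin": "http://app.example", "path": "/login"}},
    ],
})


def load_issues(result):
    """Flatten the nested issue events into plain dicts the report can use,
    highest severity (then highest confidence) first."""
    issues = []
    for event in result.get("issue_events", []):
        issue = event.get("issue", {})
        issues.append({
            "name": issue.get("name", "unknown issue"),
            "severity": issue.get("severity", "info").lower(),
            "confidence": issue.get("confidence", "tentative").lower(),
            "url": issue.get("origin", "") + issue.get("path", ""),
        })
    issues.sort(key=lambda i: (-SEVERITY_RANK.get(i["severity"], 0),
                               -CONFIDENCE_RANK.get(i["confidence"], 0), i["name"]))
    return issues


def sample_issues():
    """Issues parsed from the constructed sample above."""
    return load_issues(json.loads(SAMPLE_RESULT))


def summarise(issues):
    """Count issues per severity, e.g. Counter({'high': 2, 'medium': 1, 'low': 1})."""
    return Counter(i["severity"] for i in issues)


def should_fail_build(issues, min_severity="high", min_confidence="firm"):
    """Pipeline gate: fail when any issue is at least min_severity AND at least
    min_confidence.  Filtering on confidence keeps tentative findings from
    blocking every build while they still appear in the report."""
    sev, conf = SEVERITY_RANK[min_severity], CONFIDENCE_RANK[min_confidence]
    return any(SEVERITY_RANK.get(i["severity"], 0) >= sev
               and CONFIDENCE_RANK.get(i["confidence"], 0) >= conf for i in issues)


def render_html(issues):
    """Minimal HTML report.  Every field is escaped: issue names, paths and
    origins are derived from the scanned target's responses, so the report
    itself must not become a stored XSS sink."""
    summary = summarise(issues)
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(i["severity"]), html.escape(i["confidence"]),
            html.escape(i["name"]), html.escape(i["url"]))
        for i in issues)
    counts = ", ".join(f"{k}: {summary[k]}" for k in ("high", "medium", "low", "info") if summary[k])
    return (f"<html><body><h1>Burp scan report</h1><p>{html.escape(counts) or 'no issues'}</p>"
            "<table><tr><th>Severity</th><th>Confidence</th><th>Issue</th><th>URL</th></tr>"
            f"{rows}</table></body></html>")


def gate_from_file(path="burp_result.json", **policy):
    """Load the file the polling step wrote; return (issues, build_should_fail)."""
    with open(path) as fh:
        issues = load_issues(json.load(fh))
    return issues, should_fail_build(issues, **policy)


if __name__ == "__main__":
    import sys
    issues, failed = gate_from_file()
    with open("burp_report.html", "w") as fh:
        fh.write(render_html(issues))
    print(dict(summarise(issues)))
    sys.exit(1 if failed else 0)  # non-zero exit marks the Jenkins stage as failed
```

Run it as the last step of the stage after the polling loop has written burp_result.json; the exit code fails the build on the policy you choose, and burp_report.html can be archived as a build artifact so developers never need the dashboard.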

Jenkins stage view with Burp running at the end

Conclusion
Burp Suite Enterprise is a good product for introducing security into your CI/CD pipeline. The lack of report generation from the REST API was disappointing; the product does generate a report from the web UI dashboard, but in my opinion that report would not be sufficient for developers. Creating your own custom report from the JSON data is by far the better option, as it gives more granular detail on the results. Using Python, you can easily parse the JSON data to suit your needs.

Authentication is a problem, and a problem for other DAST products for that matter, in that they have difficulty authenticating to applications. With standard username/password logins Burp Enterprise had no major issues, but for 2FA or otherwise complex logins, Burp Enterprise failed. Burp Suite Pro has options for session handling rules using macros, and these work perfectly when using Pro, but those configurations are not supported in Burp Enterprise (feature request submitted). If Enterprise supported these configurations it would have few problems logging in and would maintain a stable session for the authenticated pages.

The REST API makes this very CI/CD friendly, as it should be supported by other CI/CD products, not just Jenkins. The REST API generator page is a useful feature for creating the cURL command that triggers a scan. You can also execute that cURL command within the page, so you don’t need to run it from Jenkins or the command line.

I would rate this product 3/5. Authentication is key and should have better support. Generating more detailed reports from the API would be useful, as this is an important aspect of CI/CD. The rest is all positive: with a little initial setup, you get Burp Suite’s world-class Scanner triggered via cURL for your CI/CD work.

