Burp Suite is a set of tools for assessing web application security. It is available in free and commercial versions. We highly recommend its use when developing or assessing any web application.


Usage Instructions
The Burp tool must only be used to evaluate the security of your web application where it resides outside of Force.com (e.g. www.partnersite.com). For applications residing completely on Force.com (e.g. partner-visual.force.com, appxpartner.force.com, etc.), please use the Force.com Source Code Scanner.

Please note that you are not permitted to run this tool against any servers owned and operated by salesforce.com without prior written approval.

Training Video
A 15-minute training video on using the Burp Suite Professional tool can be found here.

Technical Overview
By launching the tool and configuring a web browser to use it as its proxy server, all web traffic between the browser and the application can be intercepted, inspected, modified and analyzed to identify a range of security vulnerabilities.

Burp Suite Professional contains the following tools:

Proxy - an intercepting HTTP/S proxy server which operates as a man-in-the-middle between the end browser and the target web application, allowing you to intercept, inspect and modify the raw traffic passing in both directions.
Spider - an intelligent application-aware web spider which allows complete enumeration of an application's content and functionality.
Scanner - an advanced tool for performing automated discovery of security vulnerabilities in web applications.
Intruder - a highly configurable tool for automating customized attacks against web applications, such as enumerating identifiers, harvesting useful data, and fuzzing for common vulnerabilities.
Repeater - a tool for manually manipulating and re-issuing individual HTTP requests, and analyzing the application's responses.
Sequencer - a tool for analyzing the quality of randomness in an application's session tokens or other important data items which are intended to be unpredictable.
Decoder - a tool for performing manual or intelligent decoding and encoding of application data.
Comparer - a utility for performing a visual "diff" between any two items of data, normally pairs of related requests and responses.

Detailed help specific to each of the individual Burp Suite tools listed above is available within the tool itself. For additional help and details, please visit the Burp Suite Professional website.

Effectively Scanning Applications Using Burp
To obtain effective results from the Burp Scanner, it is recommended that you do the following:

• Turn “Intercept” (Proxy->Intercept) off within Burp. Do not change other default configurations.
• Configure your browser to use Burp as its proxy (the default port is 8080).
• Log in to your web application with the highest-privileged account to ensure no features are hidden, and run through typical use cases (simulate customer usage). Your goal is to access every application page.
• Right-click on the target URL (Target->site map) and click on “spider this host”.
• Once spidering completes, right-click on the target URL and click on “actively scan this host”. The scan progress can be monitored under the “Scanner” tab.

Accuracy of Results
While black-box testing tools can be of great assistance in uncovering major security vulnerabilities, it is important to understand that no tool can identify all vulnerabilities. Additionally, since these tools lack insight into the context of the application, false positives can be produced. The output of this tool should not be considered a comprehensive security assessment of your application; rather, it should complement a thorough manual review. The OWASP Testing Guide can be a valuable asset in determining your application’s security testing plan.

False Negatives
A false negative occurs when a tool is not able to identify an existing bug. Some vulnerabilities that Burp Suite may not identify include:

• Stored Cross-Site Scripting
• Cross-Site Request Forgery
• Session Hijacking/Fixation
• Weak Access Control Policy

False Positives
A false positive occurs when a tool misinterprets legitimate application behaviour as an actual issue. This can occur for multiple reasons, but it often happens because the tool does not understand the full context of an application. Here are two of the common places where you will see false positives in the output from Burp:

• SQL Injection - SQL injection is the insertion of SQL syntax, via user-supplied input, into a query the application builds. Burp looks for database error messages in the HTTP response, and may incorrectly classify text that merely resembles such a message (for example, an error string quoted in page content) as output from the database.
• XML Injection - XML injection is an attack technique used to manipulate or compromise the logic of an XML application or service. Burp looks for exceptions thrown during XML parsing. However, at times a response that simply contains the term “XML” can get flagged as an exception.
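The two false-positive cases above share a root cause: the scanner matches error-looking strings in the response body without knowing whether the page always contains them. The following added example (not Burp's code; the signature lists and sample responses are constructed for illustration) models that signature matching and shows the triage check a reviewer applies by hand: compare the response to the test payload against a baseline response to benign input, and keep only signatures that the payload actually provoked.

```python
"""Triage of scanner signature matches: naive match vs. baseline-differential check."""
import re

# Constructed signature lists, illustrative only; Burp's real signature lists differ.
SQL_ERROR_SIGNATURES = {
    "mysql_syntax": re.compile(r"You have an error in your SQL syntax", re.I),
    "mssql_quote": re.compile(r"Unclosed quotation mark", re.I),
    "oracle_code": re.compile(r"\bORA-\d{5}\b"),
}
XML_ERROR_SIGNATURES = {
    "sax_exception": re.compile(r"SAXParseException", re.I),
    "xml_term": re.compile(r"\bXML\b"),  # deliberately over-broad, as the page describes
}


def naive_match(body, signatures):
    """Names of every signature that appears anywhere in a response body (the naive check)."""
    return sorted(name for name, rx in signatures.items() if rx.search(body))


def confirm_finding(baseline_body, test_body, signatures):
    """Keep only signatures present in the response to the test payload but absent
    from the baseline response to benign input. A string that is there either way
    is page content, not an error the payload provoked."""
    base = set(naive_match(baseline_body, signatures))
    test = set(naive_match(test_body, signatures))
    return sorted(test - base)


# --- Constructed sample responses (static pages return the same body for any input) ---
# 1. A help page that quotes a database error message in its own text.
HELP_PAGE = ("<h1>Troubleshooting</h1><p>If the importer reports "
             "'You have an error in your SQL syntax', re-export the CSV.</p>")

# 2. A product listing whose content happens to contain the word XML.
PRODUCT_PAGE = "<h1>XML Tutorials</h1><p>Learn XML in 24 hours.</p>"

# 3. A search page: benign query, then the same query with a single quote appended.
SEARCH_BASELINE = "<p>Results for <b>widget</b>: 3 items found.</p>"
SEARCH_WITH_QUOTE = ("<p>Results for <b>widget'</b>: Warning: You have an error in "
                     "your SQL syntax; check the manual near ''widget''' at line 1</p>")


def triage_report():
    """Run both checks over the samples; returns {case: (naive hits, confirmed hits)}."""
    return {
        "help_page": (naive_match(HELP_PAGE, SQL_ERROR_SIGNATURES),
                      confirm_finding(HELP_PAGE, HELP_PAGE, SQL_ERROR_SIGNATURES)),
        "product_page": (naive_match(PRODUCT_PAGE, XML_ERROR_SIGNATURES),
                         confirm_finding(PRODUCT_PAGE, PRODUCT_PAGE, XML_ERROR_SIGNATURES)),
        "search_page": (naive_match(SEARCH_WITH_QUOTE, SQL_ERROR_SIGNATURES),
                        confirm_finding(SEARCH_BASELINE, SEARCH_WITH_QUOTE, SQL_ERROR_SIGNATURES)),
    }


if __name__ == "__main__":
    for case, (naive, confirmed) in triage_report().items():
        print(f"{case:13s} naive={naive} confirmed={confirmed}")
```

The help page and the product page both trip the naive check but produce no confirmed finding, because the matched text is present in the baseline as well; only the search page, whose error appears solely in the response to the modified input, survives triage. When reviewing Burp's output, the same comparison can be done with Repeater (re-issue the request with benign input) and Comparer (diff the two responses).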