Learner_7 Respected Contributor.

HP WebInspect And Burp Suite Integration

Hi

I need a step-by-step instruction set for integrating WI and Burp Suite.

Another query is what benefit we get from this integration? Is it because Burp has better crawling efficiency?

Micro Focus Expert

Re: HP WebInspect And Burp Suite Integration

The integration of BURP and WebInspect is well documented inside the WebInspect Help Guide.  There are two step-by-step articles within.

  • "About the Burp API Extension"
  • "Using the Burp API Extension"

You may also find the announcement articles from October 2014 useful.

There are actually three use cases between BURP and WebInspect.

1. BURP captures can be imported to feed a WebInspect scan's Discovery:

When configuring a Workflow-driven scan in WebInspect, the Import Workflow/Macro field recognizes the file formats from the included Workflow Macro Recorder (*.webmacro), the included Web Proxy (*.PSF), BURP captures (no extension), and even HP UFT (provided the UFT client is installed on the WebInspect machine). The Workflow-driven scan defaults to an Audit-Only method, but the user can switch that to Crawl-and-Audit if they are seeking to augment the WebInspect Crawler (Discovery) engine with known sessions.

2. User may extract an issue from WebInspect for manual review in BURP:

This can be done with any version of BURP. The user would follow the Help instructions to add the WebInspect Extension (JAR) to BURP, and to also enable the WebInspect API service. Once connected, the BURP UI would be able to list the existing WebInspect scans, and drill in to grab one or more of the Vulnerable sessions to transfer into BURP. The BURP user could then further manipulate the session(s), perform additional tests or spidering from that point.

3. User may transfer a BURP finding into a WebInspect scan:

This appears to require the use of BURP Pro, since the "push" option comes from the Scanner tab of BURP, and that only shows for the paid version of BURP. This integration requires that the user has applied the same BURP Extension as for #2 above, and that the WebInspect API is currently enabled.

No, BURP's Crawler is not better. Instead, this integration is a tip-of-the-hat from HP to BURP, recognizing that BURP is a very popular tool used by web app pentesters. In fact, many of the secondary tools that come with WebInspect perform similar tasks to the parts of the BURP Suite, as well as other freeware suites used in the field. At the expert level, these users often use multiple tools, and frequently prefer their own manual testing over automated scanners. We are offering them the best of both worlds: the ability to exhaustively review gigantic amounts of web space with WebInspect while giving them the access needed to investigate select areas in-depth with BURP as they prefer.

One use case in particular for BURP that I can think of is poor login error messaging, e.g. when the Password is wrong but the Username is correct, et al. WebInspect expects to have a valid logon, and then to review the entire site. It may try the logon page with and without session state, including fuzzing the parameters, but it will not tell you that the on-screen messaging is insecure and could be used for data mining the logins. That is not its focus, and it frequently requires a human to notice those on-screen nuances. The user could have used their browser, or our Web Proxy, or our Web Brute tool. However, we understand that BURP is very popular and now those users have a way to incorporate their manual findings into the automated scan so they can benefit with centralized storage of the findings and can generate one set of (WebInspect) reports for their client rather than ones from separate products.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
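Added example for use case #1 above (not code from the reply, from WebInspect or from Burp): before a Burp capture is imported to seed a Crawl-and-Audit scan, it is worth listing which captured sessions carry a cookie, an Authorization header or a password form field, because the scanner will replay those requests verbatim. The parser assumes the capture is shaped like Burp's "Save items" XML export with base64-encoded requests; the reply only says "BURP captures (no extension)", so that format, the `app.example.test` host and every value in `SAMPLE_CAPTURE` are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Headers whose presence means the scanner would replay a session token or
# credential each time it re-issues the captured request.
SENSITIVE_HEADERS = ("authorization", "cookie")

# Constructed sample capture. ASSUMPTION: Burp's "Save items" XML layout
# (one <item> per request, request text base64-encoded inside CDATA).
_REQ1 = base64.b64encode(
    b"GET /account HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Cookie: session=abc123\r\n\r\n"
).decode()
_REQ2 = base64.b64encode(
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=alice&pass=secret"
).decode()

SAMPLE_CAPTURE = f"""<items>
  <item>
    <url><![CDATA[http://app.example.test/account]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[{_REQ1}]]></request>
  </item>
  <item>
    <url><![CDATA[http://app.example.test/login]]></url>
    <method><![CDATA[POST]]></method>
    <request base64="true"><![CDATA[{_REQ2}]]></request>
  </item>
</items>"""


def parse_capture(xml_text):
    """Turn a capture into a list of session dicts (method, url, headers, body)."""
    sessions = []
    for item in ET.fromstring(xml_text).findall("item"):
        req_el = item.find("request")
        raw = (req_el.text or "").strip()
        raw_bytes = base64.b64decode(raw) if req_el.get("base64") == "true" else raw.encode()
        head, _, body = raw_bytes.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:  # lines[0] is the request line
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        sessions.append({
            "method": item.findtext("method"),
            "url": item.findtext("url"),
            "request_line": lines[0],
            "headers": headers,
            "body": body,
        })
    return sessions


def sessions_with_credentials(sessions):
    """Return (method, url, [what was found]) for every session the scan
    would replay with a token, credential header or password form field."""
    flagged = []
    for s in sessions:
        hits = sorted(h for h in s["headers"] if h in SENSITIVE_HEADERS)
        ctype = s["headers"].get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            fields = parse_qs(s["body"].decode("latin-1"))
            hits += sorted("form:" + f for f in fields if "pass" in f.lower())
        if hits:
            flagged.append((s["method"], s["url"], hits))
    return flagged


if __name__ == "__main__":
    for method, url, hits in sessions_with_credentials(parse_capture(SAMPLE_CAPTURE)):
        print(f"{method} {url} replays {', '.join(hits)}")
```

Run it against a real export by reading the file into `parse_capture`; anything it flags is a session whose token or password should be a dedicated test account, since it will be sent many times during the audit.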
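Added example for the login-messaging point in the last paragraph of the reply (not code from the reply or from either product): the "before" handler answers differently for an unknown username and for a known username with the wrong password, which is what the reply says a human has to notice; the "after" handler gives one status and one message for every failure and does the same hashing work in both cases. The user store, salt and `alice` account are constructed, and the fast SHA-256 stands in for a real password hash only to keep the example short.

```python
import hashlib
import hmac

# Constructed user store: username -> salted SHA-256 of the password.
# (Hypothetical values; a real deployment would use a slow password hash.)
_SALT = b"constructed-salt|"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
# Compared against when the username does not exist, so unknown and known
# usernames cost the same amount of work and cannot be told apart by timing.
_DUMMY = hashlib.sha256(_SALT + b"dummy").hexdigest()


def _verify(username, password):
    stored = _USERS.get(username, _DUMMY)
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate) and username in _USERS


def login_leaky(username, password):
    """'Before': the wording of the failure reveals whether the username exists."""
    if username not in _USERS:
        return 401, "Unknown user"
    if not _verify(username, password):
        return 401, "Incorrect password"
    return 200, "Welcome"


def login_hardened(username, password):
    """'After': one status and one message for every failure."""
    if _verify(username, password):
        return 200, "Welcome"
    return 401, "Invalid username or password"


def failure_messages_are_uniform(handler):
    """True when an unknown username and a known username with the wrong
    password get identical responses from the handler; this is the check a
    manual tester performs by eye on the login page."""
    return handler("nobody", "wrong") == handler("alice", "wrong")


if __name__ == "__main__":
    for name, handler in (("leaky", login_leaky), ("hardened", login_hardened)):
        print(name, "uniform" if failure_messages_are_uniform(handler) else "distinguishable")
```

The same comparison can be made against a live login form by recording the two failure responses and diffing status, body and headers; a difference in any of them is the finding the reply describes pushing from BURP into the WebInspect scan.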