Debug School

Suyash Sambhare

Burp Suite with Jenkins

Install Burp Suite

There are multiple releases for Burp Suite to choose from - https://portswigger.net/burp/releases

  • ALL EDITIONS
  • PROFESSIONAL
  • COMMUNITY
  • ENTERPRISE
  • CI/CD DRIVER
  • DASTARDLY

For this exercise, we are choosing the Burp Suite Enterprise Edition (Trial version).

Minimum Requirements:

  • 8 vCPU
  • 24 GB RAM
  • 100 GB HDD

These figures are the minimum needed to run a scan. A full production deployment, including an external database and scanning machines, has different requirements.

Maximum Requirements:

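| No. of concurrent scans | vCPU | RAM   | HDD    | Swap size |
|-------------------------|------|-------|--------|-----------|
| 1                       | 8    | 24 GB | 30 GB  | 26 GB     |
| 2                       | 12   | 28 GB | 50 GB  | 30 GB     |
| 3                       | 16   | 36 GB | 70 GB  | 38 GB     |
| 4                       | 20   | 44 GB | 90 GB  | 46 GB     |
| 5                       | 24   | 52 GB | 110 GB | 54 GB     |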

Download and Setup

  • Navigate to https://portswigger.net/burp/releases
  • Select Enterprise Edition 2023.11.1
  • Select your OS type (Windows/Linux)
  • For example: https://portswigger-cdn.net/burp/releases/download?product=enterprise&version=2023.12.1&type=Linux
  • Windows: Extract the installer burpsuite_enterprise_windows-x64_v2023_12_1.exe from the installer zip file. Right-click the installer file and select Run as administrator.
  • Linux: Extract the installer burpsuite_enterprise_linux_v2023_12_1.sh from the installer zip file. From the command line, run sudo sh burpsuite_enterprise_linux_v2023_12_1.sh -c.
  • In the installation wizard, keep clicking Next to accept the default options until you are prompted to choose a port for the web server. By default, port 8080 is used, but you may need to select a different one if this isn't available on your machine.
  • Keep clicking Next to accept the default for all remaining options until the installation process begins. Please note that this may take a few minutes. If prompted, allow Java to accept incoming connections.
  • There are potential security implications to leaving Burp Suite Enterprise Edition in an unconfigured state.
  • Once you have installed Burp Suite Enterprise Edition, you will need to perform some additional configuration in the app itself. To access the configuration page, visit http://localhost:8080 in your browser.
  • When you first access Burp Suite Enterprise Edition, you're prompted to create an initial admin user. Enter your email address and a secure password. The Username is automatically set to administrator, and cannot be changed.
  • Keep a note of these credentials. You need them to complete the initial setup and they are not easily recovered if you lose them.
  • Click Finish & login to complete the configuration process and open the Sign in page.
  • Log in using the administrator user that you just created.

License Activation

  • Activate your license on the Upload your license key page. Sign up for a free trial at https://portswigger.net/burp/enterprise/trial
  • You need one license for each server instance of Burp Suite Enterprise Edition that you intend to run.
  • Follow the instructions in your registration email to download your license key.
  • When prompted, click Upload license key and select your key from the dialog.
  • Once your license is activated, click Continue to begin the onboarding wizard. This wizard guides you through the process of running your first scan.

Run Scan

The first step of the wizard prompts you to select whether you want to scan your target app or a test site - https://www.debug.school/suyash.
Select an option to display the Add a Site page.
To scan your site and get "real world" results straight away, click Scan your site.
To use the test site and see how Burp Suite Enterprise Edition displays vulnerabilities of varying severity, click Set up and scan.
The next step of the onboarding wizard prompts you to add your first site.
Start by entering a Site name. This can be anything you like. If you are scanning the test site this field is already populated with Vulnerable Test Site.
Next, enter a Start URL. This is the URL from which all scans of the site start. Any sub-paths of the URL are included in the scope of the scan by default. If you are scanning the test site this field is already populated with https://www.debug.school/suyash/.
Using Burp Scanner may have unexpected effects on some applications. Until you are fully familiar with its functionality and settings, you should only run scans against non-production systems. Do not run scans against third-party websites unless you have been authorized to do so by the owner.
For the scan configuration, you can choose from four preset modes that enable you to adjust the balance of speed and coverage. For this first scan, select Lightweight. The lightweight mode completes within 15 minutes.
Leave all the other options as their defaults and click Next: Set up scan to display the Schedule scan page.


Scan Scheduling

By default, scans start immediately and repeat weekly. You can use the Start scan and Scan schedule options to change the scan's start time and frequency if required.
Click Create Scan and finish to start the scan and open the Timeline tab.
You can click on the individual scan to view more details. On the Timeline tab, you can monitor the scan progress and see an estimate of the time remaining. You can also see issues as they're discovered in real time. Use the Issues tab to see more details about an issue. We'll look closer at this tab in the next tutorial, once the scan has finished.

Result Analysis

Use the dashboards and analytics features to interpret the results of your scan and begin taking steps to resolve any issues.

  • Results Summary: Select your scan and go to the Overview tab. This tab contains various charts that give you a quick snapshot of the scan's results. If your scan is still running, these are updated in real-time as more vulnerabilities are detected.
  • Issues Identified: Go to the Issues tab to see a list of all security issues that have been identified by the scan so far. These are color-coded based on the estimated severity of the issue. Issues are grouped by type. You can expand each issue type to see all of the URLs where it was detected.
  • Filters: When faced with a large number of issues, you'll want to prioritize. The buttons at the top of the list enable you to select issue severity and confidence levels to display. The confidence level is determined by the inherent accuracy of the techniques used to detect each type of issue. We strongly recommend that you confirm all reported issues manually.
  • Additional Details: Select one of the URLs where a vulnerability was detected. The Advisory tab provides information to help you understand what the problem is and what actions you can take to resolve the issue. In some cases, you'll find links to the Web Security Academy, where you can practice exploiting the issue yourself on a series of deliberately vulnerable websites.
  • Evidence examination: The Request and Response tabs display the evidence that Burp Scanner has found for the issue. The kind of evidence available depends on the issue type.
  • False Positives: After manually reviewing a reported issue, you may decide that it is a false positive. To mark an issue as a false positive, select it and then click Mark as false positive. You are prompted to apply this change to similar issues found elsewhere on the site, but for now, just accept the default setting.
  • Reporting: You'll often want to report the results of your scan to other stakeholders who don't have access to Burp Suite Enterprise Edition. For example, you need to pass details of any findings to your development teams so that they can work on a fix. Go back to the scan and open the Reporting tab. From here you can select the type of report you want to download and which severities should be included.

Jenkins Integration

Use Burp Scanner to run web vulnerability scans as a stage in your existing CI/CD pipeline, and fail builds if vulnerability thresholds are met.
You configure the scan by defining a set of simple parameters in a YAML file.

  • Save the configuration for your no-dashboard scan as a YAML file.
  • You will need your Jenkins server or build node to have Docker installed.
  • No plugins beyond the Jenkins defaults are required to run a no-dashboard scan in a Jenkins CI/CD pipeline.

Steps

  1. From the Jenkins Dashboard, click New Item.
  2. Enter an item name for your pipeline, click Pipeline, then click OK.
  3. You can give your pipeline a Description.
  4. From the side menu, click Pipeline.
  5. From the Definition drop down, select Pipeline script from SCM.
  6. Configure the Pipeline section to point to the relevant Jenkinsfile in your code repository. You must include any credentials used to access the repository.
  7. Click Save.
  • Save your configuration file as burp_config.yml in the root of your application.
  • Create a Jenkinsfile in the corresponding location in your code repository. Add the following content to the file:
```groovy
// Jenkinsfile for integration of a Burp Suite Enterprise Edition CI-driven scan with no dashboard.

pipeline {
  agent any
  stages {
    stage ("Docker Run Example Scan") {
      steps {
        // Run the scan container as the Jenkins user with the workspace mounted,
        // so it can read burp_config.yml from the workspace.
        sh '''
            docker run --rm --pull=always \
            -u $(id -u) -v ${WORKSPACE}:${WORKSPACE}:rw -w ${WORKSPACE} \
            -e BURP_CONFIG_FILE_PATH=${WORKSPACE}/burp_config.yml \
            public.ecr.aws/portswigger/enterprise-scan-container:latest
        '''
      }
    }
  }
  post {
    always {
      // Publish the scan report as test results, then clean the workspace.
      junit testResults: 'burp_junit_report.xml', skipPublishingChecks: true, skipMarkingBuildUnstable: true, allowEmptyResults: true
      cleanWs()
    }
  }
}
```
  • To view the scan results, click the most recent build under Build History.
  • Click Test Result. Here you can see any failed tests. See more details of a failed test by clicking it.
  • You can see remediation advice for security issues that Burp Scanner finds under Stacktrace.
  • This includes links to relevant sections of the free Web Security Academy resource, which provide further detail on web security vulnerabilities.
  • You can see evidence for security issues that Burp Scanner finds under Stacktrace.
  • This evidence includes the request sent by Burp Scanner to produce the issue, as well as the response sent by the application.
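
The Jenkinsfile above publishes burp_junit_report.xml with allowEmptyResults: true and skipMarkingBuildUnstable: true, so the junit step on its own neither fails on a missing report nor marks the build unstable on findings. The following added example (not part of the original post or of PortSwigger's tooling) is a fail-closed gate over that report; it assumes the generic JUnit XML layout that the Jenkins junit step reads, and the function names, the max_failures threshold and the sample report are hypothetical and constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

REPORT = "burp_junit_report.xml"  # file name used by the Jenkinsfile above

def failed_cases(xml_bytes):
    """Return [(testcase name, message)] for every failed or errored testcase."""
    if not xml_bytes.strip():
        raise ValueError("report is empty")
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        # The report embeds content from the scanned site; refuse DTDs/entities.
        raise ValueError("report contains a DTD")
    root = ET.fromstring(xml_bytes)
    if root.tag not in ("testsuite", "testsuites"):
        raise ValueError("not a JUnit report: <%s>" % root.tag)
    found = []
    for case in root.iter("testcase"):
        for child in case:
            if child.tag in ("failure", "error"):
                found.append((case.get("name", "?"), child.get("message", "")))
                break
    return found

def gate(xml_bytes, max_failures=0):
    """Return an exit code: 0 = pass, 1 = too many findings, 2 = unusable report."""
    try:
        found = failed_cases(xml_bytes)
    except (ValueError, ET.ParseError) as exc:
        print("gate: %s" % exc, file=sys.stderr)
        return 2
    for name, message in found:
        print("finding: %s: %s" % (name, message))
    return 1 if len(found) > max_failures else 0

# Constructed sample in the generic JUnit layout, not real scanner output.
SAMPLE = b"""<testsuites><testsuite name="scan" tests="2" failures="1">
  <testcase classname="https://app.example.test" name="Sample issue A">
    <failure message="constructed finding">request/response evidence</failure>
  </testcase>
  <testcase classname="https://app.example.test" name="Sample check B"/>
</testsuite></testsuites>"""

if __name__ == "__main__":
    try:
        with open(sys.argv[1] if len(sys.argv) > 1 else REPORT, "rb") as fh:
            data = fh.read()
    except OSError:
        data = b""  # a missing report fails closed via gate()
    sys.exit(gate(data))
```

In the pipeline this would run as an additional sh step after the scan, before the post block's cleanWs() removes the report from the workspace.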

Ref: https://portswigger.net/burp/documentation/enterprise/
