
[Burp Enterprise] Configure scan_callback from the web UI

Javier Gil Nov 21, 2019 08:36AM UTC

Hi,

We would find it useful to be able to set the scan_callback property, which the API allows, when manually configuring scans from the web UI.

Is it possible / is it on the roadmap?

Thanks,
Javi


Michelle Gillian Nov 21, 2019 11:56AM UTC Support Center agent

Can I just check we’re understanding your request properly so we can discuss this with the Enterprise team?

Are you wanting to know if there are plans to include additional options on the New Scan web page (http://127.0.0.1:8080/scans/create) to configure call-back server settings or are you referring to the options available within the REST API web page?

Under the REST API web page, configurations such as this one can be created. Is this the kind of thing you need?
{
  "urls": ["http://test.example.com:81/static/oneissue.html"],
  "scan_type": "crawl_and_audit",
  "scope": {"type": "SimpleScope", "include": [], "exclude": []},
  "application_logins": [],
  "scan_configurations": [
    {"name": "Add all links to site map", "type": "NamedConfiguration"},
    {"name": "Audit coverage - thorough", "type": "NamedConfiguration"}
  ],
  "scan_callback": {"url": "http://localhost:9999/mycallback"}
}

The callback endpoint also needs to be configured to accept PUT.
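
A minimal callback receiver that satisfies the PUT requirement mentioned above, as an added example (not PortSwigger code and not part of the original thread). It listens on localhost:9999 like the configuration in the reply. Everything beyond "accept PUT" is an assumption: that the body is JSON (the payload schema is not interpreted), that the caller presents a shared secret in a hypothetical X-Callback-Token header so the endpoint is not open to anyone on the network, and a body-size cap so the receiver cannot be made to buffer unbounded input.

```python
"""Callback receiver for a Burp Enterprise scan_callback (added example).

Assumptions, none of which come from the support thread: JSON body, a
shared secret in an X-Callback-Token header, and a 5 MiB body cap.
"""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY_BYTES = 5 * 1024 * 1024  # refuse to buffer anything larger
# Hypothetical shared secret; set CALLBACK_TOKEN in the environment.
CALLBACK_TOKEN = os.environ.get("CALLBACK_TOKEN", "change-me")
RECEIVED = []  # accepted payloads; a real deployment forwards them onward


def parse_callback_body(raw: bytes, max_bytes: int = MAX_BODY_BYTES) -> dict:
    """Validate size and JSON shape; raise ValueError on anything else."""
    if len(raw) > max_bytes:
        raise ValueError("callback body too large")
    try:
        payload = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"callback body is not valid JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("callback body must be a JSON object")
    return payload


def token_matches(presented, expected: str = CALLBACK_TOKEN) -> bool:
    """Constant-time comparison of the presented secret against the expected one."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


class CallbackHandler(BaseHTTPRequestHandler):
    """Accepts PUT /mycallback; every other method or path is rejected."""

    def _reply(self, status: int, text: str) -> None:
        body = text.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self) -> None:
        if self.path != "/mycallback":
            return self._reply(404, "not found")
        if not token_matches(self.headers.get("X-Callback-Token")):
            return self._reply(401, "bad token")
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            return self._reply(400, "bad Content-Length")
        if length > MAX_BODY_BYTES:
            return self._reply(413, "payload too large")
        try:
            payload = parse_callback_body(self.rfile.read(length))
        except ValueError as exc:
            return self._reply(400, str(exc))
        RECEIVED.append(payload)  # hand-off point to a vulnerability management API
        self._reply(200, "ok")

    def do_GET(self) -> None:
        self._reply(405, "use PUT")  # the scanner calls back with PUT only


def serve(host: str = "127.0.0.1", port: int = 9999) -> HTTPServer:
    """Build the server bound to localhost; call serve_forever() to run it."""
    return HTTPServer((host, port), CallbackHandler)


if __name__ == "__main__":
    serve().serve_forever()
```

Run it as a script and point scan_callback.url at http://localhost:9999/mycallback; the handler records each accepted JSON object in RECEIVED, which is where a forwarder to an external system would be hooked in.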


Javier Gil Nov 21, 2019 12:33PM UTC

Hi,

My use case would be creating recurring scans which have a scan_callback.

Using the web UI, I can create recurring scans, but I cannot set a scan_callback.

Using the API, I can create scans which have a scan_callback, but I cannot set them to repeat every so often (as far as I have understood the documentation).

I would find it useful if I could do both things (configure recurrence and scan_callback) from either the web UI or the API.

Please let me know if it is still not clear. Thanks!

Michelle Gillian Nov 21, 2019 04:20PM UTC Support Center agent

This functionality isn’t available yet, but there is a possible workaround.

We could trigger the Jenkins Plugin with a callback every two minutes using a Jenkins Job with a CRON based build trigger. We used wiremock standalone as the callback endpoint (running on http://localhost:9999) and a scan configuration in the Jenkins plugin as shown below.
JENKINS PERIODIC BUILD TRIGGER:
*/2 * * * *
SCAN CONFIGURATION:
{
  "scope": {"type": "SimpleScope", "include": [], "exclude": []},
  "application_logins": [],
  "scan_configurations": [
    {"name": "Add all links to site map", "type": "NamedConfiguration"},
    {"name": "Audit coverage - thorough", "type": "NamedConfiguration"}
  ],
  "scan_callback": {"url": "http://localhost:9999/callback"}
}

Please let us know if this would be useful for you as an immediate option.


Javier Gil Nov 22, 2019 10:04AM UTC
I'm not sure I understood how that would work. Let me rephrase how we'd like our workflow to be:

- We would configure sites and scans using the web UI. Those scans should run automatically once a month, so the recurrence option comes handy.
- We use a custom system to do vulnerability management. It has an API, so we can dump the results from vulnerability scanners there.

We were exploring our options with BE, and the callback seemed to be exactly what we needed: we could just receive vulnerabilities as they were found and then send them to our vuln management platform using our code.

I've been reviewing the CI plugins docs, but they are not very detailed. If this kind of workflow is possible using any of them, it would also be fine.

Thanks!

Michelle Gillian Nov 22, 2019 03:48PM UTC Support Center agent

Hi

We’ve added a feature request for the ability to schedule scans via the API.

Another suggestion that may be easier to set up as a work-around in the meantime is to write a script that schedules your curl command.
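
One way to script the scheduled request the agent suggests, as an added example (not PortSwigger code and not from the thread). It is meant to be invoked from cron in place of a hand-written curl line, and it builds the same scan configuration shown earlier in the thread with the scan_callback set. Assumptions not stated on the page: the REST endpoint path is POST <base>/api/<api-key>/v0.1/scan (confirm it against the REST API page of your own Enterprise server), the server base URL defaults to the http://127.0.0.1:8080 used earlier in the thread, and the API key is read from a hypothetical BURP_API_KEY environment variable so it never appears in the crontab or process list.

```python
"""Cron-driven scan trigger for Burp Enterprise (added example).

Assumptions: endpoint POST <base>/api/<api-key>/v0.1/scan, API key in
BURP_API_KEY, server base in BURP_API_BASE (default from the thread).
"""
import json
import os
import sys
import urllib.request
from urllib.error import HTTPError, URLError

API_BASE = os.environ.get("BURP_API_BASE", "http://127.0.0.1:8080")


def build_scan_config(urls, callback_url=None, include=None, exclude=None) -> dict:
    """Same shape as the JSON posted earlier in the thread; callback is optional."""
    config = {
        "urls": list(urls),
        "scan_type": "crawl_and_audit",
        "scope": {
            "type": "SimpleScope",
            "include": list(include or []),
            "exclude": list(exclude or []),
        },
        "application_logins": [],
        "scan_configurations": [
            {"name": "Add all links to site map", "type": "NamedConfiguration"},
            {"name": "Audit coverage - thorough", "type": "NamedConfiguration"},
        ],
    }
    if callback_url:
        config["scan_callback"] = {"url": callback_url}
    return config


def scan_request(api_base: str, api_key: str, config: dict) -> urllib.request.Request:
    """Build the POST without sending it, so it can be inspected offline."""
    url = f"{api_base.rstrip('/')}/api/{api_key}/v0.1/scan"  # assumed path
    body = json.dumps(config).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST", headers={"Content-Type": "application/json"}
    )


def trigger_scan(api_base, api_key, config, opener=urllib.request.urlopen):
    """Send the request; return the Location header (or status) on success, None on failure."""
    req = scan_request(api_base, api_key, config)
    try:
        with opener(req, timeout=30) as resp:
            return resp.headers.get("Location") or str(resp.status)
    except HTTPError as exc:
        print(f"scan rejected: HTTP {exc.code}", file=sys.stderr)
    except URLError as exc:
        print(f"cannot reach Enterprise server: {exc.reason}", file=sys.stderr)
    return None


if __name__ == "__main__":
    key = os.environ.get("BURP_API_KEY")
    if not key:
        sys.exit("set BURP_API_KEY in the environment; do not put it in the crontab")
    cfg = build_scan_config(
        ["http://test.example.com:81/static/oneissue.html"],  # target from the thread
        "http://localhost:9999/mycallback",
    )
    print(trigger_scan(API_BASE, key, cfg))
```

A monthly cron entry such as `0 3 1 * * BURP_API_KEY=... /usr/bin/python3 /opt/burp/trigger_scan.py` gives the recurrence the web UI offers while keeping the callback the API offers; `trigger_scan` accepts an alternative `opener` so the request path can be exercised without a live server.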


Javier Gil Nov 26, 2019 09:31AM UTC
Hi,

We appreciate it. If you could request the ability to configure callbacks in the web UI, it would be awesome.

Thanks!
