Integrating Burp Suite with HP WebInspect

Users of both Burp and HP WebInspect can use the WebInspect Connector extension from the BApp Store to integrate the two products. The extension transfers vulnerability details back and forth between Burp and a WebInspect instance via the WebInspect API, giving users who already use both tools in their analysis process a more efficient workflow.

To use the integration, follow the instructions below.

First install the WebInspect Connector extension from the BApp Store.

 

It is important to ensure that the WebInspect API is running and logged in using the same credentials as the WebInspect application.

Open HP Fortify Monitor from the HP WebInspect folder (C:\Program Files\HP\HP WebInspect).

The credentials are set the first time Fortify Monitor is run and are based on the current user.

 

Use the Fortify Monitor icon in the system tray to configure and start the WebInspect API.

 

 

Configure the API port and host, then click start so that the API listens for connections.

Alternatively, click "Start Web Inspect API" from the system tray menu.

 

The credentials can also be configured manually.

Open the Services manager on your system.

 

Find the "WebInspect API" service and double click it to open the "WebInspect API Properties" window.

 

Go to the "Log On" tab and ensure the credentials match those used by the WebInspect application.

In this example, the account is ".\user".

 

You can visit the API in your browser to check that it is running (for example: http://localhost:8083/webinspect).
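One way to confirm the prerequisites above from PowerShell, as an added example that is not part of the original page or of either product. It assumes the "WebInspect API" service name and the example URL shown on this page, and that it is run as the same user who runs WebInspect; `Test-WebInspectApi` is a hypothetical helper name.

```powershell
# Added example: values come from this page's example; adjust to your setup.
$ServiceDisplayName = 'WebInspect API'                    # name shown in the Services manager
$ApiUrl             = 'http://localhost:8083/webinspect'  # example URL from the page

function Test-WebInspectApi {
    param([string]$DisplayName, [string]$Url)

    # Look up the service and the account on its "Log On" tab.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' not found." }

    # Expand ".\user" to "MACHINE\user" so it can be compared with the current user.
    # Best effort only: UPN-style or built-in accounts will not match this form.
    $machinePrefix = $env:COMPUTERNAME + '\'
    $logOn   = $svc.StartName -replace '^\.\\', $machinePrefix
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # Which local addresses is the API port listening on?
    # Anything other than 127.0.0.1 or ::1 is reachable from other hosts.
    $port      = ([uri]$Url).Port
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

    # Same check as visiting the URL in a browser; an HTTP error still proves a listener.
    try {
        $resp   = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        $status = [int]$resp.StatusCode
    } catch {
        $status = $_.Exception.Message
    }

    [pscustomobject]@{
        ServiceState    = $svc.State
        LogOnAccount    = $svc.StartName
        CurrentUser     = $current
        AccountsMatch   = ($logOn -ieq $current)
        ListenAddresses = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
        HttpResult      = $status
    }
}

Test-WebInspectApi -DisplayName $ServiceDisplayName -Url $ApiUrl | Format-List
```

If `AccountsMatch` is false, correct the account on the service's "Log On" tab before connecting from Burp.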

 

Return to Burp and go to the "WebInspect" tab.

Enter the appropriate details into the "Host" and "Proxy" settings.

Click the "Connect" button.

 

An updated list of scans should now be presented in the table below.

You can refresh the scans at any time using the "Refresh Scans" button.

Double click on one of the scans to bring up a specific scan tab.

 

You can send items from WebInspect to Burp by selecting one or multiple vulnerabilities in the WebInspect scan tab and using the context menu to perform the following actions:

  • Send to Spider
  • Send to Intruder
  • Send to Repeater
  • Create issue - this will add the vulnerability to Burp Target's site map.
 

Issues created in Burp's results are tagged with "[WebInspect]".

 

You can send items from Burp to WebInspect as follows:

Select one or multiple issues in the Burp Site map "Issues" section.

Right click on the issue to bring up the context menu.

Go to "Send to WebInspect".

Select an open WebInspect scan.

 

This will create the issue in WebInspect, and will also create a crawling session based on the selected base request.