How to integrate Burp Suite for security automation in Microsoft Azure DevOps and Microsoft TFS


To be honest, there is not much information around about how to integrate Burp Suite with Microsoft DevOps or TFS, which is why I am writing this article.

Burp Suite is a top platform for penetration testing. We can use it for a lot of different scopes, and for people working in cybersecurity Burp Suite is a must-have.

Burp Suite offers three versions: Free, Professional and Enterprise. Burp Suite also provides integration for automation testing with Selenium and Jenkins, see below:

https://www.securify.nl/blog/SFY20160901/burp-suite-security-automation-with-selenium-and-jenkins.html

What about the Microsoft stack? The latest version of Burp Suite offers the possibility to expose an API to trigger events such as scanning and to retrieve information.
Below is how to do that.

First, we need to install Burp Suite Professional edition from here

https://portswigger.net/

From the User options, enable the API and select the bind address. In this case I selected all interfaces, so that I can also test using my machine name.

Open a browser and navigate to

http://servername:1337/v0.1/

Below is a quick example of how to trigger the Burp Suite API using C#.
I put the picture as a quick reference. There is nothing complicated about it, it is just an HTTP call. You can download the example below:

https://drive.google.com/file/d/10ZaNNCh0VZQs7H6q1Tqpk0MNzoYUByvS/view?usp=sharing

The code below returns the scan status and the task number in the HTTP header (not sure why it is named Location)

We can trigger these actions from any type of code or scripting, which is why I think this is the best solution to use for the Microsoft platform.

There are also other options we can use, like the login parameters, the configuration name or the scope we want to use, so I think it is pretty cool stuff to use.
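The call sequence described above (start a scan, read the task number from the Location header, check the scan status), as an added C# example that is not the author's original code. The environment variable names and the target URL are assumptions, and the JSON field names (urls, scan_status, issue_events) should be checked against the API page Burp serves at /v0.1/.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

class BurpScanStep
{
    static async Task<int> Main()
    {
        // Assumed environment variables (hypothetical names), set by the pipeline.
        var host = Environment.GetEnvironmentVariable("BURP_API_HOST") ?? "http://servername:1337";
        var key = Environment.GetEnvironmentVariable("BURP_API_KEY"); // optional API key
        var target = Environment.GetEnvironmentVariable("SCAN_TARGET") ?? "https://staging.example.test/";

        // When an API key is enabled in Burp, the key is part of the URL path.
        var baseUrl = string.IsNullOrEmpty(key) ? $"{host}/v0.1/" : $"{host}/{key}/v0.1/";
        using var http = new HttpClient { BaseAddress = new Uri(baseUrl) };

        // Start the scan: POST "scan" with the list of URLs to scan.
        var body = JsonSerializer.Serialize(new { urls = new[] { target } });
        using var start = await http.PostAsync("scan",
            new StringContent(body, Encoding.UTF8, "application/json"));
        if (!start.IsSuccessStatusCode ||
            !start.Headers.TryGetValues("Location", out var location))
        {
            Console.Error.WriteLine($"Scan not started: HTTP {(int)start.StatusCode}");
            return 2;
        }
        // The task number is returned in the Location header, not in the body.
        var taskId = location.First().TrimEnd('/').Split('/').Last();

        // Poll the task until Burp reports a final state.
        while (true)
        {
            using var doc = JsonDocument.Parse(await http.GetStringAsync($"scan/{taskId}"));
            var status = doc.RootElement.GetProperty("scan_status").GetString();
            Console.WriteLine($"Task {taskId}: {status}");
            if (status == "succeeded" || status == "failed")
            {
                var issues = doc.RootElement.TryGetProperty("issue_events", out var ev)
                    && ev.ValueKind == JsonValueKind.Array ? ev.GetArrayLength() : 0;
                Console.WriteLine($"Issues reported: {issues}");
                // A non-zero exit code fails the build step.
                return status == "succeeded" && issues == 0 ? 0 : 1;
            }
            await Task.Delay(TimeSpan.FromSeconds(15));
        }
    }
}
```

Run as a console step in the build, the exit code decides whether the pipeline continues. The API key stays out of the console output because only the task number and status are printed.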

About the Burp Suite installation, we can use a dedicated VM in Azure or a Docker image with Kali and Burp Suite.

If you decide on the Docker way you can use the steps below:

Install Docker. If you use Windows, download it from here

https://docs.docker.com/docker-for-windows/

If you use Linux, install it with apt-get as below

apt-get install docker.io

docker run hello-world

Create the Docker container. If you like Ubuntu, use the command below

docker run -ti --name burprestapi -h burpapi -p 8090:8090 -p 8080:8080 ubuntu:latest /bin/bash

If you like Kali, use the command below

docker run -ti --name burprestapi -h burpapi -p 8090:8090 -p 8080:8080 kalilinux/kali-linux-docker /bin/bash

Download the Burp Suite installation for Linux x64 from here

https://portswigger.net/

In the Docker container, go to the opt folder

Copy the .sh installation file, from the container execute the command below

docker cp burpsuite_pro_linux_v2_0_15beta.sh burprestapi:/opt/

And install Burp Suite as below

bash burpsuite_pro_linux_v2_0_15beta.sh

Go to the Burp Suite folder

root@burpapi:/opt# cd BurpSuitePro/

Execute the installation

root@burpapi:/opt/BurpSuitePro# ./BurpSuitePro

Accept the license, enter the key and you now have a Burp Suite instance running in a Docker container.

This is very interesting for the automation testing scenario, because it makes us much more dynamic and scalable.
The Docker option is also convenient, since we can run the container anywhere.

I am always happy and available for questions and chat, feel free to contact me by email or other social channels.
