Licensing
Q. Does the licensing model of Burp Enterprise relate to the number of domains or FQDNs?
A. The subscription model is not based on the number of domains, FQDNs or URLs. Targets are unlimited with no extra cost. Subscriptions are based on concurrent scans (the number of scans you want to run at the same time).
Q. Is there a limit or cost associated with the number of users?
A. No, users are unlimited, and this applies to all Burp Enterprise subscriptions.
CI/CD Integration
Q. Can CI-driven scans be integrated with TeamCity & Azure DevOps?
A. Yes, CI-driven scans can be integrated into any CI platform that supports the use of Docker containers for CI agent nodes. For TeamCity, we provide an example pipeline script build step in our documentation. For Azure DevOps, we can share an example with you. Please get in touch with our Technical Support team at support@logon-int.com.
Q. For CI-driven scans, is it possible to define which branch you would like a scan to run and specify a scan configuration?
A. Yes. Defining the branch is part of the CI platform pipeline script configuration and is platform-specific. Scan configuration can be specified as part of configuring the Burp CI-driven scan using a YAML file.
Q. Is it possible to export CI-driven scan results to GitHub Advanced Security (using SARIF format) for reporting?
Q. Can you integrate Burp Suite Professional into CI/CD pipelines?
A. No. As Burp Suite Professional is licensed to a specific named individual user, integrating into CI pipelines is not possible under the license agreement. For CI integration, Burp Suite Enterprise Edition would be used.
Q. Can Burp Suite Professional scan configurations be exported to Burp Suite Enterprise Edition for CI-driven scans?
Self-hosted to Cloud Migration
Q. We are currently using the self-hosted version of Burp Suite Enterprise Edition. How do we migrate to the Cloud-hosted version? Can we migrate all existing assets and scan history? Is there a change in license costs?
A. We provide a migration tool to transfer data from your self-hosted version of Burp Suite Enterprise Edition to the cloud version. The initial version of this tool supports sites, folders, site configurations, scan configurations, scan schedules, BChecks, extensions, user groups and roles. Scan history is not included. There is separate pricing for the cloud version. Please contact sales@logon-int.com for more details on pricing.
Burp Scanner
Q. Are dynamic tokens supported for authenticated scanning? E.g. JWT tokens with a 90-minute expiry and OAuth 2.0 OIDC via SSO?
A. Dynamic JWT tokens with an expiry limit as a custom header are not currently supported. A static token must be used. OAuth 2.0 OIDC via SSO is supported using our recorded login sequence, provided there is a front-end login form. We are currently developing further support for dynamic authentication for API scanning, including JWT.
Q. Is Burp Scanner safe to use against production targets? What if a CI build connects to production data? Is it safe to run a CI-driven scan and still find state-modifying issues like SQL injection?
A. Burp Scanner is designed to test for security flaws and any DAST scanner can damage target applications or their data due to the nature of its functionality. Scans can be configured to disable intrusive checks and run a more passive scan, which reduces but does not eliminate this risk completely. Some issues, such as SQL injection, require intrusive scan checks. If you are concerned about damaging a production application, we suggest scanning a replica or staging version of the application.
Q. Have you got any plans to integrate AI into Burp Suite?
A. We are reviewing how AI may integrate with Burp Suite. We do not have any specific plans to share at this time.
Q. Can Burp Suite Enterprise Edition scan an imported collection of HTTP requests?
A. This is not currently supported, but we may look at features such as a Postman collection import in future.
Q. Is multi-factor authentication supported for authenticated scanning?
A. Multi-factor authentication is not currently supported, as scans run in the background without user input to complete CAPTCHA or enter an OTP code. We suggest creating a dedicated scanning user account within the target application and disabling MFA.
Q. Is OIDC authentication supported for authenticated scanning?
Q. Can Burp Scanner scan WebSocket requests?
A. Testing WebSockets is available in Burp Suite Professional using the proxy and repeater tools. However, it is not currently supported by the automated scanner.
Q. Is it possible to scan a single-page application protected with anti-CSRF tokens on every page?
A. Yes, Burp Scanner can handle this scenario.
Q. How are false positives managed?
A. There are a number of configurable options to manage false positives. Please see the documentation here.
Q. How does Burp Scanner handle more complicated flows where the crawl isn't discovering all of the attack surface?
A. If you are experiencing issues with coverage, please get in touch with our Technical Support team at support@portswigger.net, who are happy to help. There may be recommendations we can offer specific to your target application.
Burp Suite Enterprise Edition Features
Q. Is SSO integration available for the Burp Suite Enterprise Edition cloud version?
Q. With the cloud version, is it possible to scan internal applications that don't have internet access?
A. Yes, you can install a self-hosted scanning agent within your own environment to scan internal applications. This sends the results back to the cloud server using an outbound connection.
Q. Is tagging available for sites/folders and findings?
A. Tagging is not currently available, but you can use custom names for sites & folders. Issues can be viewed globally across all sites, at the site level or at the individual scan level, and several filter views are available.
Q. Does Burp Suite Enterprise Edition support allowable scan time windows?
Q. Does the cloud version of Burp Suite Enterprise Edition have the same features as the self-hosted version?
A. Yes, apart from LDAP integration for user management (which is only available with the self-hosted version; SAML is available with the cloud version) and integration with on-premise instances of Jira & GitLab for issue tracking (only the cloud versions of these are supported for integration).
Q. Can scan results be exported and/or integrated with other tools?
A. Yes, native issue-tracking integrations are available for Jira, GitLab and Trello. For the export of issues to vulnerability management, EASM or other tools, data can be exported via the Burp Enterprise GraphQL API in XML format.
Q. Do you have a Kubernetes version of the self-hosted scanning agent to connect to the Burp Suite Enterprise Edition cloud server?
A. We have initially provided a self-hosted scanning agent installer for Windows and Linux. In the future, we may look at a container-based agent that could be used in a Kubernetes environment.
Q. Does Burp Suite Enterprise Edition cloud have any manual testing tools like Repeater or Intruder?
A. Burp Suite Enterprise Edition is an automated DAST tool. It does not include any manual testing features. For this, you would use Burp Suite Professional.
Q. For the cloud version, please can you explain the difference between PortSwigger-hosted scanning and self-hosted scanning?
A. PortSwigger-hosted scans are performed by agents within PortSwigger's secure cloud environment. We provide the source IPs to add to the allowlist for your target applications. Self-hosted scans are performed by agents installed in your environment, and the results are sent back to the cloud server using an outbound connection. This option enables you to scan internal applications that can't be reached from outside the environment.
Q. How are issues tracked across scans? How does the tool know how to avoid duplicating issues or reporting issues previously marked as false positives?
A. Burp Suite Enterprise Edition has a mechanism to track an issue across scans and features statuses for "New, Regressed and Resolved" as well as reporting issue trends over time. Issues marked as a false positive are also remembered for future scans, and configuration is available to define this as only this issue, all issues of the same type or by issue type and URL.
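As an added illustration of the tracking behaviour this answer describes (this is not PortSwigger's code), the following Python models the New/Regressed/Resolved statuses across scans and the three false-positive scopes named above; the findings, URLs and field names are constructed examples.

```python
"""Added illustration (not PortSwigger's code) of the cross-scan issue tracking
the FAQ describes: New / Regressed / Resolved statuses plus false-positive rules
at the three scopes the answer names. Findings and URLs are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    issue_type: str  # e.g. "sql_injection"
    url: str         # constructed URL
    param: str       # parameter the issue was reported in

def fingerprint(f: Finding) -> tuple:
    """Identity used to recognise the same issue in a later scan."""
    return (f.issue_type, f.url, f.param)

@dataclass(frozen=True)
class FalsePositiveRule:
    scope: str       # "issue", "type" or "type_and_url"
    origin: Finding  # the finding the rule was created from

    def matches(self, f: Finding) -> bool:
        if self.scope == "issue":
            return fingerprint(f) == fingerprint(self.origin)
        if self.scope == "type":
            return f.issue_type == self.origin.issue_type
        if self.scope == "type_and_url":
            return (f.issue_type, f.url) == (self.origin.issue_type, self.origin.url)
        raise ValueError(f"unknown scope: {self.scope}")

def run_scan(history: dict, findings: list, rules: list) -> dict:
    """Status per finding of this scan; history (fingerprint -> status) persists."""
    statuses, seen = {}, set()
    for f in findings:
        fp = fingerprint(f)
        if any(r.matches(f) for r in rules):
            statuses[fp] = "false_positive"
            history.pop(fp, None)  # a suppressed issue is no longer tracked
            continue
        seen.add(fp)
        if fp not in history:
            statuses[fp] = "new"
        elif history[fp] == "resolved":
            statuses[fp] = "regressed"  # reappeared after being fixed
        else:
            statuses[fp] = "existing"
    for fp, last in history.items():  # open issues that did not reappear
        if fp not in seen and last != "resolved":
            statuses[fp] = "resolved"
    history.update({k: v for k, v in statuses.items() if v != "false_positive"})
    return statuses
```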
Q. Which integrations are available for alerts and notifications?
Q. Is the Jira integration for issue tracking bi-directional? If I update the status of an issue in Jira, does that also update in Burp Enterprise?
A. The Jira integration enables Jira tickets to be created when issues are found from Burp Enterprise scans. The integration is one-way, and updates made in Jira do not sync back to Burp Enterprise.
Q. When an issue is identified, do the results include any hints on how to fix it?
A. Yes, results include issue details, description, background, request & response information, remediation advice, classifications and reference links.
Q. Can I run scans without interacting with a user interface?
A. Yes, scans can be run via the Burp Enterprise GraphQL API and from CI platforms as part of a pipeline build step.
Q. Can I have multiple custom scan configurations for various scans?
A. Yes, you can create as many custom scan configurations as you need, and these are stored in a central library. You can also import scan configurations from Burp Suite Professional.
Q. Is there a way to share scan reports with a pre-defined list of email address recipients?
A. Yes, you can set up automatic email scan report summaries at the site level. Alternatively, you can use the Burp Enterprise GraphQL API to automate the retrieval of full scan reports and integrate with your own workflow.
Q. Can we lock down the cloud instance to only be accessible by certain IP addresses?
A. You will be provided with a unique access URL for your dedicated cloud instance. There isn't an option to restrict access by IP address, but only the login page will be accessible without valid credentials. We will also soon provide the option to enable multi-factor authentication.
Support
Q. What does support for this look like if we encounter an issue with scanning?
A. Technical Support is included with a Burp Enterprise subscription at no extra cost. Our team are happy to help if you encounter any scanning issues. Contact us at support@logon-int.com.
Q. Do you have a particular support team to solve bugs?
A. Bug requests can be logged with our Technical Support team and we have a process for managing these to be passed to our development team for remediation.