...
The Parasoft Burp Suite Extensions package enables you to perform security and penetration testing against APIs and browser-based web applications using SOAtest test scenarios with the Burp Suite web application security assessment tool. The package contains a "Burp Extender" that is installed into Burp Suite, as well as two tools that are used within SOAtest:
- Burp Suite Analysis Tool: Sends data to Burp Suite for security analysis and reports Burp Suite findings within the SOAtest user interface.
- Burp Suite Reporter: Generates a Burp Suite report capturing security analysis findings.
...
- SOAtest 9.10 or later
- A SOAtest .tst with at least one Browser Playback tool or test client (for example, SOAP, REST, EDI, or Messaging Client)
- Burp Suite Professional 1.7.03 or later
...
The SOAtest tools are packaged into the soatestburpsuitetools.jar file, which can be installed from the UI or command line.
UI Installation
- Choose Parasoft > Preferences.
- In the System Properties preferences page, click Add JARs.
- Browse to and choose the soatestburpsuitetools.jar file to add it to the SOAtest classpath.
- Click Apply.
- Restart SOAtest.
Command Line Installation
Add the soatestburpsuitetools.jar file to the system.properties.classpath property in your settings properties file. For example:
system.properties.classpath=<PATH_TO_JAR>/soatestburpsuitetools.jar
...
Install the Parasoft SOAtest Burp Extender (burpsuiteextender.jar) following the standard Burp Extenders installation process.
- Launch the Burp Suite UI.
- In the Extender > Extensions tab, click Add.
- Under Extension Details, ensure that Extension type is set to Java, then browse to the burpextender.jar file for the Extension file (.jar) field.
- Click Next. You should see a message that says “Parasoft SOAtest Burp Extender” in the Output tab.
- Verify that no errors are reported in the Errors tab, then click Close.
...
Because Burp Suite analysis can impact the behavior of functional test scenarios and takes much longer to run than typical test scenarios, we strongly recommend that you maintain two different copies of your test scenarios: one that is used for your functional test runs, and another that is used for your security test runs. Whenever you want to perform security tests on your application, make a copy of the latest version of your functional test scenarios, then add Burp Suite tools to the copy. This way, your original tests can still be used for functional testing without any behavior or performance impact.
The general workflow for enabling this is:
- Identify the test scenarios that you want to use for security testing and copy them. You can continue executing the original test scenarios for functional testing as normal.
- Add the Burp Suite tools to the copied test scenarios, then execute them as security tests.
- As the application changes, update only the functional test scenarios. Whenever you are ready to run the corresponding security test scenarios, repeat the above process of copying from the latest set of functional tests and then configuring the copy for security testing.
...
- Attach a Burp Suite Analysis tool as an output tool to every Browser Playback tool or test client (for example, SOAP Client, REST Client, EDI Client, or Messaging Client) in the test scenario. For test clients, be sure to attach it as a Traffic Object output (see Adding Test Outputs).
Tip: Adding Multiple Outputs. The fastest way to add outputs to all tools in a test scenario is to right-click the top node of the test scenario, choose Add Multiple Outputs, then select one of the following:
- For test clients, choose Both > Traffic Object on the left and Burp Suite Analysis Tool on the right.
- For Browser Playback tools, choose Browser Contents on the left and Burp Suite Analysis Tool on the right.
- Add one Burp Suite Reporter tool as a regular (not output) tool at any point in the scenario where you want a report generated. When this tool is executed, a Burp Suite report will be created to include the security analysis results that were reported since either the start of execution (if this was the first Burp Suite Reporter tool) or since the previous Burp Suite Reporter tool was executed.
For example, assume you have a .tst with three test scenarios. If you wanted one report with the security analysis results for all three test scenarios, you would add one Burp Suite Reporter tool at the end of the third test scenario. However, if you wanted a separate report for each test scenario, you would add one Burp Suite Reporter tool at the end of each test scenario, for a total of three Burp Suite Reporter tools.
If you want to generate a single report after running all the .tsts in a given project or directory, you might want to create a .tst file that contains only the Burp Suite Reporter tool, and name it in such a way that it is the final .tst file that is executed (for example, “zzz_reporting.tst”, since .tst files get run in alphabetical order).
- Configure the Burp Suite Reporter tool's Report Location option to indicate where the Burp Suite HTML report should be saved. If this field is empty, the report will be saved to
[${BurpSuiteWorkingDirectory}/SOAtestBurpExtender/report_YYYY-MM-DD_HH-MM-SS.html]
Executing Tests
You can perform security testing after you've configured a test scenario for Burp Suite.
- Launch Burp Suite.
- Enter one or more URL patterns in the Target > Scope configuration page in Burp Suite to define the Target Scope; otherwise, SOAtest analysis requests will be ignored.
- Execute the SOAtest test scenarios that are configured for Burp Suite testing and reporting.
...
By default, the Burp Suite Analysis Tool expects the Burp Suite extension to expose its simple HTTP server at localhost port 9898, and Burp Suite and SOAtest are expected to be on the same machine. If you're using a different port, you need to reconfigure the host/port in both the Burp Suite extension and the Burp Suite Analysis Tool that is run within SOAtest.
Configuring the Burp Suite Extension's Port
Pass the following argument when starting up Burp Suite:
java -Dburpsuite.extension.port=<NEW_VALUE> -jar burpsuite_pro_v-1.7.03
...
soatest.exe -J-Dburpsuite.extension.port=<NEW_VALUE>
Adjusting the Timeout Settings
...
soatest.exe -J-Dburpsuite.extension.timeout=<VALUE>
The value is in minutes. A value of -1 indicates that no timeout should be applied.
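A common failure mode with this setup is that the port is changed on one side only, so the Burp Suite Analysis Tool silently talks to a port where nothing is listening. The following pre-flight script is an added example and is not part of the Parasoft package or its documentation. It assumes only the settings described above (the system.properties.classpath entry for soatestburpsuitetools.jar, the -Dburpsuite.extension.port option passed to Burp Suite, and the -J-Dburpsuite.extension.port / -J-Dburpsuite.extension.timeout options passed to soatest.exe); the file paths, port numbers and command lines embedded in it are constructed sample values.

```python
"""Pre-flight consistency check for a SOAtest + Burp Suite extension setup.

Added example, not Parasoft's code. It checks three things a practitioner
wants to know before a security run: the SOAtest tools jar is on the
classpath, Burp Suite and soatest.exe agree on the extension port, and
the timeout value (if given) is a valid integer number of minutes.
"""
import re
import shlex
import socket

DEFAULT_PORT = 9898  # documented default port of the extension's HTTP server
JAR_NAME = "soatestburpsuitetools.jar"

# Constructed sample inputs (not real files or commands from the page).
SAMPLE_SETTINGS = """\
# constructed sample SOAtest settings file
system.properties.classpath=C:/parasoft/ext/soatestburpsuitetools.jar
"""
BURP_CMD = "java -Dburpsuite.extension.port=9900 -jar burpsuite_pro.jar"
SOATEST_CMD = ("soatest.exe -J-Dburpsuite.extension.port=9898 "
               "-J-Dburpsuite.extension.timeout=-1")


def parse_properties(text):
    """Minimal Java .properties parser: key=value (or key:value) lines,
    '#' and '!' comment lines. Enough for a settings file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_classpath(cp):
    """Split a classpath on ';' or ':' while keeping Windows drive colons."""
    entries = []
    for chunk in cp.split(";"):
        if re.match(r"^[A-Za-z]:[\\/]", chunk):
            entries.append(chunk)          # Windows path: keep the drive colon
        else:
            entries.extend(chunk.split(":"))
    return [e.strip() for e in entries if e.strip()]


def classpath_has_jar(props, jar=JAR_NAME):
    """True if the SOAtest tools jar is an entry of system.properties.classpath."""
    cp = props.get("system.properties.classpath", "")
    for entry in split_classpath(cp):
        normalized = entry.replace("\\", "/")
        if normalized == jar or normalized.endswith("/" + jar):
            return True
    return False


def jvm_options(cmdline):
    """Return {name: value} for every -Dname=value or -J-Dname=value token."""
    opts = {}
    for tok in shlex.split(cmdline):
        m = re.match(r"-(?:J-)?D([^=]+)=(.*)", tok)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def extension_port(cmdline):
    """Port the given command line configures for the extension (default 9898)."""
    return int(jvm_options(cmdline).get("burpsuite.extension.port", DEFAULT_PORT))


def check_setup(settings_text, burp_cmd, soatest_cmd):
    """Return a list of problems found; an empty list means the setup is consistent."""
    problems = []
    if not classpath_has_jar(parse_properties(settings_text)):
        problems.append(f"{JAR_NAME} is not on system.properties.classpath")
    burp_port, soatest_port = extension_port(burp_cmd), extension_port(soatest_cmd)
    if burp_port != soatest_port:
        problems.append(f"port mismatch: Burp extension listens on {burp_port}, "
                        f"SOAtest will connect to {soatest_port}")
    timeout = jvm_options(soatest_cmd).get("burpsuite.extension.timeout")
    if timeout is not None and not re.fullmatch(r"-?\d+", timeout):
        problems.append(f"timeout must be an integer number of minutes, got {timeout!r}")
    return problems


def port_reachable(port, host="localhost", timeout=1.0):
    """True if something accepts TCP connections on host:port (run with Burp up)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for problem in check_setup(SAMPLE_SETTINGS, BURP_CMD, SOATEST_CMD):
        print("PROBLEM:", problem)
    port = extension_port(SOATEST_CMD)
    print(f"extension port {port} reachable on localhost:", port_reachable(port))
```

Run it with Burp Suite started so the final reachability check is meaningful; the sample command lines deliberately disagree on the port (9900 versus 9898) so the mismatch report is visible. The script only opens a TCP connection to the configured port; it does not speak the extension's protocol, which the page does not document.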
...
-J-Dburpsuite.extension.severity.filter=<SEVERITY>
The following security levels can be set:
...