In this section:
The Parasoft Burp Suite Extensions package enables you to perform security and penetration testing against APIs and browser-based web applications using SOAtest test scenarios with the Burp Suite web application security assessment tool. The package contains a "Burp Extender" that is installed into Burp Suite, as well as two tools that are used within SOAtest:
The SOAtest tools are packaged into the soatestburpsuitetools.jar file, which can be installed from the UI or command line.
Add the soatestburpsuitetools.jar file to the system.properties.classpath property in your localsettings properties file.
system.properties.classpath=<path to jar>/soatestburpsuitetools.jar
Install the Parasoft SOAtest Burp Extender (burpsuiteextender.jar) following the standard Burp Extenders installation process.
On the Burp Suite side, the Parasoft SOAtest Burp Extender extends Burp Suite with a simple HTTP server that enables Burp Suite to communicate with the SOAtest Burp Suite Analysis tools. On the SOAtest side, Burp Suite Analysis Tools are added throughout each SOAtest API/browser test scenario that you want to test with Burp Suite.
Upon execution, each test with an attached Burp Suite Analysis Tool interacts with the AUT as normal (see #1 below), then sends data to Burp Suite for security analysis (see #2 below). Burp Suite interacts with the AUT to perform its analysis.
As each test is executed, results are sent to SOAtest's Quality Tasks view (see #3 below). These results can be saved as an XML report, then uploaded to Parasoft DTP (see Connecting to Parasoft Development Testing Platform).
At any point where a Burp Suite Reporter tool is executed, a Burp Suite HTML report with advanced security details is generated (see #4 below).
Because Burp Suite analysis can impact the behavior of functional test scenarios and takes much longer to run than typical test scenarios, we strongly recommend that you maintain two difference copies of your test scenarios: one that is used for your functional test runs, and another that is used for your security test runs. Whenever you want to perform security tests on your application, make a copy of the latest version of your functional test scenarios, then add Burp Suite tools to the copy. This way, your original tests can still be used for functional testing—without any behavior or performance impact.
The general workflow for enabling this is:
Attach a Burp Suite Analysis tool attached as an output tool to every Browser Playback tool or test client (e.g., SOAP Client, REST Client, EDI Client, or Messaging Client) in the test scenario. For test clients, be sure to attach it as a Traffic Object output (see Adding Test Outputs).
The fastest way to add outputs to all tools in a test scenario is to right-click the top node of the test scenario, choose Add Multiple Outputs, then select one of the following:
You can perform security testing after you've configured a test scenario for Burp Suite.
When test execution completes, the associated Burp Suite report(s) will be saved in the specified report directory.
The SOAtest quality tasks view, and any reports generated from SOAtest, may show more issues than the report generated directly from Burp Suite using the Reporter tool shows. This is because SOAtest shows an unfiltered list of issues found, some of which may be duplicates. Burp Suite, however, only shows issues that it considers unique, while combining issues it considers to be duplicates.
By default, the Burp Suite Analysis Tool expects the Burp Suite extension to expose its simple HTTP server at localhost port 9898—and Burp Suite and SOAtest are expected to be on the same machine. If you're using a different port, you need to reconfigure the host/port in both the Burp Suite extension as well as the Burp Suite Analysis Tool that is run within SOAtest.
Pass the following argument when starting up Burp Suite:
java -Dburpsuite.extension.port=<new value> -jar burpsuite_pro_v-1.7.03
Pass the following argument when starting up SOAtest:
soatest.exe -J-Dburpsuite.extension.port=<new value>
In an automation scenario, you might need to configure the timeout settings to handle cases where Burp Suite takes a long time to complete analysis or becomes unresponsive. This will allow your SOAtest test scenarios to continue even if Burp Suite has not completed its analysis. If you do not configure the timeout, no timeout is set and the Burp Suite Analysis Tool will not finish until it receives all results from Burp Suite.
Pass the following argument when starting up SOAtest to configure a timeout:
The value is in minutes. A value of
-1 indicates that no timeout should be applied.
By default, the log level for both Burp Suite tools is warn. If you prefer a higher or lower level of details logged to the console and the Event Monitoring view, you can adjust the tool's Log Level setting.
You can configure the minimum severity level reported by the Burp Suite analysis tool. By default, the minimum severity level reported is low. As a result, all low, medium, and high violations are reported. You can change the default by passing the following argument when starting SOAtest:
The following security levels can be set:
Configuring a higher-level severity means that less severe errors will be ignored. The severity level is not case sensitive.
This extension includes items that have been sourced from third parties as outlined below.
Additional license details are available in this plugin's licenses folder.