Tech

AppSec Flow Extension for Burp Suite

That PortSwigger has fantastic products, we were already aware. One of these products is the Burp Suite: a software developed to support/assist in security tests in Web applications. Given the resources that the Burp Suite makes available to us and its purpose as a tool, it is widely used in analyzes involving HTTP (S) requests, either exclusively through Web applications, or scenarios involving API’s, such as in testing mobile applications, frontends with JavaScript frameworks, among others.

Then you might think:

“But is it possible to improve it and perhaps even customize it for our needs and demands?”

The answer to that question is yes. After all, PortSwigger allows extensions to be developed for it, making it more versatile and unique, as you can customize it with your style, and each extension can perform a certain function and thereby supply one or more needs, whether they are very particular or not. For example: searching for a particular category of vulnerability, vulnerable components in an application. The limit for extensions is your creativity and what you can implement.

AppSec Flow Extension

Over time and some analyzes at Conviso, mainly in the PTaaS (Pentest As a Service) team, we identified the need to help our analysts to report the vulnerabilities identified to our customers more quickly, because one of our differentials is that our client is able to monitor each of their analyzes according to their progress through AppSec Flow, that is, as soon as a vulnerability has been identified, it will be reported and made available to the client in the shortest possible time.

AppSec Flow is a Software as a Service (SaaS) platform created by Conviso that supports the entire security cycle in software development. It was created based on the Software Assurance Maturity Model (SAMM) – a project in the portfolio of the Open Web Application Security Project (OWASP) that defines a series of practices with the objective of improving software security.

A curiosity about AppSec Flow is that it was born to supply an internal demand from Conviso. When it was implemented, it was so successful in its purpose that we saw in it the potential to optimize the routine of other companies and decided to commercialize it.

If you want to know more about AppSec Flow, we have a detailed blogpost about it.

In view of our vulnerability submission process and this internal demand, we decided to develop an extension for the Burp Suite in order to reduce the submission time, as there is information that we already have in the Burp Suite and there is no need to be replicated in any manual way for our platform, that is, we are removing the need for the analyst to use his ctrl + c and ctrl + v always in the same fields.

In this way, we use such information available for the automatic filling of some fields during the process of submitting a new vulnerability / notification, saving time and making the focus be on what really matters: the analysis and the result delivered to the client.

The extension is available on Github, as an open-source.

Resources

Through the extension it is possible to send a request from Burp Suite to AppSec Flow, automatically filling in the fields of Method, Protocol, URI, Parameters (if you have one), Request and Response of the submission form for a new vulnerability / notification:

Just as in situations where an issue happens in more than one URI, or when more than one URI is needed to describe it better, it is possible to select and send them as evidence automatically, as the application will create temporary text files containing the request and the server’s response to such previously selected requests:

Conclusion

With the points highlighted here about the extension integrated to AppSec Flow, the benefits added to the analyzes are clear, since all the parties involved gain advantages with its use, for example, the Pentest team or Red Team operation will have its time vulnerability submission reduced, making them able to dedicate themselves more to the identification / exploitation process, as well as who will receive the final report, because with a professional dedicating himself more to each particularity of the application, there is a better chance of points identification and, consequently, a higher quality in the identified points.

Subscribe and don’t miss any updates about AppSecFlow

We would like any team/group to use it, be it our PTaaS team from Conviso, your AppSec team and/or Red Team, and even your suppliers team – as there are two things that must be shared: knowledge and tools.

References

https://portswigger.net/burp

https://portswigger.net/burp/extender

https://portswigger.net/burp/documentation/desktop/tools/extender

https://portswigger.net/about

https://github.com/convisoappsec/Burp-AppSecFlow

Article By Heitor Gouvêa e Rangel Junior

About author

Articles

A team of professionals, highly connected on news, techniques and information about application security
Related posts
Application SecurityTech

Why APIs can be a high risk for companies

When we look at the development world and its evolution in the last few years, we can say that one…
Read more
Tech

Webinar: Software Security Architecture

Often underestimated by professionals inserted in the DevSecOps culture, the Security Architecture…
Read more

Deixe um comentário