Then you might think:
“But is it possible to improve it and perhaps even customize it for our needs and demands?”
The answer to that question is yes. After all, PortSwigger allows extensions to be developed for Burp Suite, making it more versatile and unique, since you can customize it to your own style. Each extension performs a certain function and thereby meets one or more needs, whether very particular or not: for example, searching for a particular category of vulnerability, or for vulnerable components in an application. The only limit for extensions is your creativity and what you can implement.
AppSec Flow Extension
Over time, and after some analyses at Conviso, mainly in the PTaaS (Pentest as a Service) team, we identified the need to help our analysts report the vulnerabilities they identify to our customers more quickly. One of our differentiators is that our clients can monitor each of their analyses as it progresses through AppSec Flow: as soon as a vulnerability is identified, it is reported and made available to the client in the shortest possible time.
AppSec Flow is a Software as a Service (SaaS) platform created by Conviso that supports the entire security cycle in software development. It was created based on the Software Assurance Maturity Model (SAMM) – a project in the portfolio of the Open Web Application Security Project (OWASP) that defines a series of practices with the objective of improving software security.
A curiosity about AppSec Flow is that it was born to meet an internal demand at Conviso. When it was implemented, it was so successful in its purpose that we saw in it the potential to optimize the routine of other companies and decided to commercialize it.
If you want to know more about AppSec Flow, we have a detailed blog post about it.
In view of our vulnerability submission process and this internal demand, we decided to develop an extension for Burp Suite in order to reduce submission time. Information that already exists in Burp Suite does not need to be replicated manually into our platform; in other words, we remove the need for the analyst to keep using Ctrl+C and Ctrl+V on the same fields.
In this way, we use the information already available to fill in some fields automatically during the process of submitting a new vulnerability / notification, saving time and keeping the focus on what really matters: the analysis and the result delivered to the client.
The extension is available on GitHub as open source.
Through the extension it is possible to send a request from Burp Suite to AppSec Flow, automatically filling in the Method, Protocol, URI, Parameters (if any), Request and Response fields of the submission form for a new vulnerability / notification.
Likewise, when an issue occurs in more than one URI, or when more than one URI is needed to describe it better, it is possible to select those requests and send them as evidence automatically: the extension creates temporary text files containing each selected request and the server's response to it.
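As an added illustration (not the extension's own code, which lives on GitHub), here is a stand-alone Python sketch of the two steps described above: pulling the Method, Protocol, URI and Parameters out of a raw request, and bundling selected request/response pairs into temporary evidence text files. The sample request and response are constructed, and the protocol is assumed to be supplied by the caller, since a raw request line does not carry the scheme.

```python
import tempfile
from urllib.parse import urlsplit, parse_qsl

# Constructed sample pair, standing in for what Burp hands an extension.
SAMPLE_REQUEST = (
    "POST /api/login?lang=en HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "user=alice&password=s3cret"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"token\":\"abc\"}"
)


def extract_fields(raw_request: str, https: bool = True) -> dict:
    """Return the submission-form fields: method, protocol, URI and parameters.

    `https` is an assumption passed by the caller; the raw request has no scheme.
    """
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    protocol = "https" if https else "http"
    parts = urlsplit(target)
    host = parts.netloc or headers.get("host", "")  # absolute-form targets carry the host
    uri = f"{protocol}://{host}{parts.path}"
    # Query-string parameters always count; body parameters only for form-encoded bodies.
    params = [("query", k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    return {"method": method, "protocol": protocol, "uri": uri, "parameters": params}


def write_evidence(pairs, directory=None) -> list:
    """Write each selected (request, response) pair to its own temp text file; return the paths."""
    paths = []
    for index, (request, response) in enumerate(pairs, start=1):
        with tempfile.NamedTemporaryFile("w", prefix=f"evidence_{index}_", suffix=".txt",
                                         dir=directory, delete=False, encoding="utf-8") as fh:
            fh.write("=== Request ===\n" + request + "\n\n=== Response ===\n" + response)
            paths.append(fh.name)
    return paths
```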
With the points highlighted here about the extension integrated with AppSec Flow, the benefits added to the analyses are clear, since all the parties involved gain from its use. The pentest team or Red Team operation has its vulnerability submission time reduced, so it can dedicate more of itself to the identification / exploitation process; and whoever receives the final report also gains, because with a professional dedicating more time to each particularity of the application, there is a better chance of identifying findings and, consequently, higher quality in the findings identified.
We would like any team or group to use it, be it our PTaaS team at Conviso, your AppSec team and/or Red Team, and even your suppliers' teams – as there are two things that must be shared: knowledge and tools.
Article by Heitor Gouvêa and Rangel Junior