Burp Suite User Forum

ASVS v4 coverage

Lea | Last updated: Feb 26, 2020 03:25PM UTC

In many ways Burp is a black box for the user. It does scan for a lot of issues, but the user does not know exactly what is scanned and how, unless one enables a lot of request logging. Now, OWASP ASVS v4 has a list of very exact requirements for Level 1, and scanning for those could be automated. Is there a statement from PortSwigger on how well Burp matches those requirements, i.e. which of those ASVS v4 L1 requirements Burp currently scans for and which it does not, and whether some non-default settings or BApps need to be enabled for coverage? The reason I'm asking is that ASVS has changed a lot between v3 and v4. For example, in many cases it's not enough to test that certain inputs are rejected; it's necessary to determine whether the rejection is done by blacklist or whitelist (ASVS v4 5.1.3 and 5.2.6, for example). This requires some specific test cases and I don't know whether Burp has those. I'd like that info so that I can focus my efforts on issues that Burp does not cover.

Uthman, PortSwigger Agent | Last updated: Feb 27, 2020 01:52PM UTC

Hi Lea, I am looking through the ASVS v4 (Level 1) and collating a spreadsheet with a full breakdown of what Burp does and does not scan for. Can you please email us on support@portswigger.net? In the meantime, you may find this link helpful too: https://portswigger.net/support/using-burp-to-test-for-the-owasp-top-ten

Lea | Last updated: Feb 27, 2020 03:58PM UTC

Thanks, I will email.

NA | Last updated: Feb 15, 2022 06:09PM UTC

Good afternoon, I saw that this was posted over 2 years ago, but I did not ever see a response. Has PortSwigger completed creating a list of ASVS Lv1 checks that Burp Suite does and does not scan for? Thanks, Rich

Uthman, PortSwigger Agent | Last updated: Feb 16, 2022 09:20AM UTC

Hi,

I emailed Lea directly with the spreadsheet I created. It is a very basic mapping and wasn't posted here because it was not created by our development team.

I can see that you've reached out via email so will send the spreadsheet to you too :).

Jacek | Last updated: Mar 16, 2022 10:58PM UTC

Can I see this sheet too?

Uthman, PortSwigger Agent | Last updated: Mar 17, 2022 06:25AM UTC

Hi Jacek,

Please email support@portswigger.net and we'll get back to you as soon as possible.

Uthman | Last updated: Mar 30, 2022 01:23PM UTC

Hi everyone, you can download the PDF with an overview of ASVS v4 coverage here: https://www.file.io/9s8U/download/9IM7RSxWU9Lc

Prashanan | Last updated: Jun 02, 2022 04:32AM UTC

Hello Uthman, The link is no longer working. Could you please provide an updated link?

Liam, PortSwigger Agent | Last updated: Jun 02, 2022 05:31AM UTC

Hi Prashanan. We've sent the file via email. Please let us know if you need any further assistance.

Subeir | Last updated: Jul 07, 2022 09:05AM UTC

Hi Liam, Can you please send me the file in email or provide a working link? Thanks.

Liam, PortSwigger Agent | Last updated: Jul 07, 2022 01:19PM UTC

Hi Subeir. Sent via email. Please let us know if you need any further assistance.

Bhanu | Last updated: Oct 12, 2022 09:20PM UTC

Hi Liam, can you please share the Excel with me as well, at bhanu.mudigonda@spglobal.com? Thanks in advance. Regards, Bhanu M

Liam, PortSwigger Agent | Last updated: Oct 13, 2022 09:16AM UTC

Sent via email, Bhanu.

Dariusz | Last updated: May 15, 2023 06:52AM UTC

Can you send me a working link or email me with ASVS v4 coverage?

Ben, PortSwigger Agent | Last updated: May 15, 2023 07:56AM UTC

Hi Dariusz, I have just responded to the email that you have also sent us about this.

Marc | Last updated: May 15, 2023 03:34PM UTC

Can you send me a working link or email me with ASVS v4 coverage? ASVS coverage is the main reason I downloaded BurpSuite. I need to be familiar with ASVS testing for my CISSP certification exam. Thanks

Ben, PortSwigger Agent | Last updated: May 16, 2023 10:11AM UTC

Hi Marc, I have followed up with you on email.

Dennis | Last updated: May 22, 2023 11:48AM UTC

Hi Ben, Could you send me a working link as well? Thanks!

Ben, PortSwigger Agent | Last updated: May 22, 2023 01:19PM UTC

Hi Dennis, I have followed up with you via email.

Gotsman | Last updated: Jul 13, 2023 09:44AM UTC

Greetings Ben. Can you share the link with me? Thanks.

Ben, PortSwigger Agent | Last updated: Jul 13, 2023 10:35AM UTC

Hi Gotsman, I have followed this up via email.

Wojciech | Last updated: Apr 16, 2024 06:49PM UTC

Hello Ben. Could you send me a link too? Thank you.

Ben, PortSwigger Agent | Last updated: Apr 17, 2024 07:38AM UTC

Hi Wojciech, I have followed up via email.
