Burp Suite User Forum

[Burp Enterprise] Configure scan_callback from the web UI

Javier | Last updated: Nov 21, 2019 08:36AM UTC

Hi, We would find useful being able to set the scan_callback property allowed by the API when manually configuring scans from the web UI. Is it possible / is it on the roadmap? Thanks, Javi

Michelle, PortSwigger Agent | Last updated: Nov 21, 2019 08:38AM UTC

Can I just check we’re understanding your request properly so we can discuss this with the Enterprise team? Are you wanting to know if there are plans to include additional options on the New Scan web page ( to configure call-back server settings or are you referring to the options available within the REST API web page? Under the REST API web page configurations such as these can be created, is this the kind of thing you need? { "urls":["http://test.example.com:81/static/oneissue.html"], "scan_type":"crawl_and_audit", "scope": {"type":"SimpleScope","include":[],"exclude":[]}, "application_logins":[], "scan_configurations":[ {name: "Add all links to site map", "type": "NamedConfiguration"}, {name: "Audit coverage - thorough", "type": "NamedConfiguration"} ], "scan_callback":{"url":"http://localhost:9999/mycallback"} } The callback endpoint also needs to be configured to accept PUT.

Burp User | Last updated: Nov 21, 2019 12:33PM UTC

Hi, Hi, My use case would be creating recurring scans which have a scan_callback. Using the web UI, I can create recurring scans, but I cannot set a scan_callback. Using the API, I can create scans which have a scan_callback, but I cannot set them to repeat every often (as fas as I have understood the documentation). I would find useful if I could do both things (configure recurrence and scan_callback) from either the web UI or the API. Please let me know if it is still not clear. Thanks!

Michelle, PortSwigger Agent | Last updated: Nov 21, 2019 01:26PM UTC

This functionality isn't available yet, but there is a possible workaround. We could trigger the Jenkins Plugin with a callback every two minutes using a Jenkins Job with a CRON based build trigger. We used wiremock standalone as the callback endpoint (running on http://localhost:9999) and a scan configuration in the Jenkins plugin as shown below. JENKINS PERIODIC BUILD TRIGGER: */2 * * * * SCAN CONFIGURATION: { "scope": {"type":"SimpleScope","include":[],"exclude":[]}, "application_logins":[], "scan_configurations":[ {name: "Add all links to site map", "type": "NamedConfiguration"}, {name: "Audit coverage - thorough", "type": "NamedConfiguration"} ], "scan_callback":{"url":"http://localhost:9999/callback"} } Please let us know if this would be useful for you as an immediate option.

Michelle, PortSwigger Agent | Last updated: Nov 21, 2019 04:39PM UTC

Hi We’ve added a feature request for the ability to schedule scans via the API. Another suggestion that may be easier to set up as a work-around in the meantime is to write a script that schedules your curl command.

Burp User | Last updated: Nov 22, 2019 10:04AM UTC

I'm not sure I understood how would that work. Let me rephrase how we'd like our workflow to be: - We would configure sites and scans using the web UI. Those scans should run automatically once a month, so the recurrence option comes handy. - We use a custom system to do vulnerability management. It has an API, so we can dump the results from vulnerability scanners there We were exploring our options with BE, and the callback seemed to be exactly what we needed: we could just receive vulnerabilities as they were found and then send them to our vuln management platform using our code. I've been reviewing the CI plugins docs, but they are not very detailed. If this kind of workflow is possible using any of them, it would also be fine. Thanks!

Burp User | Last updated: Nov 26, 2019 09:31AM UTC

Hi, We appreciate it. If you could request the ability to configure callbacks in the web UI, it would be awesome. Thanks!

You need to Log in to post a reply. Or register here, for free.