Burp Suite User Forum


How to map or generate Burp Suite results with OWASP Top 10 and WASC (Web Application Security Consortium)

Krishnamoorthy | Last updated: Apr 24, 2020 10:11AM UTC

We have one requirement of how to map or generate a Burp Suite report with the below items:
1. OWASP Top 10
2. WASC (Web Application Security Consortium)
3. Common Weakness Enumeration – Top 25 Software Errors guide

Uthman, PortSwigger Agent | Last updated: Apr 24, 2020 10:39AM UTC

Hi Krishna, Please refer to my latest email. The generated report is based on the findings of the scanner (i.e. the list of vulnerabilities it has found based on: https://portswigger.net/kb/issues). We do not map this against any security standard (e.g. OWASP top 10, WASC, CVSS scores, ASVS). If you review the latest OWASP top 10, you can see that the scanner does take into account the majority of the issues reported. You may find this article helpful on using Burp to test for the OWASP top 10: https://portswigger.net/support/using-burp-to-test-for-the-owasp-top-ten. I appreciate it is slightly out of date but does cover the majority of the current top 10. All the issue definitions used by the scanner have vulnerability classifications and links to the appropriate CWE resource. E.g. https://portswigger.net/kb/issues/00100280_asp-net-tracing-enabled makes note of CWE-10: ASP.NET Environment Issues and CWE-11: ASP.NET Misconfiguration: Creating Debug Binary. If you would like me to raise a feature request to add compliance reporting against the OWASP top 10 or WASC, please let me know.
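Since the reply above notes that Burp's issue definitions carry CWE classifications but the report itself is not mapped to any standard, the gap can be closed outside Burp by post-processing the XML export. The script below is an added example, not code from PortSwigger or from the thread. It assumes the tag layout of Burp's XML issue export (`issue`, `type`, `name`, `severity`, `path`, `vulnerabilityClassifications` holding the CWE links) and uses a constructed three-issue report, one of which reuses the ASP.NET tracing entry cited above. The CWE-to-OWASP-category table is a deliberately partial sample: the full mapping must be taken from the CWE lists OWASP publishes for each Top 10 category, and anything not in the table is reported as unmapped rather than silently dropped.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modelled on Burp Suite's XML issue export. Tag names are
# assumed from that format; the CWE entries mirror the KB pages for each issue.
# <type> is the decimal issue id; the KB URL uses the same id as 8-digit hex.
SAMPLE_REPORT = """<issues burpVersion="constructed" exportTime="constructed">
  <issue>
    <serialNumber>1</serialNumber>
    <type>1049216</type>
    <name>ASP.NET tracing enabled</name>
    <host ip="127.0.0.1">http://example.test</host>
    <path>/trace.axd</path>
    <severity>High</severity>
    <confidence>Certain</confidence>
    <vulnerabilityClassifications><![CDATA[<ul>
<li><a href="https://cwe.mitre.org/data/definitions/10.html">CWE-10: ASP.NET Environment Issues</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/11.html">CWE-11: ASP.NET Misconfiguration: Creating Debug Binary</a></li>
</ul>]]></vulnerabilityClassifications>
  </issue>
  <issue>
    <serialNumber>2</serialNumber>
    <type>2097920</type>
    <name>Cross-site scripting (reflected)</name>
    <host ip="127.0.0.1">http://example.test</host>
    <path>/search</path>
    <severity>High</severity>
    <confidence>Firm</confidence>
    <vulnerabilityClassifications><![CDATA[<ul>
<li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or Escaping of Output</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize Special Element</a></li>
</ul>]]></vulnerabilityClassifications>
  </issue>
  <issue>
    <serialNumber>3</serialNumber>
    <type>16777728</type>
    <name>Strict transport security not enforced</name>
    <host ip="127.0.0.1">http://example.test</host>
    <path>/</path>
    <severity>Low</severity>
    <confidence>Certain</confidence>
    <vulnerabilityClassifications><![CDATA[<ul>
<li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of Credentials</a></li>
</ul>]]></vulnerabilityClassifications>
  </issue>
</issues>
"""

CWE_RE = re.compile(r"CWE-(\d+)")

# Partial, illustrative CWE -> OWASP Top 10 (2021) table. Replace with the full
# CWE lists OWASP publishes per category; only these two entries are filled in.
OWASP_TOP10_BY_CWE = {
    "79": "A03:2021 Injection",
    "11": "A05:2021 Security Misconfiguration",
}

UNMAPPED = "Unmapped (no CWE in mapping table)"


def parse_burp_issues(xml_text):
    """Return one dict per <issue>: name, severity, path, KB id and CWE ids."""
    root = ET.fromstring(xml_text)
    issues = []
    for node in root.iter("issue"):
        type_id = int(node.findtext("type", "0"))
        classifications = node.findtext("vulnerabilityClassifications") or ""
        # CWE ids are only present inside the HTML of the classification links
        cwes = sorted(set(CWE_RE.findall(classifications)), key=int)
        issues.append({
            "name": node.findtext("name", ""),
            "severity": node.findtext("severity", ""),
            "path": node.findtext("path", ""),
            "kb_id": f"{type_id:08x}",  # id used in portswigger.net/kb/issues URLs
            "cwes": cwes,
        })
    return issues


def group_by_owasp(issues, mapping=OWASP_TOP10_BY_CWE):
    """Group issue names by Top 10 category through their CWE ids.

    An issue lands in every category any of its CWEs maps to; an issue whose
    CWEs are all absent from the table is listed under UNMAPPED so that gaps in
    the mapping are visible in the report instead of disappearing.
    """
    groups = defaultdict(list)
    for issue in issues:
        categories = {mapping[c] for c in issue["cwes"] if c in mapping}
        for cat in categories or {UNMAPPED}:
            groups[cat].append(issue["name"])
    return dict(groups)


def render(groups):
    """Plain-text section per category, suitable for pasting into a report."""
    lines = []
    for cat in sorted(groups):
        lines.append(cat)
        lines.extend(f"  - {name}" for name in groups[cat])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(group_by_owasp(parse_burp_issues(SAMPLE_REPORT))))
```

To run it against a real export, replace `SAMPLE_REPORT` with the contents of a file saved via Burp's "Report issues" dialog in XML format; the hex `kb_id` lets each row be cross-checked against the corresponding `portswigger.net/kb/issues` page before the mapping is trusted.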

ARPIT | Last updated: Mar 02, 2022 10:12AM UTC

Hi, does Burp Suite now support compliance reporting against the OWASP Top 10? Regards, Arpit Lahoti

Uthman, PortSwigger Agent | Last updated: Mar 03, 2022 09:48AM UTC
