Burp Suite User Forum


Import Burp Professional scan into Burp Enterprise

Justin | Last updated: Jan 26, 2021 04:26PM UTC

I would like to be able to import a Burp scan (Pro) into Enterprise, to use the tracking metrics and reporting features of Enterprise. Is this possible already?

Ben, PortSwigger Agent | Last updated: Jan 27, 2021 10:13AM UTC

Hi Justin, This is currently not possible. Can you clarify what you mean by tracking metrics and what reporting features currently in Enterprise you would like to take advantage of?

Justin | Last updated: Jan 27, 2021 07:39PM UTC

Currently Burp Suite Pro is a one-off, or you do one scan and you get one report; and Burp Suite Enterprise is historical, you scan the same site multiple times, and it tracks the FPs, mitigations, regressions, and the like. I would like to be able to combine our scans that happen manually (PRO) with the ones that are created automatically (Enterprise), so that we can have all of our scans in one historical view.

Ben, PortSwigger Agent | Last updated: Jan 28, 2021 12:09PM UTC

Hi Justin, Thank you for the clarification. Is the reason for performing manual work in Professional due to issues with the coverage provided by the automated scanner or for another reason?

Justin | Last updated: Jan 28, 2021 04:42PM UTC

Short answer, YES. The automated scanner is limited in its ability to log in to SSO websites using the Navigation Recorder, since the Navigation Recorder can't be manually tested like Selenium. We have paid for the Enterprise version of Burp and are not able to utilize it as we expected. So to continue with Enterprise (which has a lot of features that we like), I am trying to find a half step to give us benefits of Enterprise while still having to do the manual efforts of PRO.

Michelle, PortSwigger Agent | Last updated: Jan 29, 2021 05:00PM UTC

Hi Justin,

Thanks for the update. I hope you don't mind me checking some details, but from reading through all the posts it sounds like there could be a couple of things that are worth us running past the wider team and the developers, so I want to be sure I've understood everything correctly and present your use case properly.

As I understand it, you have a number of scans that you're performing in Pro currently because the automated Scanner isn't handling the SSO well and so you're needing to manually crawl the site, and you'd like to be able to tie the results from these into Enterprise so you can compare results from scans over time.

- Are you picturing importing the results from the manual crawl and subsequent audit from Pro or importing the details that have been manually crawled in Pro and then asking Enterprise to perform the audit?
- When you test using Pro are you using Selenium with all the sites where you can't scan using Enterprise?
- What kind of issues were you encountering with SSO when using recorded login sequences?

(If any of this is information you would rather share directly rather than on the forum, please feel free to send it to support@portswigger.net)

Justin | Last updated: Jan 30, 2021 12:53AM UTC

Q- Are you picturing importing the results from the manual crawl and subsequent audit from Pro or importing the details that have been manually crawled in Pro and then asking Enterprise to perform the audit?

A- Initially I was only thinking about the first option, a full crawl and audit from PRO imported into Enterprise. The second is a good option for moving forward but would leave out having historical scans on the Home Page metrics.

Q- When you test using Pro are you using Selenium with all the sites where you can't scan using Enterprise?

A- No, we're running scans in Pro. I am manually logging in and prepopulating the target with URLs. I then select the domains manually, adding the right ones to the scope, and then start the scan process. However, I have done browser automation scripting with Selenium that is very slick and easy to troubleshoot.

Q- What kind of issues were you encountering with SSO when using recorded login sequences?

A- Very limited results from the scanner. It may log in okay... not really sure. Mainly the problem is that the scan results aren't matching up with PRO. Seems like we aren't getting nearly the number of URLs scanned like PRO does.

Ben, PortSwigger Agent | Last updated: Feb 02, 2021 08:16AM UTC

Hi Justin, Thank you again for the clarification. We have had a few users request the ability to import populated site maps from Professional into Enterprise with a view to being able to perform an audit-only scan of the generated requests, so we already have this feature noted in our development system. I can, potentially, refine this feature request and add your request to be able to import all of the associated information into Enterprise. The scanner component (and recorded login functionality) are shared between the Professional and Enterprise editions so, all things being equal, you should see the same results between the two editions.

Justin | Last updated: Feb 08, 2021 02:30PM UTC

Ben, It would make sense as an upgrade path to be able to import historical scans from Burp Pro, to be seen on the home page tab. Then moving forward to take the scan info from those historical scans and create a site that Burp Enterprise can use to create new scans. Your low-hanging fruit for new clients in Enterprise is your current user base in Professional. Making the path from Professional to Enterprise an easy transition would be my top priority.

Ben, PortSwigger Agent | Last updated: Feb 09, 2021 04:04PM UTC

Hi Justin, Ultimately we see Professional and Enterprise as two entirely separate products designed specifically for different types of users (there is, for example, no upgrade path between the two editions). Having said that, we appreciate your feedback and I will pass it on to the relevant people within PortSwigger.
