Burp Suite User Forum


Insert Jenkins parameters / variables in Burp API POST - JSON scan definition

asdf | Last updated: Jun 05, 2020 05:55PM UTC

I'm using "Burp plugin for Jenkins" to initiate a Burp scan from Jenkins. In Jenkins, I have parameters like scan URLs, application name, scan configurations, etc. How can I use or insert these parameters in "Scan definition in JSON format" for the Burp scan plugin in Jenkins? For example, with Jenkins string parameters APP_NAME and APP_URL, how can I insert APP_NAME in the Burp API POST request inside the JSON, `{"name": APP_NAME ...`, or even APP_URL inside the JSON, `"urls": APP_URL ...`? What is the correct syntax to insert it in JSON? I have tried different syntaxes but no luck:

`$APP_NAME`, `{APP_NAME}`, `${APP_NAME}`, `"$APP_NAME"`, `'$APP_NAME'`, `"${APP_NAME}"`, `'${APP_NAME}'`, `'{APP_NAME}'`, `'APP_NAME'`, `${params.APP_NAME}`, `${env.APP_NAME}`, `%APP_NAME%`

Hannah, PortSwigger Agent | Last updated: Jun 08, 2020 10:15AM UTC

Can you clarify whether you are using Burp Suite Enterprise Edition, or Burp Suite Professional? Have you tried accessing the Burp REST API and using it to interactively build your request?

asdf | Last updated: Jun 08, 2020 02:49PM UTC

I'm using Burp Suite Enterprise Edition, and below is the workflow which makes it difficult to build POST requests for every scan.

1. I need to scan multiple apps (1000+), and all have different names and URLs.
2. These apps are on demand, i.e. their names and URLs can change, and unfortunately there is no way to build the Burp scan POST request beforehand using the Burp REST API dashboard. Plus these apps (with their name and URL) are coming into Jenkins automatically.
3. Jenkins string parameters APP_NAME and APP_URL are being set for each application name and URL respectively. And I need to insert these parameters in "Scan definition in JSON format" for the Burp scan plugin in Jenkins automatically, without copying and pasting it every time from the Burp API dashboard.

What is the point of integrating Burp in CI/CD tools if automation cannot be performed?

Hannah, PortSwigger Agent | Last updated: Jun 08, 2020 03:45PM UTC

Apologies, I only meant to suggest using the API to work out the basic structure of the requests rather than to create a new API request each time. Once you have the basic structure, you could write a simple program or script to automatically generate your API calls for your Jenkins pipeline.

asdf | Last updated: Jun 08, 2020 04:24PM UTC

Sure, I can definitely script it, but again I have to insert the variable containing the Burp scan JSON definition at "Scan definition in JSON format" for the Burp scan plugin in Jenkins. How can it be done? Is it possible for me to reach you directly and share screenshots for better understanding?

Hannah, PortSwigger Agent | Last updated: Jun 09, 2020 10:49AM UTC

Are you referring to your scan configuration in this case? You can set up your scan configuration in the Enterprise UI (Dropdown menu > Scan configuration), then select a scan configuration and click the "Download" button to download the scan configuration as a JSON file. You can then include the JSON string contained in the file as a custom scan configuration in your API call. If you are referring to the entire JSON string that is generated by the REST API to define the whole scan, then you would be best off using the interactive curl command builder to generate a template and go from there. You can email us directly at support@portswigger.net with any screenshots or additional information.
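The generator script suggested above, as an added example that is not part of the thread, PortSwigger's code, or the Jenkins plugin: Jenkins exposes string parameters to build steps as environment variables, so the script reads APP_NAME and APP_URL from the environment, validates them, and serialises the scan definition with `json.dumps` rather than pasting `$APP_NAME` into a JSON literal. That way an application name containing quotes or braces cannot break (or alter) the document. It also shows how a downloaded scan configuration file would be embedded as a JSON string. Only the `"name"` and `"urls"` keys appear in the thread; the `scan_configurations` structure, the `NamedConfiguration`/`CustomConfiguration` types and the `BURP_*` variable names are assumptions made for illustration, so check them against the interactive curl builder in your own Enterprise instance.

```python
# Added example (not PortSwigger's or the Jenkins plugin's code): build the
# Burp Enterprise scan-definition JSON from Jenkins parameters instead of
# writing "$APP_NAME" into the plugin's JSON field.
# Assumptions: "scan_configurations", "NamedConfiguration", "CustomConfiguration"
# and the BURP_* environment variable names are illustrative, not confirmed
# by the thread. Only "name" and "urls" come from the original posts.
import json
import os
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def is_scannable_url(url):
    """True only for absolute http(s) URLs with a host. Rejects javascript:,
    file: and bare hostnames so a bad parameter cannot point the scanner
    somewhere unexpected."""
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def build_scan_definition(app_name, app_urls, named_config=None, custom_config_json=None):
    """Return the scan definition as a dict; render_scan_definition() turns it
    into the JSON string to POST. Raises ValueError on missing or invalid input
    so a misconfigured job fails loudly instead of scanning the wrong target."""
    name = (app_name or "").strip()
    if not name:
        raise ValueError("APP_NAME must not be empty")
    urls = [u.strip() for u in app_urls if u and u.strip()]
    if not urls:
        raise ValueError("APP_URL must contain at least one URL")
    bad = [u for u in urls if not is_scannable_url(u)]
    if bad:
        raise ValueError(f"refusing non-http(s) scan targets: {bad}")

    definition = {"name": name, "urls": urls}
    configs = []
    if named_config:
        configs.append({"type": "NamedConfiguration", "name": named_config})
    if custom_config_json is not None:
        # A downloaded scan configuration is embedded as a JSON *string*.
        # Parse it first so an invalid file fails here, not on the Burp side.
        json.loads(custom_config_json)
        configs.append({"type": "CustomConfiguration", "config": custom_config_json})
    if configs:
        definition["scan_configurations"] = configs
    return definition


def render_scan_definition(definition):
    """json.dumps escapes quotes/braces in names and URLs, which is exactly
    what naive string substitution of $APP_NAME into a JSON literal does not do."""
    return json.dumps(definition, separators=(",", ":"))


def from_environment(environ=None):
    """Assemble the definition from Jenkins-style environment variables.
    APP_URL may hold several comma-separated URLs."""
    env = os.environ if environ is None else environ
    custom = None
    path = env.get("BURP_SCAN_CONFIG_FILE")  # assumed variable name
    if path:
        with open(path, encoding="utf-8") as fh:
            custom = fh.read()
    return build_scan_definition(
        env.get("APP_NAME", ""),
        env.get("APP_URL", "").split(","),
        named_config=env.get("BURP_NAMED_CONFIG"),  # assumed variable name
        custom_config_json=custom,
    )


if __name__ == "__main__":
    # Jenkins shell step: python3 build_scan.py > scan.json, then POST scan.json
    # with the curl command the Enterprise REST API page generates for you.
    print(render_scan_definition(from_environment()))
```

Run it from a shell step in the Jenkins job that sets APP_NAME and APP_URL, redirect the output to a file, and pass that file to the curl command produced by the REST API page; keep the API key in a Jenkins credential rather than in the job definition.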
