Burp community forum

Report functionality for Enterprise edition

Nicolas | Last updated: Mar 08, 2019 06:25PM UTC

Hi, It is possible or planned for the Enterprise edition a "Generate Report" functionality, like the one that is available on the Professional edition? or even a better one? it would be great if we can generate pdf reports of the performed scans, as many other tools can. Thanks in advance

PortSwigger Agent | Last updated: Mar 11, 2019 10:40AM UTC

Currently this isn't possible. What we've been advocating instead is that you create a view-only user for the report recipient. We think this is a more fluent workflow than emailing PDF reports as attachments, and enabled future features like marking issues as false positives. However, lots of people have asked to be able to generate reports so we will add this in future.

Liam, PortSwigger Agent | Last updated: May 21, 2019 09:24AM UTC

The latest release of Burp Enterprise includes an HTML Scan summary report, downloadable from the Scan results page. The report lists issues grouped by host and then issue type. For each issue the issue type, path, severity and confidence are included. There is an option to include or exclude any issues that are marked as false positive. Please let us know what, if any, additional information would be useful or is needed in this report.

Burp User | Last updated: Jul 17, 2019 11:40AM UTC

Hello, we are currently evaluating Burp Enterprise and so far we are quite happy about PortSwigger pushing an Enterprise version! Answering to your call for features, we have some suggestions regarding the reporting feature. The report might be divided into two views: - summary view, and - detailed view whereas the detailed view includes all information from the summary. The possibility to include all visible information from the web UI also in the report would be fantastic! * Summary: -- attack vector (e.g. used XSS payload) -- vulnerable parameter -- color of severity levels -- sort function for each column (e.g. severity, confidence) -- report generation with exclusion feature (e.g. without confidence column) -- machine readable export format (e.g XML, JSON) -- IP address of the scanned target (only the domain is in the report) -- General information of the scanned site (e.g. screenshot of index site and title attribute) -- Example: XSS (reflected) - /account.php - parameter accountid - <script>alert(1)</script> * Details: -- Complete coverage of the "issue" from the burp enterprise web UI (e.g. advisory information, req/resp) -- Reason for encountered "Network errors" -- inclusion feature (e.g. complete response - as the response in the issue is "snapped") Regards, Florian

Rose, PortSwigger Agent | Last updated: Jul 17, 2019 12:38PM UTC

Hi Florian Thanks for the detailed feedback. We've logged these requests in our development backlog to ensure they are considered when planning new content for the reporting feature. At this point, however, we're unable to say whether or not they will be implemented. Please let us know if you need any further assistance.

Burp User | Last updated: Jan 29, 2020 07:31PM UTC

Hi, Looking for that generated HTML report to be saved in the Burp Server or any machine automatically once the scan got completed, so that we can send the report by email. Thanks! Suresh

Liam, PortSwigger Agent | Last updated: Jan 30, 2020 09:18AM UTC

The next release will feature email reporting of scan summary reports. We're keen to capture your requirements for the following release. What would you like to see in the HTML report via email?

Ben, PortSwigger Agent | Last updated: Jan 30, 2020 10:12AM UTC

Glad to hear that this proposed feature will meet your requirements. We will update this thread when the version of Burp Enterprise implementing this feature is released.

Burp User | Last updated: Jan 30, 2020 06:34PM UTC

Thanks for your immediate response and happy to see that email reporting will be available in the coming release. Report will be for Dev team, so whatever mentioned by Florian in the previous request will be good enough. Thanks.

You need to Log in to post a reply. Or register here, for free.