Introducing a Burp Extension for Integration with Qualys Web Application Scanning

Qualys offers a wide array of security and compliance solutions for your organization.  All capabilities are delivered from Qualys Cloud Platform.  Visit Qualys Cloud Platform Apps to learn more.

But let’s narrow the discussion to web application security.  To have a complete webappsec program, it’s important that ALL of your web applications have some level of security testing.  Automated scans using Qualys Web Application Scanning (WAS) are perfect to meet this need given its cloud-based architecture, accuracy, and ability to scale.  However, performing manual penetration testing against your most business-critical applications is highly recommended to supplement automated scanning.  Manual analysis complements scanning by identifying security holes such as flaws in business logic or authorization that an automated scanner would be incapable of detecting.

One of the most popular tools for manual testing of web apps is Burp Suite Professional. This month Qualys introduced a Burp extension for Qualys WAS to easily import Burp-discovered issues into Qualys WAS.  With this integration, Burp issues and WAS findings can be viewed centrally, and webappsec teams can perform integrated analysis of data from manual penetration testing and automated web application scans. The combined data set may also be programmatically extracted via the Qualys API for external analysis.

Qualys Burp Extension

The Qualys WAS extension is available today in Burp’s BApp Store:

Using the extension is quite simple.  Once you’ve installed the extension and generated some Burp scanner issues (either passively or actively), go to the Target tab.  Select the issues you wish to send to WAS, right-click to open the context menu, and select “Send to Qualys WAS”.

In the example below we are sending three Burp issues to WAS:

You’ll be asked to choose your platform and enter your Qualys credentials unless you’ve already done so on the Qualys WAS tab.  Note that your Qualys user account must have API access enabled.

After providing valid credentials, a list of web applications in your WAS subscription will appear.  Select the web application for which these Burp issues apply. Using the checkboxes, you may optionally choose to purge (delete) existing Burp issues for the application in WAS or choose to close existing Burp issues in WAS that you aren’t sending.

Click the “Send to Qualys WAS” button and look for a success message.  If the operation fails, check the “Logs” section under the Qualys WAS tab in Burp for troubleshooting information.

We can see from the screenshot below that our three Burp issues were successfully imported into Qualys WAS.  You can use the filters on the left to see only the detections that you’re interested in.

Once the Burp data is stored within WAS, you can leverage the Qualys API to programmatically retrieve both WAS findings and Burp issues.  The API output data format can be either in XML or JSON. See the WAS API User Guide for details.

A More Complete Picture

To summarize, the Qualys WAS Burp extension provides a seamless method for Qualys WAS customers to push Burp scanner findings to the WAS module.  Viewing and reporting Burp issues alongside WAS findings allows you to have a more complete picture of your web application’s security posture.

In addition to web application security testing, Qualys offers a wide array of security and compliance solutions for your organization.  All capabilities are delivered from Qualys Cloud Platform.  To learn more, please visit Qualys Cloud Platform Apps.