Enabling CORS in Burp Suite Enterprise Edition
Last updated: January 19, 2022
Read time: 3 Minutes
Even if you're integrating Burp Suite Enterprise Edition with your CI/CD system using our native plugins, you will still need to whitelist your Jenkins or TeamCity URL in order to use the "Burp site-driven scan" option.
How to whitelist an application for CORS in Burp Suite Enterprise Edition
You can whitelist an application for CORS from the Burp Suite Enterprise Edition network settings page.
- Log in to Burp Suite Enterprise Edition as an administrator.
- From the settings menu, go to the "Network" page.
In the "Allowed Origins for GraphQL API" section, enter the origin on which the other application is running. Note that this should include URL scheme, domain name, and port. You can whitelist as many origins as you want, each separated by a new line. For example:
- Double-check your entries and click "Save".
Test your external application to make sure that it now works as expected. If you still run into CORS-related issues, examine the
Originheader of the associated request and compare this to the URLs that you have in the whitelist. There should be no discrepancies.
The origin of incoming requests refers only to the URL scheme, domain name, and port. In other words, you can whitelist all cross-origin requests from
https://example.com:8080 but you cannot restrict this to specific subdirectories such as
https://example.com:8080/my-app. For more granular control, you need to deploy your application to a dedicated subdomain:
Why do I need to do this?
The same-origin policy aims to prevent scripts running on one website from accessing and interacting with data on another website. This is an important security mechanism. If we didn't enforce the same-origin policy, arbitrary external websites would potentially be able to access sensitive data from your Enterprise server.
Origin header in the corresponding HTTP request matches an origin that you have explicitly whitelisted.
For more information about CORS, the same-origin policy, and the related security implications, please refer to the corresponding topic on our Web Security Academy.Cross-origin resource sharing