Reporting in Burp Suite Enterprise Edition
Last updated: May 17, 2022
Read time: 5 Minutes
From time to time, you might want to report the results of a particular scan, or even report on the overall progress towards improving your security posture. Burp Suite Enterprise Edition provides several options to help you generate offline reports so that you can share scan data with other members of your organization, even if they do not have access to the application itself.
You can download scan reports in HTML format for any scan that has either completed, or was started and subsequently failed. To download a scan report, select the relevant scan, open the Reporting & logs tab, and then select the required report from the Report type menu.
There are two categories of report available in Burp Suite Enterprise Edition:
- Standard reports give a general overview of scan details, such as the included URLs, scan configurations used, and the duration of the scan.
- Compliance reports help to show whether a site meets a specific compliance standard or framework. We currently offer compliance reporting for the OWASP Top 10 list and the PCI DSS security compliance standard.
Downloading standard reports
Burp Suite Enterprise Edition offers two standard reports: Summary and Detailed. As well as an overview of scan details, both reports provide the following statistics:
- Issues by severity
- Scanned URLs and URLs with problems
- Requests made
- Network errors
These reports also contain a list of issue types, along with the corresponding URLs where these issues were identified. Burp Scanner's confidence and estimated severity level are indicated for each issue.
The Detailed report contains all of the same information as the Summary report. In addition, it includes a section providing more information about each issue, including a brief description of what the issue type means, background information, and some high-level remediation advice. There are also links to additional resources so that you can learn more about the issue type.
Both standard reports enable you to choose the issue severity that you want to include. By default, all severities are included. However, if a large number of issues was identified, you might want to limit the report to high-severity issues, for example.
By default, issues that have been marked as false positives are excluded from scan reports. However, you can choose to include them in standard reports if you want.
Downloading compliance reports
Burp Suite Enterprise Edition offers reporting for the OWASP Top 10 list and the PCI DSS security compliance standard. These reports use your existing scan data to generate a report that indicates whether a given site would meet compliance standards, and to highlight where work may be needed in order to meet those standards.
The following reports are available:
- The OWASP report highlights any issues found by the scan that correspond to issue categories in the OWASP Top 10.
- The PCI DSS report highlights any issues found by the scan that break the requirements set out in the PCI DSS standard.
Burp Suite Enterprise Edition's compliance reports do not guarantee compliance or non-compliance with any specific security standard.
To run a compliance report:
- Open the Scans tab and select a scan.
- Select the Reporting & logs tab to display a set of options relating to reports.
- Select OWASP Top Ten or PCI DSS from the Report Type menu.
- Click Download Report. The report is saved to your browser's default download location.
Note that you cannot specify severities to report on or choose whether to include false positives when running a compliance report. Compliance reports always include all issue severities and exclude false positives.
If the selected scan did not run all the necessary checks for the selected report type, or if the scan was run before support for compliance reporting was introduced, then a warning message is displayed. You can still download the report in these cases, but you should be aware that the results may not fully reflect your security posture. Any compliance reports generated from incompatible scans display a warning at the top of the report body.
Compliance report contents
The reports detail each category of compliance issue that the scan found an example of, including:
- The Burp Suite issue type.
- The URL at which the issue was found.
- The severity of the issue.
- Scan confidence levels.
Click View to see more information about each issue, including a brief description of what the issue type means, background information, and some high-level remediation advice.
OWASP Top 10 and PCI DSS categories are "broader" than Burp Suite issue types. As such, the report may display several issue types under the same compliance category. For example, SQL Injection and PHP Code Injection are two separate issue types within Burp Suite. However, in the 2021 OWASP Top 10 they both fall under the category of "A03:2021 - Injection".
The PCI DSS report also contains a typical Common Vulnerability Scoring System (CVSS) score for each issue found. CVSS scores are intended to give a standardized indication of the severity of a vulnerability.
Note that the CVSS score provided in the report is an example score based on the type of issue found, and is provided for information purposes only. The system does not take any details of the specific issue into account when displaying a CVSS score.
The reports display details of any issues found by the scan that do not correspond to a category in the relevant compliance standard. These issues are referred to as "uncategorized" issues, and are detailed in the Uncategorized section at the bottom of the report. The information displayed for uncategorized issues is the same as that displayed for categorized ones.
Viewing scan details
The Scan Details section at the bottom of the report lists information about the scan itself, including the time of the scan, its duration, and a full list of all checks that were run.
Automatically sending scan summary reports
As well as being able to generate scan reports on demand, you can also configure Burp Suite Enterprise Edition to automatically send scan summary reports. When creating a new site, you can add a list of email addresses to which a summary report will be sent whenever a scan finishes for that site. Alternatively, you can add recipients to an existing site from the site details page.
To use this feature, your administrator must have configured a connection to an SMTP server.
Downloading charts
Throughout Burp Suite Enterprise Edition, there are several charts that provide an overview of various metrics related to your sites and scans. Although you can view these directly in the application, you also have the option to download them in either JPG format. This can be useful for sharing the chart in a report or presentation, for example.
Simply click on the three vertical dots in the upper-right corner of the chart that you want to download, then select your preferred image format.
Downloading the event log
For each scan, you can also download an event log in CSV format. From the relevant scan, go to the Reporting & logs tab and then click Download event log. This contains details of basic events that occurred during the scan and can be useful for debugging purposes.