Reporting in Burp Suite Enterprise Edition
From time to time, you might want to report the results of a particular scan, or even report on the overall progress towards improving your security posture. Burp Suite Enterprise Edition provides several options to help you generate offline reports so that you can share scan data with other members of your organization, even if they do not have access to the application itself.
Downloading scan reports
You can download scan reports in HTML format for any scan that has either completed, or was started and subsequently failed. To download a scan report, go to the relevant scan, click the "More actions" button, and select "Download report".
You then have the following options for controlling what information is contained in the report.
You can select either a Summary or Detailed report. Both report types contain an overview of the scan details, such as the included URLs, scan configurations used, the duration of the scan, and so on. They also provide the following statistics:
- Issues by severity
- Scanned URLs and URLs with problems
- Requests made
- Network errors
Both reports also contain a list of issue types, along with the corresponding URLs where these issues were identified. Burp Scanner's confidence and estimated severity level are indicated for each issue.
The detailed report contains all of the same information as the summary report. However, it includes an additional section that provides more information about each issue. This includes a brief description of what the issue type means, as well as background information and some high-level remediation advice. There are also links to additional resources so that you can learn more about the issue type.
Regardless of whether you select a summary or detailed report, you can choose which issue severities you want to include. By default, all severities are included. However, if a large number of issues was identified, you might want to limit the report to high-severity ones, for example.
By default, issues that have been marked as false positives are excluded from scan reports. However, you can choose to include them if you want.
Automatically sending scan summary reports
As well as being able to generate scan reports on demand, you can also configure Burp Suite Enterprise Edition to automatically send scan summary reports. When creating a new site, you can add a list of email addresses to which a summary report will be sent whenever a scan finishes for that site. Alternatively, you can add recipients to an existing site from the site details page.
Note: To use this feature, your administrator must have configured the integration with your SMTP server.
Throughout Burp Suite Enterprise Edition, there are several charts that provide an overview of various metrics related to your sites and scans. Although you can view these directly in the application, you also have the option to download them as image files (in JPG format, for example). This can be useful for sharing the chart in a report or presentation.
Simply click on the three vertical dots in the upper-right corner of the chart that you want to download, then select your preferred image format.
Downloading the event log
For each scan, you can also download an event log in CSV format. From the relevant scan, go to "More actions" > "Download event log". The log contains details of basic events that occurred during the scan and can be useful for debugging purposes.