Integrating Burp Suite with HP WebInspect

Users of both Burp and WebInspect can use the WebInspect Connector extension from the BApp Store to integrate the two products. The extension lets HP WebInspect users transfer vulnerability details back and forth between Burp and their WebInspect instance via the WebInspect API. Users who already rely on both tools in their analysis process get a more efficient workflow.

To use the integration, follow the instructions below.

First, install the WebInspect Connector extension from the BApp Store.

 
It is important to ensure that the WebInspect API is running and logged in using the same credentials as the WebInspect application.

Open HP Fortify Monitor from the HP WebInspect folder (C:\ProgramFiles\HP\HP WebInspect).

The values are set the first time Fortify Monitor is run and are based on the current user.

 
Use the Fortify Monitor icon in the system tray to configure and start the WebInspect API.

 

 
Configure the API port and host, then click Start so that the API listens for connections.

Alternatively, click "Start Web Inspect API" from the system tray menu.

 
The credentials can also be configured manually.

Open the services manager on your system.

 
Find the "WebInspect API" service and double-click it to open the "WebInspect API Properties" window.

 
Go to the "Log On" tab and ensure that the credentials match those used by the WebInspect application (in this example, ".\user").

 
You can visit the API in your browser to check that it is running (for example: http://localhost:8083/webinspect).
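
The same checks can be scripted. The PowerShell below is an added example, not part of the original page or of the extension: it confirms that the "WebInspect API" service is running, that its Log On account matches the expected user, and that the URL answers. It assumes the service display name and URL shown on this page and that the expected account is the user running the script; `Resolve-AccountName` is a hypothetical helper.

```powershell
# Added example: check the WebInspect API service account and endpoint.
# Assumptions: the service display name and URL are the ones shown on this
# page; -ExpectedAccount defaults to the user running this script.
param(
    [string]$ServiceDisplayName = 'WebInspect API',
    [string]$ApiUrl             = 'http://localhost:8083/webinspect',
    [string]$ExpectedAccount    = "$env:USERDOMAIN\$env:USERNAME"
)

function Resolve-AccountName {
    param([string]$Name)
    # The Log On tab shows local accounts as ".\user"; expand that shorthand
    # to "COMPUTER\user" and normalise case before comparing.
    if ($Name -like '.\*') { $Name = '{0}\{1}' -f $env:COMPUTERNAME, $Name.Substring(2) }
    return $Name.ToUpperInvariant()
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) {
    Write-Error "Service '$ServiceDisplayName' was not found on this machine."
    exit 1
}

$results = [ordered]@{
    'Service running'        = ($svc.State -eq 'Running')
    'Log On account matches' = ((Resolve-AccountName $svc.StartName) -eq (Resolve-AccountName $ExpectedAccount))
    'API answers at URL'     = $false
}

try {
    $resp = Invoke-WebRequest -Uri $ApiUrl -UseBasicParsing -TimeoutSec 5
    $results['API answers at URL'] = ($resp.StatusCode -eq 200)
}
catch {
    # A refused connection means nothing is listening on that host and port;
    # an HTTP error status means the listener is up but rejected the request.
    Write-Warning "Request to $ApiUrl failed: $($_.Exception.Message)"
}

"Service account : $($svc.StartName)"
foreach ($name in $results.Keys) {
    '{0,-24}: {1}' -f $name, $(if ($results[$name]) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

Pass `-ApiUrl` and `-ExpectedAccount` if you configured a different host, port, or service account in Fortify Monitor.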

 
Return to Burp and go to the "WebInspect" tab.

Enter the appropriate details into the "Host" and "Proxy" settings.

Click the "Connect" button.

 
An updated list of scans should now be presented in the table below.

You can refresh the scans at any time using the "Refresh Scans" button.

Double-click one of the scans to bring up a specific scan tab.

 
You can send items from WebInspect to Burp by selecting one or multiple vulnerabilities in the WebInspect scan tab and using the context menu to perform the following actions:

  • Send to Spider
  • Send to Intruder
  • Send to Repeater
  • Create issue - this will add the vulnerability to Burp Target's site map.
 
Issues created in Burp's results are tagged with "[WebInspect]".

 
You can send items from Burp to WebInspect as follows:

Select one or multiple issues in the Burp Site map "Issues" section.

Right-click the issue to bring up the context menu.

Go to "Send to WebInspect".

Select an open WebInspect scan.

 
This will create the issue in WebInspect, and will also create a crawling session based on the selected base request.