Thursday, October 9, 2014

Burp integrates with WebInspect

We're very pleased to announce that Burp is now integrated with the WebInspect vulnerability scanner, thanks to a new extension created by the WebInspect team. People who use both Burp and WebInspect can use this integration to share findings between the two products and make their testing workflows more efficient.

To use the integration, first install the WebInspect Connector extension from the BApp Store. Then, in the WebInspect tab, enter the API URL for your instance of WebInspect (for example: http://localhost:8083/webinspect), and click "Connect".

The UI will display the list of WebInspect scans.

To start working with a WebInspect scan, select it from the list and click "Attach to scan". A new tab will open showing the results of the scan.

You can send items from WebInspect to Burp by selecting one or multiple vulnerabilities in the WebInspect scan tab and using the context menu to perform the following actions:
  • Send to Spider
  • Send to Intruder
  • Send to Repeater
  • Create issue - this will add the vulnerability to Burp Scanner's results

Issues created in Burp's results are tagged with "[WebInspect]".

You can send items from Burp to WebInspect as follows:
  • Select one or multiple issues in the Burp Scanner results.
  • Use the context menu option "Send to WebInspect".
  • Select an open WebInspect scan.

This will create the issue in WebInspect, and will also create a crawling session based on the selected base request. Issues created in WebInspect's results are tagged with "[Burp]".

We hope that people who use both Burp and WebInspect will find the integration helpful. We plan to announce further integrations between Burp and other leading web security products in the coming months.

Wednesday, October 1, 2014

PortSwigger receives highest score in Manual Web Penetration Testing in Gartner’s Critical Capabilities for Application Security Testing report

In September 2014, Gartner released its Critical Capabilities for Application Security Testing report.

Gartner gave PortSwigger the highest score for manual web penetration testing, which is 1 of the 7 use cases in its Critical Capabilities for Application Security Testing report. This new report, which reviewed and ranked vendors according to various critical capabilities and use cases, saw PortSwigger’s product receive 4.43 out of a possible 5, the highest product score for its manual web penetration testing use case.

Dafydd Stuttard, founder of PortSwigger Web Security, said: “It is great that the Gartner report gave us the highest score for its manual web penetration testing use case. We set out to provide the best tool on the market for penetration testing, and we believe our score in this report demonstrates our achievements in this area. We will continue developing Burp Suite to ensure it offers our users cutting-edge capabilities at an affordable price point.”

He continues: “We have an ambitious roadmap for our product; users can expect to see our approach for excellence mirrored in many more product enhancements and features. Many of these will see Burp Suite develop the other critical capabilities Gartner has highlighted as key within this market.”

This latest report is designed to be used in conjunction with the Gartner Magic Quadrant for Application Security Testing, published by Joseph Feiman & Neil MacDonald on 1 July 2014, which saw PortSwigger move into the ‘Challengers’ quadrant. Together, these reports give readers in-depth insight into this important technology market.

For information about PortSwigger Web Security, or to buy or request a trial of Burp Suite, please visit

PortSwigger Web Security is a global leader in the creation of software tools for security testing of web applications. For nearly a decade, we have worked at the cutting edge of the web security industry, and our suite of tools is well established as the de facto standard toolkit used by web security professionals.

Gartner disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.