appdefensealliance / ASA-WG


ADA Approved Scan Configuration #24

Closed johntidwell1 closed 3 months ago

johntidwell1 commented 3 months ago

Overview: Several test procedures require that the lab "Execute authenticated Burp Suite scan on the target application using the ADA scan configuration."

Action: Upload the Burp configuration into the repository for the Burp vulnerabilities identified in the test plan.

mikewhiteman commented 3 months ago

@johntidwell1 Do you mind also confirming what scan evidence we can collect for self-submitted scan results? Meaning, outside of the test results themselves, is there a way to export scan logs we can use for evidence?

johntidwell1 commented 3 months ago

@mikewhiteman With Burp Professional, in order to get access to the scan configuration details for audit on a particular audit scan run, the org would need to save the Burp project file and share it. This would show a strong connection between the results and the config used. This file, however, would contain all details associated with requests/responses for issues found (and also non-issue-relevant requests), which some orgs may not want to share with us.

The generated reports through Burp Professional (example: https://portswigger.net/burp/samplereport/burpscannersamplereport) do not show the scan configuration used to obtain the results.

If the org had Burp Enterprise, however, the details would be available (https://portswigger.net/burp/documentation/enterprise/user-guide/reference/reports).
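One way a lab can tie a Burp Professional scan to the committed configuration without handing over the whole project file is to drive the scan through Burp Pro's REST API and record a hash of the exact config bytes together with the task id. The following is an added example, not code from the ADA-WG repository or from PortSwigger: it assumes the REST API is enabled on the default listener at http://127.0.0.1:1337, and that the request fields used (`urls`, `scan_configurations` with type `CustomConfiguration`, `application_logins` with type `UsernameAndPasswordLogin`, task id returned in the `Location` header) match the API definition your Burp instance serves at `/v0.1/`; confirm those against your version before relying on it. The sample configuration, target URL and credentials are constructed placeholders.

```python
"""Added example (not part of the ADA-WG issue or repository): launch a Burp
Suite Professional scan from a committed scan configuration via the REST API,
and emit an evidence record that binds the scan task to a SHA-256 of that
configuration.

Assumptions: REST API enabled at BURP_API; request/response shape as described
in the lead-in (verify against /v0.1/ on your Burp instance).
"""
import hashlib
import json
import urllib.request
from datetime import datetime, timezone

BURP_API = "http://127.0.0.1:1337"  # assumed default Burp Pro REST API listener

# Constructed stand-in for the ADA scan configuration file; the real file is
# whatever the repository ends up holding. Keys here are illustrative only.
SAMPLE_CONFIG = json.dumps(
    {"scanner": {"audit_optimization": {"scan_speed": "thorough"}}},
    sort_keys=True,
)


def config_fingerprint(config_text: str) -> str:
    """SHA-256 over the raw config bytes (not a re-serialized copy), so the
    value matches `sha256sum` run on the committed file."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def build_scan_request(config_text: str, target_url: str,
                       username: str, password: str) -> dict:
    """Assemble the POST /v0.1/scan body.

    The custom configuration is passed as a JSON *string* in `config` (assumed
    API shape), so the file contents go through verbatim and the hash recorded
    by evidence_record() is the hash of exactly what Burp received."""
    json.loads(config_text)  # fail early on a corrupted/truncated config file
    return {
        "urls": [target_url],
        "scan_configurations": [
            {"type": "CustomConfiguration", "config": config_text}
        ],
        "application_logins": [
            {"type": "UsernameAndPasswordLogin",
             "username": username, "password": password}
        ],
    }


def evidence_record(task_id: str, target_url: str, config_text: str) -> dict:
    """Minimal evidence line linking a scan task to the config that drove it."""
    return {
        "task_id": task_id,
        "target": target_url,
        "config_sha256": config_fingerprint(config_text),
        "started_utc": datetime.now(timezone.utc).isoformat(),
    }


def launch_scan(body: dict, api_base: str = BURP_API) -> str:
    """Submit the scan; Burp is assumed to answer 201 with the task id in the
    Location header. Requires a running Burp Pro with the REST API enabled."""
    req = urllib.request.Request(
        f"{api_base}/v0.1/scan",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Location"]


if __name__ == "__main__":
    target = "https://app.example.test"  # constructed placeholder target
    body = build_scan_request(SAMPLE_CONFIG, target, "lab-user", "lab-password")
    task = launch_scan(body)  # network call; needs a live Burp Pro instance
    print(json.dumps(evidence_record(task, target, SAMPLE_CONFIG)))
```

The evidence record plus the committed config file (whose `sha256sum` must equal `config_sha256`) and the exported Burp report give an auditor a verifiable link between results and configuration, without the full request/response history that a shared project file would expose.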