Salesforce have asked me to do a BURP Scan on my managed package before I submit it to the AppExchange.
My Managed Package is built on the Force.com platform. It does perform a couple of callouts to other applications (iPad app, web app). I’m surprised that the Force.com security scanner isn’t enough, but anyway…
I have a license and was able to launch BURP. However, I have no idea how to “scan my managed package”.
Here’s what I have tried (based on tutorials mainly):
- In Spider -> Options, set the application login credentials for my package org.
- In Repeater -> Request -> Raw, set the following
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Following this, I right-clicked and selected “Add to Site Map”
- In Target -> Scope, added a Scope. Set Host/IP Range regex as ^na12$ with Port ^443$ (I have also tried na12.salesforce.com, but I realized that wouldn’t cover the “visual.force.com” pages)
At some point it did seem to be scanning Salesforce, but not my managed package; just pages like the Forgot Password page, and other system files. Salesforce themselves have been extremely unhelpful and won’t provide any further info.
I realize this isn’t a true Salesforce question, but I’m sure other developers have been asked/will be asked to do this during the submission process for AppExchange and I could do with some help.
I have some notes on using the BURP scanner to test a web service for submission to the security review – Using the Burp Suite to test a Web Service that is consumed in a Salesforce app.
The basic idea is:
- Have BURP intercept typical requests by acting as a proxy as you browse around the site. If it is Salesforce calling a web service, you will need to make the calls in a way that BURP can intercept them.
- Run the BURP scanner on the nodes or host/branch that you want to scan.
- Review the results looking for things you should correct.
- Export the BURP scanner results to printer-friendly HTML with hyperlinks to include in the security review submission.
I don’t think they want it pointed back at Salesforce. In fact, I think they explicitly say don’t do this! The security scanner is focused on scanning the components you have created within Salesforce. BURP is for scanning web services and sites that you interact with outside of Salesforce.
It should be more focused on any web services you consume and the connected web applications. BURP's strengths are in scanning the web application for possible vulnerabilities.
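As an added illustration of the first step above (not code from the question, the answer, or the linked notes): Apex callouts leave Salesforce's servers directly, so Burp never sees them; re-issuing the same request from your workstation through Burp's proxy listener puts the web service into the site map so the scanner can work on it. The listener address, the CA file name, and the sample callout (URL, headers, body) are constructed placeholders to replace with your package's real callout.

```python
"""Replay a managed package's outbound callout through Burp's proxy listener."""
import json
import ssl
import urllib.request

BURP_LISTENER = "http://127.0.0.1:8080"   # Burp's default proxy listener (assumption)
BURP_CA_PEM = "burp-ca.pem"               # Burp CA certificate exported from the proxy settings (assumption)

# Constructed sample of a callout the package makes to its connected web app.
SAMPLE_CALLOUT = {
    "method": "POST",
    "url": "https://webapp.example.com/api/v1/sync",
    "headers": {"Content-Type": "application/json", "X-Api-Key": "PLACEHOLDER"},
    "body": {"recordId": "001000000000001", "action": "sync"},
}


def build_callout(callout):
    """Turn a recorded callout description (method, url, headers, body) into a urllib Request."""
    body = callout.get("body")
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(callout["url"], data=data, method=callout["method"])
    for name, value in callout["headers"].items():
        req.add_header(name, value)
    return req


def burp_opener(listener=BURP_LISTENER, ca_pem=BURP_CA_PEM):
    """Opener that routes every HTTP and HTTPS request through Burp's listener.

    Trusting Burp's CA is what lets Burp terminate TLS and record the request;
    pass ca_pem=None to fall back to the system trust store (no interception of HTTPS).
    """
    ctx = ssl.create_default_context(cafile=ca_pem)
    proxy = urllib.request.ProxyHandler({"http": listener, "https": listener})
    return urllib.request.build_opener(proxy, urllib.request.HTTPSHandler(context=ctx))


def replay(callout, opener=None):
    """Send one callout via Burp and return (HTTP status, response body text)."""
    opener = opener or burp_opener()
    with opener.open(build_callout(callout), timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    status, text = replay(SAMPLE_CALLOUT)
    print(status, text[:200])
```

Run it once per distinct callout while Burp's proxy is on; each captured host then appears under Target -> Site map, where you can add it to scope and start the scanner on that branch.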