As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
BURP Plugin
You will learn
How to install and run the ThreadFix Plugin for Burp Suite.
Prerequisites
Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: Burp Suite Application, Burp Suite Plugin
Burp Suite Application and Plugin Downloads
Download the latest build of Burp Suite application from Burp Suite - Application Security Testing Software
Install and launch the Burp Suite application.
In ThreadFix, click the Help icon and select Download Tools.
Download the Burp Plugin from the Download Tools page in ThreadFix.
Install ThreadFix Plugin
From the Extender tab, within the Extensions sub-tab click the Add button.
From the Load Burp Extensions modal, in the Extension file (.jar) field, select the threadfix-release-2-burp.jar file downloaded from the ThreadFix Download Tools page.
A new ThreadFix Main tab will be presented with three buttons:
Import Endpoints From Source
Import Endpoints From ThreadFix
Export Scan
Import Endpoints
Please ensure that the following are set up correctly in ThreadFix before continuing.
A Team with an Application is set up
The Application is linked to its source code
An API key has been created and is accessible
From the ThreadFix Main tab click the desired 'Import Endpoints...' button.
Import Endpoints From Source
Import Endpoints From ThreadFix
From the ThreadFix Options tab, enter the ThreadFix URL & API Key, the ThreadFix application from which to get endpoints, and the Target URL.
Add "/rest/latest" to the end of the ThreadFix URL in order for Burp to connect using the latest version of the API.
If running ThreadFix over HTTPS, it may be necessary to import the ThreadFix server's certificate into Burp's trust store (<burp-install>/jre/lib/security).
Then, from the ThreadFix Main tab, click Import Endpoints From ThreadFix.
Run Spider
Burp will import endpoints from the source code.
Begin the spider by choosing Spider from the Target tab.
Burp will then begin scanning and will show its progress.
Once the scan is complete, this scan can be exported to ThreadFix.
Export Scan
Select the ThreadFix Main tab and click the Export Scan button.
Enter the correct URL and API key.
Choose the application for which to export a scan to ThreadFix.
A message will display informing you that the export succeeded.
Check ThreadFix to verify that the scan was uploaded.
Import ThreadFix Server Certificate
Burp comes packaged with its own JRE, which is used when running the .exe launcher. Users who need to import the ThreadFix server's certificate in order to connect to it should import it into <Burp Install>/jre/lib/security/cacerts.
Example command:
keytool -importcert -file /path/to/mythreadfix.cer -keystore /<burp path>/jre/lib/security/cacerts -alias tfcert
Note that the ThreadFix certificate should have a SubjectAlternativeName, or there may be trouble establishing a connection. It should at least contain the server's DNS name, plus its IP address as a backup.
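An added example, not part of the ThreadFix documentation, that wraps the keytool import above in a small POSIX shell script and checks for the SubjectAlternativeName the note warns about before importing. It assumes the Burp install directory is passed as the first argument, that the bundled JRE's cacerts store uses the default password changeit (override with CACERTS_PASS), and that openssl and keytool are on PATH.

```shell
#!/bin/sh
# Added example: import the ThreadFix server certificate into the JRE bundled
# with Burp Suite, with the SAN check the docs recommend.
# Assumptions (not from the page): Burp install dir is $1, cacerts uses the
# default password "changeit" unless CACERTS_PASS is set, openssl and keytool
# are on PATH.
set -eu

# Trust store path inside the bundled JRE: <Burp Install>/jre/lib/security/cacerts
burp_cacerts_path() {
    printf '%s/jre/lib/security/cacerts\n' "${1%/}"
}

# 0 if the certificate carries a SubjectAlternativeName extension, else 1.
# The docs warn that a cert without one may fail to establish a connection.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Subject Alternative Name'
}

# Import $2 into the Burp trust store under alias $3 (default tfcert); idempotent.
import_threadfix_cert() {
    burp_dir=$1; cert=$2; alias=${3:-tfcert}; pass=${CACERTS_PASS:-changeit}
    store=$(burp_cacerts_path "$burp_dir")
    if [ ! -f "$store" ]; then
        echo "error: no cacerts at $store (is $burp_dir the Burp install dir?)" >&2
        return 1
    fi
    if [ ! -f "$cert" ]; then
        echo "error: certificate file $cert not found" >&2
        return 1
    fi
    if ! cert_has_san "$cert"; then
        echo "warning: $cert has no SubjectAlternativeName; reissue it with the server DNS name (and IP)" >&2
    fi
    # Skip the import when the alias is already present in the store.
    if keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
        echo "alias $alias already in $store; nothing to do"
        return 0
    fi
    keytool -importcert -noprompt -file "$cert" -keystore "$store" \
        -storepass "$pass" -alias "$alias"
    echo "imported $cert into $store as $alias; restart Burp to pick it up"
}

# Usage: ./import_tf_cert.sh <burp install dir> /path/to/mythreadfix.cer [alias]
if [ "$#" -ge 2 ]; then
    import_threadfix_cert "$@"
fi
```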
Copyright © 2024 Coalfire. All rights reserved.