BURP Plugin

This is a walkthrough of the ThreadFix Plugin for Burp Suite.

First Steps

Download the latest build of Burp Suite application from http://portswigger.net/burp/

Install and launch the application.

Download the Burp Plugin from the Download Tools page in ThreadFix.

Install ThreadFix Plugin

Go to Extender tab > Add > choose threadfix-release-2.jar

A new ThreadFix tab will be presented with three buttons:

  • ThreadFix > Main > Import Endpoints From Source
  • ThreadFix > Main > Import Endpoints From ThreadFix
  • ThreadFix > Main > Export Scan

Import Endpoints

Please ensure that the following are set up correctly in ThreadFix before continuing.

  • A Team with an Application is setup
  • The Application is linked to its source code
  • You've created an API key and it is accessible

  1. Choose the Threadfix tab, then click the desired 'Import Endpoints...' button

    1. Import Endpoints From Source

    2. Import Endpoints From ThreadFix
      1. From the ThreadFix > Options tab, enter the ThreadFix URL & API Key, the ThreadFix application from which you want to get endpoints, and the Target URL

        • You should add "/rest/latest" to the end of the ThreadFix URL in order for Burp to connect using the latest version of the API.
        • If you're running ThreadFix over HTTPS, you may need to import the ThreadFix server's certificate into Burp's trust store (<burp-install>/jre/lib/security).

      2. Then, from the ThreadFix > Main tab, click Import Endpoints From ThreadFix

Run Spider

  1. Burp will import endpoints from the source code.
  2. Begin the spider by choosing Spider from the Target tab.
  3. Burp will then begin scanning and will show its progress.

  4. Once the scan is complete you will be able to export this scan to ThreadFix.

Export Scan

  1. Select ThreadFix > Main > Export Scan
  2. Enter the correct URL and API key
  3. Choose the application for which you want to export a scan to Threadfix

  4. A pop up should be displayed informing you that the export was successful

  5. Check ThreadFix to verify that the scan was uploaded

Import ThreadFix Server Certificate

Burp comes packaged with it's own JRE, which is used when you run the exe program. If you need to import the ThreadFix server's cert in order to connect to it, import it to <Burp Install>/jre/lib/security/cacerts.

Example command:

keytool -importcert -file /path/to/mythreadfix.cer -keystore /<burp path>/jre/lib/security/cacerts -alias tfcert


Note: Your ThreadFix cert should have a SubjectAlternativeName, or you may have trouble establishing a connection.. It should have at least the server's DNS name, plus its IP as a backup.

For info on how to obtain the ThreadFix server's certificate, click here.