Our Burp Suite integration lets you import Burp scan reports, store the findings discovered by the Burp Suite scanner alongside those discovered by WAS, and share this information with multiple users. Import Burp reports to manage your Burp findings with WAS. Each report must be an XML file no more than 20MB containing detections for only one web application.
* Burp Management is not available to Express Lite users.
We recommend trying the Qualys WAS Burp extension to easily import Burp-discovered issues into WAS.
Go to Detections > Burp > Import. Choose a Burp file in XML format from your local file system and select the web application that the Burp report applies to. You can import a report that is no more than 20MB and that contains detections for one web application. You can successfully import Burp files that belong to version 1.7.24 and lower. Click Import.
Tip: We recommend the Purge option to avoid duplicate findings when importing from multiple Burp instances.
The Purge option will remove any existing Burp issues for the selected web application before importing the report. If you import from more than one instance of Burp, you may want to use the Purge option to avoid importing duplicate findings.
The Close option will close the web application's existing Burp issues that are not in the report. If you choose Close but not Purge, the closed issues will be marked as fixed.
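A pre-import check for the limits stated above (XML, no more than 20MB, one web application, Burp version 1.7.24 or lower), as an added example that is not Qualys code. It assumes the Burp XML export layout (an `issues` root with a `burpVersion` attribute and `issue` children carrying `serialNumber` and `host`), treats one distinct host as a stand-in for one web application, and uses constructed sample data.

```python
import xml.etree.ElementTree as ET

MAX_BYTES = 20 * 1024 * 1024      # page limit "20MB", read here as MiB (assumption)
MAX_BURP_VERSION = (1, 7, 24)     # page: version 1.7.24 and lower

def check_burp_report(xml_bytes):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    if len(xml_bytes) > MAX_BYTES:
        problems.append("file larger than 20MB")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != "issues":
        return problems + [f"unexpected root element <{root.tag}>"]
    version = root.get("burpVersion", "")
    try:
        if tuple(int(p) for p in version.split(".")) > MAX_BURP_VERSION:
            problems.append(f"burpVersion {version} is newer than 1.7.24")
    except ValueError:
        problems.append(f"cannot read burpVersion {version!r}")
    hosts, serials, repeats = set(), set(), set()
    for issue in root.iter("issue"):
        hosts.add((issue.findtext("host") or "").strip().lower())
        serial = (issue.findtext("serialNumber") or "").strip()
        (repeats if serial in serials else serials).add(serial)
    if len(hosts) > 1:   # one host stands in for "one web application" (assumption)
        problems.append("more than one host: " + ", ".join(sorted(hosts)))
    if repeats:          # serial numbers drive New/Active/Reopened status
        problems.append("repeated serial numbers: " + ", ".join(sorted(repeats)))
    return problems

def _issue(serial, host):
    # Constructed sample issue, not real scanner output.
    return (f"<issue><serialNumber>{serial}</serialNumber><name>Sample</name>"
            f"<host>{host}</host><severity>High</severity>"
            f"<confidence>Certain</confidence></issue>")

APP, OTHER = "https://app.example.test", "https://other.example.test"
SAMPLE_OK = (f'<issues burpVersion="1.7.24">{_issue(101, APP)}'
             f"{_issue(102, APP)}</issues>").encode()
SAMPLE_BAD = (f'<issues burpVersion="2.1">{_issue(101, APP)}'
              f"{_issue(101, OTHER)}</issues>").encode()

if __name__ == "__main__":
    for label, data in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_burp_report(data) or "passes all checks")
```

Run it on the report bytes (`open(path, "rb").read()`) before uploading; an empty list means the file meets the stated limits under the assumptions above.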
The preview pane appears under the reports list when you click anywhere in a report row. The report preview shows the name of the imported XML file, the name of the web application associated with the report, assigned tags (if any), the number of issues reported and the report size. Click the Actions menu to take actions on the report. To download the report click Download.
The issues imported with your Burp reports are displayed in the Detections list. Go to Detections > Detections List. Select Burp in the Finding Type of the Search Filter to view issues in detail, including detection dates, status and severity.
Our service checks the Burp issue serial number against existing imported issues for the web application. If the issue was not previously imported, status is set to New. Otherwise the status is set to Active or Reopened (if the issue was previously imported and fixed). The status is accurate only if a single instance of Burp is used. This is because issue serial numbers are specific to each instance of Burp.
We assign severity in WAS to a Burp issue depending on two factors: Burp Severity and Burp Confidence.
Just select View from the Quick Actions menu to see the Burp issue details. You'll have the option to ignore the issue if you want.
Hover over the issue and choose Ignore from the Quick Actions menu, or double-click the issue to display the details, then click the Ignore link in the top right corner of the details window. When you ignore an issue, you'll be prompted to give a reason: false positive, acceptable risk or not applicable. The status label is grayed out in the list and a message on the issue details page shows your reason for ignoring the issue.
The Activate action reverses the Ignore action. The status will no longer be grayed out in the list and the vulnerability will appear in web application reports.
The preview pane appears below the list when you click in a row in the issues list. The preview displays the issue severity level, the URL where the issue was detected, the web application name, vulnerability group and status, the Burp serial number, confidence and location, the dates when first detected and last detected and the number of times the issue was detected.
You might need to request permission from your account manager.
Note: Burp Management is not available to Express Lite users.
You can upload Burp log files when you create or edit a web application. After you upload, we will parse it to create requests and then crawl the web application. You can always download and view the uploaded Burp file.
You can upload only one Burp file at a time. If you upload a second file, the new file will replace the old file.