
Burp Scan Necessary?

I am looking to list an app I developed on the AppExchange. The app contains a VF component with a JS library that talks to a label printer and also includes a few JS remoting calls to fetch some data from the component controller. Does this fit within the context of a web service, therefore requiring a Burp scan for the app security review? It doesn't seem to me that it would, but I'm a little bit confused.


Hello Bryan,


The Burp tool must only be used to evaluate the security of your web application that resides outside of Force.com (e.g. www.partnersite.com). For applications residing completely on Force.com (e.g. partner-visual.force.com, appxpartner.force.com, etc.), please use the Force.com Source Scanner. So I don't think that you need a Burp scan.

Please note that you are not permitted to run this tool against any servers owned and operated by salesforce.com, without prior written approval.


For details, please refer to the link below: http://security.force.com/security/tools/webapp/burpabout