JeriMorris

How to run Burp scanner against a remote server

I'm developing a SF app that interacts with a remote server via a REST API. The app's interaction with the API happens in a VF page's controller, not via the page itself.

 

From what I understand about the Burp scanner, it sits as a proxy between my browser and the remote server, but since that's not where the API is being called from, I'm concerned that it won't find anything. How should I run the Burp scan in this case?

 

+ As described in the video on the SF Security page?

+ Develop a simple local HTML test page that has links that exercise the API, and then have the scanner's proxy watch as I click those links?

+ Through some other tool that monitors interaction with the server directly?

 

Thank you for your help.

 

- Jeri

 

Jdolph

You can use curl on the command line or you can try SoapUI (it has REST support). I think you need to set the system-wide proxy to get it through Burp, but it should work. There is also a REST-style parameters setting in Burp that you should configure in order to get good results. I hope that helps.
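
The curl approach suggested in the reply above, sketched as an added example that is not part of the original thread: it replays the REST calls the controller would make through Burp's proxy listener so the scanner can see them. The listener address (Burp's default, 127.0.0.1:8080), the exported CA file `./burp-ca.pem`, the API host and the request list are all assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example: replay the REST calls an Apex controller would make, via Burp's proxy.
# Assumed values (not from the original thread): listener address, CA path, API host, requests.
BURP_PROXY="${BURP_PROXY:-http://127.0.0.1:8080}"   # Burp's default proxy listener
BURP_CA="${BURP_CA:-./burp-ca.pem}"                 # Burp CA certificate exported as PEM
API_BASE="${API_BASE:-https://api.example.test/v1}" # placeholder API host
DRY_RUN="${DRY_RUN:-1}"  # 1 = print the arguments (unquoted, for review), 0 = send

# Constructed sample requests, one per line: METHOD|PATH|JSON body
sample_requests() {
cat <<'EOF'
GET|/accounts?limit=5|
POST|/accounts|{"name":"Test Account"}
PUT|/accounts/42|{"name":"Renamed"}
DELETE|/accounts/42|
EOF
}

# Send (or print) one request through the proxy. --cacert makes curl trust
# Burp's interception certificate without turning TLS verification off.
send_via_burp() {
  method=$1; path=$2; body=$3
  set -- -sS -o /dev/null -w '%{http_code}' --proxy "$BURP_PROXY" \
         --cacert "$BURP_CA" -X "$method" -H 'Accept: application/json'
  if [ -n "$body" ]; then
    set -- "$@" -H 'Content-Type: application/json' --data "$body"
  fi
  set -- "$@" "$API_BASE$path"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'curl %s\n' "$*"
  else
    printf '%s %s -> HTTP %s\n' "$method" "$path" "$(curl "$@" </dev/null)"
  fi
}

# Replay every sample request so each one passes through the proxy listener.
replay_all() {
  sample_requests | while IFS='|' read -r method path body; do
    [ -n "$method" ] && send_via_burp "$method" "$path" "$body"
  done
}

replay_all
```

Run it with `DRY_RUN=0` while Burp is listening to send the requests; each one then appears in Burp's proxy history, where it can be selected for scanning.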