function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

AppExchang​e package security review - BURP scan against Webservice



I'm in the process of submitting our salesforce app for a security review (first time I've gone thru this process). Our app communicates with a .Net webservice so I understand that the webservice has to go against a preliminary check with the BURP proxy scanner.


I've run it against the BURP "scanner" tool and it comes up clean (no issues or errors) - is that all there is to it or do I have to run the BURP "intruder" tool also?


I'm also told that I'm supposed to submit the BURP report as part of my security submission. But since I have no issues with the scanner I can't even generate a report (since it only reports on issues). What do I do in this case?



Yogesh BadweYogesh Badwe



If Burp did not find any issue, you can note it when the case processing team asks you for the Burp report. During the actual review, we use the Burp Scanner again as part of our testing. You do not need to run intruder at this point.






My package is failing security review.


One of the comment is"Authentication Vulnerability"


Actually, we do have athentication in place for the webservice in question. We have a header with username and a token which has to be present in Webservice and once inside the webservice method (.Net C#), we get these two valuesf rom header and compare them against database entries we have.


String userName = spAuthenticationHeader.strUserName;
String password = spAuthenticationHeader.strPassword;


Isn't this sufficient?




Yogesh BadweYogesh Badwe

Clarification: This is a 2 year old post that refers to a specifci use-case / scenario mentioned above (where Burp was run and did not generate any issues - which is a very very rare case). Please note that this should not be used as a blanket exception for submitting Burp reports before the security review. 


Yogesh Badwe

Product Security


I am using Burp Suite Professional Edition.

How to run POST webservices using BURP tool?