
How to run Burp scanner against a remote server

I'm developing a SF app that interacts with a remote server via a REST API. The app's interaction with the API happens in a VF page's controller, not via the page itself.


From what I understand about the Burp scanner, it sits as a proxy between my browser and the remote server, but since that's not where the API is being called from, I'm concerned that it won't find anything. How should I run the Burp scan in this case?


+ As described in the video on the SF Security page?

+ Develop a simple local HTML test page that has links that exercise the API, and then have the scanner's proxy watch as I click those links?

+ Through some other tool that monitors interaction with the server directly?


Thank you for your help.


- Jeri



You can use curl on the command line, or you can try SoapUI (it has REST support). I think you need to set the system-wide proxy to get it through Burp, but it should work. There is also a REST-style parameters setting in Burp that you should configure in order to get good results. I hope that helps.
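Added example, not from the original thread or from either poster. Because the controller's callouts originate on Salesforce's servers, a proxy on your workstation never sees them; the workable approach is to replay the same requests from your machine through Burp's proxy listener, so they land in Proxy history and can be sent to Scanner. The script below assumes Burp is listening on 127.0.0.1:8080, that its CA certificate has been exported to ./burp-ca.pem, that the API is at https://api.example.invalid/v1/ (placeholder host), and that it accepts a bearer token from $API_TOKEN; the request list is constructed for illustration and should be replaced with the endpoints the Apex callouts actually use.

```shell
#!/usr/bin/env bash
# Replay the REST calls a VF controller makes, from a workstation, routed through
# Burp Proxy so Burp Scanner can see them. Assumed values (not from the thread):
# Burp on 127.0.0.1:8080, its CA exported to ./burp-ca.pem, a placeholder API host,
# and a bearer token in $API_TOKEN.

BURP_PROXY="${BURP_PROXY:-http://127.0.0.1:8080}"
BURP_CA="${BURP_CA:-./burp-ca.pem}"
TARGET_API_BASE="${TARGET_API_BASE:-https://api.example.invalid/v1/}"

# Join the base URL and a path with exactly one slash between them,
# whether or not the caller wrote a leading slash on the path.
request_url() {
  local base="${TARGET_API_BASE%/}" path="${1#/}"
  printf '%s/%s' "$base" "$path"
}

# Common curl options for every replayed request: send it through Burp, trust
# Burp's CA for the intercepted TLS session (rather than -k, which would also
# hide real certificate problems on the target), attach the same auth header the
# controller would send, and emit only the HTTP status code for the report.
burp_curl() {
  curl --proxy "$BURP_PROXY" --cacert "$BURP_CA" \
       --silent --show-error --output /dev/null --write-out '%{http_code}' \
       --header "Authorization: Bearer ${API_TOKEN:-}" \
       --header "Accept: application/json" \
       --header "Content-Type: application/json" \
       "$@"
}

# Constructed list of the controller's calls: METHOD|path|optional JSON body.
# Replace with the real endpoints from the Apex callout code.
controller_requests() {
  cat <<'EOF'
GET|accounts|
GET|accounts/123/orders|
POST|orders|{"accountId":"123","items":[{"sku":"A1","qty":2}]}
EOF
}

# Send each request through Burp and print the status code next to it.
replay_all() {
  local method path body status
  while IFS='|' read -r method path body; do
    [ -n "$method" ] || continue
    if [ -n "$body" ]; then
      status=$(burp_curl --request "$method" --data "$body" "$(request_url "$path")")
    else
      status=$(burp_curl --request "$method" "$(request_url "$path")")
    fi
    printf '%s %s -> HTTP %s\n' "$method" "$path" "$status"
  done < <(controller_requests)
}

# Only replay when explicitly asked, so sourcing this file has no side effects.
# Usage: ./replay.sh replay
if [ "${1:-}" = replay ]; then
  replay_all
fi
```

Once the replayed requests appear in Burp's Proxy history, select them and send them to Scanner; since the API takes its input in paths and JSON bodies rather than query-string parameters, the REST-style parameter setting mentioned above is what tells Scanner where to insert payloads.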