Burp Suite Professional's report export looks straightforward, but the structured issue data behind it can be reshaped into reports tailored to each audience rather than a generic dump of scanner findings.

Here is an illustrative JSON representation of two findings in roughly the shape Burp holds them internally. It is not the response of any Burp endpoint (Burp's own structured export is XML, and the request shown in earlier versions of this page, with severity and project query parameters, does not correspond to a real Burp API); the point is the set of fields a report has to carry and how they can be shaped for different readers.
[
  {
    "id": "BURP-HIGH-001",
    "name": "SQL Injection",
    "severity": "High",
    "confidence": "Certain",
    "description": "The application is vulnerable to SQL injection in the 'user_id' parameter of the '/users' endpoint. An attacker can manipulate the database queries to exfiltrate sensitive data or modify existing records.",
    "remediation": "Implement parameterized queries or prepared statements for all database interactions. Sanitize and validate all user input before it is used in database queries. Consider using an ORM (Object-Relational Mapper) which often handles this automatically.",
    "affected_endpoints": [
      "/users?user_id=1"
    ],
    "evidence": [
      {
        "request": "GET /users?user_id=1' OR '1'='1 HTTP/1.1\nHost: vulnerable-app.com\n...",
        "response": "HTTP/1.1 200 OK\nContent-Type: application/json\n...\n[{\"username\": \"admin\", \"id\": \"1\"}, ...]"
      }
    ],
    "cvss_score": "8.8"
  },
  {
    "id": "BURP-LOW-001",
    "name": "Missing Security Headers",
    "severity": "Low",
    "confidence": "Firm",
    "description": "The application is missing several security headers. Content-Security-Policy mitigates XSS and, via its frame-ancestors directive, clickjacking; X-Content-Type-Options prevents browsers from MIME-sniffing responses into an executable type.",
    "remediation": "Implement the following HTTP security headers: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy.",
    "affected_endpoints": [
      "/"
    ],
    "evidence": [
      {
        "request": "GET / HTTP/1.1\nHost: vulnerable-app.com\n...",
        "response": "HTTP/1.1 200 OK\nContent-Type: text/html\n...\n<p>Welcome!</p>"
      }
    ],
    "cvss_score": "5.3"
  }
]

This is a simplified JSON representation of the data Burp holds for each issue, not the format of any Burp export. Each object is one finding with its technical detail, remediation advice and supporting evidence; the affected_endpoints and evidence fields are what make a finding reproducible and let a reader judge its impact. Two caveats: Burp identifies issue types by a numeric type index and does not assign CVE identifiers (a CVE belongs to a published vulnerability in a specific product, not to an injection point in a custom application), and it rates each issue by severity (High, Medium, Low, Information) and confidence (Certain, Firm, Tentative) rather than computing a CVSS score. Fields such as id and cvss_score are therefore things a reporting pipeline adds, not values Burp produces.

The core problem Burp Suite’s reporting solves is translating raw, technical vulnerability data into a digestible, actionable format for various audiences. A penetration tester might see the raw HTTP requests and responses as the primary evidence, but a CISO needs a clear risk assessment, and a developer needs precise instructions on how to fix the issue. Burp’s reporting engine aims to bridge this gap by allowing customization of the output.

Internally, Burp Suite maintains a structured representation of each identified issue: its type index and name, the host, path and location (including the affected parameter), severity, confidence, issue background and issue detail, remediation background and remediation detail, and the request/response pairs that serve as evidence. When you export a report, Burp iterates over the selected issues, applies the filters chosen in the report wizard, and writes the result as HTML or XML. It does not produce PDF natively; if a client wants one, convert the HTML or render your own document from the XML.

The levers you control sit in two places. The scan configuration (Dashboard > New scan, or the project's scan settings) decides what Burp looks for, and therefore what can ever appear in a report. The report wizard decides what goes in: select the issues in Target > Site map or in the Dashboard issue activity, right-click, and choose "Report selected issues". The wizard lets you pick the format (HTML or XML), how much of each issue's background and remediation text to include, whether to embed full, truncated or no request and response data, which issue types to include, and the report title. What Burp does not ship is a template engine: there are no built-in "Standard Report" or "Fast Report" templates and no placeholder syntax to edit. If you want a different layout, an executive summary, a glossary of terms or a methodology section, the practical route is to export XML and transform it (XSLT, a script, or the importer of your report-writing tool), or to write an extension.

Because the XML export carries every request/response pair recorded for an issue, your transform decides how much to show; printing only the first pair per issue keeps a developer-facing report short while the XML remains the complete record. Going further means writing an extension: Burp's extension API (the Montoya API, which supersedes the older Extender API) exposes the audit issues in the site map, so an extension can emit any format you like or push findings straight into a ticketing or reporting system, moving beyond post-processing of the built-in output.
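An added example of the post-processing route, written for this page rather than taken from Burp or the original text: it parses a Burp-style XML export, applies the same severity and confidence filtering the wizard offers, and renders a CISO-level count alongside a developer ticket that shows only the first evidence pair. The XML is constructed for the example: the element names follow Burp's export, but the hosts, paths, payloads and detail text are invented.

```python
"""Turn a Burp Suite XML issue export into audience-specific views.

Added example, not Burp's own code. Element names follow Burp Pro's XML export
(<issues> holding one <issue> per finding; <request>/<response> are base64 when
base64="true"), but the report below is constructed: hosts, paths, payloads and
text are invented.
"""
import base64
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Information": 3}
CONFIDENCE_ORDER = {"Certain": 0, "Firm": 1, "Tentative": 2}
FIELDS = ("name", "host", "path", "location", "severity", "confidence",
          "issueDetail", "remediationBackground")


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Evidence bodies, base64-encoded the way Burp writes them into the XML.
REQ_SQLI = _b64("GET /users?user_id=1'+OR+'1'%3d'1 HTTP/1.1\r\nHost: vulnerable-app.example\r\n\r\n")
RSP_SQLI = _b64('HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n[{"username": "admin", "id": "1"}]')
REQ_HOME = _b64("GET / HTTP/1.1\r\nHost: vulnerable-app.example\r\n\r\n")
RSP_HOME = _b64("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Welcome!</p>")

SAMPLE_REPORT = f"""<?xml version="1.0"?>
<issues burpVersion="2024.1" exportTime="Mon Jan 01 00:00:00 UTC 2024">
  <issue>
    <name>SQL injection</name><host ip="203.0.113.10">https://vulnerable-app.example</host>
    <path>/users</path><location>/users [user_id parameter]</location>
    <severity>High</severity><confidence>Certain</confidence>
    <issueDetail>The user_id parameter appears to be vulnerable to SQL injection.</issueDetail>
    <remediationBackground>Use parameterized queries for all database access.</remediationBackground>
    <requestresponse><request method="GET" base64="true">{REQ_SQLI}</request>
      <response base64="true">{RSP_SQLI}</response></requestresponse>
  </issue>
  <issue>
    <name>Cross-site scripting (reflected)</name><host ip="203.0.113.10">https://vulnerable-app.example</host>
    <path>/search</path><location>/search [q parameter]</location>
    <severity>Medium</severity><confidence>Tentative</confidence>
    <issueDetail>The q parameter may be echoed into the page without encoding.</issueDetail>
    <remediationBackground>Encode output for the HTML context it lands in.</remediationBackground>
  </issue>
  <issue>
    <name>Strict transport security not enforced</name><host ip="203.0.113.10">https://vulnerable-app.example</host>
    <path>/</path><location>/</location>
    <severity>Low</severity><confidence>Certain</confidence>
    <issueDetail>The application does not set the Strict-Transport-Security header.</issueDetail>
    <remediationBackground>Send Strict-Transport-Security on every HTTPS response.</remediationBackground>
    <requestresponse><request method="GET" base64="true">{REQ_HOME}</request>
      <response base64="true">{RSP_HOME}</response></requestresponse>
  </issue>
</issues>
"""


def _text(node, tag):
    """Child text, base64-decoded when Burp flagged it; tolerates binary bodies."""
    el = node.find(tag)
    if el is None or el.text is None:
        return ""
    if el.get("base64") == "true":
        return base64.b64decode(el.text).decode("utf-8", errors="replace")
    return el.text


def parse_issues(xml_text):
    """Flatten each <issue> into a dict, keeping every request/response pair."""
    issues = []
    for node in ET.fromstring(xml_text).findall("issue"):
        record = {key: _text(node, key) for key in FIELDS}
        record["evidence"] = [{"request": _text(rr, "request"), "response": _text(rr, "response")}
                              for rr in node.findall("requestresponse")]
        issues.append(record)
    return issues


def select(issues, min_severity="Low", min_confidence="Tentative"):
    """Filter like the wizard's severity/confidence choices, then rank worst first."""
    kept = [i for i in issues
            if SEVERITY_ORDER.get(i["severity"], 99) <= SEVERITY_ORDER[min_severity]
            and CONFIDENCE_ORDER.get(i["confidence"], 99) <= CONFIDENCE_ORDER[min_confidence]]
    return sorted(kept, key=lambda i: (SEVERITY_ORDER[i["severity"]],
                                       CONFIDENCE_ORDER[i["confidence"]], i["name"]))


def executive_summary(issues):
    """CISO view: counts per severity, no HTTP detail."""
    return dict(Counter(i["severity"] for i in issues))


def developer_ticket(issue):
    """Developer view: where, what, how to fix, plus only the first evidence request line."""
    lines = [f"{issue['severity']} ({issue['confidence']}): {issue['name']} at "
             f"{issue['host']}{issue['location']}",
             f"Detail: {issue['issueDetail']}",
             f"Fix: {issue['remediationBackground']}"]
    if issue["evidence"]:
        lines.append("Reproduce with: " + issue["evidence"][0]["request"].split("\r\n")[0])
    return "\n".join(lines)
```

Run it against a real export by replacing SAMPLE_REPORT with the file contents; select(found, "Medium", "Firm") reproduces the usual "worth a ticket" cut (Tentative findings are left for manual verification), executive_summary(found) feeds the management slide, and developer_ticket(issue) gives each engineer the one request that reproduces the problem without the full evidence dump.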

The next step in mastering Burp Suite reporting is understanding how to leverage its extensibility through custom reporting extensions to generate dynamic, interactive reports.
