Whitelist an application for CORS


You can use our GraphQL API to integrate Burp Suite Enterprise Edition with third-party applications. For web applications that send requests to the API using client-side JavaScript, you must whitelist the origin of those requests for cross-origin resource sharing (CORS).

This allows you to develop more powerful built-in applications capable of retrieving relevant data, creating and modifying sites, and launching new analytics directly from the browser using AJAX.

Note

Even if you integrate Burp Suite Enterprise Edition with your CI/CD system using our native plugins, you still need to whitelist your Jenkins or TeamCity URL in order to use the Site-driven Burp scan option.

You can whitelist as many origins as you want, each separated by a newline:

  1. Log in to Burp Suite Enterprise Edition as an administrator.

  2. From the settings menu, select Network.

  3. In the Authorized origins for the GraphQL API, enter the origin on which the other app is running. Be sure to include the URL scheme, domain name, and port. For instance:


  4. When you are sure your entries are correct, click to save them.

  5. Test your external application to make sure it works as expected.

If you’re still having issues with CORS, check the Origin header of the associated request and compare it to the URLs you have in the whitelist. There should be no discrepancies.
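The comparison described above can be scripted. The following is an added example, not PortSwigger code: `lintEntry`, `diagnose` and the sample whitelist are hypothetical names and constructed values, and it treats any difference between an entry and the Origin header as a mismatch.

```javascript
// Added example, not PortSwigger code. All sample values are constructed.

// Return the reasons an entry is not a bare origin (scheme + host + port).
function lintEntry(entry) {
  let url;
  try {
    url = new URL(entry.trim());
  } catch {
    return ["not a URL; include the scheme, e.g. https://"];
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return ["scheme must be http or https"];
  }
  // URL.origin drops paths, queries, credentials and default ports, and
  // lowercases the host, which is the form a browser puts in the Origin header.
  return url.origin === entry ? [] : [`not a bare origin; browsers send ${url.origin}`];
}

// Compare a request's Origin header with the newline-separated whitelist text.
function diagnose(originHeader, whitelistText) {
  const seen = new URL(originHeader);
  const report = whitelistText
    .split(/\r?\n/)
    .filter((line) => line.trim() !== "")
    .map((entry) => {
      const problems = lintEntry(entry);
      const match = entry === originHeader;
      if (!match && problems.length === 0) {
        const listed = new URL(entry);
        for (const part of ["protocol", "hostname", "port"]) {
          if (listed[part] !== seen[part]) {
            problems.push(`${part} differs: "${listed[part]}" vs "${seen[part]}"`);
          }
        }
      }
      return { entry, match, problems };
    });
  return { allowed: report.some((r) => r.match), report };
}

// Constructed whitelist with typical mistakes, then one correct entry.
const sampleWhitelist = [
  "https://example.com:8080/my-app", // path: origins cannot express this
  "http://example.com:8080",         // wrong scheme
  "https://example.com",             // port missing
  "https://example.com:8080",
].join("\n");
console.log(JSON.stringify(diagnose("https://example.com:8080", sampleWhitelist), null, 2));
```

Copy the Origin value from the failing request in the browser's network tools and pass it as the first argument; any entry with a non-empty `problems` list is one to correct.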

Note

The origin of incoming requests refers only to the URL scheme, domain name and port. In other words, you can whitelist all cross-origin requests coming from https://example.com:8080 but you can’t limit this to specific subdirectories such as https://example.com:8080/my-app. For finer control, you should deploy your app to a dedicated subdomain:
