Add the Faction BurpSuite extension by downloading the jar file above and loading it via the Extensions tab inside BurpSuite. Once installed, click the Faction tab and go to Config. In the server name field enter the hostname of your Faction instance followed by ‘/api’ (e.g. cute-name-32323.factionsecurity.com/api).
Your API token is found inside your Faction instance by clicking Profile in the upper right corner. Treat it like a password: anyone holding it can use the API as your user.
If the API key field is blank, your account may not have API access. An admin controls this per user in the user settings, as shown below:
Most of the Faction dashboard functionality is available inside the Faction BurpSuite extension, so you do not need to log into the web version while performing assessments or verifications. From Burp you can view your assessment queue, verification queue and assessment vulnerability history, and submit vulnerabilities directly.
Below are your assessment and verification queues.
Clicking on your current assessment displays the scope and assessment history, as well as issues your teammates are discovering in real time.
You can also replay payloads found by other assessors in Repeater. Every payload saved to Faction has the option to replay the request inside Burp. This helps not only with your current assessment but also with verifications and retests: you no longer need to dig out an old Burp state file to recreate findings for a retest.
SUBMIT VULNERABILITIES DIRECTLY FROM BURPSUITE:
Any request, response, or scan issue can be added directly to Faction from Burp. For instance, say you find XSS on a site. You can select just the section of the response showing the exploit and have it added to your report automatically. The following example extracts the POST request and the relevant section of the response, and lets you add the reproduction steps. Markdown syntax is supported for inserted text, and you can search the database for default vulnerabilities (e.g. XSS, SQLi) to add to the assessment.
Below is an example of the issue being inserted directly into the final report.
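The request, response excerpt and Markdown reproduction steps described above, as an added Python example (this is not Faction's extension code): it takes a Burp-style request and response, redacts credential headers so session cookies and bearer tokens do not end up in the client report, selects just the section of the response showing the exploit, and assembles the Markdown. The sample request and response are constructed, and the hostname and token values are made up.

```python
# Constructed sample request/response pair, in the form Burp shows them
# (not captured from any real target; hostname and values are made up).
SAMPLE_REQUEST = (
    "POST /search HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: session=7f3a9c1d2e4b5f60\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=7f3a9c1d2e4b5f60; HttpOnly\r\n"
    "\r\n"
    "<html><body><h1>Results</h1>"
    "<p>You searched for: <script>alert(1)</script></p>"
    "<p>0 results</p></body></html>"
)

# Headers whose values are credentials and must not end up in a report.
SENSITIVE_HEADERS = ("cookie", "authorization", "set-cookie", "x-api-key")

FENCE = "`" * 3  # built at runtime so the literal does not break this listing


def redact_headers(raw: str) -> str:
    """Blank out credential-bearing header values, leaving the body intact.

    Only the header block (before the first blank line) is touched, so the
    payload in the request body stays visible as evidence.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    kept = []
    for line in head.split("\r\n"):
        name, colon, _value = line.partition(":")
        if colon and name.strip().lower() in SENSITIVE_HEADERS:
            kept.append(f"{name}: [REDACTED]")
        else:
            kept.append(line)
    return "\r\n".join(kept) + sep + body


def select_evidence(response: str, marker: str, context: int = 40) -> str:
    """Return just the part of the response around `marker`, like selecting
    only the relevant section of a response in Burp before submitting it."""
    idx = response.find(marker)
    if idx < 0:
        raise ValueError("marker not found in response")
    start = max(0, idx - context)
    end = min(len(response), idx + len(marker) + context)
    prefix = "..." if start > 0 else ""
    suffix = "..." if end < len(response) else ""
    return prefix + response[start:end] + suffix


def build_markdown(title: str, request: str, response: str,
                   marker: str, steps: list[str]) -> str:
    """Assemble a Markdown finding: redacted request, response excerpt, steps."""
    parts = [
        f"### {title}", "",
        "**Request**", "", f"{FENCE}http", redact_headers(request), FENCE, "",
        "**Response (relevant excerpt)**", "",
        f"{FENCE}html", select_evidence(response, marker), FENCE, "",
        "**Reproduction steps**", "",
    ]
    parts += [f"{i}. {step}" for i, step in enumerate(steps, start=1)]
    return "\n".join(parts)


if __name__ == "__main__":
    print(build_markdown(
        "Reflected XSS in search",
        SAMPLE_REQUEST, SAMPLE_RESPONSE, "<script>alert(1)</script>",
        ["Send the POST request above with the q parameter as shown.",
         "Observe the payload reflected unencoded in the results page."],
    ))
```

The redaction step is the part worth keeping in mind when pasting raw Burp traffic into any finding: the request body carries the evidence, but the Cookie and Authorization headers carry live credentials, and a report is usually shared far more widely than a Burp project.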