Burp Suite User Forum
Found 250 posts in 241 threads
server response, for me, contains the following JSON:
{
"username": "wiener",
"email": "test@hotmail.com … I can then resend the POST request with the following JSON included in the body:
{"email":"test@hotmail.com
chr892@hotmail.com
omanrich87@hotmail.com
web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="test2@hotmail.com
Want to know how can that be achieved using the Burp's native API.
Would it be best to create an API for the http requests coming from the web application?
Hi Team,
I am unable to find configurations for API scanning. I think it's not available for the trial version
burpsuite extension, I want to know if the spider crawl is complete and whether there is a relevant api … Whether burpsuite should add more api
Hi,
I will need your help. I have a project that has to do with API pentest. How can Burp help me? … I was given a URL and token for the API. … How can I connect to the API and test for vulnerability?
Urgent please!
Thank you
What is the difference between Burp Extender API and Montoya API? … Can I use Burp Extender API from Montoya API?
I want to automate BurpSuite scans using burp's REST API (https://portswigger.net/blog/burps-new-rest-api
How do Perform API's from Burp.
Hey Burp Team, having some issues with how the Burp Suite Enterprise Edition REST API functions. … However, my team sets up the site in BSEE either through the dashboard or using the GraphQL API endpoint … To have the REST API match the preconfigured site, the list of URLs and the site name must be exactly … Is there a roadmap to have the REST API endpoint optionally use the site ID to request a new scan? … Or move that functionality to the GraphQL API, which already leans into the ID functionality?
While I am doing the rest api pentest, I manually enter the available variables from excel each time … or do you have easier method for rest api pentest?
I think I explained it complicated. … POST /api/{variable1}?
I am trying to scan API in my environment, and I have a question.
I'm dealing more and more with websockets: is there _any_ way to modify requests on the fly?
I'm not afraid of writing a custom extension or fiddle with scripting my own tools. FWIW, if you provide some guidance, I could...
How Do I stop the scanner from running through API calls? … the spider but nothing to indicate if it has finished spidering or if it can be stopped through the api
I'm running into wss more as we see the shift towards single page, media rich applications. As such, I often find the need to implement custom deserialization of binary websockets messages. It would be helpful if I could...
Is there an anticipated timeline available for api scanning feature to be available in BurpSuite Enterprise
How API is verified by Burp as there exist a vulnerability or not?
Hi,
I wrote an extension some time ago, but abandoned it due to missing API functionality.
I may be doing things the wrong way but I am trying to get all issue types of all scans with the API
Hi,
I have lots of powershell scripts calling the api (Graphql) and don't seem to see a way of linking … https://portswigger.net/burp/extensibility/enterprise/graphql-api/SiteTree.html
Any help would be
Hi , I have been using the Burp Suite Enterprise Edition REST API. … Is there any API or possible way of accruing the SCAN ID by passing the projectname or sitename that … If not, can you help me figure how to get the SCAN ID from Jenkins and use it in the POST api for getting
Do you have any API ,other than the three mentioned in the API Documentation?
Hi,
I was wondering if you could change the Montoya API enum classes. … Therefore, the entire API relies on something that is final and can't be extended.
How can I perform an authenticated API scan using the new API scanning functionality?
There seems to be no way to change these values to be more relevant to the API being tested, and adding … configure the scanner to remove parameters from the scan; *** Above all else, this is the issue that makes API … scanning next to useless as it currently stands***
2) Some API requests are automatically deselected
Is there a way to use these or any other API call to perform actions like those available on the GUI,
I'm getting "unauthorized" message when using GraphQL API with Postman. … I'm using a valid API Key, but apparently, I'm not configuring it properly. … Could please let me know how to use API key on authorization header using Postman (or curl or httpie)
Hi, I am currently evaluating the BS Enterprise Edition and have some questions about the various API … After looking at the GraphQL API, it seems very well documented and supported, however, I don't see the … Or is that something I can only do through the REST API and/or CI driver? … (b) Does the CI driver provide the same query operations that the GraphQL API offers, or does it only … support the same 3 operations that the REST API supports?
Hi dear,
I wanted to call graphql api, but I have a problem in my code, I use .net 6.0. … When I called the api from PostMan everything's are OK, but when I call it from my code the response
Please see the API documentation:
https://portswigger.net/burp/extender/api/burp/IInterceptedProxyMessage.html
agent's response:
"There isn’t currently any way to use Burp’s own Content Discovery feature via the API
Is there any provision for API Testing in Burp ?
Can u test SOAP / REST API using Burp suite only ?
Can we test SOAP / REST API using Burp suite only ?
There's a way to audit a rest API with Burp enterprise using the swagger file like with OpenAPI Parser
would are now developing some web interface in which we can feed urls and send them to Burp REST API … We think that the API should and needs to be extended for better functionality like adding the following
Is it possible to use the GET /SCAN/[task_id] to obtain information on a running "live audit"?
I'd like to know details like how many requests it is making currently, how many queued, how many issues found etc.
I can see...
While reviewing a site, I noticed that some API keys, including NREUM and Bootstrap are exposed. … How do I know if this exposed information is critical enough to report (Any suggestions on general API
Download the Burp Extender interface files" but that points to https://portswigger.net/burp/extender/api
Hi,
I just wanted to know whether Burp enterprise has API scanning facility ?
Are these kind of API currently in your Roadmap? Thank you!
Federico
Hi,
Is it possible to make use of API to perform some tasks with the Burp Suite Pro?
Burp Suite Professional still can't crawl the API endpoint on my target site.
I am unable to scan an API endpoint using an API definition. … :13.0237514Z 2023-08-20 12:50:13 INFO dastardly.EventLogPrinter - Aug 20 2023 12:50:10 DEBUG Found API
https://portswigger.net/burp/extender/api/allclasses-noframe.html
I'm having trouble calling GraphQL API on our Enterprise BurpSuite server. … For example, our burpsuite enterprise URL is http://<BURPURL>
I tried calling ScanReport GraphQL API … via Postman as follows:
Endpoint: http://<BURPURL>
Headers: "Authorization:<API KEY MY ADMIN SENT
MenuItem.basicMenuItem("# of added columns");
I'm using last version of Burp Professional and last version of Montoya API
I'm currently working on a Burp extension that uses the Montoya API. … requests to the Burp Repeater, and it would be great if I could create a new tab group using the Montoya API … Do you have any plans to extend the Montoya API in the near future?
Is there a rest api for automation?
If it exists, please provide api documentation or link.
I am looking at https://portswigger.net/burp/extender/api/, but only find doActiveScan and doPassiveScan … Does Burp Extender API have a way to configure crawler and start it?
We are automating the scan of launch URLs from the API point and we noticed the following behavior. … 1 - launch scan API
curl -vgw "\n" -X POST 'http://XXX.xxx.xxx.xx:91/APIKEY/v0.1/scan' -d '{"urls"
James Kettle mentioned that the extension uses the burp API and does not explicitly do a hostname check
Hi Burp Team,
I would like two additional REST API endpoints that support crawl only functionality
Hi,
Every scan initiated via Burp's API initiates a crawling and auditing stage.
Hello,
Is there a way to use Burp PRO's REST API to scan all URLs in an existing sitemap?
are available for use and also we are trying to setup scan scheduling and adding sites using REST API
HELLO DEARS,
I need to test an authenticated WEB API, through a header "AUTORIZATION" + <STRING OF 30 … So, how could I configure the authorization code so that the API can be tested?
have installed burp PRO on an Ubuntu server I didn't find a way to include a key to access the REST Api … with GUI access and tried to use the UserConfigPro.json file on the Ubuntu server, without success the api
I'm trying to use the browser in burp suite but I'm getting this error: {"apiKey":"no api key provided
While testing https://github.com/vmware/burp-rest-api/, we realized that there is a bug in the Burp Extender … API iScanQueueItem.getPercentageComplete() for Burp Professional v2.x (beta). … Please see https://github.com/vmware/burp-rest-api/issues/80 for the original bug.
You can browse the API documentation at [Service URL]/[API key]. … - https://portswigger.net/blog/burps-new-rest-api
I am talking about the ***Extender API*** https://portswigger.net/burp/extender/api/index.html
Is … there a Javadoc of the new Extender API since it's not 100% compatible with previous versions?
Hello,
The Burp Extender API JavaDoc link (https://portswigger.net/burp/extender/api/index.html) currently
I don't think, there is a way we can get the status of Spider tool thru API.
Hi,
I'm trying to write a script that can parse the json output of a scan from the rest API (Professional
Hi,
How i can scan an API with the Pro edition?
Hey,
I am using the latest version of Burp Pro (jar) and I would like to use the API. … I need to turn on the API and make an API key while headless. … I tried to run the same jar on a machine that has a GUI and enabling the API there and created an API … it looks kinda like this:
{
"user_options":{
"misc":{
"api":{ … When performing running Burp this way on the machine that does have a GUI (and where the API is already
Hello,
I would like to scan APIs with Burp Enterprise. I have the relevant OpenAPI specs as files (JSON or YAML). However, it is unclear how I can leverage them to configure my scans, and I cannot find a clear...
I'm trying to use the SQLiPy extension but Burp won't recognize that the API is running. … When I try to start the API through the interface, nothing happens. … When I start the API through the CLI with "python sqlmapapi.py -s -H 127.0.0.1 -p 9090" it successfully … runs but Burpsuite still says that the API is NOT running.
Hello,
I found a surprising behavior in the Extender API (using Jython). … Given the API documentation (both online http://portswigger.net/burp/extender/api/burp/IHttpRequestResponse.html
Hi,
Is there any API to stop scanning and start scanning.
Hi,
in my experience, launching an active scan on valid dataset from Proxy is the best approach. We have regular releases, triggering test packs for changed functionality which can be routed through Burp Suite. So far, we...
My API is token secured ().
Can Burp Suite scan a secured API?
Provide an official "API" to access the collaborator subdomains (Like the "Poll now", but also for a
I'm having a trouble creating a folder using the graphql api, I'm using the following query :
mutation
I can open https://portswigger.net/burp/extender/api/index.html but whichever link I click on this page
Hi Guys,
Sending requests using the Montoya API based on examples is to use the following :
`
How do I capture the OAuth 2.0 information when performing the REST API security testing in Enterprise
Hi Team, simple question: how to test a REST API in Burp. Is there any way or step to test it in Burp?
Hello everyone,
We are integrating Burp Enterprise with our Jira. Where can I find Swagger's path so we can analyze it?
Best Regards,
hello portswigger team reset my progress of api testing
I'm trying to build an extension that reads results from the BurpSuite Pro scanner using the Montoya API
The VMware REST API exposes the Extender API functionality at a web endpoint. … You can find the Extender API documentation online here: https://portswigger.net/burp/extender/api/
Hi,
I was looking for REST-API endpoints to create a Folder, Sub-folders and new site.
http://forum.portswigger.net/thread/1117/api-sequencer
As per your response for API support for Sequencer … On a Similar note, do you have a roadmap to support the 'Go' action in BURP API?
understanding is, even though Spider is paused, it starts running upon calling sendToSpider() method from API
I noticed that the javadoc for the Burp API is no longer accessible. … https://portswigger.net/burp/extender/api/
Hi,
I am trying to use rest api feature on my professional.
Hi Team,
I have generated api key and keeping http://127.0.0.1:1337 service running in useroption … http://127.0.0.1:1337/v0.1/ it is working fine but when I am trying to http://127.0.0.1:1337/<your API
Usually, I would use a PrintWriter, but how can I do this with this API?
Hi Team
I want to Scan My API website, but it informs "No valid server URLs found.
Where can I get detailed documentation of the Burp 2.0 Rest API (https://portswigger.net/blog/burps-new-rest-api … The above API call do not seem to return any task-id that I can see. … supplies the task-id to get the status or results of the scan using the GET '/scan/[task_id: string]' API … What does one specify an API key and where to obtain one? … Assuming it is not desirable to not enable "Allow access without an API key" setting.
We start Burp and REST API Service
2.POST a scan to url "https://example.com"
3.We GET the issues from
When I create a custom configuration I am unable to use the Custom Configuration with the API to execute … The call is "curl -vgw "\n" -x POST 'https://[myburpscanner]:8443/api/[user api key]/v0.1/scan' -d '{
The API works nice, besides that I supposed
that using API I will be able to get scan results that were
Hi, we want API to get repeater history. … Though burp API provides proxy history API (getProxyHistory), there is no repeater history API. … If there is an API to get repeater history, it is really helpful for us to get the all repeater requests … there is a same feature requests in Logger++ extension, but they can't do because there is no burp API
I am using java api
Thanks for creating a new Burp Extension API, I am testing the new Montoya API to create a plugin with
When Burp performs DOM-based scanning, is it possible to utilize the API to extend the scanning to identify
Hey BurpSuite,
I've been attempting to test some python code to interact with the GraphQL API and
Hi,
I want to write new extensions for BurpSuite,
For one of them i need To Set Stream Proxy (PyMultitor),
For the other one i need to see WebSocket Raw Sockets To Show And Fuzz Every Parameter.
It would be really handy for testing if PortSwigger could add (or update) an Extender API to allow developers … Currently only the generation of payloads and polling is available in the IBurpCollaboratorClientContext API
At the moment there's no Montoya API for the functionality I can find. … Are Discovery overrides on the current API roadmap?
Is there any Burp Extension to run API Testing using Postman Collection file?
Hello, is there any way to disable pretty print on IMessageEditorTab through Burp Api?
Hi,
We would like to obtain the documentation of the rest API for burp suite pro. … example, using the /v0.1/scan endpoint with a URL callback as parameter as described in the enterprise API
Hello,
i have request format like this
POST /api/login HTTP/1.1
Host: www.domain.com
Device_type
Hi,
I was wondering if you guys had any plans to bring an update to the burp-api, containing an extension … of the api for the intruder? … intruders "request-firing", "response-storing", "grep-extract from response" feature via the extension-api … E.g.: I get use an api call to define and start an intruderAttack. … Those in turn I can hand over to another api-call which uses the user-definable "response-patterns"
Hello,
I used the api from https://github.com/vmware/burp-rest-api, but I would like to switch to … the official burp rest api. … can see the port 8080 listening, but the port 1337 is not listening and so I cannot use the burp rest api
When a finding is marked as a False Positive in the web ui, it is not updated in the API output. … finding marked as False Positive in the web ui but then it is still listed as a valid finding in the API … Can the API output be updated to respect the web ui findings? … Also, is there a switch for the scan progress API task to include/exclude False Positives like there
Hi,
I want to start scans from the API.
Is there a way to scan APIs REST or other ?
Hello,
I have successfully created an HTTP request as such:
httpService = self._helpers.buildHttpService("google.com", 80, False)
requestResponse = self._callbacks.makeHttpRequest(httpService, message)
When...
and I am trying to hit your GetScan (https://portswigger.net/burp/extensibility/enterprise/graphql-api
I am trying to issue HTTP requests using the Montoya API with Swing Workers. … burpReq2 = new BurpHTTPRequest(http, host, path2);
String response2 = burpReq2.call();
With the old API
I'm trying to use the SQLipy extension but I am facing error as SQLMap API is not running. … When I try to start the API by clicking on the "Start API", nothing happens.
After a system reboot, the REST API suddenly stopped working. I'm using Burp Enterprise. … I can still start scans via the GUI, but all the API calls that used to work result in a 500 Internal … Also, when I go to localhost:8080/api/[apikey]/v0.1/scan, it gives an Internal Server Error. … When I use an invalid api key, it gives an Unauthorized, but with a valid api key, I get this internal … I've also tried regenerating the api key, but that didn't solve the problem.
I use scanner api in curl commandline. I don't set header and request body. But it's not working. … I use api /burp/scanner/scans/active scanner. … application/json' \
-d '{
"request": {
"method": "POST",
"url": "https://api.dl10.jp/api … username\":\"petabit\",\"password\":\"password\"}"
}
}'
https://github.com/vmware/burp-rest-api
I am currently developing a burp extension and would like to be able to check the state of the "Intercept" button in the proxy tab. I am able to turn on/off the interception but am not able to poll the state.
Thanks
We understand that burp doesn't handle any authentication such as Oauth, and API key. … https://portswigger.net/burp/documentation/desktop/scanning/api-scanning
Thanks
Ranjith
I have a Backend REST API application that I want to scan. … I am following the steps in https://portswigger.net/burp/documentation/desktop/automated-scanning/api-scans … It says "To run an API scan, click New scan > API scan on the Dashboard." … When I click on "New scan" on the dashboard, I do not see the "API scan" option at all.
Is there an api / method to list all installed extensions and their file locations?
Thanks!
There is not a specific API for this in the Montoya API.
Is there a way or API class/method that I can turn this off when running my Extension? … can't seem to find any documentation on it via - https://portswigger.github.io/burp-extensions-montoya-api
Is it possible to do this through the BURP API?
Name (top)
- Site 1
- Site 2
Group 2 Name (top)
- Site 1
- Site 2
Yet when I call the API … to run the scan using their API key, I constantly get a 401.
Hi,
I am currently testing the REST API of the Burpsuite Pro and trying to scan POST parameters.
Hello, I seem to be having trouble making a simple query on the Burp Suite Enterprise GraphQL API. … =============================
burpEndpoint = '<Enterprise_server_url>/api/graphql/v1'
apiToken =
Hi There
With the latest Version of Burp (2021.3.1) we have following issue:
The IContextMenuInvocation Object passed to the createMenuItems Method of a IContextMenuFactory class holds the wrong request Object with...
Hi,
I am quite new to Burp
I am trying to intercept API response
could see response on encrypted
Will there be an interface built soon for the Burp API makes the proxy interfaces public?
Hey.. I'm trying to start a simple crawl WITHOUT AUDIT CHECKS.
I've saved my crawl config in the Configuration Library named as crawling_1, then..
curl -vgw "\n" -X POST 'http://127.0.0.1:1337/xxxxxxx/v0.1/scan' -d...
endpoints we have needs to be provided with 2-4 headers) and invoke this scan using the native rest API … [because we did not find any way to configure any session rules via burps native rest API even if some
Hello
I'm testing out the new API Scan functionality in the latest Burp Pro release and after converting … my authentication information (Bearer token) via the UI and I can see the Parameters for the various API … Is there a way to edit the Parameters when setting up a "New API scan" via the "API details" -> Parameters
This information isn't currently available via the API, sorry. … When we next update the API in general, we will look into providing this information for all requests
Hello, sorry for the bother, I have written an extension to send API requests to Burp to scan a URL but can't
There is no api on <http://host:port/api/apikey> that extract Html report for burp enterprise.
When "Allow access without API key" is enabled if an invalid API key is used the API does not return … For example if a valid API key is "valid" and the API key "test" does not exist:
GET http://127.0.0.1 … GET http://127.0.0.1:1337/test/v0.1/knowledge_base/issue_definitions
will return:
400
"Invalid API … version"
it should return:
401
"Unauthorized"
If the "Allow access without an API key" option … is disabled the API will return:
401
"Unauthorized"
for bad keys as expected.
Hello,
I'm launching the scan through the Rest API perfectly and I am able to use the endpoint /v0.1 … But when I close and reopen the burp/project, the API is still working but now /v0.1/scan/3 returns {"type"
Hi,
I saw this post (https://portswigger.net/blog/api-scanning-with-burp-suite) where it mentioned … I've tried OpenAPIParser where I can import an OpenAPI file and send the API collection to the Target
We are using burp enterprise and would like to know the option to export scan report using an API. … Please help us to provide API details to use extract report.
Hi there,
I am trying to send a request with the method sendRequest();
String body = "GET /vdp/helloworld HTTP/1.1\n" +
"Host: sandbox.api.visa.com\n" +
...
Wondering about the API scanning abilities for Burp Suite Enterprise Cloud. … I see that sometime this year, "You’ll also be able to upload and scan API specifications with authentication
This API will do what you need:
https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html
Using the "processHttpMessage" method I'm able to edit a request. How can I make this changed request show up in the proxy as an edited request (just like when a request is edited with proxy intercept)?
Hello Support,
If we upgrade to Burp Suite Professional 2.0 will we be able to access REST APIs or do we need to pay for that service.
Also what is the difference between Professional and community Edition apart from...
When the Burp 2 REST API is enabled and the "Allow access without an API key" option is enabled and there … is an API key added it is not possible to use the API key to make API calls. … For example this:
http://127.0.0.1:1337/<api key>/v0.1/
will give me an "Invalid API version" error … What I expect to happen is that the API keys that exist should work and I can also call the APIs without
Hi,
Have you an API to download a release of Burp Suite?
Hello Support,
What is the GraphQL API endpoint for BurpSuite Enterprise?
How do I download the latest scan report using a GraphQL API without using the scan ID?
Hi Team,
Why am I not getting any data in issue events? Below is the response of the CURL command (curl -vgw "\n" -X GET 'http://ipadd/myapikey/v0.1/scan/41' ) which I am using to get the scan results:
{
"task_id":...
Hi,
We are attempting to use Enterprise's REST API Scanning feature. … least have a "forced" mode, where the OpenAPI discovery occurs and the scan is done even if the REST API … What is the timeline/roadmap for fully supporting Rest API scanning without limitations?
Hello,
I am excited to see the Montoya API now adds support for WebSockets and I am trying to create … Is it possible to do this using the new API or is this limited to WebSockets opened through the proxy
Is there an example of how to handle multipart parameters in Montoya API?
I am using the burp-rest-api (from https://github.com/vmware/burp-rest-api) in centOS server and set http_proxy … such as when I set proxy and use "git clone https://github.com/vmware/burp-rest-api"
it shows:
Peer's
I have looked at the Rest API and It has scan submission API(post) with scan configuration.But I'm looking … byte[] request, java.util.List<int[]> insertionPointOffsets)) which seems not possible through Rest API
This isn't possible through the REST API at present. … It is possible through the Extender API, using callbacks.doActiveScan.
If so, can I manage the creation of these threads using the API?
Any insight/help is appreciated.
I created a new scan through the new REST API and then checked the status after the scan was complete … The task in the dashboard says 'Finished' with eight requests and eight errors but the REST API returns
How to initiate a scan with burp REST API for "Audit Selected Items".
from the proprietary XML parser could be added to the IExtensionHelpers class in the Burp Extender API
Is there any way to perform active scans on an API for a server that uses HTTP2 only?
My feature request is to extend the "Extender API" to support custom "Decoder" algorithms.
When creating a new scan with an API key:
POST http://127.0.0.1:1337/<key>/v0.1/scan
... … It is not possible to retrieve the task without the API key if the 'Allow access without API key' option … If you create a scan without an API key:
POST http://127.0.0.1:1337/v0.1/scan
It is not possible … to retrieve the task with an API key
GET http://127.0.0.1:1337/<key>/v0.1/scan/4
400 Bad request … Most likely it comes down to having the API key in the URL and perhaps this is by design
but it
Hi Team,
I tried scanning a web application using Burp.
I have used: Audit coverage - thorough Configuration.
While entering the scope URLs, in the Advanced Scope category, I have put some URLs in the "include URL...
It would be very useful to have API to modify the configuration of the scanner via an extension to run
An API call would be preferred.
I wasn't able to find an API call that met this need.
Have you tried using the new REST API:
- https://portswigger.net/blog/burps-new-rest-api
The extension
Yes, I want to use Burp REST API.
You can find information on the Burp REST API here:
https://portswigger.net/blog/burps-new-rest-api
Hi,
I'm trying to run a scan against a test target. The first time I scan, everything is OK. But the second time I scan it, it does not show results. If I run a scan against a different target and again run against first...
Hello everyone, I tried the burp-rest-API on testphp.vulnweb.com but I notice that the API issues report … c9fb79369b56407792a7104e3c4352fb
I can't find any security issues from this Extension in the burp API … /scan/{ID} endpoint but it gives me 2 results from it in the burp UI, is burp API doesn't allow to include
Hello, I'm trying to scan testphp.vulnweb.com through the Burpsuite REST-API but I notice that the issues … results in the API is 165 but in the UI is more than 300
trying to follow the meager information at https://portswigger.net/burp/documentation/desktop/scanning/api-scanning … in order to scan a REST API (I have the API definition file on disk). … "Note
If you prefer, you can disable API scanning by deselecting the Parse API definitions crawl option
I was able to find API documentation for Burp Suite Enterprise Edition- can I reference that doc for … Or does Burp Suite Pro not have an API?
Hi There,
I was looking through the API and I couldn't find support for passing in values for Active … openRedirection
headerManipulation
serverLevelIssues
While the GUI allows this, I am unsure if the API
+1 - Would be very useful for API testing
+1 - Would be very useful for API testing
Yes without the /api/ part resolved my issue.
Hi there,
At least version 2020.2.1 broke the processHttpMessage extender API. … According to the "processHttpMessage" documentation on https://portswigger.net/burp/extender/api/burp … Please please please create UnitTests for the API. … _helpers = callbacks.getHelpers()
callbacks.setExtensionName("Stop breaking the Extender API … ")
callbacks.registerHttpListener(self)
print("Stop breaking the Extender API!")
I would like know if Burpsuite have a API Vulnerability Scanning feature and on the other does enterprise
Hi,
I'm working with the Burp Enterprise Graphql API, and I can't figure out how to do proper pagination … According to the documentation (https://portswigger.net/burp/extensibility/enterprise/graphql-api/scan.html
Hello,
Burp Suite Professional 2022.7.1
While accessing the Burp Rest API http://127.0.0.1:1337
Hello, many thanks to your efforts on the cool Montoya API. … I'm using a MontoyaAPI v2023.12.1 (net.portswigger.burp.extensions:montoya-api:2023.12.1) with a BurpSuite … My custom extension uses Scope.includeInScope API[1] to include some URL in the target scope as below … :
```kt
api.scope().includeInScope("https://example.com")
// where `api` is the argument of `initialize … [1] https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/scope/Scope.html
Can anyone help me on how to initiate API scans using Burp Pro REST APIs. … Should we pass the API documentation path/location in the URL parameter? … When I pass the URL of API documentation in URL field, a scan is triggered but the name of the scan is … "Crawl and Audit of ...." , whereas, if I initiate an API scan from the UI the name shown is "API scan
The Azure site is an API site
Could you please help me with performing API endpoint scan using Burp Suite Enterprise edition?
I can't readily identify a method with the current API to meet my desired goal.
Hello everyone,
I'm trying to export all scan results through Rest API (ID Scan, URL, Status - When
Burp extension, I noticed that data related to static analysis is not accessible using the Montoya API … But with the API, I only have access to the first HttpRequestResponse and I cannot retrieve any data … Do you plan to expose this data through the API?
Thank you in advance.
Is it possible to change a HttpHeader on the HttpRequestResponse selected via a ContextMenuEvent in a Repeater tab?
Hi,
I want to test my API using Burp suite pro. is there any way to test my API in Burppro.
Hi, I would like to know how Burp (licensed version) can be controlled using a remote API.
Burp's current API support is for in-process use only, and there isn't a remote/web API, sorry.
nice if the payloads get automatically loaded from custom file when invoking sendToIntruder method and API … method to disable URL encode these characters through API. … Thereby launching the attack through API
Sorry, no, the API doesn't currently expose WebSockets messages.
grow over a period of time and there is no option to clear the SiteMap and clear the Scan Queue from API … I think, one can clear few items from SiteMap thru UI, but not from API. … I hope there is a way to perform these thru API.
There's general information about testing a REST API here:
- https://support.portswigger.net/customer … /portal/articles/2898216-using-burp-to-test-a-rest-api
If you use an API client to generate valid
Hi,
I'm writing a custom logger extension using Montoya API.
But I want to see the documentation of rest api , how do I do that
I tried http://localhost:1337/v0.1 … /<key>/api-docs it does not work
Have you integrated Scan check builder through API?
I am trying to scan an API with Burp Suite Enterprise and I'm getting an error:
"Skipping API definition … Cause
Burp Scanner needs to be able to parse an API definition in order to scan it. … The API definition in question does have some external links, but only in description fields, e.g.: …
```yaml
info:
  title: SEER*API
  description: |
    SEER API is a RESTful Web service that supports various
```
I am trying to complete the first exercise in this lab and whenever I try to update the email I get the error - `undefined: Malformed URL: query only supported with GET (undefined)`
Is something wrong with my burp...
I found https://portswigger.net/burp/extender/api/burp/IScanIssue.html but there is no information regarding
In the Burp extender API when retrieving the selected messages from the proxy history, I don't see any
But is there a way to do it from plugin API ? … I'm looking at potential API https://portswigger.net/Burp/extender/api/burp/IHttpRequestResponse.html
Hi folks,
I am currently trying to learn the Burp Extensibility API using this example (in Java);
Burp Suite Professional v2020.8.1
Steps to reproduce:
1. Start Burp Suite Pro
2. Launch new scan in the GUI
3. Poll scan status with HTTP GET https://127.0.0.1:1337/v0.1/$taskID
--> Scan status poll fails with HTTP...
Hi Team,
If I wanted to send a header or body (JSON) or any parameter with an API to test, is it possible
The REST API fulfills my needs, thank you!
So, I am using GraphQL API provided for BurpSuite Enterprise. … However, to test my API Key and I called both REST API and GraphQL API. … My API works when calling REST API at webserverURL/api/myapikey. … (FYI, I have included my API key using Authorization header in Postman i.e key = api_key and value= ** … I tried using POST Request to the GraphQL API, which returned 401 unauthorized message.
Hi Team,
I'm trying to pentest REST API collection from Postman. … intercept Burp Request & Response, Request is successfully intercepted; however while intercepting API … When Burp proxy is removed, I'm receiving successful response from API.
Please help.
testing burp enterprise since a couple of days and I'm surprised I can't retrieve the site map through the API
the meta information (timestamp, IP, etc.) for each request/response interaction from the Extender API … Currently, the getProxyHistory() (see https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html
headless-burp are old and have deprecation issues, I am making my own extension for this with the new Montoya API … https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/scanner/Crawl.html … Is there any workaround for this or is this problem simply impossible with the Montoya API?
I want to customize a scan, using burp pro API and run it.
multiple HTTP req to intruder with positions marked using sendToIntruder() method in burp Extender API
Can Hotkeys under Misc options be changed using API?
Could the API be adjusted to allow extenders to have the information, if request is coming from Macros
I only saw get methods for cookies, there's no set or remove methods.
Hi,
We are trying to do Burp Scan using API (We use BurpSuite Professional).
Would be interesting to delete completed from REST API..
Hi, I'm attempting to automate Burp licensing and run Burp with the REST API in headless mode via a Docker … I've also noticed that the REST API does not appear to come online within the container, even after successful … 2/ Which method is the intended way to license an automated Burp, and get Burp REST API up within the
Hi, is there a way to do request/response on behalf of burp?
I see there is the IHttpListener.processHttpMessage that is called on request and on response , but this only seems to adapt the HTTP request/response, but it...
how to test api security testing using burp suite? … is there any way to automate api testing with burp?
https://forum.portswigger.net/thread/extender-api-callback-on-active-scan-completed-8dd0bebf
The /api route, which apparently solved the lab, doesn't exist.
Hi Hardik
Are you trying to scan an API? … Burp is not able to scan an API automatically, and you will need to manually crawl followed by "Audit … You can find out more here:
- https://portswigger.net/support/using-burp-to-enumerate-a-rest-api
- https … ://portswigger.net/support/using-burp-to-test-a-rest-api
Hi,
I wanna create a scan using the REST API and add it to a certain directory in the Burp Enterprise
If I initiate a scan using Burp POST REST API, I see even number (scan / task_id) as a part of HTTP response … location header but if I initiate a scan using GraphQL API, I see odd number (and wrong scan id) in
Hi!
I'm experiencing an issue with edited HTTP Responses and Burp Suite extensions.
I'm working on an application that signs HTTP requests and responses. I created a Burp Suite extension that resign request and...
When crawl scanning APIs with Burp crawler it cannot find any endpoint.
for instance If I select the https://api.example.com from the target sitemap and scan crawl it. Then it will find no endpoints.
Hello, I have a project where i should automate pentests on REST APIs so using the BURP REST API with
Hello
Is there some api support to toggle http request? … toggle method from GET and POST, is there some one support toggle param to multipart param in montoya api
Hi,
when I start API Scan and have the session handling rule "Use cookies from Burp's cookie jar"
Please, add this features.
1) Add creation of a scheduled scan through api
2) Auto creating jira … level of criticality and the choice of the jira project, depending on the url or name scan. also do for api
If you have a look at our Extender API documentation https://portswigger.net/burp/extender/api/
The
Are you using Burp's REST API with Burp Suite Professional?
We also use OAuth2.0 for API authorization.
Before there was an API scan, I would do some manual testing on APIs and then run the API through scanner … Now I see there is an option for API scan or Web app scan but what is the difference? … Does API scan just not crawl as to only scan the specific API? … I noticed the API scan makes you use a certain format, does that allow BURP to better locate injection … Just trying to see if I should use API Scan or just stay with the Web App scan.
Is there an API function that can be called to check if an URL is in scope?
Hi,
I have initiated the burp suite API in Headless mode "java -Xmx4G -Djava.awt.headless=true -jar
You should be able to use the REST API:
- https://security.stackexchange.com/questions/178815/using-burp-rest-api-how-do-i-log-into-my-web-application-in-order-to-scan-for-v
Hi there,
I'm developing a new extension using the Montoya API.
When I try to run an API scan (New scan > API scan) I encounter the problem that there is no tab "Parameters … " in "API details" (New scan > API scan > API details > Parameters).