Search Forum – PortSwigger

How can I "Observe that the response contains your role ID."

server response, for me, contains the following JSON: { "username": "wiener", "email": "test@hotmail.com … I can then resend the POST request with the following JSON included in the body: {"email":"test@hotmail.com

Get the Free Community Burp Suite Software to Run

chr892@hotmail.com

my burp suite profsional desnt

omanrich87@hotmail.com

Lab: CSRF where token is duplicated in cookie

web-security-academy.net/my-account/change-email" method="POST"> <input type="hidden" name="email" value="test2@hotmail.com

CI/CD API scan using REST API (native API)

Want to know how can that be achieved using the Burp's native API.

AWS API

Would it be best to create an API for the http requests coming from the web application?

API Scanning

Hi Team, I am unable to find configurations for API scanning I think its not available for trial version

Spider api

burpsuite extension, I want to know if the spider crawl is complete and whether there is a relevant api … Whether burpsuite should add more api

API Testing

Hi, I will need your help.I have a project that has to do with API pentest. How can Burp help me? … I was given a url and token for the API . … How can I connect to the API and test for vulnerability? Urgent please! Thank you

Burp Extender API and Montoya API

What is the different between Burp Extender API and Montoya API? … Can I use Burp Extender API from Montoyal API ?

Burp API

I want to automate BurpSuite scans using burp's REST API (https://portswigger.net/blog/burps-new-rest-api

API scan

How do Perform API's from Burp.

REST API

Hey Burp Team, having some issues with how the Burp Suite Enterprise Edition REST API functions. … However, my team sets up the site in BSEE either through the dashboard or using the GraphQL API endpoint … To have the REST API match the preconfigured site, the list of URLs and the site name must be exactly … Is there a roadmap to have the REST API endpoint optionally use the site ID to request a new scan? … Or move that functionality to the GraphQL API, which already leans into the ID functionality?

API PENTEST

While I am doing the rest api pentest, I manually enter the available variables from excel each time … or do you have easier method for rest api pentest? I think I explained it complicated. … POST /api/{variable1}?

API Scans

I trying to scan API in my environment, and I have a question.

WebSocket API

I'm dealing more and more with websockets: is there _any_ way to modify requests on the fly? I'm not afraid of writing a custom extension or fiddle with scripting my own tools. FWIW, if you provide some guidance, I could...

Burp API Useage

How Do I stop the scanner from running through API calls? … the spider but nothing to indicate if it has finished spidering or if it can be stopped through the api

Websockets API support

I'm running into wss more as we see the shift towards single page, media rich applications. As such, I often find the need to implement custom deserialization of binary websockets messages. It would be helpful if I could...

Rest API Scanning

Is there an anticipated timeline available for api scanning feature to be available in BurpSuite Enterprise

Testing Rest API

How API is verified by Burp as there exist a vulnerability or not?

API extensions

Hi, I wrote an extension some time ago, but abandoned it due to missing API functionality.

graphQL API

I maybe doing things the wrong way but I am trying to get all issues type of all scans with the API

API query

Hi, I have lots of powershell scripts calling the api (Graphql) and don't seem to see a way of linking … https://portswigger.net/burp/extensibility/enterprise/graphql-api/SiteTree.html Any help would be

REST API Functionality

Hi , I have been using the Burp Suite Enterprise Edition REST API. … Is there any API or possible way of accruing the SCAN ID by passing the projectname or sitename that … If not, can you help me figure how to get the SCAN ID from Jenkins and use it in the POST api for getting

Do you have any API ,other than the three mentioned in the API Documentation?

Montoya API enums

Hi, I was wondering if you could change the Montoya API enum classes. … Therefore, the entire API relies on something that is final and can't be extended.

Authenticated API Scan

How can I perform an authenticated API scan using the new API scanning functionality?

REST API Scanning

There seems to be no way to change these values to be more relevant to the API being tested, and adding … configure the scanner to remove parameters from the scan; *** Above all else, this is the issue that makes API … scanning next to useless as it currently stands*** 2) Some API requests are automatically deselected

Scope manipulation API

Is there a way to use these or any other API call to perform actions like those available on the GUI,

Using GraphQL API

I'm getting "unauthorized" message when using GraphQL API with Postman. … I'm using a valid API Key, but apparently, I'm not configuring it properly. … Could please let me know how to use API key on authorization header using Postman (or curl or httpie)

API Integration Options

Hi, I am currently evaluating the BS Enterprise Edition and have some questions about the various API … After looking at the GraphQL API, it seems very well documented and supported, however, I don't see the … Or is that something I can only do through the REST API and/or CI driver? … (b) Does the CI driver provide the same query operations that the GraphQL API offers, or does it only … support the same 3 operations that the REST API supports?

call graphql api

Hi dear, I wanted to call graphql api, but I have a problem in my code, I use .net 6.0. … When I called the api from PostMan everything's are OK, but when I call it from my code the response

modifications visible in the proxy

Please see the API documentation: https://portswigger.net/burp/extender/api/burp/IInterceptedProxyMessage.html

content discovery API access?

agent's response: "There isn’t currently any way to use Burp’s own Content Discovery feature via the API

Provision for API testing

Is there any provision for API Testing in Burp ?

Can u test SOAP / REST API using Burp suite only ?

Can we test SOAP / REST API using Burp suite only ?

Audit a REST API

There's a way to audit a rest API with Burp enterprise using the swagger file like with OpenAPI Parser

Extending REST API functionality

would are now developing some web interface in which we can feed urls and send them to to Burp REST API … We think that the API should and needs to be extended for better functionality like adding the following

BurpSuite Pro REST API

is it possible to use the GET /SCAN/[task_id] to obtain information on a running "live audit". id like to know details like how many requests it is making currently, how many queued, how many issues found etc. i can see...

Finding Sensitive API Keys

While reviewing a site, I noticed that some API keys, including NREUM and Bootstrap are exposed. … How do I know if this exposed information is critical enough to report (Any suggestions on general API

Extender API broken link

Download the Burp Extender interface files" but that points to https://portswigger.net/burp/extender/api

Burp Enterprise API scan

Hi, I just wanted to know whether Burp enterprise has API scanning facility ?

Extension API for WebSocket

Are these kind of API currently in your Roadmap? Thank you! Federico

Burp Suite Pro - API

Hi, Is it possible to make use of API to perform some tasks with the Burp Suite Pro?

problem with API scanning

Burp Suite Professional still can't crawl the API endpoint on my target site.

API scanning using dastardly

I am unable to scan api endpoint using api defination. … :13.0237514Z 2023-08-20 12:50:13 INFO dastardly.EventLogPrinter - Aug 20 2023 12:50:10 DEBUG Found API

Extender API Parameters

https://portswigger.net/burp/extender/api/allclasses-noframe.html

Call GraphQL API

I'm having trouble calling GraphQL API on our Enterprise BurpSuite server. … For example, our burpsuite enterprise URL is http://<BURPURL> I tried calling ScanReport GraphQL API … via Postman as follows: Endpoint: http://<BURPURL> Headers: "Authorization:<API KEY MY ADMIN SENT

Montoya API NoSuchMethodError

MenuItem.basicMenuItem("# of added columns"); I'm using last version of Burp Professional and last version of Montoya API

Can We Implement a "Create New Group" API to the Montoya API?

I'm currently working on a Burp extension that uses the Montoya API. … requests to the Burp Repeater, and it would be great if I could create a new tab group using the Montoya API … Do you have any plans to extend the Montoya API in the near future?

rest api document inquiry

Is there a rest api for automation? If it exists, please provide api documentation or link.

Crawler API for Burp

I am looking at https://portswigger.net/burp/extender/api/, but only find doActiveScan and doPassiveScan … Does Burp Extender API have a way to configure crawler and start it?

API Rest BURP PRO

We are automating the scan of launch URLs from the API point and we noticed the following behavior. … 1 - launch scan API curl -vgw "\n" -X POST 'http://XXX.xxx.xxx.xx:91/APIKEY/v0.1/scan' -d '{"urls"

Burp API Hostname Resolution

James Kettle mentioned that the extension uses the burp API and does not explicitly do a hostname check

REST API - Crawl Only

Hi Burp Team, I would like two additional REST API endpoints that support crawl only functionality

Initiating scans through API

Hi, Every scan initiated via Burp's API initiates a crawling and auditing stage.

Burp REST API scanning

Hello, Is there a way to use Burp PRO's REST API to scan all URLs in an existing sitemap?

Regarding Rest API working

are available for use and also we are trying to setup scan scheduling and adding sites using REST API

Testing WEB API connection

HELLO DEARS, I need to test an authenticated WEB API, through a header "AUTORIZATION" + <STRING OF 30 … So, how could I configure the authorization code so that the API can be tested?

API Rest withou GUI

have installed burp PRO on an Ubuntu server I didn't find a way to include a key to access the REST Api … with GUI access and tried to use the UserConfigPro.json file on the Ubuntu server, without success the api

No API key provided

I'm trying to use the browser in burp suite but I'm getting this error: {"apiKey":"no api key provided

v2.0.x Extender API iScanQueueItem.getPercentageComplete() does not work

While testing https://github.com/vmware/burp-rest-api/, we realized that there is a bug in the Burp Extender … API iScanQueueItem.getPercentageComplete() for Burp Professional v2.x (beta). … Please see https://github.com/vmware/burp-rest-api/issues/80 for the original bug.

You can browse the API documentation at [Service URL]/[API key]. … - https://portswigger.net/blog/burps-new-rest-api

I am talking about the ***Extender API*** https://portswigger.net/burp/extender/api/index.html Is … there a Javadoc of the new Extender API since it's not 100% compatible with previous versions?

Extender API JavaDoc is Down

Hello, The Burp Extender API JavaDoc link (https://portswigger.net/burp/extender/api/index.html) currently

Get Spider Status thru API

I don't think, there is a way we can get the status of Spider tool thru API.

API documentation for evidence types

Hi, I'm trying to write a script that can parse the json output of a scan from the rest API (Professional

Scan API with BurpSuite Pro

Hi, How i can scan an API with the Pro edition?

Turn on REST API headless

Hey, I am using the latest version of Burp Pro (jar) and I would like to use the API. … I need to turn on the API and make an API key while headless. … I tried to run the same jar on a machine that has a GUI and enabling the API there and created an API … it looks kinda like this: { "user_options":{ "misc":{ "api":{ … When performing running Burp this way on the machine that does have a GUI (and where the API is already

API Scanning with Burp Enterprise

Hello, I would like to scan APIs with Burp Enterprise. I have the relevant OpenAPI specs as files (JSON or YAML). However, it is unclear how I can leverage them to configure my scans, and I cannot find a clear...

SQLMap API is NOT running

I'm trying to use the SQLiPy extension but Burp won't recognize that the API is running. … When I try to start the API through the interface, nothing happens. … When I start the API through the CLI with "python sqlmapapi.py -s -H 127.0.0.1 -p 9090" it successfully … runs but Burpsuite still says that the API is NOT running.

Hidden API for IHttpRequestResponse objects?

Hello, I found a suprising behavior in the Extender API (using Jython). … Given the API documentation (both online http://portswigger.net/burp/extender/api/burp/IHttpRequestResponse.html

Stop scanning form API call

Hi, Is there any API to stop scanning and start scanning.

Burp REST API - capturing traffic

Hi, in my experience, launching an active scan on valid dataset from Proxy is the best approach. We have regular releases, triggering test packs for changed functionality which can be routed through Burp Suite. So far, we...

Scanning application - Angular 11 (frontend) and Spring Boot (backend)

My API is token secured (). Can Burp Suite scan a secured API?

Collaborator Token definition & "API" Access

Provide an official "API" to access the collaborator subdomains (Like the "Poll now", but also for a

Creating Folder using GraphQL Api

I'm having a trouble creating a folder using the graphql api, I'm using the following query : mutation

Can't Access Extensibility API documentation

I can open https://portswigger.net/burp/extender/api/index.html but whichever link I click on this page

Sending Request using Montoya API

Hi Guys, Sending requests using the Montoya API based on examples is to use the following : `

REST API - OAuth 2.0

How do I capture the OAuth 2.0 information when performing the REST API security testing in Enterprise

Test a REST API

Hi Team simple question how to test rest API in burp.There is any way step how to test it in Burp.?

SWAGGER FOR API INTEGRATION

Hello everyone, We are integrating Burp Enterprise with our Jira. Where can I find Swagger's path so we can analyze it? Best Regards,

reset progress of api

hello portswigger team reset my progress of api testing

Montoya API Scanner Examples

I'm trying to build an extension that reads results from the BurpSuite Pro scanner using the Montoya API

Expose class/method/functions of burp extension via rest api in python

The VMware REST API exposes the Extender API functionality at a web endpoint. … You can find the Extender API documentation online here: https://portswigger.net/burp/extender/api/

Burp-Enterprise REST-API: Creating a Folder,Sub-folders and Site through REST-API endpoints.

Hi, I was looking for REST-API endpoints to create a Folder, Sub-folders and new site.

Burp-Enterprise REST-API: Creating a Folder,Sub-folders and Site through REST-API endpoints.

Hi, I was looking for REST-API endpoints to create a Folder, Sub-folders and new site.

API Support for repeater & Sequencer

http://forum.portswigger.net/thread/1117/api-sequencer As per your response for API support for Sequencer … On a Similar note, do you have a roadmap to support the the 'Go' action in BURP API?

Resume the Scanner thru API

understanding is, even though Spider is paused, it starts running upon calling sendToSpider() method from API

Burp API Javadoc not accessible

I noticed that the javadoc for the Burp API is no longer accessible. … https://portswigger.net/burp/extender/api/

Burp new rest api feature

Hi, I am trying to use rest api feature on my professional.

BURP api is not working

Hi Team, I have generated api key and keeping http://127.0.0.1:1337 service running in useroption … http://127.0.0.1:1337/v0.1/ it is working fine but When i am trying to http://127.0.0.1:1337/<your API

Montoya API Burp HTTP Request

Usually, I would use a PrintWriter, but how can I do this with this API?

how to Scan API website

Hi Team I want to Scan My API website, but it inform "No valid server URLs found.

Burp 2.0 Rest API documentation

Where can I get detailed documentation of the Burp 2.0 Rest API (https://portswigger.net/blog/burps-new-rest-api … The above API call do not seem to return any task-id that I can see. … supplies the task-id to get the status or results of the scan using the GET '/scan/[task_id: string]' API … What does one specify an API key and where to obtain one? … Assuming it is not desirable to not enable "Allow access without an API key" setting.

Burp Pro API Scan Error

We start Burp and REST API Service 2.POST a scan to url "https://example.com" 3.We GET the issues from

Enterprise API Custom Configuration Failure

When I create a custom configuration I am unable to use the Custom Configuration with the API to execute … The call is "curl -vgw "\n" -x POST 'https://[myburpscanner]:8443/api/[user api key]/v0.1/scan' -d '{

Getting scan results from API

The API works nice, besides that I supposed that using API I will be able to get scan results that were

API to get repeater history

Hi, we want API to get repeater history. … Though burp API provides proxy history API (getProxyHistory), there is no repeater history API. … If there is an API to get repeater history, it is really helpful for us to get the all repeater requests … there is a same feature requests in Logger++ extension, but they can't do because there is no burp API

API to get repeater history

Hi, we want API to get repeater history. … Though burp API provides proxy history API (getProxyHistory), there is no repeater history API. … If there is an API to get repeater history, it is really helpful for us to get the all repeater requests … there is a same feature requests in Logger++ extension, but they can't do because there is no burp API

Get scope list

I am using java api

Montoya API - Custom Scanner Check

Thanks for creating a new Burp Extension API, I am testing the new Montoya API to create a plugin with

Burp Extension/API DOM Checks

When Burp performs DOM-based scanning, is it possible to utilize the API to extend the scanning to identify

Python GraphQL API -- No Response

Hey BurpSuite, I've been attempting to test some python code to interact with the GraphQL API and

Extend API Functionality (Stream Proxy + WebSocket)

Hi, I want to write new extensions for BurpSuite, For one of them i need To Set Stream Proxy (PyMultitor), For the other one i need to see WebSocket Raw Sockets To Show And Fuzz Every Parameter.

Extender API for Custom OAST Servers

It would be really handy for testing if PortSwigger could add (or update) an Extender API to allow developers … Currently only the generation of payloads and polling is available in the IBurpCollaboratorClientContext API

Adding Discovery to the Montoya API

At the moment there's no Montoya API for the functionality I can find. … Are Discovery overrides on the current API roadmap?

API Testing using Postman Collection file

Is there any Burp Extension to run API Testing using Postman Collection file?

Disable pretty print through Burp Api?

Hello, is there any way to disable pretty print on IMessageEditorTab through Burp Api?

Documentation of the BURP rest API

Hi, We would like to obtain the documentation of the rest API for burp suite pro. … example, using the /v0.1/scan endpoint with a URL callback as parameter as described in the enterprise API

burteforce API endpoint that use encoding

Hello, i have request format like this POST /api/login HTTP/1.1 Host: www.domain.com Device_type

extension to the intruder api

Hi, I was wondering if you guys had any plans to bring an update to the burp-api, containing an extension … of the api for the intruder? … intruders "request-firing", "response-storing", "grep-extract from response" feature via the extension-api … E.g.: I get use an api call to define and start an intruderAttack. … Those in turn I can hand over to another api-call which uses the user-defineable "repsonse-patterns"

burp API inside a docker

Hello, I used the api from https://github.com/vmware/burp-rest-api, but i would like to switch to … the official burp rest api. … can see the port 8080 listening, but the port 1337 is not listening and so i cannot use the burp rest api

Enterprise REST API False Positives

When a finding is marked as a False Positive in the web ui, it is not updated in the API output. … finding marked as False Positive in the web ui but then it is still listed as a valid finding in the API … Can the API output be updated to respect the web ui findings? … Also, is there a switch for the scan progress API task to include/exclude False Positives like there

Run consecutive scans from API

Hi, I want to start scans from the API.

How do I scan API

Is there a way to scan APIs REST or other ?

setHTTPService API method appears broken

Hello, I have successfully created an HTTP request as such: httpService = self._helpers.buildHttpService("google.com", 80, False) requestResponse = self._callbacks.makeHttpRequest(httpService, message) When...

GraphQL API GetScan call failing

and I am trying to hit your GetScan (https://portswigger.net/burp/extensibility/enterprise/graphql-api

HTTP Request using Montoya API

I am trying to issue HTTP requests using the Montoya API with Swing Workers. … burpReq2 = new BurpHTTPRequest(http, host, path2); String response2 = burpReq2.call(); With the old API

SQLMap API is not running!

I'm trying to use the SQLipy extension but I am facing error as SQLMap API is not running. … When I try to start the API by clicking on the "Start API", nothing happens.

Rest API Internal Server Error

After a system reboot, the REST API suddenly stopped working. I'm using Burp Enterprise. … I can still start scans via the GUI, but all the API calls that used to work result in a 500 Internal … Also, when I go to localhost:8080/api/[apikey]/v0.1/scan, it gives an Internal Server Error. … When I use an invalid api key, it gives an Unahtorized, but with a valid api key, I get this internal … I've also tried regenerating the api key, but that didn't solve the problem.

support cli burp-rest-api

I use scanner api in curl commandline. I don't set header and request body. But its no working. … I use api /burp/scanner/scans/active scanner. … application/json' \ -d '{ "request": { "method": "POST", "url": "https://api.dl10.jp/api … username\":\"petabit\",\"password\":\"password\"}" } }' https://github.com/vmware/burp-rest-api

Expose intercept state for Burp API

I am currently developing a burp extension and would like to be able to check the state of the "Intercept" button in the proxy tab. I am able to turn on/off the interception but am not able to poll the state. Thanks

REST API Scanning Using Burp Enterprise

We understand that burp doesn't handle any authentication such as Oauth, and API key. … https://portswigger.net/burp/documentation/desktop/scanning/api-scanning Thanks Ranjith

How do I perform API scanning?

I have a Backend REST API application that I want to scan. … I am following the steps in https://portswigger.net/burp/documentation/desktop/automated-scanning/api-scans … It says "To run an API scan, click New scan > API scan on the Dashboard." … When I click on "New scan" on the dashboard, I do not see the "API scan" option at all.

Montoya API to list installed extensions?

Is there an api / method to list all installed extensions and their file locations? Thanks!

There is not a specific API for this in the Montoya API.

Montoya API Burp Extension Identifying Help

Is there a way or API class/method that I can turn this off when running my Extension? … can't seem to find any documentation on it via - https://portswigger.github.io/burp-extensions-montoya-api

Save Project File with BURP API

Is it possible to do this through the BURP API?

Restrict Sites on Burp Enterprise API

Name (top) - Site 1 - Site 2 Group 2 Name (top) - Site 1 - SIte 2 Yet when I call the API … to run the scan using their API key, I constantly get a 401.

Scan POST Parameter with REST API

Hi, I am currently testing the REST API of the Burpsuite Pro and trying to scan POST parameters.

Calling Burp GraphQL API on python

Hello, I seem to be having trouble making a simple query on the Burp Suite Enterprise GraphQL API. … ============================= burpEndpoint = '<Enterprise_server_url>/api/graphql/v1' apiToken =

Burp Extender API IContextMenuInvocation wrong Data

Hi There With the latest Version of Burp (2021.3.1) we have following issue: The IContextMenuInvocation Object passed to the createMenuItems Method of a IContextMenuFactory class holds the wrong request Object with...

how do i intercept API response

Hi, I am quite new to Burp I am trying to intercept API response could see reponse on encrypted

Burp Extension API - list available proxy interfaces

Will there be an interface built soon for the Burp API makes the proxy interfaces public?

Burp Rest API - Launch a simple crawling

Hey.. i'm trying to start a simple crawl WITHOUT AUDIT CHECKS. I've saved my crawl config in the Configuration Library named as crawling_1, then.. curl -vgw "\n" -X POST 'http://127.0.0.1:1337/xxxxxxx/v0.1/scan' -d...

Automated Scan and Auditing of REST API

endpoints we have needs to be provided with 2-4 headers) and invoke this scan using the native rest API … [because we did not find any way to configure any session rules via burps native rest API even if some

API Scan Parameters - changing the generated values

Hello I'm testing out the new API Scan functionality in the latest Burp Pro release and after converting … my authentication information (Bearer token) via the UI and I can see the Parameters for the various API … Is there a way to edit the Parameters when setting up a "New API scan" via the "API details" -> Parameters

Timings for Request/Responses

This information isn't currently available via the API, sorry. … When we next update the API in general, we will look into providing this information for all requests

how to send api request to burp to do repeater or intruder request once via api

Hello sorry for the bother, i have wrote extension to send api request to burp to scan url but can't

How do I export reports from Burp Enterprise?

There is no api on <http://host:port/api/apikey> that extract Html report for burp enterprise.

More Burp 2 Beta API Key Issues

When "Allow access without API key" is enabled if an invalid API key is used the API does not return … For example if a valid API key is "valid" and the API key "test" does not exist: GET http://127.0.0.1 … GET http://127.0.0.1:1337/test/v0.1/knowledge_base/issue_definitions will return: 400 "Invalid API … version" it should return: 401 "Unauthorized" If the "Allow access without an API key" option … is disabled the API will return: 401 "Unauthorized" for bad keys as expected.

Rest API scan bug when reopening project..

Hello, I'm launching the scan through the Rest API perfectly and I am able to use the endpoint /v0.1 … But when I close and reopen the burp/project, API stills working but now /v0.1/scan/3 returns {"type"

Scan API with Burp Suite Pro v2021.3.1

Hi, I saw this post (https://portswigger.net/blog/api-scanning-with-burp-suite) where it mentioned … I've tried OpenAPIParser where I can import an OpenAPI file and send the API collection to the Target

Burp suite enterprise API to download report

We are using burp enterprise and would like to know the option to export scan report using an API. … Please help us to provide API details to use extract report.

Error while sending request via Montoya API

Hi there, I am trying to send a request with the method sendRequest(); String body = "GET /vdp/helloworld HTTP/1.1\n" + "Host: sandbox.api.visa.com\n" + ...

API Scanning via Burp Suite Enterprise Cloud

Wondering about the API scanning abilities for Burp Suite Enterprise Cloud. … I see that sometime this year, "You’ll also be able to upload and scan API specifications with authentication

How do I automate Active Scanning

This API will do what you need: https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html

API proxy show as edited request

Using the "processHttpMessage" method I'm able to edit a request. How can I make this changed request show up in the proxy as an edited request (just like when a request is edited with proxy intercept)?

Regarding REST API and Community Edition

Hello Support, If we upgrade to Burp Suite Professional 2.0 will we be able to access REST APIs or do we need to pay for that service. Also what is the difference between Professional and community Edition apart from...

Burp 2 Beta API key issues

When the Burp 2 REST API is enabled and the "Allow access without an API key" option is enabled and there … is an API key added it is not possible to use the API key to make API calls. … For example this: http://127.0.0.1:1337/<api key>/v0.1/ will give me an "Invalid API version" error … What I expect to happen is that the API keys that exist should work and I can also call the APIs without

API to download Burp Suite Enterprise

Hi, Have you a API for download a relese of Burp Suite?

What is the GraphQL API endpoint

Hello Support, What is the GraphQL API endpoint for BurpSuite Enterprise?

Burp Enterprise Report export using Api

How do I download a latest scan report using a grapql api Without using the scan I'd.

Issue_events not working in burp API

Hi Team, Why i am not getting any data in issue events? Below is the response of CURL command (curl -vgw "\n" -X GET 'http://ipadd/myapikey/v0.1/scan/41' ) which i am using to get the scan results: { "task_id":...

Burp Suite Enterprise REST API Scanning

Hi, We are attempting to use Enterprise's REST API Scanning feature. … least have a "forced" mode, where the OpenAPI discovery occurs and the scan is done even if the REST API … What is the timeline/roadmap for fully supporting Rest API scanning without limitations?

Creating new WebSocket via Montoya API?

Hello, I am excited to see the Montoya API now adds support for WebSockets and I am trying to create … Is it possible to do this using the new API or is this limited to WebSockets opened through the proxy

Handling multipart requests with Montoya API

Is there an example of how to handle multipart parameters in Montoya API?

burp command line

I using the burp-rest-api (from https://github.com/vmware/burp-rest-api) in centOS server and set http_proxy … such as when I set proxy and use "git clone https://github.com/vmware/burp-rest-api" it shows: Peer's

Scan Configuration

I have looked at the Rest API and It has scan submission API(post) with scan configuration.But I'm looking … byte[] request, java.util.List<int[]> insertionPointOffsets)) which seems not possible through Rest API

Burp 2 send base request

This isn't possible through the REST API at present. … It is possible through the Extender API, using callbacks.doActiveScan.

Identify scanning threads using the Extender API

If so, can I manage the creation of these threads using the API? Any insight/help is appreciated.

Burp 2.0 beta scan_status REST API issue

I created a new scan through the new REST API and then checked the status after the scan was complete … The task in the dashboard says 'Finished' with eight requests and eight errors but the REST API returns

Need help with new Burp REST API

How to initiate a scan with burp REST API for "Audit Selected Items".

Burp XML Parser Functionality in Extender API

from the proprietary XML parser could be added to the IExtensionHelpers class in the Burp Extender API

Active scan on API with HTTP/2

Is there any way to perform active scans on an API for a server that uses HTTP2 only?

Extender API to add additional Decoder algorithms

My feature request is to extend the "Extender API" to support custom "Decoder" algorithms.

Burp 2.0 beta REST API key issue

When creating a new scan with an API key: POST http://127.0.0.1:1337/<key>/v0.1/scan ... … It is not possible to retreive the task without the API key if the 'Allow access without API key' option … If you create a scan without an API key: POST http://127.0.0.1:1337/v0.1/scan It is not possible … to retrieve the task with an API key GET http://127.0.0.1:1337/<key>/v0.1/scan/4 400 Bad request … Most likely it comes down to having the API key in the URL and perhaps this is by design but it

Active Scan issues in BURP REST API

Hi Team, I tried scanning a web application using Burp. I have used: Audit coverage - thorough Configuration. While entering the scope URLs, in the Advanced Scope category, I have put some URLs in the "include URL...

API to modify configuration of scanner via extension

It would be very useful to have API to modify the configuration of the scanner via an extension to run

Get local path of burp file via API

An API call would be preferred. I wasn't able to find an API call that met this need.

How to run active scan from burp command line for burp 2.1

Have you tried using the new REST API: - https://portswigger.net/blog/burps-new-rest-api The extension

Filter requests in Target Sitemap.

Yes, I want to use Burp REST API.

You can find information on the Burp REST API here: https://portswigger.net/blog/burps-new-rest-api

Using API to run scan against a target

Hi, Im trying to run a scan against a test target. First time i scan, everything is ok. But the second time i scan it, it does not show results. If i run a scan against a different target and again run against first...

Burp API does not include the extension report

Hello everyone, I tried the burp-rest-API on testphp.vulnweb.com but I notice that the API issues report … c9fb79369b56407792a7104e3c4352fb I can't find any security issues from this Extention in the burp API … /scan/{ID} endpoint but it gives me 2 results from it in the burp UI, is burp API doesn't allow to include

Burp API does not include the all issues

Hello, I'm trying to scan testphp.vulnweb.com through the Burpsuite REST-API but I notice that the issues … results in the API is 165 but in the UI is more than 300

How do I scan an OpenAPI 3.0 API?

trying to follow the meager information at https://portswigger.net/burp/documentation/desktop/scanning/api-scanning … in order to scan a REST API (I have the API definition file on disk). … "Note If you prefer, you can disable API scanning by deselecting the Parse API definitions crawl option

Is there API documention for Burp Suite Professional?

I was able to find APi documentation for Burp Suite Enterprise Edition- can I reference that doc for … Or does Burp Suite Pro not have an API?

Burp API Support for Selecting Active Scanning Areas

Hi There, I was looking through the API and I couldn't find support for passing in values for Active … openRedirection headerManipulation serverLevelIssues While the GUI allows this, I am unsure if the API

Update Header in Session Handling/Macros

+1 - Would be very useful for API testing

Enterprise - Generic CI Driver - Expected 101 when negotiating websocket

Yes without the /api/ part resolved my issue.

Extension API processHttpMessage does not honor set* methods

Hi there, At least version 2020.2.1 broke the processHttpMessage extender API. … According to the "processHttpMessage" documentation on https://portswigger.net/burp/extender/api/burp … Please please please create UnitTests for the API. … _helpers = callbacks.getHelpers() callbacks.setExtensionName("Stop breaking the Extender API … ") callbacks.registerHttpListener(self) print("Stop breaking the Extender API!")

Do BurpSuite have a API Vulnerability Scanning Feature

I would like know if Burpsuite have a API Vulnerability Scanning feature and on the other does enterprise

[Burp Enterprise GraphQL API] Sort Issues in scans

Hi, I'm working with the Burp Enterprise Graphql API, and I can't figure out how to do proper pagination … According to the documentation (https://portswigger.net/burp/extensibility/enterprise/graphql-api/scan.html

REST API. After Scan: Task ID not found

Hello, Burp Suite Professional 2022.7.1 While accessing the Burp Rest API http://127.0.0.1:1337

MontoyaAPI v2023.12.1 Invalid URL Exception in includeInScope API

Hello, many thanks to your efforts on the cool Montoya API. … I'm using a MontoyaAPI v2023.12.1 (net.portswigger.burp.extensions:montoya-api:2023.12.1) with a BurpSuite … My custom extension uses Scope.includeInScope API[1] to include some URL in the target scope as below … : ```kt api.scope().includeInScope("https://example.com") // where `api` is the argument of `initialize … [1] https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/scope/Scope.html

Initiating API scans using Burp Pro REST APIs

Can anyone help me on how to initiate API scans using Burp Pro REST APIs. … Should we pass the API documentation path/location in the URL parameter? … When I pass the URL of API documentation in URL field, a scan is triggered but the name of the scan is … "Crawl and Audit of ...." , whereas, if i initiate an API scan from the UI the name shown is "API scan

login fails using Burp - site authenticates another site in azure

The Azure site is an API site

Burp Suite Enterprise edition - API endpoint scan

Could you please help me with performing API endpoint scan using Burp Suite Enterprise edition?

Extender API -- Callback on active scan completed

I can't readily identify a method with the current API to meet my desired goal.

EXTRACT ALL SCANS STATUS IN REST API

Hello everyone, I'm trying to export all scan results through Rest API (ID Scan, URL, Status - When

Static analysis data exposed through Montoya API

Burp extension, I noticed that data related to static analysis is not accessible using the Montoya API … But with the API, I only have access to the first HttpRequestResponse and I cannot retrieve any data … Do you plan to expose this data through the API? Thank you in advance.

Montoya API: Update HttpHeader in Repeater Tab

Is it possible to change a HttpHeader on the HttpRequestResponse selected via a ContextMenuEvent in a Reapeater tab?

What are the security test mandatory for webservices (Rest API)

Hi, I want to test my API using Burp suite pro. is there any way to test my API in Burppro.

API support for controlling from remote automation framework

Hi, I would like to know how Burrp (licensed version) can be controlled using an remote API..

Burp's current API support is for in-process use only, and there isn't a remote/web API, sorry.

disable Payload encoding and auto load payloads through API

nice if the payloads get automatically loaded from custom file when invoking sendToIntruder method and API … method to disable URL encode these characters through API. … Thereby launching the attack through API

replace text in websocket operations

Sorry, no, the API doesn't currently expose WebSockets messages.

Clear the Scan Queue and Site Map from API

grow over a period of time and there is no option to clear the SiteMap and clear the Scan Queue from API … I think, one can clear few items from SiteMap thru UI, but not from API. … I hope there is a way to perform these thru API.

How to scan Rest Api that is using authentication token

There's general information about testing a REST API here: - https://support.portswigger.net/customer … /portal/articles/2898216-using-burp-to-test-a-rest-api If you use an API client to generate valid

Burp Extension to call other extension using Montoya API

Hi, I'm writing a custom logger extension using Montoya API.

How to see the documentation of rest api

But I want to see the documentation of rest api , how do I do that I tried http://localhost:1337/v0.1 … /<key>/api-docs it does not work

Add custom XSS Payloads in Scanner

Have you integrated Scan check builder through API?

External links in description fields of API definition

I am trying to scan an API with Burp Suite Enterprise and I'm getting an error: "Skipping API definition … Cause Burp Scanner needs to be able to parse an API definition in order to scan it. … The API definition in question does have some external links, but only in description fields, e.g.: … info: title: SEER*API description: | SEER API is a RESTful Web service that supports various

Exploiting an API endpoint using documentation Lab Trouble

I am trying to complete the first exercise in this lab and whenever I try to update the email I get the error - `undefined: Malformed URL: query only supported with GET (undefined)` Is something wrong with my burp...

Extender API no method to get Issue references

I found https://portswigger.net/burp/extender/api/burp/IScanIssue.html but there is no information regarding

Burp API - IContextMenuInvocation - Modified request/response access/hinting

In the Burp extender API when retrieving the selected messages from the proxy history, I don't see any

API function to change Response on the fly

But is there a way to do it from plugin API ? … I'm looking at potential API https://portswigger.net/Burp/extender/api/burp/IHttpRequestResponse.html

Auditing not calling doActiveScan(...) method via Extensibility API

Hi folks, I am currently trying to learn the Burp Extensibility API using this example (in Java);

REST API. After Scan: Task ID not found

Burp Suite Profesional v2020.8.1 Steps to reproduce: 1. Start Burp Suite Pro 2. Launch new scan in the GUI 3. Poll scan status with HTTP GET https://127.0.0.1:1337/v0.1/$taskID --> Scan status poll fails with HTTP...

Burp Enterprise : API Scanning with headers and Body

Hi Team, If i wanted to send a header or body(json) or any parameter with an API to test, Is it Possible

Automatically starting a preconfigured scan

The REST API fulfills my needs, thank you!

Getting 401 Unauthorized while using Graphql API call

So, i am using GraphQL API provided for BurpSuite Enterprise. … However, to test my API Key and i called both Rest API and GrapghQL API. … My API works when calling REST api at webserverURL/api/myapikey. … (FYI,I have included my API key using Authorization header in Postman i.e key = api_key and value= ** … I tried using POST Request to the graphql Api, which returned 401 unauthorized message.

Connection Reset / Communication Error - While Intercepting API Response

Hi Team, I'm trying to pentest REST API collection from Postman. … intercept Burp Request & Response, Request is successfully intercepted; however while intercepting API … When Burp proxy is removed, I'm receiving successful response from API. Please help.

Are the crawled webpages retrievable through the API ?

testing burp enterprise since a couple of days and I'm suprise I can't retrieve the site map through the API

Expose Proxy History Meta Information for Extender API

the meta information (timestamp, IP, etc.) for each request/response interaction from the Extender API … Currently, the getProxyHistory() (see https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html

Crawl.statusMessage in Montoya API is "Not yet implemented"

headless-burp are old and have deprecation issues, I am making my own extension for this with the new Montoya API … https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/scanner/Crawl.html … Is there any workaround for this or is this problem simply impossible with the Montoya API?

Customize a scan via the Burp Pro API

I want to customize a scan, using burp pro API and run it.

java.net.socket Exception when configuring intruder through Burp Extender API

multiple HTTP req to intruder with positions marked using sendToIntruder() method in burp Extender API

How do I send keyboard interrupts like CTRL +R for send to repeater through burp extender API

Can Hotkeys under Misc options be changed using API?

API to allow for distinguishing traffic requested by Macros

Could the API be adjusted to allow extenders to have the information, if request is coming from Macros

How to update and remove cookies through Burp API

I only saw get methods for cookies, there's no set or remove methods.

Start a Burp Suite Scan through an API call

Hi, We are trying to do Burp Scan using API (We use BurpSuite Professional).

Delete multiple tasks scanning

Would be interesting to delete completed from REST API..

Automating Burp Pro - docker issues (Activation & REST API availability)

Hi, I'm attempting to automate Burp licensing and run Burp with the REST API in headless mode via a Docker … I've also noticed that the REST API does not appear to come online within the container, even after successful … 2/ Which method is the intended way to license an automated Burp, and get Burp REST API up within the

Extender API: do request/response on behalf of Burp

Hi, is there a way to do request/response on behalf of burp? I see there is the IHttpListener.processHttpMessage that is called on request and on response , but this only seems to adapt the HTTP request/response, but it...

how to test api security testing using burp suite ?

how to test api security testing using burp suite ? … there is any way to automated api testing with burp ?

Extender API -- How to get a Scan complete flag ?

https://forum.portswigger.net/thread/extender-api-callback-on-active-scan-completed-8dd0bebf

Issue with Lab: Exploiting an API endpoint using documentation

The /api route, which apparently solved the lab, doesn't exist.

Unable to scan all Urls of site map at once

Hi Hardik Are you trying to scan an API? … Burp is not able to scan an API automatically, and you will need to manually crawl followed by "Audit … You can find out more here: - https://portswigger.net/support/using-burp-to-enumerate-a-rest-api - https … ://portswigger.net/support/using-burp-to-test-a-rest-api

Burp Enterprise: Set Folder Destination in API Request

Hi, I wanna create a scan using the REST API and add it to a certain directory in the Burp Enterprise

Different scan ID from REST vs GraphQL API

If I initiate a scan using Burp POST REST API, I see even number (scan / task_id) as a part of HTTP response … location header but if I initiate a scan using GraphQL API, I see odd number (and wrong scan id) in

Extension API on edited HTTP Responses (IHttpListener, IProxyListener)

Hi! I'm experiencing an issue with edited HTTP Responses and Burp Suite extensions. I'm working on an application that signs HTTP requests and responses. I created a Burp Suite extension that resign request and...

Burp crawler not finding endpoint on api sites

When crawl scanning APIs with Burp crawler it cannot find any endpoint. for instance If I select the https://api.example.com from the target sitemap and scan crawl it. Then it will find no endpoints.

Configure authorization headers to test REST API endpoints

Hello, I have a project where i should automate pentests on REST APIs so using the BURP REST API with

api to toggle request method and body encoding

Hello Is there some api support to toggle http request? … toggle method from GET and POST，is there some one support toggle param to mutipart param in montoya api

API Scan, use cookies from cookie.jar not working

Hi, when I start API Scan and have the session handling rule "Use cookies from Burp's cookie jar"

Add scheduled scan through api and auto creating jira tasks

Please, add this features. 1) Add creation of a scheduled scan through api 2) Auto creating jira … level of criticality and the choice of the jira project, depending on the url or name scan. also do for api

Extract a single value from each response

If you have a look at our Extender API documentation https://portswigger.net/burp/extender/api/ The

How to trigger existing scan

Are you using Burp's REST API with Burp Suite Professional?

How can test various API methods with Burp Suite Enterprise

We also use OAuth2.0 for API authorization.

Does API Scan do anything different than just using scanner?

Before there was an API scan, I would do some manual testing on APIs and then run the API through scanner … Now I see there is an option for API scan or Web app scan but what is the difference? … Does API scan just not crawl as to only scan the specific API? … I noticed the API scan makes you use a certain format, does that allow BURP to better locate injection … Just trying to see if I should use API Scan or just stay with the Web App scan.