Burp Suite User Forum


Add OAuth2 Support for Burp Professional Edition or else

Sylvain | Last updated: Dec 03, 2021 05:39PM UTC

Hi everyone, I've seen that "OAuth" is not on your "prior list" and I don't understand why. Everything is an API at the moment, it should be on your prior list to add this feature. Actually I need to test 2 private APIs to audit them, and I can't do it directly using Postman, and then the crawler of Burp, because I can't specify my OAuth2 credentials. It's too bad, we will have to add the frontend layer in order to test our API. Regards

Uthman, PortSwigger Agent | Last updated: Dec 06, 2021 09:47AM UTC

Simon | Last updated: Jun 21, 2022 09:18AM UTC

+1 for this request. For APIs, recording does not work.

Hannah, PortSwigger Agent | Last updated: Jun 22, 2022 01:42PM UTC

Have you had a look in the BApp Store for any extensions that might help? You can find the BApp Store in Burp by going to "Extender > BApp Store" or online here: https://portswigger.net/bappstore

Peter | Last updated: Oct 19, 2022 03:02PM UTC

"For APIs recording does not work" I do not understand why PortSwigger is not implementing direct specification of OAuth2/OIDC authentication, since the beginning of bringing out BurpSuite Enterprise. The whole world is using this authentication mechanism for RESTful services and web applications; it is the de-facto standard and everybody needs it. I just tried the API recording in the current version again and it did not work and failed at the very beginning. If it works that might be cool, but if it doesn't there is no easy way to work around this automatic recording, and then the product is useless.

Peter | Last updated: Oct 19, 2022 03:06PM UTC

And I would like to add that the recording does not help for testing service-to-service authentication with the OAuth2 client credential flow either, because there is no UI, no browser. So we need real direct per-configuration OAuth2/OIDC support, or many, many companies will not be able to make use of BurpSuite Enterprise.

Hannah, PortSwigger Agent | Last updated: Oct 20, 2022 09:49AM UTC

Hi, are you using Burp Suite Enterprise Edition or Burp Suite Professional? If you're using Pro, does the extension "OAuth2 Token Grabber" (https://portswigger.net/bappstore/657539deacea4d15abd6cecd9c5721c6) work for your use case?
