Burp Suite User Forum


API Scan Parameters - changing the generated values

Marco | Last updated: May 24, 2024 02:10PM UTC

Hello, I'm testing out the new API Scan functionality in the latest Burp Pro release. After converting my Swagger 2.0 -> OpenAPI 3.0 and loading the JSON file, I was able to add my authentication information (Bearer token) via the UI, and I can see the Parameters for the various API Endpoints. However, I don't know where it's coming up with the (generated) values for the parameters. Is there a way to edit the Parameters when setting up a "New API scan" via the "API details" -> Parameters tab? I tried to set a default value in the JSON file, but I'm either doing something wrong or it's being ignored. Any suggestions? Thanks, Marco

Syed, PortSwigger Agent | Last updated: May 28, 2024 10:46AM UTC

Hi Marco,

Currently, there is no way to edit the parameters in Burp Pro. Burp generates these values based on the types described in the API spec. If you would like to use specific values, you can try using enum values in the spec; they should be able to help.

In a nutshell, you can only edit the API spec for any changes you require but not in Burp Pro.

I hope that helps.
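To illustrate the suggestion above, here is an added example of an OpenAPI 3.0 fragment (written for this thread, not PortSwigger's code or from the original spec) that constrains parameter values with `enum`. The path `/accounts/{accountId}/transactions`, the parameter names and the listed values are hypothetical; replace them with the real endpoints from your converted spec. Note that only the `enum` lists are presented here as the lever the reply recommends; `default` and `example` are shown because they are valid OpenAPI keywords, but the thread does not say the scanner uses them.

```yaml
openapi: 3.0.3
info:
  title: Example API (hypothetical, for illustration only)
  version: "1.0"
paths:
  /accounts/{accountId}/transactions:
    get:
      summary: List transactions for an account
      parameters:
        # Path parameter: without an enum a scanner can only guess a value that
        # matches the type; with an enum the candidate values are explicit.
        - name: accountId
          in: path
          required: true
          schema:
            type: string
            enum: ["acct-1001", "acct-1002"]   # constructed sample IDs
        # Query parameter: restrict to the values your test accounts actually accept.
        - name: status
          in: query
          required: false
          schema:
            type: string
            enum: ["posted", "pending"]
            default: "posted"                  # valid OpenAPI keyword; see note above
        - name: limit
          in: query
          schema:
            type: integer
            enum: [10, 50]
            example: 10                        # valid OpenAPI keyword; see note above
      responses:
        "200":
          description: Transactions for the account
        "401":
          description: Missing or expired bearer token
      security:
        - bearerAuth: []
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
```

Keeping the enum lists to identifiers that exist in your test environment (rather than production data) also limits the scan to accounts you are authorised to exercise, and makes it easier to spot in server logs which requests came from the scanner.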

Marco | Last updated: Jun 10, 2024 08:20PM UTC

Thanks Syed, I'll try that! Hopefully future versions will allow for editing within the UI. (Not to mention the ability to update the authentication token if it expires before the scan is complete... currently you have to watch and stop once you start getting 401s after the token expired... and then set up a new API scan for the remainder of the tests.)

Syed, PortSwigger Agent | Last updated: Jun 11, 2024 10:34AM UTC

You are most welcome, Marco!

Yeah, I am sure the future releases will probably allow you to modify these in the Burp UI itself.

When you say authentication token, is this the one submitted through session handling rules or through API details authentication?
