Burp Suite User Forum


Automated Scan and Auditing of REST API

Akanksha | Last updated: Nov 29, 2021 11:41AM UTC

Hi, We want to scan and audit our REST APIs (the endpoints we have need to be provided with 2-4 headers) and invoke this scan using the native REST API. Is this possible? [Because we did not find any way to configure any session rules via Burp's native REST API, even if some extension is used for adding these headers.] If there is a different way, what is that? Thanks

Alex, PortSwigger Agent | Last updated: Nov 29, 2021 04:21PM UTC

Hi,

Thanks for your post.

As a workflow you could save your session rules as a configuration file and launch Burp via the CLI with the relevant command line arguments to include the project config file. A scan then initiated via the REST API would include your session rules.

Either save the project file with your preferred session handling rules or save the session handling rules as a configuration file:

  • New Project > Project Options > Sessions > Session Handling Rules (either add default values or invoke a Burp extension like add custom headers or Reshaper)
  • Options cog > Save options > Save session configuration

As a workflow:

  1. Launch Burp via the CLI
  2. Utilise command line arguments to ensure the session rules are applied:
     --project-file (Open the specified project file. This will be created as a new project if the file does not exist)
     Alternatively you could do this on a per config file basis rather than an existing project file:
     --config-file (Load the specified project configuration file. This option may be repeated to load multiple files)
  3. Initiate scan via REST API

I hope that helps. If you have any questions, please do let me know.

Thanks
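The workflow in the reply above (launch Burp from the CLI with the saved session-handling configuration, then start a scan through the REST API), written out as an added example. This is not code from the thread or from PortSwigger: it assumes Burp Suite Professional's REST API is enabled in the user options and listening on its default address, that the session rules were saved to the constructed files named below, and that the REST API's `POST /v0.1/scan`, `GET /v0.1/scan/{task_id}` shape and `scan_status` values are as this script expects.

```python
"""Launch Burp with saved session-handling rules and start a scan via its REST API."""
import json
import subprocess
import sys
import time
import urllib.error
import urllib.request

# Constructed values for this example; adjust for your environment (assumptions, not
# values given in the thread).
BURP_JAR = "burpsuite_pro.jar"
PROJECT_FILE = "api-scan.burp"               # project file carrying the session rules
SESSION_CONFIG = "session-rules.json"        # saved via Options cog > Save session configuration
USER_CONFIG = "user-options.json"            # user options with the REST API enabled
REST_API = "http://127.0.0.1:1337/v0.1"      # Burp's default REST API base URL
TARGET_URLS = ["https://api.example.test/v1/"]


def build_launch_cmd(jar, project_file, config_files=(), user_config_file=None, headless=True):
    """Compose the CLI command: project file first, then each --config-file in order."""
    cmd = ["java"]
    if headless:
        cmd.append("-Djava.awt.headless=true")   # no GUI on a scan box
    cmd += ["-jar", jar, f"--project-file={project_file}"]
    for path in config_files:                     # --config-file may be repeated
        cmd.append(f"--config-file={path}")
    if user_config_file:                          # REST API settings live in user options
        cmd.append(f"--user-config-file={user_config_file}")
    return cmd


def build_scan_request(urls, scan_configurations=()):
    """Body for POST /v0.1/scan; scan_configurations reference named Burp configs."""
    body = {"urls": list(urls)}
    if scan_configurations:
        body["scan_configurations"] = [
            {"type": "NamedConfiguration", "name": name} for name in scan_configurations
        ]
    return body


def task_id_from_location(location):
    """The scan endpoint answers with a Location header ending in the task id."""
    return location.rstrip("/").rsplit("/", 1)[-1]


def wait_for_api(base, timeout=120):
    """Poll the API root until Burp has finished starting up."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            with urllib.request.urlopen(base + "/", timeout=5) as resp:
                if resp.status == 200:
                    return True
        except (urllib.error.URLError, ConnectionError):
            time.sleep(2)
    return False


def start_scan(base, body):
    req = urllib.request.Request(
        base + "/scan", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return task_id_from_location(resp.headers["Location"])


def scan_status(base, task_id):
    with urllib.request.urlopen(f"{base}/scan/{task_id}", timeout=10) as resp:
        return json.load(resp).get("scan_status")


def main():
    cmd = build_launch_cmd(BURP_JAR, PROJECT_FILE, [SESSION_CONFIG], USER_CONFIG)
    burp = subprocess.Popen(cmd)                  # session rules are loaded at startup
    try:
        if not wait_for_api(REST_API):
            sys.exit("REST API did not come up; check user options / --user-config-file")
        task = start_scan(REST_API, build_scan_request(TARGET_URLS))
        status = scan_status(REST_API, task)
        while status not in ("succeeded", "failed"):   # assumed terminal states
            time.sleep(15)
            status = scan_status(REST_API, task)
        print(f"scan task {task} finished: {status}")
    finally:
        burp.terminate()


if __name__ == "__main__":
    main()
```

Because the headers are applied by the session-handling rules baked into the project or config file, the REST API call itself never needs to know about them; the only thing to verify before relying on this is that the saved rules are scoped so they apply to scanner traffic, which you can confirm in the Logger or Event log after a short test scan.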
