The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Automatically scan endpoints

Josh | Last updated: Mar 05, 2020 08:31PM UTC

I am currently building some automation workflows using Python and Burp. I have a Python application that consumes a configuration file and a Postman collection, extracts all the described requests, applies the proper authentication headers to them, and then submits them through the proxy listener. Originally we were planning on using the Burp Headless feature until we realized it no longer really works with version 2, so we shifted to the REST API. I now have the application submitting a scan request using the URLs identified as the scan targets. The scan kicks off fine, but it is only going against the base requests - it doesn't maintain the proper method, headers, payloads, etc. that are needed. Since the point of this exercise is to rapidly process a large number of test cases against APIs, the crawl and scan method is completely useless as there is nothing to crawl. We were hoping that the scan would utilize the objects already added to the site map via the proxy, but this does not seem to be the case. Is there anything else that we can use here or is this project now dead in the water and we have to shift to another tool?

Josh | Last updated: Mar 05, 2020 08:39PM UTC

Immediately after putting this in, I found the Live Task functionality which does allow me to define a static scanning task for anything that comes in through the proxy, but this is still very limited. Our end goal is to be able to run this in a rather headless/automated manner, though not in a CI/CD pipeline. But the more manual configuration, observation, etc. that comes into play, the more the time savings decrease. We also cannot retrieve the scan results automatically, as using the REST API to pull back the task ID's results gives us a 400 Bad Request. For example, task ID 3 (returned both from the REST API when we submitted it and visually confirmed from the Dashboard tab) gives us the findings from that task. The Live Scanning task is ID 4, which gives a 400 Bad Request when pulled through the API. Thoughts?
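The replay step described in the two posts above, as an added example that is not part of the original thread and not Josh's code: it walks a Postman collection, applies configured auth headers, and sends each request with its method, headers and body through the proxy listener so a live task can pick it up. It assumes the Postman v2.1 collection layout and a listener at 127.0.0.1:8080 (HTTPS targets also need Burp's CA certificate trusted by the client); the function names, sample collection and token are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Constructed sample: a minimal Postman v2.1 collection with one nested folder.
SAMPLE_COLLECTION = {
    "item": [
        {"name": "List users",
         "request": {"method": "GET", "url": {"raw": "{{baseUrl}}/users"},
                     "header": [{"key": "Accept", "value": "application/json"}]}},
        {"name": "Admin", "item": [
            {"name": "Create user",
             "request": {"method": "POST", "url": "{{baseUrl}}/users",
                         "header": [{"key": "Content-Type", "value": "application/json"},
                                    {"key": "Authorization", "value": "Bearer stale"}],
                         "body": {"mode": "raw", "raw": '{"name": "test"}'}}}]},
    ]
}

def extract_requests(items, auth_headers, variables):
    """Walk a Postman item tree (folders nest via "item") and yield request dicts."""
    fill = lambda s: re.sub(r"\{\{(\w+)\}\}", lambda m: variables.get(m.group(1), m.group(0)), s)
    for item in items:
        if "item" in item:  # folder, recurse into it
            yield from extract_requests(item["item"], auth_headers, variables)
            continue
        req = item["request"]
        url = req["url"] if isinstance(req["url"], str) else req["url"]["raw"]
        headers = {h["key"]: fill(h["value"]) for h in req.get("header", [])
                   if not h.get("disabled")}
        headers.update(auth_headers)  # configured auth replaces any stale collection value
        body = req.get("body") or {}
        raw = fill(body["raw"]) if body.get("mode") == "raw" else None
        yield {"name": item.get("name", ""), "method": req.get("method", "GET"),
               "url": fill(url), "headers": headers,
               "data": raw.encode() if raw is not None else None}

def replay_through_proxy(requests, proxy="http://127.0.0.1:8080"):
    """Send each request via the proxy listener (address is an assumption)."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    for r in requests:
        req = urllib.request.Request(r["url"], data=r["data"],
                                     headers=r["headers"], method=r["method"])
        try:
            with opener.open(req, timeout=30) as resp:
                yield r["name"], resp.status
        except urllib.error.HTTPError as err:  # 4xx/5xx still passed through the proxy
            yield r["name"], err.code
```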

Hannah, PortSwigger Agent | Last updated: Mar 06, 2020 04:45PM UTC

Hi, we're looking into this and will get back to you with some more details on Monday.

Hannah, PortSwigger Agent | Last updated: Mar 09, 2020 11:34AM UTC