Burp Suite User Forum

Burp 2.0 beta REST API key issue

Seth | Last updated: Aug 31, 2018 01:49PM UTC

When creating a new scan with an API key:

POST http://127.0.0.1:1337/<key>/v0.1/scan ...

It is not possible to retrieve the task without the API key if the 'Allow access without API key' option is checked:

GET http://127.0.0.1:1337/v0.1/scan/3
400 Bad request

The inverse is also true. If you create a scan without an API key:

POST http://127.0.0.1:1337/v0.1/scan

It is not possible to retrieve the task with an API key:

GET http://127.0.0.1:1337/<key>/v0.1/scan/4
400 Bad request

Most likely it comes down to having the API key in the URL, and perhaps this is by design, but it is incredibly confusing, and the error messages returned don't really point to the API key being in the URL or not as being the problem.

Adam, PortSwigger Agent | Last updated: Aug 31, 2018 02:47PM UTC

Hi Seth,

The isolation of scans per API key (where no key is counted as a single pool of its own) is by design; scans must be triggered and queried with the same key. We'll certainly look into making the error messages clearer, however!

Best regards,
Adam

Burp User | Last updated: Sep 04, 2018 05:09PM UTC

Ok I thought as much. Thanks! One thing to note though is that querying the knowledge base works in the same way. I think that since the knowledge base is for static issue definitions perhaps that could be fixed though?