Burp Suite User Forum

Burp Pro API Scan Error

Sandline | Last updated: Jun 26, 2020 02:22PM UTC

Dear Support,

We are facing a problem, not sure if it's an issue or we are doing something wrong. The scenario is the following:

1. We start Burp and REST API Service
2. POST a scan to url "https://example.com"
3. We GET the issues from the JSON

All is fine till here, but if we rescan the same url again (without restarting Burp) the GET /scan/scan_id JSON returns an empty array. Please see below:

Status

    200 OK

Headers

    cache-control: no-cache, no-store, must-revalidate
    content-encoding: gzip
    content-length: 229
    content-security-policy: default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; frame-src 'self'; connect-src 'self' ws://localhost:3333; font-src 'self'; media-src 'self'; object-src 'none'; child-src 'self' blob:
    content-type: application/json; charset=utf-8
    expires: 0
    keep-alive: timeout=15
    pragma: no-cache
    x-burp-version: 2020.5.1-2921
    x-content-type-options: nosniff
    x-frame-options: DENY
    x-xss-protection: 1; mode=block

Body

    {
      "task_id": "10",
      "scan_status": "succeeded",
      "scan_metrics": {
        "crawl_requests_made": 89,
        "crawl_network_errors": 0,
        "crawl_unique_locations_visited": 17,
        "crawl_requests_queued": 0,
        "audit_queue_items_completed": 3,
        "audit_queue_items_waiting": 0,
        "audit_requests_made": 687,
        "audit_network_errors": 0,
        "issue_events": 0,
        "crawl_and_audit_caption": "Audit finished.",
        "crawl_and_audit_progress": 100
      },
      "message": "",
      "issue_events": []
    }

If we scan another url, the issue_events is also returned only the first time.

Please advise.

Kind regards,
Radu

Uthman, PortSwigger Agent | Last updated: Jun 29, 2020 07:58AM UTC

Hi Radu,

This is expected behaviour and happens in the UI too. If the same issues (ones already existing in Issue activity on the Dashboard) appear again in the second scan, they will not be reported. You will need to use a new project file each time.

It looks like your use-case fits in well with Burp Enterprise. You can schedule scans via the API, compare scan deltas, and this does not operate in the same way as Pro (reporting issues for a scan only if they occur the first time).
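Added example, not part of the thread and not PortSwigger code: a guard for automation that consumes the GET /scan/scan_id body, so that an empty issue_events on a rescan in the same project is not recorded as a clean result. The ScanLedger class, its method names and the result labels are assumptions made for illustration; the JSON fields are the ones shown in the question.

```python
import json

# Constructed sample: trimmed copy of the response body quoted in the question.
RESCAN_BODY = json.loads("""
{"task_id": "10", "scan_status": "succeeded",
 "scan_metrics": {"audit_requests_made": 687, "issue_events": 0},
 "message": "", "issue_events": []}
""")


class ScanLedger:
    """Hypothetical helper: remembers targets already scanned in this project."""

    def __init__(self):
        self._seen = set()

    def new_project(self):
        """Call when Burp is restarted on a fresh project file."""
        self._seen.clear()

    def classify(self, url, body):
        """Label one GET /scan/scan_id body for a pipeline gate."""
        if body.get("scan_status") != "succeeded":
            return "not_succeeded"
        rescan = url in self._seen
        self._seen.add(url)
        if body.get("issue_events"):
            return "findings"
        audited = body.get("scan_metrics", {}).get("audit_requests_made", 0) > 0
        # Same project + audit traffic + no events: issues already in the
        # project are not reported again, so do not call the target clean.
        return "inconclusive" if rescan and audited else "clean"


if __name__ == "__main__":
    ledger = ScanLedger()
    # Constructed first-scan body: same metrics, one placeholder issue event.
    first = dict(RESCAN_BODY, issue_events=[{"constructed": "placeholder"}])
    print(ledger.classify("https://example.com", first))        # first scan
    print(ledger.classify("https://example.com", RESCAN_BODY))  # rescan
```

A pipeline gate would treat "inconclusive" as a failure to verify and rerun against a new project file, as the reply above advises.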
