Burp Suite User Forum


Burp REST API scanning

mpa | Last updated: Jul 27, 2020 02:58PM UTC

Hello,

Is there a way to use Burp PRO's REST API to scan all URLs in an existing sitemap? I noticed that the POST /scan request will initiate a Crawl & Audit task in Burp, but it will not take the sitemap as an input. This will be really useful in order to better integrate Burp in CI/CD pipelines, especially when scanning SPA and/or REST APIs.

Thanks, Marius

Uthman, PortSwigger Agent | Last updated: Jul 28, 2020 08:43AM UTC

Hi Marius,

Burp Pro is not really designed for your use-case. However, you can use the generic CI driver (https://portswigger.net/burp/extender/ci-integration).

There is no way (natively) to scan all URLs in an existing sitemap unless you right-click in Burp > Actively/Passively scan this host/branch. The URLs key in the POST endpoint takes an array of string values (array of URLs in this case). You may find it easier to write some code to handle the parsing of the sitemap to add URLs to that array if you intend to scan all of them at the same time. Alternatively, if the crawl is accurately identifying URLs in your site/application then you can simply provide the seed URL.

We are working on enhancements to the scanner that will allow it to consume definition files and make API scanning easier.

Burp Enterprise fits your use-case (CI/CD pipeline integration) so I would suggest completing a free 30-day trial:

- https://portswigger.net/requestfreetrial/enterprise
- https://portswigger.net/burp/enterprise

mpa | Last updated: Jul 29, 2020 06:51AM UTC

Hi Uthman,

Thanks for that. I already checked Burp Enterprise, but it's not covering our use case as it has the same limitation in terms of initiating a scan from an existing sitemap.

The proposed solution of feeding the URLs to the array via the POST endpoint may apply for GET requests mainly. For other HTTP methods it will not be so useful as Burp will just issue requests but without the required parameters. The advantage in starting with an existing sitemap is that Burp knows exactly the parameters it needs to send with a request so it will mainly focus on that. I've just played with both options (manually triggered active scan from existing sitemap vs. scan from API) and there's a huge difference between the issues flagged in favor of the former.

Given the increasing number of Single-Page Applications + REST APIs, is there an ETA for triggering a scan from an existing sitemap in Burp's REST API?
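The approach discussed in the two posts above, as an added example that is not code from either poster or from PortSwigger: it parses a saved site map and builds the `urls` array for POST /scan, and it lists the non-GET items whose parameters the array cannot carry. The XML layout (`<items>/<item>/<url>`, `<method>`), the lower-case `urls` key, the function name and the host names are assumptions; the sample site map is constructed.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample, in the assumed layout of a site map saved from Burp as XML.
SAMPLE_SITEMAP = """<?xml version="1.0"?>
<items>
  <item><url><![CDATA[https://app.example.test/api/users?id=1]]></url><method><![CDATA[GET]]></method></item>
  <item><url><![CDATA[https://app.example.test/api/users?id=1]]></url><method><![CDATA[GET]]></method></item>
  <item><url><![CDATA[https://app.example.test/api/orders]]></url><method><![CDATA[POST]]></method></item>
  <item><url><![CDATA[https://cdn.example.net/lib.js]]></url><method><![CDATA[GET]]></method></item>
</items>"""


def build_scan_request(sitemap_xml, allowed_hosts):
    """Return (body, lossy): the JSON body for POST /scan, and the in-scope
    items whose method is not GET (a bare URL does not carry their parameters)."""
    urls, lossy, seen = [], [], set()
    # The export is the pipeline's own artifact; do not feed untrusted XML here.
    for item in ET.fromstring(sitemap_xml).iter("item"):
        url = (item.findtext("url") or "").strip()
        method = (item.findtext("method") or "GET").strip().upper()
        parts = urlsplit(url)
        # Keep the scan limited to hosts the pipeline is authorised to test.
        if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
            continue
        if method != "GET":
            lossy.append((method, url))
        if url not in seen:  # the site map usually repeats URLs
            seen.add(url)
            urls.append(url)
    return {"urls": urls}, lossy


if __name__ == "__main__":
    body, lossy = build_scan_request(SAMPLE_SITEMAP, {"app.example.test"})
    print(json.dumps(body, indent=2))  # send this as the POST /scan body
    for method, url in lossy:
        print(f"warning: {method} {url} is submitted as a bare URL only")
```
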

Uthman, PortSwigger Agent | Last updated: Jul 29, 2020 10:17AM UTC

Hi Marius,

Thanks for the clarification. Unfortunately, I cannot provide an ETA on any new features but you can check out the roadmap here: https://portswigger.net/blog/burp-suite-roadmap-update-july-2020

We are working on a feature that will allow the scanner to consume definition files to make mapping out endpoints much easier. I think this will help your use-case.

Liam, PortSwigger Agent | Last updated: Nov 20, 2020 08:35AM UTC

The latest release of Burp Scanner includes a feature to scan both JSON and YAML-based API definitions for vulnerabilities.

- https://portswigger.net/burp/releases/professional-community-2020-11?requestededition=professional
- https://portswigger.net/burp/documentation/desktop/scanning/api-scanning
