Burp Suite User Forum


Burp REST API scanning

mpa | Last updated: Jul 27, 2020 02:58PM UTC

Hello,

Is there a way to use Burp PRO's REST API to scan all URLs in an existing sitemap? I noticed that the POST /scan request will initiate a Crawl & Audit task in Burp, but it will not take the sitemap as an input. This will be really useful in order to better integrate Burp in CI/CD pipelines, especially when scanning SPA and/or REST APIs.

Thanks,
Marius

Uthman, PortSwigger Agent | Last updated: Jul 28, 2020 08:43AM UTC

Hi Marius,

Burp Pro is not really designed for your use-case. However, you can use the generic CI driver (https://portswigger.net/burp/extender/ci-integration). There is no way (natively) to scan all URLs in an existing sitemap unless you right-click in Burp > Actively/Passively scan this host/branch.

The URLs key in the POST endpoint takes an array of string values (array of URLs in this case). You may find it easier to write some code to handle the parsing of the sitemap to add URLs to that array if you intend to scan all of them at the same time. Alternatively, if the crawl is accurately identifying URLs in your site/application then you can simply provide the seed URL.

We are working on enhancements to the scanner that will allow it to consume definition files and make API scanning easier.

Burp Enterprise fits your use-case (CI/CD pipeline integration) so I would suggest completing a free 30-day trial:
- https://portswigger.net/requestfreetrial/enterprise
- https://portswigger.net/burp/enterprise

mpa | Last updated: Jul 29, 2020 06:51AM UTC

Hi Uthman,

Thanks for that. I already checked Burp Enterprise, but it's not covering our use case as it has the same limitation in terms of initiating a scan from an existing sitemap.

The proposed solution of feeding the URLs to the array via the POST endpoint may apply for GET requests mainly. For other HTTP methods it will not be so useful as Burp will just issue requests but without the required parameters. The advantage in starting with an existing sitemap is that Burp knows exactly the parameters it needs to send with a request so it will mainly focus on that. I've just played with both options (manually triggered active scan from existing sitemap vs. scan from API) and there's a huge difference between the issues flagged in favor of the former.

Given the increasing number of Single-Page Applications + REST APIs, is there an ETA for triggering a scan from an existing sitemap in Burp's REST API?
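
The approach Uthman suggests (parse the site map, feed the URLs into the array) and the limitation Marius points out (only GET requests survive a URL-only scan) can be shown together. The following is an added example, not PortSwigger code and not part of this thread. It assumes the site map was saved with Burp's "Save items" export, i.e. an <items>/<item> XML document whose items carry <url> and <method> children, and that the REST API's scan body uses a "urls" key holding an array of URL strings, as stated above. The sample export is constructed for the example.

```python
"""Build a POST /scan body from a Burp site map export and report what is lost.

Added example (not PortSwigger code). Assumes the Burp "Save items" XML layout
(<items><item><url/><method/>...</item></items>) and a scan body of the form
{"urls": [...]}; both are assumptions taken from the thread, not verified here.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample export (not real traffic): one in-scope API host with a
# duplicate GET, two non-GET requests, and one third-party host.
SAMPLE_SITEMAP = """<items>
  <item><url><![CDATA[http://api.petstore.io/v1/pets]]></url><method><![CDATA[GET]]></method></item>
  <item><url><![CDATA[http://api.petstore.io/v1/pets?limit=10]]></url><method><![CDATA[GET]]></method></item>
  <item><url><![CDATA[http://api.petstore.io/v1/pets]]></url><method><![CDATA[POST]]></method></item>
  <item><url><![CDATA[http://api.petstore.io/v1/pets/42]]></url><method><![CDATA[DELETE]]></method></item>
  <item><url><![CDATA[http://api.petstore.io/v1/pets]]></url><method><![CDATA[GET]]></method></item>
  <item><url><![CDATA[http://cdn.example.net/app.js]]></url><method><![CDATA[GET]]></method></item>
</items>
"""


def parse_sitemap(xml_text):
    """Return [(method, url), ...] for every <item> in the export, in file order."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        url = item.findtext("url", default="").strip()
        method = item.findtext("method", default="GET").strip().upper()
        if url:
            items.append((method, url))
    return items


def build_scan_body(items, in_scope_hosts):
    """Build the {"urls": [...]} body and list the requests a URL-only scan drops.

    Only GET URLs are kept: a bare URL cannot carry the body or header
    parameters of a recorded POST/PUT/DELETE request, which is exactly why a
    scan seeded this way finds less than an active scan of the site map itself.
    Out-of-scope hosts are skipped so third-party assets are never scanned.
    """
    urls, seen, dropped = [], set(), []
    for method, url in items:
        if urlsplit(url).hostname not in in_scope_hosts:
            continue
        if method != "GET":
            dropped.append((method, url))
            continue
        if url not in seen:          # de-duplicate, but keep distinct query strings
            seen.add(url)
            urls.append(url)
    return {"urls": urls}, dropped


def main():
    items = parse_sitemap(SAMPLE_SITEMAP)
    body, dropped = build_scan_body(items, {"api.petstore.io"})
    print(json.dumps(body, indent=2))
    for method, url in dropped:
        print(f"not representable in urls[] (parameters lost): {method} {url}")


if __name__ == "__main__":
    main()
```

The printed `dropped` list is the practical measure of how much coverage a URL-seeded scan gives up for a given application; if most of the API's recorded traffic lands there, seeding from the site map is not a substitute for scanning the site map directly or from an API definition.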

Uthman, PortSwigger Agent | Last updated: Jul 29, 2020 10:17AM UTC

Hi Marius,

Thanks for the clarification. Unfortunately, I cannot provide an ETA on any new features but you can check out the roadmap here: https://portswigger.net/blog/burp-suite-roadmap-update-july-2020

We are working on a feature that will allow the scanner to consume definition files to make mapping out endpoints much easier. I think this will help your use-case.

Liam, PortSwigger Agent | Last updated: Nov 20, 2020 08:35AM UTC

The latest release of Burp Scanner includes a feature to scan both JSON and YAML-based API definitions for vulnerabilities.
- https://portswigger.net/burp/releases/professional-community-2020-11?requestededition=professional
- https://portswigger.net/burp/documentation/desktop/scanning/api-scanning

mpa | Last updated: Jan 08, 2021 07:56AM UTC

Great news with API scanning support! Is there any plan to support OAS 2.0 definitions as well? Also, there's a prerequisite that "API definition must not contain any external references." Does this mean the API definition should be on the same host as the API? There are many cases when the API catalog is on a separate host than the API itself. Thanks!

Uthman, PortSwigger Agent | Last updated: Jan 11, 2021 09:30AM UTC

We do not currently have any plans to support 2.0 definitions but you can use the OpenAPI Parser extension in Burp Professional to achieve this. In relation to the prerequisite about external references, this just means that there should be no external references in the definition file itself (e.g. links to other domains).

mpa | Last updated: Jan 15, 2021 08:35AM UTC

Thanks Uthman! Just to clarify the second part on external references - if I have an API catalog listing the OAS JSON on a host (api-catalog.petstore.io) and the API itself is running on a separate host (api.petstore.io), does this mean the API won't get parsed and scanned if I give the OAS JSON as input to Burp?

    # rendered from api-catalog.petstore.io
    {
      "openapi": "3.0.0",
      "servers": [
        { "url": "http://api.petstore.io/v1" }
      ],
      "paths": {
        "/pets": {
          "get": {
            [...]
          }
        }
      }
    }

Uthman, PortSwigger Agent | Last updated: Jan 15, 2021 09:27AM UTC

You are welcome. Your example would actually work since we allow Local References, but not Remote References or URL References. You can find out further information below:
- https://swagger.io/docs/specification/using-ref/

Having external references in URLs, servers, etc. - like in your example - is fine provided the external references are in scope.
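
The distinction Uthman draws (local `$ref`s are fine; remote file and URL `$ref`s are not, while hosts named in `servers` only need to be in scope) is easy to check mechanically before a definition is handed to a scanner. The following is an added example, not PortSwigger code and not from this thread. It assumes the OpenAPI document has already been loaded into a Python dict (for example with `json.loads` or `yaml.safe_load`), and it classifies references the way the linked Swagger page describes them: `#/...` is local, a bare relative path is a remote file reference, and an `http(s)://` value is a URL reference. The sample document extends Marius's snippet with constructed references of each kind.

```python
"""Pre-flight checks for an OpenAPI definition before scanning it.

Added example (not PortSwigger code). Walks a loaded OpenAPI document, sorts
every $ref into local / remote / url, verifies local references resolve, and
lists hosts named by servers[].url or URL references that fall outside the
intended scan scope. The sample document is constructed for this example.
"""
from urllib.parse import urlsplit

SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "http://api.petstore.io/v1"}],
    "paths": {
        "/pets": {
            "get": {"responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Pet"}}}}}},          # local
            "post": {"requestBody": {"content": {"application/json": {
                "schema": {"$ref": "schemas/NewPet.yaml"}}}}},                # remote file
        },
        "/owners": {
            "get": {"responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "https://api-catalog.petstore.io/common.yaml#/components/schemas/Owner"}}}}}},  # URL
        },
    },
    "components": {"schemas": {"Pet": {"type": "object", "properties": {"id": {"type": "integer"}}}}},
}


def classify_ref(ref):
    """'local' for '#/...', 'url' for absolute http(s) URLs, otherwise 'remote' (a file path)."""
    if ref.startswith("#"):
        return "local"
    if urlsplit(ref).scheme in ("http", "https"):
        return "url"
    return "remote"


def find_refs(node, path="$"):
    """Yield (json_path, ref, kind) for every $ref reachable from node."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "$ref" and isinstance(value, str):
                yield child, value, classify_ref(value)
            else:
                yield from find_refs(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_refs(value, f"{path}[{i}]")


def external_refs(spec):
    """References that violate the 'no external references' prerequisite."""
    return [(p, r, k) for p, r, k in find_refs(spec) if k != "local"]


def unresolved_local_refs(spec):
    """Local references whose JSON-pointer target does not exist in the document."""
    missing = []
    for p, r, _ in [x for x in find_refs(spec) if x[2] == "local"]:
        node = spec
        for part in r.lstrip("#/").split("/"):
            part = part.replace("~1", "/").replace("~0", "~")   # JSON pointer unescaping
            node = node.get(part) if isinstance(node, dict) else None
            if node is None:
                missing.append((p, r))
                break
    return missing


def out_of_scope_hosts(spec, in_scope_hosts):
    """Hosts named in servers[].url or in URL $refs that are not part of the scan scope."""
    hosts = {urlsplit(s.get("url", "")).hostname for s in spec.get("servers", [])}
    hosts |= {urlsplit(r).hostname for _, r, k in find_refs(spec) if k == "url"}
    return sorted(h for h in hosts if h and h not in in_scope_hosts)


if __name__ == "__main__":
    for path, ref, kind in external_refs(SAMPLE_SPEC):
        print(f"external {kind} reference at {path}: {ref}")
    print("unresolved local refs:", unresolved_local_refs(SAMPLE_SPEC))
    print("hosts outside scope:", out_of_scope_hosts(SAMPLE_SPEC, {"api.petstore.io"}))
```

Running this against a definition before a pipeline job avoids a silent partial scan: external references get reported with their JSON path so the definition can be bundled (inlined) first, and the host list makes it obvious which hosts have to be added to scope for the `servers` entries to be exercised at all.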
