Burp Suite User Forum

Burp Suite Enterprise GraphQL

Glenn | Last updated: Jul 06, 2020 01:16PM UTC

When I try to use PostMan to access Burp Suite Enterprise via GraphQL, it either does not get me access to GraphQL or I am not authorized to actually perform anything.

- I try to use our "BurpSuite URL"/"My APIKey". This gets me access to Burp Suite, but not the GraphQL API.
- If I try "BurpSuite URL"/GraphQL/V1/"My APIKey", I get an error, "Unexpected exception occurred...."extensions":{"code":77}".
- If I try "BurpSuite URL"/"My APIKey"GraphQL/V1/, I get the same error.
- If I try without the APIKey, I get errors about no authorization.

What URL should I be trying? How do I set my APIKey so Burp Suite will use it?

Thanks,

Michelle, PortSwigger Agent | Last updated: Jul 06, 2020 02:38PM UTC

Hi,

The GraphQL endpoint is located at <ENTERPRISE-SERVER-URL>/graphql/v1. When you send the POST requests you will need to include the API key in the Authorization header of the request.

Please let us know if you need any further assistance.

Glenn | Last updated: Jul 06, 2020 04:52PM UTC

Michelle,

I added the API Key as a Bearer token to the header and got an unauthorized error. It shows in the header view from PostMan but still has no effect on the execution. Other thoughts? I know it must be able to be done. I'm just not getting exactly what I need to do.

Thanks,
Glenn

Michelle, PortSwigger Agent | Last updated: Jul 07, 2020 08:40AM UTC

Hi Glenn,

Could you email us a screenshot of the request you're creating in PostMan to support@portswigger.net, please? We'll be able to take a closer look then and work out what's happening.

Glenn | Last updated: Jul 07, 2020 10:57AM UTC

OK, I was able to figure it out. The header must be set to Authorization <API Key>. Once I did that it was able to pass the authentication and get my list of sites. It was setting a header record for "Authorization" with a value of my API Key that I needed. Thanks for your help

Michelle, PortSwigger Agent | Last updated: Jul 07, 2020 11:10AM UTC

I'm glad that's all sorted for you now, thanks for letting us know

Daniel | Last updated: Jul 14, 2020 08:52AM UTC

I'm seeing similar behaviour from Postman and Curl. Here's my curl string:

```
curl --location --request GET '<$FQDN>/graphql/v1' \
--header 'Authorization: <$APIKEY>' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"query GetScanConfigurations {\n scan_configurations {\n id\n name\n }\n}","variables":{}}'
```

Which returns:

```
{"errors":[{"message":"Unexpected exception occurred. Check logs for more details.","extensions":{"code":77}}]}
```

In both Postman and curl. In Postman the `Authorization` header is set to $APIKEY as it is in curl above. Anything obviously wrong there as I can't see anything?

Michelle, PortSwigger Agent | Last updated: Jul 14, 2020 09:38AM UTC

Hi,

Thanks for getting in touch. If you change the request to POST that should resolve the error. If it doesn't then let us know what you see either via the forum or email (support@portswigger.net) and we can take a closer look with you.

Daniel | Last updated: Jul 14, 2020 09:42AM UTC

On second thoughts, it was a GET and should have been a POST! Disregard.

Michelle, PortSwigger Agent | Last updated: Jul 14, 2020 09:45AM UTC

Our forum posts crossed then, I'm glad you've got things sorted, please disregard my last post too :-)
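
Pulling together the three fixes reached in this thread (endpoint `/graphql/v1`, a POST request, and the bare API key as the `Authorization` value), here is an added Python example; it is not from the original posts or from PortSwigger. `build_request` constructs the request without sending it, and `lint_request` flags the mistakes reported above; both function names, the host name and the key value are constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import urlsplit

GRAPHQL_PATH = "/graphql/v1"  # path as given in the agent's reply
# Query taken from the curl command posted in the thread.
QUERY = "query GetScanConfigurations {\n scan_configurations {\n id\n name\n }\n}"

def build_request(server_url, api_key, query=QUERY, variables=None):
    """Build (but do not send) the POST request the thread converges on."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return urllib.request.Request(
        server_url.rstrip("/") + GRAPHQL_PATH,
        data=body,
        method="POST",
        # The key is the whole header value: no "Bearer " prefix.
        headers={"Authorization": api_key, "Content-Type": "application/json"},
    )

def lint_request(method, url, headers, api_key):
    """Return which of the thread's mistakes a request description contains."""
    problems = []
    if method.upper() != "POST":
        problems.append("method must be POST")
    if urlsplit(url).path.rstrip("/") != GRAPHQL_PATH:
        problems.append("path must be /graphql/v1")
    if api_key in url:
        problems.append("API key must not appear in the URL")
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization")
    if auth is None:
        problems.append("Authorization header missing")
    elif auth != api_key:
        problems.append("Authorization value must be the API key alone")
    return problems

if __name__ == "__main__":
    base, key = "https://burp-enterprise.example.test", "EXAMPLE-API-KEY"  # constructed
    req = build_request(base, key)
    print(req.get_method(), req.full_url, lint_request("POST", req.full_url, dict(req.header_items()), key))
    # The three failing attempts described in the thread, with constructed values:
    print(lint_request("GET", base + "/graphql/v1", {"Authorization": key}, key))
    print(lint_request("POST", base + "/graphql/v1", {"Authorization": "Bearer " + key}, key))
    print(lint_request("POST", base + "/GraphQL/V1/" + key, {}, key))
    # To send for real: urllib.request.urlopen(req) against your own server.
```

Keeping the key in the header rather than the URL path also keeps it out of access logs and browser or proxy history.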
