Burp Suite User Forum

Burp Suite Enterprise REST API Scanning

Miller, | Last updated: Oct 18, 2022 02:34PM UTC

Hi,

We are attempting to use Enterprise's REST API Scanning feature. We understand the published limitations, which do not allow for Authorization or Additional headers to be specified in the OpenAPI Specification. This is problematic for us, as our APIs specify authorization and/or additional HTTP headers. We can solve for authorization through custom scripts; however, Enterprise automatically skips these endpoints when authorization or additional headers are specified, meaning we can't even attempt to provide these via additional scripts or custom logic. We are basically stuck, as it seems we either have to have our APIs perfectly meet the limited set of requirements. In an enterprise environment, I don't think the limitations are realistic.

A couple of questions:

1. Can we at least have a "forced" mode, where the OpenAPI discovery occurs and the scan is done even if the REST API limits aren't met? That way we could solve for the additional requirements via custom scripts or plugins.
2. What is the timeline/roadmap for fully supporting REST API scanning without limitations?

Alex, PortSwigger Agent | Last updated: Oct 19, 2022 12:26PM UTC

Hi Mark,

Thanks for your post. If you are able to provide any examples of your API definitions and your site configuration in Burp Suite Enterprise, I would be happy to review them for you and suggest any potential workarounds. You can submit this information to support@portswigger.net.

In regards to our API scanning roadmap, I can confirm that we are planning to make a number of improvements to its functionality next year.

Best regards,
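An added example, not part of the thread and not PortSwigger code: a Python triage script that lists which operations in an OpenAPI 3 definition declare a security requirement or a header parameter, the two features the first post says cause endpoints to be skipped. The sample definition and the names `resolve` and `flag_operations` are constructed for illustration, and only local `$ref`s are followed.

```python
import json
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample OpenAPI 3.0 definition (JSON form); not taken from the thread.
SAMPLE_SPEC = json.loads("""
{"openapi": "3.0.3", "info": {"title": "demo", "version": "1"}, "security": [{"apiKey": []}],
 "components": {"parameters": {"Trace": {"name": "X-Trace-Id", "in": "header"}}},
 "paths": {
  "/health": {"get": {"security": []}},
  "/items":  {"get": {"security": [], "parameters": [{"name": "q", "in": "query"}]}},
  "/orders": {"parameters": [{"$ref": "#/components/parameters/Trace"}],
              "get": {}, "post": {"security": []}}}}
""")

def resolve(spec, node):
    """Follow a local '#/...' reference; return the node itself if it has none."""
    ref = node.get("$ref")
    if ref is None:
        return node
    target = spec
    for part in ref.lstrip("#/").split("/"):
        target = target[part]
    return target

def flag_operations(spec):
    """Map (METHOD, path) to the reasons an operation declares auth or headers."""
    findings = {}
    default_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            reasons = []
            # Operation-level "security" overrides the document default; [] means none.
            if op.get("security", default_security):
                reasons.append("security requirement")
            # Operation parameters override path-level ones with the same (name, in).
            merged = {}
            for raw in shared + op.get("parameters", []):
                param = resolve(spec, raw)
                merged[(param["name"], param["in"])] = param
            reasons += [f"header parameter {n}" for n, loc in merged if loc == "header"]
            if reasons:
                findings[(method.upper(), path)] = reasons
    return findings

if __name__ == "__main__":
    for (method, path), reasons in sorted(flag_operations(SAMPLE_SPEC).items()):
        print(f"{method} {path}: {', '.join(reasons)}")
```

Running it over a real definition before onboarding a site shows how much of the API surface depends on declared authorization or headers.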
