Burp Suite User Forum

Login to post

Can we send the api endpoint urls for scan without its payload and http method?

Hardik | Last updated: Jun 26, 2020 05:50AM UTC

Can we send the api endpoint urls for scan without its payload and http method? Will it automatically scan with all the http method and payload combinations? or I need to provide the http method and payload by setting proxy through my rest api framework?

Michelle, PortSwigger Agent | Last updated: Jun 26, 2020 12:50PM UTC

Can you tell us a bit more about your workflow and the scan you want to carry out, please?

Hardik | Last updated: Jun 26, 2020 04:36PM UTC

I want to automate pentestfor my api calls. I have two approaches: 1. to set the proxy at my rest api framework to trace the requests, in this case I have both http methods and payload of my api request. the amount of duplicate requests is huge and i am not able to eliminate through automation. 2. to get all the endpoint urls of my api and directly scan these urls.in this case I dont have http methods and payload of my api requests. In second method, will the burp take care of providing the http method and payload so that i can directly scan the endpoints?

Hardik | Last updated: Jun 28, 2020 02:52PM UTC

Any inputs Michelle?

Michelle, PortSwigger Agent | Last updated: Jun 29, 2020 10:58AM UTC

There is not currently any way to automate the scanning of an API. We have plans in the future to adapt our scanner to enable it to automatically scan APIs. This extension might help you though: https://portswigger.net/bappstore/6bf7574b632847faaaa4eb5e42f1757c

Liam, PortSwigger Agent | Last updated: Nov 20, 2020 08:22AM UTC

The latest release of Burp Scanner includes a feature to scan both JSON and YAML-based API definitions for vulnerabilities. - https://portswigger.net/burp/releases/professional-community-2020-11?requestededition=professional - https://portswigger.net/burp/documentation/desktop/scanning/api-scanning

You need to Log in to post a reply. Or register here, for free.