The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Clarification on Webservices scanning

Karthik | Last updated: Jul 07, 2015 03:07PM UTC

I have some clarifications on web service testing.

Question 1: Is Burp Suite capable of testing web services against all known vulnerabilities associated with web services? Are all scanning options present under the Active Scanning areas applicable to web service testing, or is it limited to a subset of those?

Question 2: I browsed a website and it captured a web service URL (and many sub-URLs). In the target, I expanded one of the URLs, and on the right-hand side I see the method as GET. But in the Request pane at the bottom, I can see the request going as OPTIONS and not GET. (All the web service URLs show the same behavior.) Why does it go with an OPTIONS instead of a GET?

Question 3: For the above scenario, the response code is HTTP/1.1 204 No Content and Content-Length is 0. But if I take the URL and paste it in a browser (the request goes as GET instead of OPTIONS), there is an HTTP/1.1 200 OK response with content-length greater than 0, and there is valid data in the response. Could you please clarify?

PortSwigger Agent | Last updated: Jul 08, 2015 08:02AM UTC

1. Burp can scan web services / SOAP requests but it doesn't natively parse WSDL files and generate SOAP requests. You have two options: (a) use a tool like soapUI to generate SOAP requests and proxy the traffic via Burp, then test it in the normal way; (b) try the Wsdler extension in the BApp Store, which does parse WSDL files and generate suitable requests.

2. There was a bug like this in the site map a while ago but it has been fixed. Are you using the latest Pro version?

3. OPTIONS and GET requests do very different things, and so typically receive different responses. You can copy the URL and in Repeater choose "Paste URL as request" from the context menu, to send a suitable GET request within Burp, which should receive a normal response.

Burp User | Last updated: Jul 08, 2015 01:12PM UTC

Thanks for the response. The web service used the REST format. So, is it supported via Burp?

PortSwigger Agent | Last updated: Jul 08, 2015 03:11PM UTC

Yes, Burp can work with REST endpoints. If you access these in the normal way via Burp, Burp can scan and test the resulting requests in the normal way. Note that if the application places data parameters into the URL file path, then you need to enable "REST-style URL parameters" at Scanner / Options / Attack insertion points.
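Why the "REST-style URL parameters" option matters for scan coverage, shown as an added illustration that is not part of the reply above and is not Burp's own code: a query-string parser finds no parameters in a path-based REST URL, whereas treating each path segment as a candidate yields one insertion point per segment. The host, paths, function names and the `{param}` marker are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed placeholder showing where a scanner would substitute a test value.
MARKER = "{param}"


def query_insertion_points(url):
    """Names of the parameters a conventional name=value parser finds in the query string."""
    return [name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def path_insertion_points(url):
    """Treat every non-empty path segment as a candidate parameter.

    Returns (segment_index, decoded_value, templated_url) tuples. Each
    templated URL has exactly one path segment replaced by MARKER; the
    scheme, host and query string are left untouched.
    """
    parts = urlsplit(url)
    segments = parts.path.split("/")
    points = []
    for i, seg in enumerate(segments):
        if not seg:
            continue  # leading, trailing or doubled slashes carry no value
        templated = segments.copy()
        templated[i] = MARKER
        templated_url = parts._replace(path="/".join(templated)).geturl()
        points.append((i, unquote(seg), templated_url))
    return points


def coverage_report(url):
    """Side-by-side view of what each approach would consider testable input."""
    return {
        "query": query_insertion_points(url),
        "path": [value for _, value, _ in path_insertion_points(url)],
    }


if __name__ == "__main__":
    # Constructed sample URLs: one purely path-based, one mixing path and query data.
    for sample in (
        "https://api.example.test/v1/users/42/orders/7",
        "https://api.example.test/v1/users/John%20Doe/?format=json",
    ):
        print(sample, coverage_report(sample))
        for _, value, templated in path_insertion_points(sample):
            print(f"  {value!r:12} -> {templated}")
```

For the first sample URL the query-only view reports nothing to test, which is the coverage gap the option closes.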

PortSwigger Agent | Last updated: Feb 19, 2016 09:53AM UTC

There is no difference in the approach to testing for services using HTTPS as opposed to plain HTTP.

Burp User | Last updated: Apr 26, 2017 10:30AM UTC

How do I scan REST web services that use SSL (HTTPS)?

Burp User | Last updated: Jul 04, 2018 05:49AM UTC

As you said: "OPTIONS and GET requests do very different things, and so typically receive different responses. You can copy the URL and in Repeater choose "Paste URL as request" from the context menu, to send a suitable GET request within Burp, which should receive a normal response."

After getting the response in Burp Repeater, how do I test for vulnerabilities?

PortSwigger Agent | Last updated: Jul 04, 2018 09:03AM UTC