Burp Suite User Forum


Difference in response when active scan initiated via "BURP REST API Extension" and "BURP UI"

Ashis | Last updated: Feb 15, 2021 05:51AM UTC

Observed that when "Active scan" is initiated via 'Burp REST API Extension', there is no response obtained for a request. However, if "Active Scan" is performed via the 'Burp UI -> Right Click option ("Do Active Scan")', then the response is obtained for the same request. Please suggest the reason for the difference in behavior.

Uthman, PortSwigger Agent | Last updated: Feb 15, 2021 09:25AM UTC

Hi Ashis,

The REST API only supports a full Crawl & Audit for the URL you have specified. This is different from right-clicking in Burp and selecting > Do Active Scan because the latter already has the appropriate session information in the request (e.g. cookies, headers, etc.). For any scans launched via the REST API, they are equivalent to selecting New scan > Crawl & Audit so the appropriate session information in your request will not be visible (especially if you manually captured requests via the browser through the Proxy). We have registered your interest in a feature request to allow audit-only scans to be triggered via the REST API and we will let you know when this has been implemented.
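The practical consequence of the reply above is that a REST-launched scan has no Proxy-captured session to reuse, so if the application needs authentication the crawler has to be given credentials and log in on its own. The script below is an added example (not code from this thread or from PortSwigger) showing how that is done and how the resulting task is read back. It assumes the REST API shape as documented for Burp Suite Professional: `POST {base}/v0.1/scan` with a JSON body containing `urls`, optional `application_logins` and `scan_configurations`, a task id in the `Location` response header, and `GET {base}/v0.1/scan/{task_id}` returning a status document with `scan_status` and `issue_events`. The base URL, the API key placeholder, the `UsernameAndPasswordLogin` type string, the target URL and the sample status document are all assumptions or constructed values.

```python
"""Launch a Burp Crawl & Audit through the REST API and read back its status.

Added example, not code from the forum thread or from PortSwigger. Assumes the
documented REST API shape: POST {base}/v0.1/scan with a JSON body holding
"urls", optional "application_logins" and "scan_configurations"; the task id
comes back in the Location header; GET {base}/v0.1/scan/{task_id} returns a
JSON status document with "scan_status" and "issue_events".
"""
import json
import urllib.request
from collections import Counter

# Assumption: Burp's REST API listening locally with API key authentication
# enabled, in which case the key is part of the URL path. Placeholder value.
BASE_URL = "http://127.0.0.1:1337/REPLACE_WITH_API_KEY"


def build_scan_request(urls, username=None, password=None,
                       config_name="Crawl and Audit - Balanced"):
    """Build the JSON body for POST /v0.1/scan.

    A REST-launched scan is always Crawl & Audit, so cookies and headers that
    were captured through the Proxy are not carried over. Supplying application
    login credentials lets the crawler establish its own session instead.
    """
    body = {
        "urls": list(urls),
        "scan_configurations": [
            {"name": config_name, "type": "NamedConfiguration"}
        ],
    }
    if username is not None and password is not None:
        # Assumption: the "type" value used for username/password logins.
        body["application_logins"] = [
            {"type": "UsernameAndPasswordLogin",
             "username": username, "password": password}
        ]
    return body


def launch_scan(base_url, body):
    """POST the scan request and return the task id from the Location header."""
    req = urllib.request.Request(
        f"{base_url}/v0.1/scan",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        # Location looks like ".../v0.1/scan/7"; the last path segment is the id.
        return resp.headers["Location"].rstrip("/").rsplit("/", 1)[-1]


def get_status(base_url, task_id):
    """GET the task status document as a dict."""
    with urllib.request.urlopen(f"{base_url}/v0.1/scan/{task_id}") as resp:
        return json.load(resp)


def summarize_status(status):
    """Reduce a status document to the scan state plus issue counts by severity."""
    counts = Counter()
    for event in status.get("issue_events", []):
        if event.get("type") == "issue_found":
            counts[event["issue"].get("severity", "unknown")] += 1
    return {"scan_status": status.get("scan_status"), "issues": dict(counts)}


# Constructed sample status document, shaped like the GET response, so the
# summary logic can be exercised without a running Burp instance.
SAMPLE_STATUS = {
    "task_id": "7",
    "scan_status": "succeeded",
    "issue_events": [
        {"type": "issue_found",
         "issue": {"name": "Cross-site scripting (reflected)", "severity": "high"}},
        {"type": "issue_found",
         "issue": {"name": "Strict transport security not enforced", "severity": "low"}},
        {"type": "issue_found",
         "issue": {"name": "Cookie without HttpOnly flag set", "severity": "low"}},
    ],
}


if __name__ == "__main__":
    # Target URL and credentials are placeholders; this part needs a running Burp.
    body = build_scan_request(["https://target.example/"], "user", "pass")
    task_id = launch_scan(BASE_URL, body)
    print(summarize_status(get_status(BASE_URL, task_id)))
```

The two pure functions (`build_scan_request` and `summarize_status`) can be checked without Burp; only `launch_scan` and `get_status` talk to the API. Note that the credentials go to the crawler's login logic, not into request headers, which is exactly the difference the reply describes between a REST-launched Crawl & Audit and a right-click "Do Active Scan" on a request that already carries a session.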
