Burp Suite User Forum

Difference in response when active scan initiated via "BURP REST API Extension" and "BURP UI"

Ashis | Last updated: Feb 15, 2021 05:51AM UTC

Observed that when "Active scan" is initiated via 'Burp REST API Extension', there is no response obtained for a request. However, if "Active Scan" is performed via the 'Burp UI -> right-click option ("Do Active Scan")', then the response is obtained for the same request. Please suggest the reason for the difference in behavior.

Uthman, PortSwigger Agent | Last updated: Feb 15, 2021 09:25AM UTC

Hi Ashis,

The REST API only supports a full Crawl & Audit for the URL you have specified. This is different from right-clicking in Burp and selecting > Do Active Scan because the latter already has the appropriate session information in the request (e.g. cookies, headers, etc.). For any scans launched via the REST API, they are equivalent to selecting New scan > Crawl & Audit so the appropriate session information in your request will not be visible (especially if you manually captured requests via the browser through the Proxy).

We have registered your interest in a feature request to allow audit-only scans to be triggered via the REST API and we will let you know when this has been implemented.

RAMAN | Last updated: Mar 01, 2024 10:52AM UTC

Is there any update here?

Dominyque, PortSwigger Agent | Last updated: Mar 01, 2024 11:35AM UTC

Hi,

We currently have no plans to make any changes to the native REST API. You would have to use the UI to perform this action.
