Burp Suite User Forum

Login to post

Different scan ID from REST vs GraphQL API

asdf | Last updated: Jun 23, 2020 08:43PM UTC

If I initiate a scan using Burp POST REST API, I see even number (scan / task_id) as a part of HTTP response location header but if I initiate a scan using GraphQL API, I see odd number (and wrong scan id) in JSON response.

Hannah, PortSwigger Agent | Last updated: Jun 25, 2020 06:39AM UTC

With the GraphQL API there isn't a one to one correspondence between schedule items and scans, you can schedule recurring scans, and the first scan does not have to run immediately. The returned ID is the ID of the schedule item, not the ID of the first scan (which we may not have given an ID to yet). The IDs for scans and schedule items come from the same pool, hence the odd/even thing if you only ever create one scan per schedule. The graphQL API is more flexible, but less convenient for the use case of running a single scan as you need to poll to get the results of a scan when it's complete.

You need to Log in to post a reply. Or register here, for free.