Burp Suite User Forum

Login to post

External links in description fields of API definition

Risch, | Last updated: Feb 16, 2023 07:46PM UTC

I am trying to scan an API with Burp Suite Enterprise and I'm getting an error: "Skipping API definition. The data in the definition file is malformed and cannot be read by Burp Scanner. Cause Burp Scanner needs to be able to parse an API definition in order to scan it. Currently, this is only possible for definitions that: Meet the OpenAPI version 3.x.x specification. Do not contain any external references. Any definitions that do not meet these requirements will be skipped during the scan." The API definition in question does have some external links, but only in description fields, e.g.: info: title: SEER*API description: | SEER API is a RESTful Web service that supports various [SEER Program](https://seer.cancer.gov) data sets and mapping. Should it matter if external links are present in descriptions? Do they have to be removed, or is there some syntax which Burp Suite will accept?

Maia, PortSwigger Agent | Last updated: Feb 17, 2023 05:27PM UTC

Links in the description should be fine. External references refer to the $ref string value. We allow local references, but not remote references or URL references. You can find out further information here: https://swagger.io/docs/specification/using-ref/

Risch, | Last updated: Feb 20, 2023 02:03PM UTC

I've searched through the API definition and every $ref value in it is a local reference. I'm happy to provide the file if you want to look at it.

Maia, PortSwigger Agent | Last updated: Feb 20, 2023 06:20PM UTC

We'd be happy to take a look. Can you email it to us at support@portswigger.net please?

Risch, | Last updated: Feb 22, 2023 02:07PM UTC

Email sent, thanks.

You need to Log in to post a reply. Or register here, for free.