The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


GraphQL request in python

Fernández | Last updated: Sep 10, 2021 11:46AM UTC

Hi, I can't make a request to the BurpSuite Enterprise GraphQL API in Python, I always get a 401 error, unauthorized access. The user is registered and the API Key is correct. Any ideas?

--------------
import requests
import json

burpEndpoint = "http://x.x.x.x/graphql/v1"
apiToken = "xxxxxxxxxxxxxxxx"
headers = {"Authorization": apiToken}


def run_query(query):
    request = requests.post(burpEndpoint, query, headers)
    if request.status_code == 200:
        return request.json()
    else:
        raise Exception(
            "Query failed to run by returning code of {}. {}".format(
                request.status_code, query
            )
        )


query = """
{
  query GetSiteTree {
    site_tree {
      sites {
        id
        name
        scope {
          included_urls
          excluded_urls
        }
        application_logins {
          login_credentials {
            label
            username
          }
          recorded_logins {
            label
          }
        }
      }
      folders {
        id
        name
      }
    }
  }
}
"""

result = run_query(query)
print(result)
-----------

Thanks!!

James, PortSwigger Agent | Last updated: Sep 10, 2021 12:52PM UTC

Hi Jose,

Thanks for getting in touch. Does the user have the required permissions set within Burp Enterprise? Please try creating a new test API user and key and give the user full admin permissions.

I would also recommend trying the Insomnia tool which is helpful for checking GraphQL queries, you can also generate the code in Python.

https://insomnia.rest/download (Click the dropdown for the query you create on the left side and 'Generate Code' > Python)

https://portswigger.net/burp/extensibility/enterprise/graphql-api/

Example (Get SiteTree):

import requests

url = "http://<SERVERURL:PORT>/graphql/v1"

payload = "{\"query\":\"query GetSiteTree {\\n site_tree {\\n sites {\\n id\\n name\\n parent_id\\n }\\n }\\n}\",\"operationName\":\"GetSiteTree\"}"
headers = {
    "Content-Type": "application/json",
    "Authorization": "<APIKEY>"
}

response = requests.request("POST", url, data=payload, headers=headers)

print(response.text)

Let us know if you need any further assistance.
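An added example, not part of either post and not PortSwigger's code: it prepares the two call styles seen in this thread without sending anything and reports which one actually carries the Authorization header. The endpoint host and token are placeholders, and `prepare_positional`, `prepare_keyword` and `summarize` are names made up for this illustration.

```python
import json
import requests

# Placeholders (assumptions); nothing is sent over the network.
BURP_ENDPOINT = "http://burp-enterprise.example/graphql/v1"
API_TOKEN = "xxxxxxxxxxxxxxxx"
QUERY = "query GetSiteTree { site_tree { sites { id name parent_id } } }"


def prepare_positional(query):
    """Equivalent of requests.post(url, query, headers).

    The signature is post(url, data=None, json=None, **kwargs), so the
    third positional argument is bound to json=, not to headers=.
    """
    return requests.Request(
        "POST", BURP_ENDPOINT, data=query, json={"Authorization": API_TOKEN}
    ).prepare()


def prepare_keyword(query, operation_name):
    """Headers passed by keyword, query wrapped in a JSON envelope."""
    body = {"query": query, "operationName": operation_name}
    return requests.Request(
        "POST", BURP_ENDPOINT, json=body, headers={"Authorization": API_TOKEN}
    ).prepare()


def summarize(prepared):
    """Report what the prepared request would put on the wire."""
    body = prepared.body
    if isinstance(body, bytes):
        body = body.decode("utf-8")
    try:
        envelope = json.loads(body)
    except ValueError:
        envelope = None
    return {
        "has_authorization": "Authorization" in prepared.headers,
        "content_type": prepared.headers.get("Content-Type"),
        "json_envelope": isinstance(envelope, dict) and "query" in envelope,
    }


if __name__ == "__main__":
    print("positional:", summarize(prepare_positional(QUERY)))
    print("keyword:   ", summarize(prepare_keyword(QUERY, "GetSiteTree")))
```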

Fernández | Last updated: Sep 12, 2021 07:09AM UTC

I have managed to build the Python code correctly with help from Insomnia; the user's API key was correct. Thank you!!

James, PortSwigger Agent | Last updated: Sep 13, 2021 07:55AM UTC