Burp Suite User Forum

GraphQL request in python

Fernández | Last updated: Sep 10, 2021 11:46AM UTC

Hi, I can't make a request to the BurpSuite Enterprise GraphQL API in python, I always get a 401 error, unauthorized access. The user is registered and the API Key is correct. Any ideas?

--------------
import requests
import json

burpEndpoint = "http://x.x.x.x/graphql/v1"
apiToken = "xxxxxxxxxxxxxxxx"
headers = {"Authorization": apiToken}


def run_query(query):
    request = requests.post(burpEndpoint, query, headers)
    if request.status_code == 200:
        return request.json()
    else:
        raise Exception(
            "Query failed to run by returning code of {}. {}".format(
                request.status_code, query
            )
        )


query = """
{
  query GetSiteTree {
    site_tree {
      sites {
        id
        name
        scope {
          included_urls
          excluded_urls
        }
        application_logins {
          login_credentials {
            label
            username
          }
          recorded_logins {
            label
          }
        }
      }
      folders {
        id
        name
      }
    }
  }
}
"""

result = run_query(query)
print(result)
-----------

Thanks!!

James, PortSwigger Agent | Last updated: Sep 10, 2021 12:52PM UTC

Hi Jose,

Thanks for getting in touch.

Does the user have the required permissions set within Burp Enterprise? Please try creating a new test API user and key and give the user full admin permissions.

I would also recommend trying the Insomnia tool, which is helpful for checking GraphQL queries; you can also generate the code in Python.

https://insomnia.rest/download (Click the dropdown for the query you create on the left side and 'Generate Code' > Python)

https://portswigger.net/burp/extensibility/enterprise/graphql-api/

Example (Get SiteTree):

import requests

url = "http://<SERVERURL:PORT>/graphql/v1"

payload = "{\"query\":\"query GetSiteTree {\\n site_tree {\\n sites {\\n id\\n name\\n parent_id\\n }\\n }\\n}\",\"operationName\":\"GetSiteTree\"}"
headers = {
    "Content-Type": "application/json",
    "Authorization": "<APIKEY>"
}

response = requests.request("POST", url, data=payload, headers=headers)

print(response.text)

Let us know if you need any further assistance.

Fernández | Last updated: Sep 12, 2021 07:09AM UTC

I have managed to correctly build the Python code with help from Insomnia; the user's API key was correct. Thank you!!

James, PortSwigger Agent | Last updated: Sep 13, 2021 07:55AM UTC

Hi Jose,

I'm glad that was helpful.

If you need any further assistance feel free to get in touch.

Have a good day.
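
An added example, not part of the thread: it compares, offline, what the requests library prepares for a call shaped like the one in the question (arguments passed positionally) with one shaped like the generated example (JSON body, headers passed by keyword). The hostname and API key are constructed placeholders, the helper names are hypothetical, and nothing is sent over the network.

```python
import json
import requests

# Constructed placeholders; the requests are only prepared, never sent.
BURP_ENDPOINT = "http://burp-enterprise.example/graphql/v1"
API_KEY = "constructed-api-key"
QUERY = "query GetSiteTree { site_tree { sites { id name parent_id } } }"


def prepare_positional(query, headers):
    """Mirror requests.post(url, query, headers).

    The signature is post(url, data=None, json=None, **kwargs), so the second
    and third positional arguments bind to data and json, not to headers.
    """
    return requests.Request("POST", BURP_ENDPOINT, data=query, json=headers).prepare()


def prepare_keyword(query, headers):
    """Wrap the query in a JSON body and pass the headers by keyword."""
    body = {"query": query, "operationName": "GetSiteTree"}
    return requests.Request("POST", BURP_ENDPOINT, json=body, headers=headers).prepare()


def summarize(prepared):
    """Return the parts of a prepared request that the server's checks depend on."""
    body = prepared.body
    return {
        "authorization": prepared.headers.get("Authorization"),
        "content_type": prepared.headers.get("Content-Type"),
        "body": body.decode() if isinstance(body, bytes) else body,
    }


if __name__ == "__main__":
    auth = {"Authorization": API_KEY}
    for name, build in (("positional", prepare_positional), ("keyword", prepare_keyword)):
        print(name, json.dumps(summarize(build(QUERY, auth)), indent=2))
```

In the positional form the prepared request carries no Authorization header and the body is the bare query text rather than a JSON object, so the key never reaches the server even when it is valid.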