The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


How to scan all backend API inside a website

thanhpt | Last updated: Oct 03, 2023 04:40PM UTC

I used Burp Scanner to scan a web app. Inside the app, there are 3 subdomains:
1. app-ui.domain.com for storing static files, serving the view
2. be.domain.com for the BE API (JSON)
3. be-stg.domain.com for the BE API Stg function
Because I want Burp to scan all URLs that come from these 3 domains, in the URLs to scan I defined them like this:
https://app-ui.domain.com
https://be.domain.com
https://be-stg.domain.com
But when I check the audit items queue during the scan, Burp only scans "app-ui.domain.com". This scan makes no sense because the UI only contains static files. In the Sitemap, I see Burp can crawl "be.domain.com" and "be-stg.domain.com" with many URLs, but it does not include them in the scan, it only crawls them. How can I scan all subdomains inside a target?

Syed, PortSwigger Agent | Last updated: Oct 04, 2023 10:16AM UTC

Hi,

Burp can scan both web apps and APIs but there are certain differences in scanning them.

The reason why Burp only scanned the app-ui domain is that it is a website with a GUI, and Burp goes through a website just like a user would in a browser. Burp Scanner will go through the website, get the session tokens, maintain the sessions, and audit the locations it finds.

Prerequisites:
The specification of the API definition must be OpenAPI version 3.x.x, and based on either JSON or YAML.
The API definition must not contain any external references.
The API definition needs to be hosted and accessible by the scanning machine. 
The API definition URL also is required to be included within the site scope of your scan.

Also, if the API uses an auth service such as OAuth 2 with the client credentials flow, Burp doesn't have a way to insert the client ID and client secret to get new session tokens to scan the authenticated APIs. We do have a Burp extension for that though, which you can find here: https://github.com/Hannah-PortSwigger/ClientCredentialsOauth.

Normally, if these API calls are part of the web app, Burp will use the session tokens generated by the app to scan these authenticated API calls. If they are not part of the app, it is better to start a new project for each API definition, and use the extension mentioned above to get the session tokens and scan the APIs.

Regards,
Syed
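One way to check an API definition against the prerequisites listed above before pointing Burp Scanner at it. This is an added example, not PortSwigger code or a Burp feature; it assumes PyYAML is available for YAML input, and it does not check hosting or scan scope, which are Burp configuration.

```python
# Added example, not PortSwigger code: pre-flight check of an OpenAPI definition against
# the prerequisites above (OpenAPI 3.x.x, JSON or YAML, no external $ref values).
import json
import re
try:
    import yaml  # PyYAML, needed only for YAML input (assumed installed for YAML)
except ImportError:
    yaml = None

def load_definition(text):
    """Parse JSON first; fall back to YAML (every JSON document is valid YAML)."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        if yaml is None:
            raise ValueError("not JSON, and PyYAML is not installed for YAML input")
        return yaml.safe_load(text)

def external_refs(node, path="#"):
    """Collect every $ref that does not start with '#', i.e. points outside the file."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$ref" and isinstance(value, str) and not value.startswith("#"):
                found.append((path, value))
            else:
                found.extend(external_refs(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(external_refs(item, f"{path}/{i}"))
    return found

def check_definition(text):
    """Return the list of problems; an empty list means Burp's prerequisites are met."""
    doc = load_definition(text)
    problems = []
    version = str(doc.get("openapi", ""))
    if not re.fullmatch(r"3\.\d+\.\d+", version):
        problems.append(f"openapi version must be 3.x.x, found {version!r}")
    for where, ref in external_refs(doc):
        problems.append(f"external $ref {ref!r} at {where}")
    return problems

# Constructed sample: one internal $ref (accepted) and one external $ref (rejected).
SAMPLE = json.dumps({
    "openapi": "3.0.3",
    "paths": {"/orders": {"get": {"parameters": [{"$ref": "#/components/parameters/Page"}]}},
              "/users": {"get": {"parameters": [{"$ref": "common.yaml#/components/parameters/Page"}]}}},
    "components": {"parameters": {"Page": {"name": "page", "in": "query"}}},
})
```

Running `check_definition(SAMPLE)` reports only the `common.yaml` reference; fix or inline such references before hosting the definition for Burp.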

thanhpt | Last updated: Oct 05, 2023 07:50AM UTC

These API calls are part of the web app; they are considered the backend for the web app. I see in the sitemap that Burp also crawls the API within the app. https://imgur.com/a/JSSq18u That makes me wonder: if all requests have been listed in the Sitemap, why does Burp not scan them automatically?

Syed, PortSwigger Agent | Last updated: Oct 05, 2023 01:20PM UTC

Rune | Last updated: Oct 31, 2024 03:01PM UTC

On this same topic, instead of explicitly specifying the sub-domains, is there a way to insert a wildcard for the "URLs to Scan" and "Included URL prefixes"?

Ben, PortSwigger Agent | Last updated: Nov 01, 2024 08:49AM UTC