How to scan Rest Api that is using authentication token

Raza | Last updated: Jan 03, 2019 06:44PM UTC

Hi All, I have been struggling with how we can scan a REST API using Burp Suite. The API uses some authentication parameters, e.g. an authentication token, user-id, etc., as parameters in the header of the request. If anyone has any idea or has experienced the same challenge, please post an answer. Any help in this regard is really appreciated. Regards, Raza

PortSwigger Agent | Last updated: Jan 04, 2019 08:28AM UTC

There's general information about testing a REST API here: https://support.portswigger.net/customer/portal/articles/2898216-using-burp-to-test-a-rest-api

If you use an API client to generate valid requests which you proxy through Burp, then these will already contain the relevant authentication, and Burp Scanner will use that. If you use something like OpenAPI Parser to generate requests, you will need to use an extension like Add Custom Header to add the credentials.

Sezer | Last updated: May 24, 2023 10:12AM UTC

Hello, please let me jump in. We are considering purchasing Burp Enterprise, but I don't see any feature to set a Custom Header, Session Cookie or Bearer Token in the scan configuration. Could you please let me know if it is possible to scan applications with a specified session cookie, or scan APIs with a specified Bearer Token?

Liam, PortSwigger Agent | Last updated: May 24, 2023 01:38PM UTC

We're adding a feature to the next release allowing you to add custom headers and cookies via the BSEE UI.

Are your bearer tokens static or dynamically generated?

Sezer | Last updated: May 24, 2023 02:01PM UTC

Hi Liam, glad to hear that! They are dynamically generated via a /oauth REST API endpoint request with a few required parameters, and they have a 1 hour expiration time. Well, I can generate and set it manually; it will be able to scan for 1 hour at least. Let me know if you can suggest something else. Thanks!
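
An added example, not code from this thread or from PortSwigger, of the workflow the agent describes above combined with the dynamic token Sezer mentions: an API client that obtains the bearer token from the /oauth endpoint, re-requests it before the one-hour expiry, and sends every request through Burp's proxy listener so the proxied requests (and thus the scanner) carry valid authentication headers. The token URL, form field names, the X-User-Id header and the 127.0.0.1:8080 listener are assumptions.

```python
import json, ssl, time, urllib.parse, urllib.request

BURP_PROXY = "http://127.0.0.1:8080"           # Burp's default proxy listener
TOKEN_URL = "https://api.example.test/oauth"   # constructed token endpoint
REFRESH_MARGIN = 300   # re-request the token 5 min before its 1-hour expiry


class TokenCache:
    """Caches the bearer token and re-requests it shortly before expiry.
    fetch returns the decoded token JSON (live POST or a stub); clock is injectable."""
    def __init__(self, fetch, clock=time.time):
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at, self.refreshes = None, 0.0, 0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            body = self._fetch()
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body.get("expires_in", 3600))
            self.refreshes += 1
        return self._token


def build_opener(burp_ca_file=None):
    """Route requests through Burp; trust Burp's CA for HTTPS if a PEM path is given."""
    handlers = [urllib.request.ProxyHandler({"http": BURP_PROXY, "https": BURP_PROXY})]
    if burp_ca_file:
        handlers.append(urllib.request.HTTPSHandler(
            context=ssl.create_default_context(cafile=burp_ca_file)))
    return urllib.request.build_opener(*handlers)


def fetch_token_live(opener, client_id, client_secret):
    """Live fetcher: POST client credentials to /oauth through Burp (field names assumed)."""
    data = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    req = urllib.request.Request(TOKEN_URL, data=data, method="POST")
    with opener.open(req) as resp:
        return json.load(resp)


def authed_request(url, cache, user_id):
    """Build a request carrying the token and user-id headers (X-User-Id name assumed)."""
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Bearer " + cache.get())
    req.add_header("X-User-Id", user_id)
    return req
```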

Liam, PortSwigger Agent | Last updated: May 25, 2023 01:24PM UTC

We have a development ticket on our triage board that should provide a solution for your dynamically generated bearer tokens.

We'll update this thread if we make progress with the work. Unfortunately, we can't provide an ETA.

Sezer | Last updated: May 25, 2023 02:15PM UTC

Thanks for the update. What about custom headers and cookies? Can you provide an ETA for the next version? We want to try it before our trial period expires.

Liam, PortSwigger Agent | Last updated: May 26, 2023 08:20AM UTC

We hope to get this release out within two weeks. This should be within your trial period, but if you need an extension to test this feature, that won't be a problem.

