Burp Suite User Forum


Initiating API scans using Burp Pro REST APIs

Jeevesh | Last updated: Jul 22, 2024 05:39AM UTC

Can anyone help me on how to initiate API scans using Burp Pro REST APIs? Should we pass the API documentation path/location in the URL parameter? When I pass the URL of the API documentation in the URL field, a scan is triggered, but the name of the scan is "Crawl and Audit of ....", whereas if I initiate an API scan from the UI the name shown is "API scan of ....".

Syed, PortSwigger Agent | Last updated: Jul 22, 2024 08:34AM UTC

Hi Jeevesh,

Yes, you can use the Burp Pro REST API to initiate API scans. You must pass the hosted API spec URL in the URLs field and the configuration name in the Configurations field. If your API spec is hosted on a separate endpoint from the one where your API endpoints reside, then you need to ensure that both URLs are in scope, which can be done using the Scope option.

Whether it shows 'Crawl and Audit...' or 'API scan...', it will still scan the API the same way.

If you still need help with this, please email me at support@portswigger.net
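The reply above describes three inputs for a REST-API-driven API scan: the hosted spec URL in the URLs field, a configuration name in the Configurations field, and a scope that covers both the spec's origin and the API's origin. The following Python is an added example, not PortSwigger's code, showing one way to assemble and submit that request. It assumes the REST API is listening at its default address 127.0.0.1:1337 with an API key configured (keyed endpoints are prefixed with the key), that the /v0.1/scan body uses the keys urls, scan_configurations and scope with a SimpleScope include list, that the 201 response carries the new task id in the Location header, and that GET /v0.1/scan/{task_id} reports a scan_status. The spec URL and API URL are constructed sample values, and "Crawl and Audit - Lightweight" is used as a built-in configuration name.

```python
"""Start a Burp Scanner API scan through the Burp Pro REST API.

Added example, not PortSwigger's code. Assumptions (see lead-in): the REST
API listens on 127.0.0.1:1337, an API key is configured, and the /v0.1/scan
body uses urls / scan_configurations / scope. Sample URLs are constructed.
"""
import json
import time
import urllib.request
from urllib.parse import urlsplit

BURP_REST_API = "http://127.0.0.1:1337"        # assumption: default REST API address
API_KEY = "REPLACE-WITH-YOUR-REST-API-KEY"     # placeholder, not a real key


def api_base(api_key=API_KEY):
    """Burp prefixes every path with the API key when one is configured."""
    return f"{BURP_REST_API}/{api_key}/v0.1" if api_key else f"{BURP_REST_API}/v0.1"


def scope_rule(url):
    """Reduce an absolute URL to a scheme://host/ prefix rule for the SimpleScope."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"need an absolute URL, got {url!r}")
    return f"{parts.scheme}://{parts.netloc}/"


def build_scan_request(spec_url, api_base_urls, config_name):
    """Body for POST /v0.1/scan.

    spec_url goes in `urls` (the "URLs field"), config_name in
    `scan_configurations` (the "Configurations field"). Because the spec may be
    served from a different origin than the API it describes, both origins are
    added to the scope include list, as the reply requires.
    """
    include = {scope_rule(spec_url)}
    include.update(scope_rule(u) for u in api_base_urls)
    return {
        "urls": [spec_url],
        "scan_configurations": [{"type": "NamedConfiguration", "name": config_name}],
        "scope": {
            "type": "SimpleScope",
            "include": [{"rule": rule} for rule in sorted(include)],
        },
    }


def start_scan(body):
    """POST the body; Burp answers 201 with the new task id in the Location header."""
    req = urllib.request.Request(
        f"{api_base()}/scan",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Location"]


def scan_status(task_id):
    """GET /v0.1/scan/{task_id}; the JSON carries scan_status and issue events."""
    with urllib.request.urlopen(f"{api_base()}/scan/{task_id}") as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: spec served by a local static server (the thread's
    # "host it locally" approach) while the API lives on another origin.
    body = build_scan_request(
        spec_url="http://127.0.0.1:8000/openapi.json",
        api_base_urls=["https://api.example.com/v1"],
        config_name="Crawl and Audit - Lightweight",   # built-in config name
    )
    print(json.dumps(body, indent=2))
    task = start_scan(body)
    status = scan_status(task)
    while status.get("scan_status") not in ("succeeded", "failed"):
        time.sleep(10)
        status = scan_status(task)
    print("finished:", status.get("scan_status"))
```

The scope rules are derived from the origins rather than copied verbatim from the URLs, so a spec at one path and API endpoints under another path on the same host collapse to a single include entry, and a spec hosted on a separate origin gets its own entry automatically.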

Jeevesh | Last updated: Jul 22, 2024 09:06AM UTC

Hi Syed, thank you for your prompt response. Is there a way to pass an API documentation file which is stored locally?

Syed, PortSwigger Agent | Last updated: Jul 22, 2024 09:15AM UTC

Hi Jeevesh,

If you are asking about uploading the API spec, then no. If you are asking about hosting the API spec locally and then scanning it through REST API, then yes.

I hope that helps.

Jeevesh | Last updated: Jul 31, 2024 05:33AM UTC

Hi Team, currently what types of authentication mechanisms does API scanning using REST APIs support? Can you provide some sample payloads which demonstrate the use of these authentication mechanisms?

Syed, PortSwigger Agent | Last updated: Jul 31, 2024 09:27AM UTC

Hi Jeevesh,

Burp Scanner currently supports the following authentication types for API scanning:

  • Basic authentication
  • API key authentication
  • Bearer authentication

Examples:

Basic authentication: Basic Authentication involves sending the username and password encoded in base64 in the Authorization header.

GET /api/resource HTTP/1.1
Host: example.com
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

In this example, dXNlcm5hbWU6cGFzc3dvcmQ= is the base64 encoding of username:password.

API key authentication: API Key Authentication involves including an API key in the request. This key can be sent in the query parameters, request headers, or as a cookie.

Example (Query Parameter):

GET /api/resource?api_key=1234567890abcdef HTTP/1.1
Host: example.com

Example (Request Header):

GET /api/resource HTTP/1.1
Host: example.com
X-API-Key: 1234567890abcdef

Bearer authentication: Bearer authentication involves sending a token in the Authorization header. This token is typically a JWT (JSON Web Token) or another opaque token.

GET /api/resource HTTP/1.1
Host: example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

In this example, eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c is the JWT token.

I hope this helps.

Jeevesh | Last updated: Jul 31, 2024 11:34AM UTC

Hi Syed, thank you for your reply. I'm aware of this, but I am interested in exploring how to utilize these options when I am performing an API scan by invoking the REST APIs that Burp Pro exposes.

Syed, PortSwigger Agent | Last updated: Jul 31, 2024 02:51PM UTC

Hi Jeevesh,

My bad. I misunderstood the context of your message. Regarding your query, unfortunately, Burp's REST API does not support scans of authenticated APIs. You will need to use the UI for that.

Jeevesh | Last updated: Aug 08, 2024 06:26AM UTC

Hi Syed, thanks for the confirmation. Can I convert my Postman collection, which has the authentication details as well, into OpenAPI documentation format and use it to scan the API endpoints for my scenario? If I can specify the authentication details in the Postman collection itself, will Burp Scanner be able to use these to perform authenticated scans? I will be hosting this authenticated API spec locally and trigger the /scan REST API on this API spec.

Syed, PortSwigger Agent | Last updated: Aug 08, 2024 08:42AM UTC

Hi Jeevesh,

I am afraid not. With the REST API, you can only run unauthenticated API scans. Burp only supports three authentication types (Basic, Bearer, and API Key), and only through the UI.

Any API endpoint in an API spec you want to scan through the REST API must not have any authentication at all.

Jeevesh | Last updated: Aug 08, 2024 09:20AM UTC

Hi Syed, in that case what happens if I use Burp as a proxy server for my Postman client, capture the API call request, and run an active scan using the captured request? Will that work? If this works, is there a way to automate this?

Syed, PortSwigger Agent | Last updated: Aug 08, 2024 02:12PM UTC

Hi Jeevesh,

Yes, that would work but the scan will only be useful as long as the session is active. Once the session token expires, Burp will probably just get a whole bunch of 403s.

How would you like to automate this?
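Two points from the replies above lend themselves to a pre-flight check in any automation: Burp's API scanning recognises exactly three authentication types (Basic, API key, Bearer), and a scan driven from a captured request stops being useful once the session token expires and the target starts answering 403. The following Python is an added example, not PortSwigger's code, that classifies which of those three schemes a captured request carries and, for a Bearer JWT, decodes the payload (without verifying the signature, since only the exp claim is read) so an automation step can tell whether the token is about to expire before it launches the scan. The sample requests reuse the header examples given earlier in this thread; make_unsigned_jwt builds a constructed token purely for illustration, and X-API-Key / api_key are assumed as the key locations because those are the ones the earlier reply used.

```python
"""Classify the auth scheme on a captured request and pre-check bearer expiry.

Added example, not PortSwigger's code. Reads the JWT payload only (no
signature verification); sample requests below reuse the thread's examples.
"""
import base64
import json
import time
from urllib.parse import parse_qs, urlsplit

# Token quoted in the thread: carries sub/name/iat but no exp claim.
PAGE_JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
            "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

# Constructed sample requests, modelled on the thread's examples.
BASIC_REQ = "GET /api/resource HTTP/1.1\r\nHost: example.com\r\nAuthorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=\r\n"
HEADER_KEY_REQ = "GET /api/resource HTTP/1.1\r\nHost: example.com\r\nX-API-Key: 1234567890abcdef\r\n"
QUERY_KEY_REQ = "GET /api/resource?api_key=1234567890abcdef HTTP/1.1\r\nHost: example.com\r\n"
BEARER_REQ = f"GET /api/resource HTTP/1.1\r\nHost: example.com\r\nAuthorization: Bearer {PAGE_JWT}\r\n"


def _b64url_decode(segment):
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_request(raw):
    """Split a raw HTTP request into (request line, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def detect_auth_scheme(raw):
    """Return ('basic'|'bearer'|'apikey', credential) or (None, None).

    Assumption: the API key travels as X-API-Key or ?api_key=, as in the
    thread's examples; other APIs use other names.
    """
    request_line, headers = parse_request(raw)
    scheme, _, value = headers.get("authorization", "").partition(" ")
    if scheme.lower() in ("basic", "bearer") and value:
        return scheme.lower(), value
    if "x-api-key" in headers:
        return "apikey", headers["x-api-key"]
    parts = request_line.split()
    query = urlsplit(parts[1]).query if len(parts) > 1 else ""
    keys = parse_qs(query).get("api_key")
    if keys:
        return "apikey", keys[0]
    return None, None


def jwt_claims(token):
    """Decode the payload of a compact JWS token; ValueError for opaque tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWS compact token")
    return json.loads(_b64url_decode(parts[1]))


def bearer_validity(token, now=None, margin=60):
    """('valid', secs_left) | ('expired', secs_left <= margin) | ('unknown', None).

    'unknown' covers opaque tokens and JWTs without exp: the scan may still
    start answering 403 at any point, so automation should not assume it is live.
    """
    now = time.time() if now is None else now
    try:
        exp = jwt_claims(token).get("exp")
    except (ValueError, json.JSONDecodeError):
        return "unknown", None
    if exp is None:
        return "unknown", None
    left = exp - now
    return ("valid" if left > margin else "expired"), left


def make_unsigned_jwt(claims):
    """Constructed test token: real layout, placeholder signature (never verified)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{_b64url_encode(b'constructed')}"


def precheck(raw, now=None):
    """What an automation step should learn before launching a scan on a capture."""
    scheme, value = detect_auth_scheme(raw)
    result = {"scheme": scheme}
    if scheme == "bearer":
        state, left = bearer_validity(value, now)
        result.update(token_state=state, seconds_left=left)
    return result


if __name__ == "__main__":
    for name, req in [("basic", BASIC_REQ), ("header key", HEADER_KEY_REQ),
                      ("query key", QUERY_KEY_REQ), ("bearer", BEARER_REQ)]:
        print(f"{name:10s} -> {precheck(req)}")
```

Running the bearer sample reports token_state "unknown" because the thread's JWT carries only iat; a token that does carry exp gives the automation a concrete number of seconds before the session-expiry problem from the reply above sets in.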
