Burp Suite User Forum


Looks like there is no way of allowing an API user to create scans under a folder.

alok | Last updated: Apr 15, 2020 05:38AM UTC

Hi, my security analyst created a REST API user for me. I logged in to the Burp Enterprise REST API and tried to use the 2 REST API GET queries; these GET queries are working fine. The problem is with the POST query. It does not allow the API user to create scans under a folder, which I had already created with the project name. It always creates the scan outside the project folder. Therefore, my security analyst had to provide Administrator access to the API user. My question is: is it necessary to provide Administrator access to a normal REST API user in order to create the scan inside the project folder?

Uthman, PortSwigger Agent | Last updated: Apr 15, 2020 08:31AM UTC

Hi Alok, I would suggest creating a new group, assigning the appropriate site restrictions to it (i.e. limit the API user to accessing a specific folder/site), adding the API user to the group, and then trying to re-run your scan. It should only create new scans under the folder you have restricted the API user to. If you want to create a name for the site, it needs to match the existing one under the folder. Alternatively, the name of the site can be left blank. It is not recommended to provide Administrator access to the API user since it does not need it to achieve what you are trying to do. You may find this article helpful in setting up groups, roles, and modifying permissions: https://portswigger.net/burp/documentation/enterprise/reference/team.
