Burp Suite User Forum


Parameter payloads that are required to launch a scan using burp API

Gaurav | Last updated: Oct 06, 2020 08:50PM UTC

Hello all, we have SAML authentication for every application, and I am trying to automate the Burp Enterprise tool to have it scan using the payloads that are found after a user authenticates using SAML authentication. I am looking for any leads that would help me determine what parameters the Burp API takes in to scan a site. Regards, Gaurav

Uthman, PortSwigger Agent | Last updated: Oct 07, 2020 08:38AM UTC

Hi Gaurav, Can you clarify what you mean by the below? "scan using the payloads that are found after a user authenticates using SAML authentication" How have you currently configured the authentication? Is that working? Which API are you referring to? REST? Or GraphQL?

Gaurav | Last updated: Oct 07, 2020 04:15PM UTC

Hey Uthman, thanks for connecting. We are implementing a local orchestration engine which will open a Chrome browser using Selenium to enter SAML credentials for a site; those strings will then be captured by the API, which will trigger a scan. My intent is to use the GraphQL API to achieve this and trigger a scan. What are the parameters that I need to capture in terms of starting a scan, and which GraphQL API call should I use? Regards!

Uthman, PortSwigger Agent | Last updated: Oct 07, 2020 04:24PM UTC

You will need to use the create_schedule_item mutation (https://portswigger.net/burp/extensibility/enterprise/graphql-api/create_schedule_item.html) to start the scan. This takes site_id, schedule, and scan_configuration_ids as input. A working example using curl (please replace the appropriate sections):

    curl --request POST \
      --url <ENTERPRISE-SERVER-URL>/graphql/v1 \
      --header 'authorization: <API-KEY>' \
      --header 'content-type: application/json' \
      --data '{"query":"mutation CreateScheduleItem {\n create_schedule_item(input: {site_id: 34, scan_configuration_ids: [\"a4bfa3ae-ebde-4a2e-8911-87a22feadf04\", \"662e3e00-a02b-4230-a94f-6d5dcefa85a8\"]}) {\n schedule_item {\n id\n }\n }\n}","operationName":"CreateScheduleItem"}'

In my example, I have left out the schedule field so the scan can run right away.

Gaurav | Last updated: Oct 12, 2020 12:15AM UTC

Is this the request that will help in collecting the user-string/ sessions once an app is authenticated using Selenium and launch a scan?

Gaurav | Last updated: Oct 12, 2020 12:35AM UTC

Also, I am getting an error while pushing the scan using the curl command; it says that the scan configuration was not found, although I used "id": "30edeeb5-e4db-4625-a158-e579edf5236b", "name": "Auditchecks-allexceptJavaScriptanalysis". We can carry on the conversation through email if possible. Thanks!
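The following is an added example, not code from PortSwigger or from anyone in this thread. It wraps the same create_schedule_item request that Uthman's curl command sends (POST to <server>/graphql/v1 with an authorization header and a JSON body carrying query and operationName, site_id as a number and scan_configuration_ids as quoted UUIDs, schedule omitted so the scan runs immediately) in a small Python client, and it shows where a "scan configuration was not found" message like the one Gaurav hit actually arrives: in the GraphQL errors list of a normal HTTP 200 reply, not as an HTTP error, so a caller has to check for it explicitly. The server URL, API key, site id and configuration ids in the usage section are constructed placeholders.

```python
"""Added example (not PortSwigger's code): build and send the create_schedule_item
mutation used in the thread, validating inputs and surfacing GraphQL errors.

Assumes the request shape shown in the thread: POST <server>/graphql/v1,
header 'authorization: <API-KEY>', JSON body {"query": ..., "operationName": ...}.
"""
import json
import re
import urllib.error
import urllib.request

# Scan configuration ids in the thread are UUIDs; reject anything else early.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def build_mutation(site_id, scan_configuration_ids):
    """Return the JSON body for the CreateScheduleItem mutation.

    site_id is an integer (as in the curl example); each configuration id is
    embedded as a GraphQL string literal via json.dumps, so quotes or
    backslashes in a value cannot break the query text. The schedule field
    is left out so the scan starts right away, as in the curl example.
    """
    if not isinstance(site_id, int) or site_id <= 0:
        raise ValueError("site_id must be a positive integer")
    if not scan_configuration_ids:
        raise ValueError("at least one scan configuration id is required")
    for cid in scan_configuration_ids:
        if not UUID_RE.match(cid):
            raise ValueError(f"not a scan configuration id (expected a UUID): {cid!r}")
    ids_literal = "[" + ", ".join(json.dumps(c) for c in scan_configuration_ids) + "]"
    query = (
        "mutation CreateScheduleItem {\n"
        f"  create_schedule_item(input: {{site_id: {site_id}, "
        f"scan_configuration_ids: {ids_literal}}}) {{\n"
        "    schedule_item { id }\n"
        "  }\n"
        "}"
    )
    return {"query": query, "operationName": "CreateScheduleItem"}


def schedule_item_id(response_body):
    """Return the new schedule item id, or raise with the server's GraphQL errors.

    GraphQL reports problems such as an unknown scan configuration in the
    top-level 'errors' list of a 200 response, so HTTP status alone is not
    enough to tell whether the scan was actually queued.
    """
    errors = response_body.get("errors")
    if errors:
        messages = "; ".join(e.get("message", str(e)) for e in errors)
        raise RuntimeError(f"GraphQL errors: {messages}")
    return response_body["data"]["create_schedule_item"]["schedule_item"]["id"]


def start_scan(server_url, api_key, site_id, scan_configuration_ids, timeout=30):
    """POST the mutation to <server_url>/graphql/v1 and return the schedule item id."""
    body = json.dumps(build_mutation(site_id, scan_configuration_ids)).encode()
    req = urllib.request.Request(
        server_url.rstrip("/") + "/graphql/v1",
        data=body,
        method="POST",
        headers={"authorization": api_key, "content-type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return schedule_item_id(json.load(resp))
    except urllib.error.HTTPError as exc:
        raise RuntimeError(
            f"HTTP {exc.code} from Enterprise server: {exc.read()[:200]!r}"
        ) from exc


if __name__ == "__main__":
    # Constructed sample values; site 34 and the UUID are the ones from the curl example.
    payload = build_mutation(34, ["a4bfa3ae-ebde-4a2e-8911-87a22feadf04"])
    print(json.dumps(payload, indent=2))
    # Constructed server reply of the kind Gaurav describes, to show how it surfaces.
    try:
        schedule_item_id({"errors": [{"message": "Scan configuration not found"}], "data": None})
    except RuntimeError as err:
        print(err)
    # Real call (placeholders): start_scan("https://enterprise.example", "<API-KEY>", 34, [...])
```

Using json.dumps for each id rather than pasting the UI value into the query string is what keeps the request well-formed if a copied value carries stray characters, and raising on the errors list is what turns a silently ignored "not found" into a visible failure in an orchestration pipeline.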

Uthman, PortSwigger Agent | Last updated: Oct 12, 2020 08:41AM UTC

Hi Gaurav, Sure. Please send us an email at support@portswigger.net
