The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Perform Active Scan With Checksum

Vishal | Last updated: Jul 26, 2024 09:34AM UTC

Hello, I am working with an API that uses a checksum calculated based on all the parameters and values in the request. How can I run an active scan on this API? Is there a way to run a script before or after the request, similar to how it's done in Postman? Thank you.

Syed, PortSwigger Agent | Last updated: Jul 26, 2024 02:37PM UTC

Hi Vishal,

I would need more details about the API you are trying to scan. Is it a single API or an API definition file?

I suppose the checksum is calculated automatically as you send the request? Or is there a separate request to calculate the checksum?

Finally, how are you planning to run the script, and what is the purpose of running it?

Vishal | Last updated: Jul 29, 2024 12:43PM UTC

These are server-to-server APIs. When a request is made to another server, the checksum will be calculated by the code. We are trying to run an active scan on these APIs. APIs are manually tested using the Postman tool, where a pre-request script calculates a checksum based on the request parameters. The checksum is then sent in the request headers. However, we are unable to run an active scan because the checksum does not change when a payload is added, causing the server to reject the request.
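The rejection described in the post above, as an added example that is not part of the original thread and is not Vishal's or PortSwigger's code: a request whose parameter is changed after the checksum was computed fails verification until the checksum is recomputed over the body actually sent. The algorithm (HMAC-SHA256 over canonical JSON), the header name `X-Checksum`, the secret and the sample parameters are assumptions; the thread does not state them.

```python
import hashlib
import hmac
import json

# Assumptions, not from the thread: algorithm, header name and secret.
SECRET = b"constructed-demo-secret"
HEADER = "X-Checksum"


def canonical(params: dict) -> bytes:
    """Serialise parameters deterministically so both sides hash the same bytes."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def checksum(params: dict) -> str:
    """Checksum over every parameter name and value in the request."""
    return hmac.new(SECRET, canonical(params), hashlib.sha256).hexdigest()


def server_accepts(headers: dict, body: bytes) -> bool:
    """Stand-in for the API's check: the header must match the received body."""
    try:
        params = json.loads(body)
    except ValueError:
        return False
    if not isinstance(params, dict):
        return False
    sent = headers.get(HEADER, "").encode()
    return hmac.compare_digest(sent, checksum(params).encode())


def resign(headers: dict, body: bytes) -> dict:
    """Recompute the checksum for the body as it will be sent.

    This is the step a pre-request script performs once per request; any
    tool that rewrites parameters has to repeat it after each rewrite.
    A body that no longer parses as a JSON object is returned unsigned.
    """
    try:
        params = json.loads(body)
    except ValueError:
        return dict(headers)
    if not isinstance(params, dict):
        return dict(headers)
    return {**headers, HEADER: checksum(params)}


if __name__ == "__main__":
    base = {"account": "1001", "amount": "25"}  # constructed sample request
    hdrs = {HEADER: checksum(base)}
    changed = canonical({**base, "amount": "25-SCAN-PROBE"})
    print(server_accepts(hdrs, changed), server_accepts(resign(hdrs, changed), changed))
```

How `resign` gets called for each scanner request (an extension or an upstream proxy) is outside this sketch and depends on the tooling in use.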

Syed, PortSwigger Agent | Last updated: Jul 29, 2024 03:09PM UTC

Hi Vishal,

When you say server-to-server APIs, do you mean a SOAP API? If it is a SOAP API or an API following a similar protocol, Burp Scanner does not yet support scanning such APIs. We are currently working on it, but it might take some time for them to hit the open market.

Vishal | Last updated: Jul 29, 2024 04:00PM UTC

They are REST APIs in JSON format.

Syed, PortSwigger Agent | Last updated: Jul 30, 2024 08:00AM UTC