Burp Suite User Forum
Perform Active Scan With Checksum

Vishal | Last updated: Jul 26, 2024 09:34AM UTC

Hello, I am working with an API that uses a checksum calculated based on all the parameters and values in the request. How can I run an active scan on this API? Is there a way to run a script before or after the request, similar to how it's done in Postman? Thank you.

Syed, PortSwigger Agent | Last updated: Jul 26, 2024 02:37PM UTC

Hi Vishal,

I would need more details about the API you are trying to scan. Is it a single API or an API definition file?

I suppose the checksum is calculated automatically as you send the request? Or is there a separate request to calculate the checksum?

Finally, how are you planning to run the script, and what is the purpose of running it?

Vishal | Last updated: Jul 29, 2024 12:43PM UTC

These are server-to-server APIs. When a request is made to another server, the checksum will be calculated by the code. We are trying to run an active scan on these APIs. APIs are manually tested using the Postman tool, where a pre-request script calculates a checksum based on the request parameters. The checksum is then sent in the request headers. However, we are unable to run an active scan because the checksum does not change when a payload is added, causing the server to reject the request.

Syed, PortSwigger Agent | Last updated: Jul 29, 2024 03:09PM UTC

Hi Vishal,

When you say server-to-server APIs, do you mean a SOAP API? If it is a SOAP API or an API following a similar protocol, Burp Scanner does not yet support scanning such APIs. We are currently working on it, but it might take some time for them to hit the open market.

Vishal | Last updated: Jul 29, 2024 04:00PM UTC

They are REST APIs in JSON format.

Syed, PortSwigger Agent | Last updated: Jul 30, 2024 08:00AM UTC

Hi Vishal,

Well, that changes things. This checksum you mentioned is calculated for each request sent to another server. For the receiving server to accept the request, each request needs a new checksum calculated pre-request. Am I correct?

Where is this pre-request script hosted, and is this checksum calculation part of the actual API request, or are these two separate events? The reason I am asking this is because if these are two separate events, you won't be able to run a usual active scan on this API as you do in Postman. You cannot run scripts in Burp Suite, but you can use session handling rules to run a macro to attach updated headers to each request that leaves Burp Suite. For this, you will need a set of requests that generate the checksum; a script won't work.

Is it possible to calculate the checksum using a set of request(s)?
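The failure Vishal describes (the scanner's inserted payload changes the request parameters, the checksum header stays stale, and the server rejects the request) and the recompute-and-reattach step that has to happen before each request leaves the proxy, as an added Python illustration that is not part of this thread and not Burp Suite code. The checksum scheme is an assumption: HMAC-SHA256 over the sorted query-string and JSON-body parameters, carried in an `X-Checksum` header and keyed by a constructed shared secret; whatever the real Postman pre-request script computes would replace `canonical_string` and `compute_checksum`.

```python
"""Re-sign a request whose checksum covers all of its parameters.

Stand-alone illustration, not Burp code. The checksum scheme is ASSUMED:
HMAC-SHA256 over query-string and JSON-body parameters sorted by name,
presented in an 'X-Checksum' header. Replace with the real scheme from the
Postman pre-request script.
"""
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, urlsplit

SHARED_SECRET = b"constructed-shared-secret"   # assumption: key both sides hold
CHECKSUM_HEADER = "X-Checksum"                 # assumption: header name


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build_request(request_line: str, headers, body: bytes) -> bytes:
    """Reassemble a request, keeping Content-Length consistent with the body."""
    kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
    kept.append(("Content-Length", str(len(body))))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def canonical_string(request_line: str, body: bytes) -> str:
    """Merge query and JSON-body parameters, sorted by name, into one string.

    Non-string JSON values are serialised compactly so nested payloads are
    covered too. A body that a scanner payload has turned into invalid JSON
    is folded in verbatim under a reserved name (assumed behaviour), so the
    checksum still changes whenever the body changes.
    """
    target = request_line.split(" ")[1]
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if body:
        try:
            for key, value in json.loads(body).items():
                params[key] = value if isinstance(value, str) else json.dumps(
                    value, separators=(",", ":"), sort_keys=True)
        except ValueError:
            params["_raw_body"] = body.decode("iso-8859-1")
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def compute_checksum(request_line: str, body: bytes) -> str:
    """HMAC-SHA256 hex digest over the canonical parameter string."""
    return hmac.new(SHARED_SECRET, canonical_string(request_line, body).encode(),
                    hashlib.sha256).hexdigest()


def resign(raw: bytes) -> bytes:
    """What a per-request session handling step must do: drop the stale
    checksum, compute a fresh one over the current parameters, re-attach it."""
    request_line, headers, body = parse_request(raw)
    headers = [(n, v) for n, v in headers if n.lower() != CHECKSUM_HEADER.lower()]
    headers.append((CHECKSUM_HEADER, compute_checksum(request_line, body)))
    return build_request(request_line, headers, body)


def server_accepts(raw: bytes) -> bool:
    """Receiving side: constant-time comparison of the presented checksum."""
    request_line, headers, body = parse_request(raw)
    presented = {n.lower(): v for n, v in headers}.get(CHECKSUM_HEADER.lower(), "")
    return hmac.compare_digest(presented, compute_checksum(request_line, body))


# Constructed sample: a request signed the way the Postman pre-request script would.
ORIGINAL = resign(
    b"POST /api/transfer?account=42 HTTP/1.1\r\n"
    b"Host: api.example\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"amount": 10, "memo": "rent"}'
)


def tampered() -> bytes:
    """The scanner modifies a body value but leaves the old checksum header."""
    request_line, headers, _ = parse_request(ORIGINAL)
    return build_request(request_line, headers, b'{"amount": 10, "memo": "rent\'"}')


if __name__ == "__main__":
    print("original accepted:", server_accepts(ORIGINAL))
    print("tampered accepted:", server_accepts(tampered()))
    print("re-signed accepted:", server_accepts(resign(tampered())))
```

The recompute step is the part a macro cannot express when the checksum is a local calculation rather than a request to a signing endpoint; in Burp it can instead live in an extension registered as a session handling action, which a session handling rule then invokes for each request the scanner emits, exactly where `resign` sits here. Making `resign` idempotent (re-signing an already signed request yields the same bytes) matters because the rule may fire on requests that already carry a header.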