Burp Suite User Forum

REST API. Get scan status after Burp restart: Task ID not found

Oleksii | Last updated: Nov 20, 2019 03:03PM UTC

Burp Suite Pro version: 2.1.05; Steps to reproduce: 1. Start Burp Suite Pro; 2. Launch new scan, using REST API, i.e. do HTTP POST scan configuration to http://127.0.0.1:1337/$apiKey/v0.1/scan; 3. Poll scan status with HTTP GET http://127.0.0.1:1337/$apiKey/v0.1/scan/$taskID; 4. Stop Burp Suite; 5. Launch Burp Suite again with --unpause-spider-and-scanner command line option; 6. Scan status poll fails with HTTP 400: {"type":"ClientError","error":"Task ID not found"} Expected behavior: Burp Suite stores taskID in project file/temporary directory and allows to poll scan status even after Burp Suite restart.

Liam, PortSwigger Agent | Last updated: Nov 20, 2019 03:51PM UTC

You should be able to find the Task ID in the "location" header. Please let us know if you need any further assistance.

Liam, PortSwigger Agent | Last updated: Nov 20, 2019 03:55PM UTC

To view the task_id of an item, you can: 1) Note the value of the location header that is returned when you start the scan. 2) Look at the Burp Dashboard tab. 3) Configure a callback URL and note the task_id in the body of the request.

Burp User | Last updated: Nov 20, 2019 04:26PM UTC

I know where to find task ID, but the report isn't about it. Say, you received a response to POST request and saved task ID from 'Location' HTTP header, then you can perform HTTP GET requests with this task ID to obtain scan status and all works just fine until... After Burp Suite restart you will not able to poll scan status because Burp Suite responds with HTTP 400: {"type":"ClientError","error":"Task ID not found"} whatever you give it as a task ID. Read my steps to reproduce carefully, please.

Burp User | Last updated: Nov 21, 2019 01:32AM UTC

Dear Support, This issue has a significant impact on the way we are trying to utilize Burp Pro 2.x via API. In our case, the some targets we test are not available 24x7, so we have to deal with suspending the scan & audit and resuming it later. However, doing that via API does not work as the TaskID is not recognized by Burp Pro after the restart. Please advise. Thanks, Alex.

Liam, PortSwigger Agent | Last updated: Nov 21, 2019 02:55PM UTC

Sasha, we reproduced the behavior you are having an issue with. We'll discuss this with the appropriate product team and get back to you.

Burp User | Last updated: Nov 25, 2019 07:59PM UTC

It's great news, Liam, thank you! Please keep me posted or let me know otherwise what we can do to get the fix for this behavior prioritized /expedited. Sasha.

Michelle, PortSwigger Agent | Last updated: Nov 26, 2019 01:15PM UTC

Hi We've raised this as a bug with our product team, we don't have an ETA for the fix as yet.

Synack | Last updated: Feb 17, 2020 10:07PM UTC

Hi, do you have and updates on this issue? Thanks, Sasha.

Michelle, PortSwigger Agent | Last updated: Feb 18, 2020 10:33AM UTC

Hi Sasha This issue is in our backlog, we don't have an ETA as yet, but we've linked this thread so we can post an update when there's news.

You need to Log in to post a reply. Or register here, for free.