Burp Suite User Forum

Login to post

REST API. Get scan status after Burp restart: Task ID not found

Oleksii | Last updated: Nov 20, 2019 03:03PM UTC

Burp Suite Pro version: 2.1.05; Steps to reproduce: 1. Start Burp Suite Pro; 2. Launch new scan, using REST API, i.e. do HTTP POST scan configuration to http://127.0.0.1:1337/$apiKey/v0.1/scan; 3. Poll scan status with HTTP GET http://127.0.0.1:1337/$apiKey/v0.1/scan/$taskID; 4. Stop Burp Suite; 5. Launch Burp Suite again with --unpause-spider-and-scanner command line option; 6. Scan status poll fails with HTTP 400: {"type":"ClientError","error":"Task ID not found"} Expected behavior: Burp Suite stores taskID in project file/temporary directory and allows to poll scan status even after Burp Suite restart.

Liam, PortSwigger Agent | Last updated: Nov 20, 2019 03:51PM UTC

You should be able to find the Task ID in the "location" header. Please let us know if you need any further assistance.

Liam, PortSwigger Agent | Last updated: Nov 20, 2019 03:55PM UTC

To view the task_id of an item, you can: 1) Note the value of the location header that is returned when you start the scan. 2) Look at the Burp Dashboard tab. 3) Configure a callback URL and note the task_id in the body of the request.

Burp User | Last updated: Nov 20, 2019 04:26PM UTC

I know where to find task ID, but the report isn't about it. Say, you received a response to POST request and saved task ID from 'Location' HTTP header, then you can perform HTTP GET requests with this task ID to obtain scan status and all works just fine until... After Burp Suite restart you will not able to poll scan status because Burp Suite responds with HTTP 400: {"type":"ClientError","error":"Task ID not found"} whatever you give it as a task ID. Read my steps to reproduce carefully, please.

Burp User | Last updated: Nov 21, 2019 01:32AM UTC

Dear Support, This issue has a significant impact on the way we are trying to utilize Burp Pro 2.x via API. In our case, the some targets we test are not available 24x7, so we have to deal with suspending the scan & audit and resuming it later. However, doing that via API does not work as the TaskID is not recognized by Burp Pro after the restart. Please advise. Thanks, Alex.

Liam, PortSwigger Agent | Last updated: Nov 21, 2019 02:55PM UTC

Sasha, we reproduced the behavior you are having an issue with. We'll discuss this with the appropriate product team and get back to you.

Burp User | Last updated: Nov 25, 2019 07:59PM UTC

It's great news, Liam, thank you! Please keep me posted or let me know otherwise what we can do to get the fix for this behavior prioritized /expedited. Sasha.

Michelle, PortSwigger Agent | Last updated: Nov 26, 2019 01:15PM UTC

Hi We've raised this as a bug with our product team, we don't have an ETA for the fix as yet.

Synack | Last updated: Feb 17, 2020 10:07PM UTC

Hi, do you have and updates on this issue? Thanks, Sasha.

Michelle, PortSwigger Agent | Last updated: Feb 18, 2020 10:33AM UTC

Hi Sasha This issue is in our backlog, we don't have an ETA as yet, but we've linked this thread so we can post an update when there's news.

Prateek | Last updated: Sep 11, 2020 04:41PM UTC

Hi Team, while trying to use Burp rest API to perform scans, we are gtting back 400 Bad Request for few domain urls. Please advise { "type": "ClientError", "code": 1101, "error": "Unknown host: example.domain.com" }

Michelle, PortSwigger Agent | Last updated: Sep 14, 2020 07:51AM UTC

An 'Unknown Host' error means that the hostname entered in the REST API command cannot be resolved so the scan cannot be started. Can you connect to the site from the machine running Burp?

Prateek | Last updated: Sep 14, 2020 08:32PM UTC

Hi Team, We are able to access the urls using BURP proxy(which means browsing the application with Burp proxy in the browser) and able to scan these urls by selecting the urls from Http History tab. But, we are not able to submit a scan request using REST API, which is returning as Bad Request "Unknown Host" Could you please advise on the workaround to resolve this issue. As every host need may not be resolvable using ping and these may be hosted in internet and cloud (eg: Azure, ecp). ping will fail for many other sites too..

Michelle, PortSwigger Agent | Last updated: Sep 15, 2020 07:47AM UTC

Can you send us a copy of the command you are sending via the REST API so we can take a closer look, please? You can share this directly via email if you prefer using the address support@portswigger.net

Prateek | Last updated: Sep 16, 2020 03:58PM UTC

As an example using an internet site Bank Of America curl -vgw "\n" -X POST 'http://localhost:1337/v0.1/scan' -d '{"urls":["http://bankofamerica.com"]}' { "type": "ClientError", "code": 1101, "error": "Unknown host: bankofamerica.com" }

Prateek | Last updated: Sep 16, 2020 03:59PM UTC

We are seeing the same error for other internet applications as well

Uthman, PortSwigger Agent | Last updated: Sep 17, 2020 09:35AM UTC

Thanks for the feedback. Our development team is working on a fix and we will update this thread when that has been implemented.

Prateek | Last updated: Sep 18, 2020 04:45AM UTC

Thanks, meanwhile is there a workaround to skip this check for ping to proceed with scan request

Uthman, PortSwigger Agent | Last updated: Sep 18, 2020 07:49AM UTC

Sorry, Prateek. It looks like your issue is different from the issues in the main thread. There is no ping. Burp will perform a DNS lookup of the host from the machine you are scanning from (or the machine the REST API is running from, in this case). Do you have any issues launching a scan on the HTTPS version? Do you have an upstream proxy set up? Can you send us further details via email, please?

You need to Log in to post a reply. Or register here, for free.