The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


REST API Scanning

Rui | Last updated: Jul 31, 2024 05:32PM UTC

Hopefully I am not missing something (the documentation is somewhat sparse) but, after loading the OpenAPI file from disk, ...

1) Burp chooses its own sample parameter values for use during the scan. There seems to be no way to change these values to be more relevant to the API being tested, and adding examples to the original OpenAPI specification file would be onerous and time-consuming (assuming they would actually be used by Burp). There is also no way to configure the scanner to remove parameters from the scan; *** Above all else, this is the issue that makes API scanning next to useless as it currently stands ***

2) Some API requests are automatically deselected by Burp Proxy and cannot be re-enabled. This is likely because such requests are using non-standard parameters such as ({BenefitRuleSid}). But it seems there is no way to edit this request in Burp, short of editing the original OpenAPI file and reloading it (which would probably cause the request to fail during the scan anyway).

3) One cannot select requests by string match (such as all PBenefit* requests), but must deselect and select requests individually. The available string search only finds requests, but does not select them for actual scanning.

If not currently supported, then treat this as a feature request?

Thanks
Rui
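
The two pre-processing steps the post calls onerous (setting realistic sample values, and choosing requests by a name pattern) can be done on the OpenAPI file before it is loaded. The script below is an added example, not code from the post or from PortSwigger; it assumes the scanner honours OpenAPI `example` values on parameters and that a trimmed copy of the spec is an acceptable way to limit what gets scanned. The spec, path names and values are constructed.

```python
import copy
import fnmatch

HTTP_METHODS = ("get", "post", "put", "patch", "delete")

# Constructed sample spec standing in for the OpenAPI file loaded from disk.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/PBenefitRule/{BenefitRuleSid}": {"get": {"parameters": [
            {"name": "BenefitRuleSid", "in": "path", "required": True,
             "schema": {"type": "string"}}]}},
        "/PBenefitPlan": {"get": {"parameters": [
            {"name": "planYear", "in": "query", "schema": {"type": "integer"}}]}},
        "/Employee/{EmployeeSid}": {"get": {"parameters": [
            {"name": "EmployeeSid", "in": "path", "required": True,
             "schema": {"type": "string"}}]}},
    },
}

def _parameters(path_item):
    """Yield every parameter object of a path item (path-level and per-operation)."""
    yield from path_item.get("parameters", [])
    for method in HTTP_METHODS:
        yield from path_item.get(method, {}).get("parameters", [])

def prepare_spec(spec, examples, path_pattern="*"):
    """Return a copy of spec keeping only paths matching path_pattern (fnmatch
    syntax) and setting `example` on each parameter named in `examples`."""
    out = copy.deepcopy(spec)
    out["paths"] = {p: item for p, item in out["paths"].items()
                    if fnmatch.fnmatch(p, path_pattern)}
    for path_item in out["paths"].values():
        for param in _parameters(path_item):
            if param.get("name") in examples:
                param["example"] = examples[param["name"]]
    return out

def params_without_example(spec):
    """Sorted names of parameters still lacking an example, so gaps are visible
    before the scan rather than discovered as skipped or failing requests."""
    return sorted({param["name"] for item in spec["paths"].values()
                   for param in _parameters(item) if "example" not in param})

if __name__ == "__main__":
    ready = prepare_spec(SAMPLE_SPEC, {"BenefitRuleSid": "BR-1001"}, "/PBenefit*")
    print(sorted(ready["paths"]))         # ['/PBenefitPlan', '/PBenefitRule/{BenefitRuleSid}']
    print(params_without_example(ready))  # ['planYear']
```

Write the returned dict back out as JSON and load that file instead of the original; the original spec is left untouched, so the full API can still be reloaded later.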

Syed, PortSwigger Agent | Last updated: Aug 01, 2024 02:47PM UTC