Burp Suite User Forum


REST API Scanning Using Burp Enterprise

Ranjith | Last updated: Apr 07, 2021 02:49PM UTC

Hi Team,

APIs are not web apps where the crawler can be used to automatically discover various links, forms, subdirectories and input fields. It's kind of point-and-shoot, and it provides the expected output for a given input. Just scanning an endpoint URL as if it were an app will not add any value.

If we have a Postman Collection JSON or OAS/Swagger JSON, will the scanner read the file and construct the requests automatically for scanning? I don't see any option to upload the JSON collection file in the Enterprise edition.

We understand that Burp doesn't handle any authentication such as OAuth and API keys. Please also let us know if our understanding is correct.

https://portswigger.net/burp/documentation/desktop/scanning/api-scanning

Thanks,
Ranjith

Uthman, PortSwigger Agent | Last updated: Apr 07, 2021 02:58PM UTC

Hi Ranjith,

You cannot upload a JSON collection file or similar in Enterprise, unfortunately.

You will need to use the instructions in the article you have linked - i.e. create a site with a link to a hosted OpenAPI v3 definition file (e.g. https://petstore3.swagger.io/api/v3/openapi.json).

The scanner will then crawl the endpoints based on what is in the definition file and make subsequent audit requests during the audit. You are correct about the authentication for standard web applications, but it looks like you can define this in your definition file for an API matching the OpenAPI v3 specification:
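As an added illustration of what the reply above is describing (this is a constructed example, not a file from PortSwigger or from this thread), the following is a minimal OpenAPI v3 definition of the kind a scanner can read to build its requests. All hostnames, paths, parameter names and scheme names in it are invented. The `paths` section is what gives a scanner the endpoints, methods, parameters and request bodies to construct requests from, and `components.securitySchemes` is where the definition declares how the API authenticates (here an API key header and an OAuth2 client-credentials flow):

```json
{
  "openapi": "3.0.3",
  "info": {
    "title": "Orders API (constructed example)",
    "version": "1.0.0"
  },
  "servers": [
    { "url": "https://api.example.invalid/v1" }
  ],
  "components": {
    "securitySchemes": {
      "ApiKeyAuth": {
        "type": "apiKey",
        "in": "header",
        "name": "X-API-Key"
      },
      "OAuth2ClientCredentials": {
        "type": "oauth2",
        "flows": {
          "clientCredentials": {
            "tokenUrl": "https://auth.example.invalid/oauth/token",
            "scopes": {
              "orders:read": "Read orders",
              "orders:write": "Create and modify orders"
            }
          }
        }
      }
    },
    "schemas": {
      "Order": {
        "type": "object",
        "required": ["sku", "quantity"],
        "properties": {
          "sku": { "type": "string", "example": "ABC-123" },
          "quantity": { "type": "integer", "minimum": 1, "example": 2 },
          "note": { "type": "string", "example": "leave at door" }
        }
      }
    }
  },
  "security": [
    { "ApiKeyAuth": [] }
  ],
  "paths": {
    "/orders": {
      "get": {
        "summary": "List orders",
        "parameters": [
          { "name": "status", "in": "query", "schema": { "type": "string", "example": "open" } },
          { "name": "limit",  "in": "query", "schema": { "type": "integer", "example": 10 } }
        ],
        "responses": { "200": { "description": "OK" } }
      },
      "post": {
        "summary": "Create an order",
        "security": [ { "OAuth2ClientCredentials": ["orders:write"] } ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": { "schema": { "$ref": "#/components/schemas/Order" } }
          }
        },
        "responses": { "201": { "description": "Created" } }
      }
    },
    "/orders/{orderId}": {
      "get": {
        "summary": "Fetch one order",
        "parameters": [
          { "name": "orderId", "in": "path", "required": true, "schema": { "type": "string", "example": "ord_1001" } }
        ],
        "responses": { "200": { "description": "OK" }, "404": { "description": "Not found" } }
      }
    }
  }
}
```

Two points worth checking before pointing a scan at a definition like this: the file has to be served at a URL the scanning agent can reach (the reply above says to link the site to a hosted definition), and a security scheme only describes how a client authenticates; it carries no credentials itself, so an actual key or token still has to come from somewhere outside the definition for authenticated endpoints to be exercised rather than answered with 401s. The `example` values on parameters and schema properties are what a consumer can use to build well-formed requests, so giving them realistic values makes the generated traffic more meaningful.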
