Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

REST API Scanning Using Burp Enterprise

Ranjith | Last updated: Apr 07, 2021 02:49PM UTC

Hi Team, APIs are not web apps where the crawler can be used to automatically discover various links, forms, sub directories and inputs fields. It's kind of point-and-shoot and it provides expected output for a given input. Just Scanning an endpoint URL similar to app will not add any value. If we have a Postman Collection JSON or OAS/Swagger JSON, will the scanner read the file and construct the requests automatically for scanning? I don't see any option to upload the JSON collection file in the enterprise edition? We understand that burp doesn't handle any authentication such as Oauth, and API key. Please also let us know if our understanding is correct. https://portswigger.net/burp/documentation/desktop/scanning/api-scanning Thanks Ranjith

Uthman, PortSwigger Agent | Last updated: Apr 07, 2021 02:58PM UTC

Hi Ranjith,

You cannot upload a JSON collection file or similar in Enterprise, unfortunately.

You will need to use the instructions in the article you have linked - i.e. create a site with a link to a hosted OpenAPI v3 definition file (e.g. https://petstore3.swagger.io/api/v3/openapi.json).

The scanner will then crawl the endpoints based on what is in the definition file and make subsequent audit requests during the audit. You are correct about the authentication for standard web applications, but it looks like you can define this in your definition file for an API matching the OpenAPI v3 specification:

Ranjith | Last updated: Apr 12, 2021 06:13PM UTC

Hi Uthman, That works. For open authentication it works fine. It would be great if we add " adding additional HTTP header to pass the creds/API Keys or Bearer JWT in future for authenticated scanning. Thanks for your support Thanks Ranjith

Uthman, PortSwigger Agent | Last updated: Apr 13, 2021 08:52AM UTC

Hi Ranjith, Thanks for the feedback! Adding additional headers should be coming very soon with the implementation of extensions in Enterprise. We will update this thread when that becomes available.

Cleverton | Last updated: Feb 09, 2022 07:43PM UTC

Hello All, Any update on custom headers?

Alex, PortSwigger Agent | Last updated: Feb 10, 2022 09:48AM UTC