The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Scan in Burp Enterprise with an API key for authorisation

Thomas | Last updated: Dec 16, 2022 10:55AM UTC

Hello all,

Is it possible to start a Burp Enterprise scan that uses an API key for authorisation?

Thanks for the help

Alex, PortSwigger Agent | Last updated: Dec 16, 2022 11:31AM UTC

Hi Thomas,

Thanks for your post. Can I just clarify:

- Are you wanting to create a scan that includes an auth header with an API key, to authorize against the target application/endpoint?
- Or, are you wanting to initiate a scan via an API query that would therefore require authorization against your Enterprise server?

Best regards,

Thomas | Last updated: Dec 16, 2022 12:14PM UTC

Hi Alex,

Exactly, I want to start a scan with an API key in the header to authenticate at the target application. In Burp Enterprise there are only the options "Add usernames and passwords" or "Upload recorded login sequences". Therefore I am looking for a way to send an API key for authorised scanning.

Best regards,
Thomas

Alex, PortSwigger Agent | Last updated: Dec 16, 2022 12:40PM UTC

Hi Thomas,

Thanks for clarifying. Whilst we intend to add this functionality natively to Burp Suite Enterprise, currently, this needs to be configured within Burp Suite Professional by navigating to Project Options > Sessions > Session Handling Rules. From here, you can create rule(s) for the "set a specific header value" option and also define the scope for your rule(s). Once created, you can save your rules as a JSON and import these into Burp Suite Enterprise for use as a scan configuration with your sites.

The steps would be as follows:

1. In Burp Suite Pro, navigate to Project Options > Sessions > Session Handling Rules > Add.
2. Under "Rule Actions", select "Add" and choose "Set a specific header value".
3. You can then add a name and value; also select "Add if not present."
4. Next, select the "Scope" tab, where you can either add a specific URL scope for the header(s) or include all URLs.
5. Once all the details are complete, add your rule.
6. Save the configuration file by selecting the cogwheel under the "Session Handling Rules" title.
7. Once you have the saved JSON file, you can import this into Burp Suite Enterprise by navigating to Settings > Scan Configurations > Import.

This will then be added to your scan configuration library for use with your sites. The JSON file can be edited and uploaded again if different details are required for specific sites.

I hope that's clear; if you have any questions, just let me know.

Best regards,
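
The last step above (editing the exported JSON per site) is where the API key would otherwise end up stored in plain text in the scan configuration library. The script below is an added example, not PortSwigger's code and not the real Burp Suite export schema: it assumes only that the export is JSON and that the header value was saved as a placeholder token, then fills in the per-site key from an environment variable at upload time. The sample config structure and the `__API_KEY__` placeholder are constructed for illustration.

```python
import json
import os
from typing import Any, Tuple

# Constructed stand-in for an exported session-handling config.
# It is NOT the real Burp Suite JSON schema; the code relies only on
# the file being JSON and on the placeholder token in a string value.
SAMPLE_CONFIG = json.dumps({
    "session_handling_rules": [{
        "description": "Add API key header for scans of one site",
        "actions": [{"type": "set_header",
                     "header_name": "X-API-Key",
                     "header_value": "__API_KEY__"}],
        "scope": {"urls": ["https://api.example.test/"]},
    }]
})

PLACEHOLDER = "__API_KEY__"


def substitute(node: Any, placeholder: str, secret: str) -> Tuple[Any, int]:
    """Recursively replace the placeholder in every string value.
    Returns (rewritten tree, number of string values changed)."""
    if isinstance(node, dict):
        out, count = {}, 0
        for key, value in node.items():
            out[key], changed = substitute(value, placeholder, secret)
            count += changed
        return out, count
    if isinstance(node, list):
        items = [substitute(value, placeholder, secret) for value in node]
        return [value for value, _ in items], sum(changed for _, changed in items)
    if isinstance(node, str) and placeholder in node:
        return node.replace(placeholder, secret), 1
    return node, 0


def render_config(template_json: str, secret: str, placeholder: str = PLACEHOLDER) -> str:
    """Produce the per-site JSON to upload; refuse empty secrets and
    templates that contain no placeholder (a silent no-op would upload a
    config that sends the literal token as the key)."""
    if not secret:
        raise ValueError("empty secret: set the per-site API key first")
    tree, count = substitute(json.loads(template_json), placeholder, secret)
    if count == 0:
        raise ValueError(f"placeholder {placeholder!r} not found in template")
    return json.dumps(tree, indent=2)


if __name__ == "__main__":
    # Hypothetical variable name; the key never lives in the template file.
    print(render_config(SAMPLE_CONFIG, os.environ.get("TARGET_API_KEY", "")))
```

Keep the placeholder version in the configuration library and generate the filled-in file only for the upload, so rotating a key for one site means re-running the script rather than editing several stored configs by hand.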

Thomas | Last updated: Dec 20, 2022 04:26PM UTC