The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Skipping location in API definition because it is out of scope.

Michael | Last updated: Dec 10, 2021 11:34AM UTC

Hi BurpSuite Support,

I am evaluating the API Scanning functionality in BurpSuite Enterprise edition and have paid particular attention to the following page and this forum, but I cannot find a solution to a problem that I am encountering.

https://portswigger.net/burp/documentation/desktop/scanning/api-scanning

I have published an OpenAPI 3 definition for my API in JSON format and entered that address as the 'Site URL' setting. I can tell from the event log that BurpSuite is finding the endpoints in my specification, but it is not crawling them. In each case, the event log reports:

"DEBUG","UNSPECIFIED","Skipping location {MyURL} in API definition because it is out of scope.","December 10 2021 at 11:16:13","1"

If I explicitly enter the URL of the API endpoint into the 'Enter URLs to include' field, it does crawl the endpoint. I want BurpSuite to automatically crawl all endpoints in my OpenAPI 3 definition that meet the conditions specified in 'Prerequisites for API scanning' and 'Limitations for API scanning' in the linked document, without having to explicitly list the endpoint(s). What am I missing here?

Thanks and regards, M

Uthman, PortSwigger Agent | Last updated: Dec 10, 2021 11:55AM UTC

Hi Michael,

It may be best to email us (support@portswigger.net) with more details on the in-scope and out-of-scope URLs, along with the API definition file and screenshots of what is configured in Enterprise.

Have you tried adding the URL of the definition as an Included URL and changing the main site URL to that of the application/site built on the API?

Michael | Last updated: Dec 10, 2021 12:17PM UTC

Hi Uthman,

Can you tell me if and where I can configure the in-scope and out-of-scope URLs in BurpSuite Enterprise? I cannot find any documentation pertaining to this. All documentation that I can find refers to BurpSuite Professional.

What I can tell you is that I am running my API locally for evaluation purposes:

http://localhost/8082/my-base-path/resource-name

I am also hosting the OpenAPI specification at the same location and with the same base URL:

http://localhost/8082/my-base-path/v3/api-doc-json

Does this setup interfere with the scanner's ability to crawl?

Michael | Last updated: Dec 10, 2021 12:34PM UTC

Hi Uthman,

I have resolved the issue for this scenario by adding the following to the 'Enter URLs to include' field:

http://localhost:8082

Can you point me to where I can find the documentation that tells me that I must do this? It would be helpful for people like me who may not be intimate with BurpSuite Professional to add a note on this to the following page:

https://portswigger.net/burp/documentation/desktop/scanning/api-scanning

Michael | Last updated: Dec 10, 2021 12:46PM UTC

Sorry about the typo above, all URLs should read http://localhost:8082/ and not http://localhost/8082/
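The thread above turns on one question: which of the locations an OpenAPI definition describes fall under the URLs the scan treats as in scope. The following script is an added example, not PortSwigger code and not part of the original thread. It resolves each `servers` URL and path in a constructed OpenAPI 3 document (modelled on the localhost:8082 setup Michael describes) to an absolute URL and checks it against a list of included URL prefixes using simple scheme/host/port plus path-prefix matching. That matching rule is an assumption made for this example; Burp Suite Enterprise's own scope evaluation may differ, so treat the output as a pre-flight sanity check before starting a scan, not as the scanner's logic.

```python
"""Pre-flight scope check for an OpenAPI 3 definition (added example, not PortSwigger code).

Approximates the decision behind the event-log message seen in the thread:
"Skipping location ... in API definition because it is out of scope."
Matching rule (an assumption for this example): a location is in scope when
its scheme, host and port equal those of an included URL and its path starts
with the included URL's path.
"""
import json
from urllib.parse import urljoin, urlsplit

# Constructed sample definition modelled on the thread: API served locally on
# port 8082 under a base path; the definition itself is hosted at the same place.
SAMPLE_DEFINITION = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "http://localhost:8082/my-base-path"}],
    "paths": {
        "/resource-name": {"get": {}, "post": {}},
        "/resource-name/{id}": {"get": {}},
    },
})


def resolve_locations(definition_json):
    """Return the absolute URLs described by the definition (one per server/path pair)."""
    spec = json.loads(definition_json)
    servers = [s["url"] for s in spec.get("servers", [])] or ["/"]
    locations = []
    for base in servers:
        base = base if base.endswith("/") else base + "/"
        for path in spec.get("paths", {}):
            locations.append(urljoin(base, path.lstrip("/")))
    return locations


def _normalise(url):
    """Split a URL into (scheme, host, port, path), filling in default ports."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    return parts.scheme, host, port, path


def in_scope(location, included_prefixes):
    """True if the location sits under any included prefix (assumed prefix-matching rule)."""
    l_scheme, l_host, l_port, l_path = _normalise(location)
    for prefix in included_prefixes:
        p_scheme, p_host, p_port, p_path = _normalise(prefix)
        if (l_scheme, l_host, l_port) != (p_scheme, p_host, p_port):
            continue  # e.g. the thread's typo http://localhost/8082/ is port 80, not 8082
        if p_path == "/" or l_path == p_path or l_path.startswith(p_path.rstrip("/") + "/"):
            return True
    return False


def scope_report(definition_json, included_prefixes):
    """Map each resolved location to 'in scope' or the skip message from the event log."""
    report = {}
    for loc in resolve_locations(definition_json):
        if in_scope(loc, included_prefixes):
            report[loc] = "in scope"
        else:
            report[loc] = f"Skipping location {loc} in API definition because it is out of scope."
    return report


if __name__ == "__main__":
    # Only the definition URL included: every endpoint is reported as skipped.
    for loc, verdict in scope_report(
        SAMPLE_DEFINITION, ["http://localhost:8082/my-base-path/v3/api-doc-json"]
    ).items():
        print(verdict)
    print("---")
    # The fix from the thread: include the origin, so all endpoints are in scope.
    for loc, verdict in scope_report(SAMPLE_DEFINITION, ["http://localhost:8082"]).items():
        print(loc, "->", verdict)
```

Run it with the two included-URL lists in `__main__` to see the difference between including only the definition's URL and including `http://localhost:8082`; the mismatched-port branch also shows why the `http://localhost/8082/` typo would never match anything served on port 8082.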

Uthman, PortSwigger Agent | Last updated: Dec 10, 2021 01:06PM UTC