Burp Suite User Forum

Skipping location in API definition because it is out of scope.

Michael | Last updated: Dec 10, 2021 11:34AM UTC

Hi BurpSuite Support,

I am evaluating the API Scanning functionality in BurpSuite Enterprise edition and have paid particular attention to the following page and this forum, but I cannot find a solution to a problem that I am encountering.

https://portswigger.net/burp/documentation/desktop/scanning/api-scanning

I have published an OpenAPI 3 definition for my API in JSON format and entered that address as the 'Site URL' setting. I can tell from the event log that BurpSuite is finding the endpoints in my specification, but it is not crawling them. In each case, the event log reports:

"DEBUG","UNSPECIFIED","Skipping location {MyURL} in API definition because it is out of scope.","December 10 2021 at 11:16:13","1"

If I explicitly enter the URL of the API endpoint into the 'Enter URLs to include' field, it does crawl the endpoint. I want BurpSuite to automatically crawl all endpoints in my OpenAPI 3 definition that meet the conditions specified in 'Prerequisites for API scanning' and 'Limitations for API scanning' in the linked document, without having to explicitly list the endpoint(s).

What am I missing here?

Thanks and regards,
M

Uthman, PortSwigger Agent | Last updated: Dec 10, 2021 11:55AM UTC

Hi Michael, It may be best to email us (support@portswigger.net) with more details on the in-scope and out-of-scope URLs along with the API definition file and screenshots of what is configured in Enterprise. Have you tried adding the URL of the definition as an Included URL and changing the main site URL to that of the application/site built on the API?

Michael | Last updated: Dec 10, 2021 12:17PM UTC

Hi Uthman,

Can you tell me if and where I can configure the in-scope and out-of-scope URLs in BurpSuite Enterprise? I cannot find any documentation pertaining to this. All documentation that I can find refers to BurpSuite Professional.

What I can tell you is that I am running my API locally for evaluation purposes:

http://localhost/8082/my-base-path/resource-name

I am also hosting the OpenAPI specification at the same location and with the same base URL:

http://localhost/8082/my-base-path/v3/api-doc-json

Does this setup interfere with the scanner's ability to crawl?

Michael | Last updated: Dec 10, 2021 12:34PM UTC

Hi Uthman,

I have resolved the issue for this scenario by adding the following to the 'Enter URLs to include' field:

http://localhost:8082

Can you point me to where I can find the documentation that tells me that I must do this? It would be helpful for people like me, who may not be intimate with BurpSuite Professional, to add a note on this to the following page:

https://portswigger.net/burp/documentation/desktop/scanning/api-scanning

Michael | Last updated: Dec 10, 2021 12:46PM UTC

Sorry about the typo above: all URLs should read http://localhost:8082/ and not http://localhost/8082/
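The scope behaviour behind the "out of scope" log message, as an added example that is not part of this thread and is not PortSwigger's code. It assumes, as an approximation of Burp Suite Enterprise's Included/Excluded URL settings, that scope is prefix-based: a location resolved from the API definition is in scope when it falls under at least one included URL prefix and under no excluded URL prefix. The OpenAPI document, the base path `/my-base-path`, the resource names and the `/admin/users` endpoint are constructed to mirror the layout described above, not taken from the poster's real specification.

```python
"""Prefix-based scope check over the locations in an OpenAPI 3 definition.

Assumption: scope works like Burp's Included/Excluded URLs, i.e. by URL
prefix. This is an illustration, not PortSwigger's matching code.
"""
import json
from urllib.parse import urlsplit

# Constructed definition modelled on the thread's layout: the API and its
# definition share one base path on localhost:8082 (hypothetical paths).
DEFINITION_URL = "http://localhost:8082/my-base-path/v3/api-doc-json"
OPENAPI_DOC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "demo", "version": "1.0.0"},
    "servers": [{"url": "http://localhost:8082/my-base-path"}],
    "paths": {
        "/resource-name": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/resource-name/{id}": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/admin/users": {"get": {"responses": {"200": {"description": "ok"}}}},
    },
})


def _parts(url):
    """Normalise a URL to (scheme, host, port, path) for comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return scheme, (p.hostname or "").lower(), port, p.path or "/"


def under_prefix(url, prefix):
    """True if url has prefix's origin and its path equals prefix's path or
    is a sub-path of it (matched on segment boundaries, so /api does not
    match /apix)."""
    us, uh, up, upath = _parts(url)
    ps, ph, pp, ppath = _parts(prefix)
    if (us, uh, up) != (ps, ph, pp):
        return False
    ppath = ppath.rstrip("/")
    return ppath == "" or upath == ppath or upath.startswith(ppath + "/")


def in_scope(url, included, excluded=()):
    """Included prefixes admit; any excluded prefix overrides."""
    return any(under_prefix(url, i) for i in included) and not any(
        under_prefix(url, e) for e in excluded)


def api_locations(doc, definition_url):
    """Resolve every path in the definition to an absolute URL.

    Per OpenAPI 3, a missing `servers` entry means a server URL of "/",
    which is taken relative to the origin the definition was fetched from.
    """
    servers = [s["url"] for s in doc.get("servers", [])] or ["/"]
    ds, dh, dp, _ = _parts(definition_url)
    origin = f"{ds}://{dh}:{dp}"
    out = []
    for server in servers:
        base = server if "://" in server else origin + server
        base = base.rstrip("/")
        for path in doc.get("paths", {}):
            out.append(base + path)
    return out


def classify(doc, definition_url, included, excluded=()):
    """Map each location to 'crawl' or 'skip' under the given scope."""
    return {u: ("crawl" if in_scope(u, included, excluded) else "skip")
            for u in api_locations(doc, definition_url)}


if __name__ == "__main__":
    doc = json.loads(OPENAPI_DOC)
    # Scope limited to the definition URL itself: every endpoint is skipped.
    print(classify(doc, DEFINITION_URL, [DEFINITION_URL]))
    # Scope widened to the host, as in the fix above: every endpoint is crawled.
    print(classify(doc, DEFINITION_URL, ["http://localhost:8082"]))
    # Host in scope but an admin sub-tree excluded.
    print(classify(doc, DEFINITION_URL, ["http://localhost:8082"],
                   ["http://localhost:8082/my-base-path/admin"]))
```

The first call reproduces the situation in the original post: with only the definition's own URL in scope, no endpoint under `/my-base-path/` is a sub-path of `/my-base-path/v3/api-doc-json`, so each is reported as skipped. Adding `http://localhost:8082` (empty path, so any path on that origin matches) brings them all in, and an excluded prefix carves a sub-tree back out.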

Uthman, PortSwigger Agent | Last updated: Dec 10, 2021 01:06PM UTC

Hi Michael,

Thanks for the feedback.

Is the application itself that consumes the API also hosted at http://localhost:8082/? If so, you will need to just provide the scanner with the API definition URL (http://localhost/8082/my-base-path/v3/api-doc-json) and the URL of the main app or site e.g. http://localhost:8082/ if the application is hosted there.

Can you give this a try and let me know how you get on?

In terms of in-scope and out-of-scope, I am referring to the Included and Excluded URLs that can be configured when you create/edit a site. You can find out further information here:
