Burp Suite User Forum


Turn on REST API headless

Tristan | Last updated: Sep 29, 2021 03:20PM UTC

Hey, I am using the latest version of Burp Pro (jar) and I would like to use the API. Only thing is it is off by default and I have no GUI. I need to turn on the API and make an API key while headless.

I tried running the same jar on a machine that has a GUI, enabling the API there and creating an API key, then saved the settings, which created a JSON file that I named restAPI.json. It looks kinda like this:

    {
      "user_options": {
        "misc": {
          "api": {
            "address": "",
            "enabled": true,
            "insecure_mode": false,
            "keys": [
              {
                "created": 1632921657446,
                "enabled": true,
                "hashed_key": "<API hash>",
                "name": "<name>"
              }
            ],
            "listen_mode": "loopback_only",
            "port": 1337
          }
        }
      }
    }

I then copied that file to the headless machine and ran

    java -Djava.awt.headless=true -jar burpsuite_pro_v2021.8.3.jar --config-file=restAPI.json

I checked with lsof -i -P -n | grep LISTEN if there was a service running on 127.0.0.1:1337, but there wasn't.

When running Burp this way on the machine that does have a GUI (and where the API is already enabled), the service does exist on 127.0.0.1:1337. On the machine with the GUI, when omitting the config file but starting headless, the service does not exist on 127.0.0.1:1337. How should I do this?

java -version

    openjdk version "11.0.12" 2021-07-20
    OpenJDK Runtime Environment (build 11.0.12+7-post-Debian-2)
    OpenJDK 64-Bit Server VM (build 11.0.12+7-post-Debian-2, mixed mode, sharing)

Both machines run the same Java version and both OSes are Debian 11.

Tristan | Last updated: Sep 30, 2021 09:20AM UTC

I tested again and when omitting the config file on the machine with the GUI the API does work (as is expected and logical). On the headless machine I tried using --user-config-file instead of --config-file, but that made no difference.

Ben, PortSwigger Agent | Last updated: Sep 30, 2021 06:35PM UTC

Hi Tristan,

Just to clarify, you are setting this up on a machine with a GUI so that the API service is running and only accessible with your created API key (and testing that you can access the API on this machine)? You are then saving the configured User options from the Burp -> User options -> Save user options menu option (and checking that the details for the configured API service have been captured in the configuration file) before launching a headless instance of Burp on your non-GUI machine using the exported option file?

Having just performed a test using this same setup, this works for me.

How are you trying to access the API on the non-GUI machine - are you using the URL http://127.0.0.1:1337/<API_Key> format with the correct API key value (not the name you have given to the key or the hashed version being stored in the options file)?

Are you using the correct command to run the headless version of Burp with the configuration file - this should be something along the lines of the following:

    java -Djava.awt.headless=true -jar <path_to_burp_jar> --user-config-file=<path_to_user_config_file>

Finally, are you seeing any errors on the command line or does it appear that the headless Burp is running but just not using the supplied configuration?
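A pre-flight check for the exported options file, as an added example that is not part of the original thread and not PortSwigger code: it confirms the REST API section sits under `user_options` (the kind of file loaded with `--user-config-file`) and that the listener is enabled, loopback-only and key-protected. The function name and the sample file are constructed; reading `insecure_mode` as "API usable without a key" is an assumption.

```python
import json

# Constructed sample with the same structure as the file posted in the thread.
SAMPLE = """
{"user_options": {"misc": {"api": {
    "address": "", "enabled": true, "insecure_mode": false,
    "keys": [{"created": 1632921657446, "enabled": true,
              "hashed_key": "<API hash>", "name": "<name>"}],
    "listen_mode": "loopback_only", "port": 1337}}}}
"""

def check_api_config(text):
    """Return (launch_flag, findings) for a Burp options JSON export."""
    doc = json.loads(text)
    findings = []
    # The API block in the thread lives under user_options, so the file
    # belongs with --user-config-file (the flag that worked in the thread).
    flag = "--user-config-file" if "user_options" in doc else None
    if flag is None:
        findings.append("no user_options section in this file")
    api = doc.get("user_options", {}).get("misc", {}).get("api")
    if api is None:
        findings.append("user_options.misc.api is missing")
        return flag, findings
    if api.get("enabled") is not True:
        findings.append("api.enabled is not true: no listener will start")
    # Assumption: insecure_mode means the API can be used without a key.
    if api.get("insecure_mode"):
        findings.append("insecure_mode is on: API usable without a key")
    if api.get("listen_mode") != "loopback_only":
        findings.append("listen_mode is not loopback_only")
    port = api.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("port is not a valid TCP port")
    live = [k for k in api.get("keys", [])
            if k.get("enabled") and k.get("hashed_key")]
    if not live and not api.get("insecure_mode"):
        findings.append("no enabled API key: every request would be refused")
    return flag, findings

if __name__ == "__main__":
    flag, findings = check_api_config(SAMPLE)
    print("launch with:", flag)
    for item in findings or ["no findings"]:
        print(" -", item)
```

The file stores only the hashed key, so the key value itself still has to be carried to the client separately for the `http://127.0.0.1:1337/<API_Key>` URL.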

Tristan | Last updated: Oct 01, 2021 07:59AM UTC

"java -Djava.awt.headless=true -jar <path_to_burp_jar> --user-config-file=<path_to_user_config_file>" actually works, thank you! I do not know why it didn't yesterday. Yesterday port 1337 (the API) didn't show up, only some large port number that changes sometimes (that wasn't the API) and 8080 which is the proxy. Thanks again for your swift reply!
