Burp Suite User Forum


Use Burp REST API to automate the scan and generate report!

Ding | Last updated: Apr 22, 2020 10:53AM UTC

Hi, Currently we run automated security scans with ZAP by proxying our e2e tests. We want to try out Burp Suite and pick the best. I was not able to find much support on how to access the REST API documentation and how to use the APIs for controlling Burp. Could you please let me know:

1. Is the REST API for Burp available on the Professional and Community editions, or is it available only on the Enterprise edition?
2. Where can I find the documentation on the Burp REST API?

Thanks a ton.

Uthman, PortSwigger Agent | Last updated: Apr 22, 2020 12:41PM UTC

Hi, The REST API is available for both Pro and Enterprise. You can find more information on Pro here: https://portswigger.net/blog/burps-new-rest-api. The endpoints only allow you to retrieve issue definitions, run a new scan, and retrieve status about an existing scan. You cannot generate reports at the moment, although we may be adding this functionality in the future.

Ding | Last updated: Apr 23, 2020 10:33AM UTC

Thank you for the quick response. I requested a trial license to spike on Burp Suite. While I get the license, could you please let me know whether "/knowledge_base/issue_definitions" returns issue definitions of issues found in active and passive scans, or whether it returns all available issue definitions in Burp Suite's knowledge base? Thanks in advance.

Uthman, PortSwigger Agent | Last updated: Apr 23, 2020 11:03AM UTC

The issues specific to your scan can be retrieved by making a GET request to /scan/ with your task ID, e.g. /scan/39. The full request would look like this: curl -vgw "\n" -X GET 'http://localhost:8080/api/<API-KEY>/v0.1/scan/39'. /knowledge_base/issue_definitions retrieves all the issue definitions found at https://portswigger.net/kb/issues.

Chaitanya | Last updated: Sep 06, 2023 02:31PM UTC

Is it still under development? And do we have any alternatives for reporting? We're using Burp Suite Pro and leveraging the REST API for scans.

Ben, PortSwigger Agent | Last updated: Sep 07, 2023 09:06AM UTC

Hi Chaitanya, To confirm, the functionality available in the REST API is extremely limited. Fully fledged HTML or XML reports can only, natively, be generated via the UI in Burp Professional. As touched upon earlier in this forum thread, you can use the GET /scan/[task_id] endpoint to retrieve issue information but this is going to be in JSON format and is likely to need some manual finessing to be usable in a report.

Chaitanya | Last updated: Sep 26, 2023 11:56AM UTC

I'm trying to automate the same via Python. Is there a way or an open source plugin that I could use to generate the report automatically? Thanks.

Dominyque, PortSwigger Agent | Last updated: Sep 26, 2023 01:44PM UTC

Hi Chaitanya, We have responded to your email about this. But to update the thread: Burp Suite Professional is not designed for large-scale automation, and as my colleagues stated above, the REST API has very little functionality as this is a legacy feature.

Chaitanya | Last updated: Sep 27, 2023 10:37AM UTC

Thanks, but is there a way to get the task_id? Because the /scan endpoint is not returning any data. The task_id is just being printed on the UI.

Dominyque, PortSwigger Agent | Last updated: Sep 27, 2023 12:39PM UTC

Hi Chaitanya, You would need to launch a scan using the POST /scan endpoint. Under the 'Headers' section of that launched scan, you should see a value for location. For example: location: 5. Using the value from location (in this example, 5), for the GET /scan/[task_id: String], you will enter 5 for the task_id there. This should then bring up the details for that scan. I hope this helps.
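
Added example (not part of the thread and not PortSwigger code): the flow described in the replies above, i.e. POST /scan, read the task ID from the Location header, GET /scan/[task_id], then turn the JSON into a minimal HTML report. The `{"urls": [...]}` request body and the `scan_status`, `issue_events` and `issue` field names are assumptions about the response shape, and the sample data is constructed.

```python
import html
import json
import urllib.request

# Base URL form taken from the thread; replace <API-KEY> with your own key.
BASE = "http://localhost:8080/api/<API-KEY>/v0.1"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

def task_id_from_location(location):
    """Accept a bare id ("5") or a path/URL that ends in the id."""
    return location.rstrip("/").rsplit("/", 1)[-1]

def launch_scan(target_urls, base=BASE):
    """POST /scan and return the task id from the Location response header."""
    body = json.dumps({"urls": target_urls}).encode()  # assumed request body
    req = urllib.request.Request(base + "/scan", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return task_id_from_location(resp.headers["Location"])

def fetch_scan(task_id, base=BASE):
    """GET /scan/[task_id] and return the parsed JSON."""
    with urllib.request.urlopen(f"{base}/scan/{task_id}", timeout=30) as resp:
        return json.load(resp)

def extract_issues(scan):
    """Flatten issue_events into rows sorted by severity (assumed field names)."""
    rows = [ev["issue"] for ev in scan.get("issue_events", []) if "issue" in ev]
    return sorted(rows, key=lambda i: (SEVERITY_ORDER.get(i.get("severity"), 9),
                                       i.get("name", "")))

def render_report(scan):
    """Build a minimal HTML table. Every value is escaped because issue
    fields can carry content taken from the scanned application."""
    cols = ("severity", "confidence", "name", "origin", "path")
    head = "".join(f"<th>{c}</th>" for c in cols)
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(i.get(c, '')))}</td>" for c in cols) + "</tr>"
        for i in extract_issues(scan))
    status = html.escape(str(scan.get("scan_status", "unknown")))
    return f"<h1>Scan status: {status}</h1><table><tr>{head}</tr>{body}</table>"

# Constructed sample standing in for a GET /scan/[task_id] response.
SAMPLE = {"scan_status": "succeeded", "issue_events": [
    {"issue": {"name": "Strict transport security not enforced", "severity": "low",
               "confidence": "certain", "origin": "https://app.example", "path": "/"}},
    {"issue": {"name": "Cross-site scripting (reflected)", "severity": "high",
               "confidence": "firm", "origin": "https://app.example",
               "path": "/search?q=<b>x</b>"}}]}

if __name__ == "__main__":
    print(render_report(SAMPLE))
```

Against a live instance, call `fetch_scan(launch_scan([...]))` repeatedly until the scan status shows the scan has finished before rendering, since the issue list grows while the scan runs.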

Baibhab | Last updated: Oct 25, 2023 11:14AM UTC

Hi PortSwigger team, I have the same question but for the GraphQL API. Is the GraphQL API only available for Burp Suite Enterprise, or Pro as well? Thanks & Regards, Baibhab Kundu.

Dominyque, PortSwigger Agent | Last updated: Oct 25, 2023 12:51PM UTC

Hi Baibhab, You might be interested in giving this a read: https://portswigger.net/burp/documentation/desktop/testing-workflow/session-management/working-with-graphql. GraphQL can be worked with in Professional using an extension from our BApp Store.
