Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more

Professional

Scanning APIs

  • Last updated: June 18, 2024

  • Read time: 4 Minutes

Burp Scanner enables you to upload an OpenAPI definition to run a specific API scan.

To run an API scan, click New scan > API scan on the Dashboard. The API scan launcher opens. To configure your scan, complete the following steps in the API scan launcher:

  • Upload an API definition.

  • Review and configure the API details.

  • Select a scan configuration.

  • Select a resource pool (optional).

Step 1: Upload API definition

To begin configuring your scan, upload a version 2.0 or 3.0.x OpenAPI definition. You can do this in two ways:

  • By providing a URL for the API definition. To do this, enter the URL in the Upload from URL field, then click Upload.

  • By uploading a definition file. To do this, drag and drop the API definition file into the Upload from file field.

Burp uploads the definition and analyzes it to identify the API details that will be used in the scan. To review the API endpoints, click Continue.

Note

Burp Scanner must be able to parse and validate definitions in order to upload them. For a full list of criteria that the definition is validated against, see Requirements for API scanning - API definition requirements.

Step 2: Review and configure the API details

You can view API endpoints, authentication methods, and parameters in the API details tab. These are automatically populated from your API definition.

Viewing and configuring endpoints

API endpoints are listed in a table in the API details > Endpoints tab. The table contains the following columns:

  • Checkbox - Whether the endpoint is selected for scanning. Burp Scanner only scans selected endpoints.
  • Method - The HTTP method used by the endpoint.
  • Content type - The format of the data that will be sent to the API server.
  • Host - The protocol and server hostname.
  • URL - The URL file path and query string.

By default, all endpoints are selected for scanning. To remove an endpoint from the scan, use the checkbox.

To permanently delete an endpoint, right-click it and select Delete.

You can filter the table by HTTP method or a specific term:

  • To filter by the HTTP method, use the filter buttons.
  • To filter by a specific term, click Search, then enter your search term.

Once you've filtered the table, you can deselect or select all filtered endpoints as a bulk action, using the top checkbox.

Note

Endpoints are only listed on the table if they meet the requirements for scanning. For information about the criteria, see Requirements for API scanning - API endpoint requirements.

Viewing and configuring authentication

Burp lists any endpoint authentication methods that it detects in the API definition in the API details > Authentication tab.

To use detected authentication methods, you'll need to add credentials. You can also add authentication methods that aren't included in the API definition.

For more information, see Configuring authentication for API scans.

Viewing parameters

API parameters for all selected endpoints are listed in a table in the API details > Parameters tab. You can review these to better understand the scope of your scan.

Note

If you deselect or delete an endpoint, Burp automatically removes any corresponding parameters from the Parameters tab.

The table contains details of parameters in the following columns:

  • Name - The name of the parameter as defined in the API definition.
  • Values - One or more values for the parameter. This is populated from the example values in the API definition. If the definition doesn't include example values, Burp Scanner creates them.
  • Description - A description of the parameter as defined in the API definition.
  • Location - Where the API parameter is located in an HTTP request, as defined in the API definition. For example, the request body, or query string.

Burp Scanner uses the parameter details to create requests when it audits an endpoint.

Once you have finalized the endpoints you want to scan and reviewed the parameters, click Continue to select a scan configuration.

Step 3: Select a scan configuration

Scan configurations are groups of settings that define how a scan is performed. Click Scan to start the scan with the default configuration, or select a custom scan configuration. You have the following options:

  • Select from library - Choose an existing configuration from your configuration library.
  • New - Create a new configuration.
  • Import - Import configurations from other installations of Burp Suite.

Once you've selected your scan configurations, click Scan to start the scan, or click on the Resource pool tab to choose a resource pool.

Related pages

For more information on how to create and import custom configurations, see Using custom configurations.

Step 4: Select a resource pool

A resource pool is a group of tasks that share a quota of network resources. The default resource pool is automatically selected. You can change this in the Resource pools tab:

  • To use a resource pool that already exists, select Use existing resource pool, then choose a pool from the list.

  • To set up a new resource pool, select Create new resource pool. For more information on how to configure the pool settings, see Tasks settings - Resource pools.

Related pages

Managing resource pools for scans - Gives information on the use cases for resource pools and how to configure them.

Was this article helpful?