Scanning APIs

  • Last updated: February 6, 2025

This section explains how to create sites to scan specific APIs in Burp Suite Enterprise Edition. To perform a scan, you need to provide an API definition and any authentication that may be required.

Adding API definitions

You can add API definitions by uploading a file or providing a URL. The supported formats are:

  • SOAP WSDL.
  • OpenAPI definition file in JSON or YAML format.

You can also scan GraphQL APIs, using introspection. To scan a GraphQL API, create a site for a web app and provide the URL for the GraphQL API. Make sure introspection is switched on. For more information, see Crawling GraphQL APIs.

Note

While many OpenAPI 3.1.x definitions can be scanned successfully, those that include specific 3.1.x features may not be supported. For best compatibility, we recommend using definitions that align closely with OpenAPI 3.0 standards.

When you upload an OpenAPI definition file, you can view API endpoints in the Endpoints tab. Burp Suite Enterprise Edition parses the file and adds any detected authentication schemes to the Authentication tab. You can then add the necessary credentials.

If you link to the definition with a URL, you need to manually add the authentication schemes and their credentials in the Authentication tab. Burp Suite Enterprise Edition uses the latest version of the file each time it scans.

If you upload an API definition file, it is used for every scan until you update it by uploading a new version.
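A pre-upload check for an OpenAPI definition, added here as an example (it is not PortSwigger code): it lists the paths and securitySchemes that the Endpoints and Authentication tabs are built from, and flags 3.1-only constructs of the kind the note above warns about. The sample definition is constructed for the example, it reads JSON only (a YAML file would need PyYAML first), and the 3.1 markers it checks (`webhooks`, `jsonSchemaDialect`, `components.pathItems`, list-valued `type`) are a representative subset, not an exhaustive list.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
TOP_LEVEL_31_ONLY = ("webhooks", "jsonSchemaDialect")  # keys that exist only in OpenAPI 3.1.x

# Constructed sample definition (not from the page): a 3.1.0 file with two auth schemes.
SAMPLE = json.loads("""{
  "openapi": "3.1.0",
  "webhooks": {},
  "paths": {"/orders": {"get": {}, "post": {}, "parameters": []},
            "/orders/{id}": {"delete": {}}},
  "components": {
    "securitySchemes": {
      "bearerAuth": {"type": "http", "scheme": "bearer"},
      "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}},
    "schemas": {"Order": {"properties": {"note": {"type": ["string", "null"]}}}}}
}""")

def list_endpoints(spec):
    """(METHOD, path) pairs: the rows the Endpoints tab is populated from."""
    return sorted((m.upper(), p) for p, item in (spec.get("paths") or {}).items()
                  for m in item if m.lower() in HTTP_METHODS)

def list_security_schemes(spec):
    """{name: type} for each securityScheme; each one will need credentials."""
    schemes = spec.get("components", {}).get("securitySchemes") or {}
    return {name: s.get("type", "unknown") for name, s in schemes.items()}

def find_31_only_features(spec):
    """Locations of OpenAPI 3.1-only constructs that may not be supported."""
    found = [k for k in TOP_LEVEL_31_ONLY if k in spec]
    if "pathItems" in spec.get("components", {}):
        found.append("components.pathItems")

    def walk(node, where):  # 3.1 uses JSON Schema 2020-12, where `type` may be a list
        if isinstance(node, dict):
            if isinstance(node.get("type"), list):
                found.append(f"{where}.type is a list")
            for k, v in node.items():
                walk(v, f"{where}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{where}[{i}]")

    walk(spec.get("components", {}).get("schemas", {}), "components.schemas")
    return found

if __name__ == "__main__":
    print(list_endpoints(SAMPLE), list_security_schemes(SAMPLE), find_31_only_features(SAMPLE))
```

Anything listed by `find_31_only_features` is worth rewriting to the 3.0 equivalent (for example `nullable: true` instead of a list-valued `type`) before uploading the file.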

Adding an API definition

To add an API definition:

  1. Go to Sites and select Add a new site.

  2. Select API from the Site type panel.

  3. Enter a unique Site name.

  4. To add the API to an existing folder, select from the Site folder drop-down menu. Leave the field blank to create the API at the top level of the site tree.

  5. Select a method to provide the API definition:

    • For Host URL, enter the URL for your definition file.

    • For Upload file, click Upload file and select the definition file from the dialog.

    • For OpenAPI definitions, Burp Suite Enterprise Edition parses the file and identifies its authentication schemes.

    • For SOAP APIs, add authentication methods and their credentials. Burp Suite Enterprise Edition doesn't currently detect authentication methods for SOAP APIs.

  6. If required, configure optional settings for your API. There is a wide range of available settings, including scan configurations, proxy, and cookie settings. For more information on the settings available, see Configuring site settings.

  7. Click Save.

Burp Suite Enterprise Edition adds the new API to the site tree and prompts you to schedule a scan.

Once you've added an API definition, you can configure authentication. For more information, see Configuring API authentication.

Optional settings for your API

When you add a new API site, you can configure the following additional settings:

  • Scan configuration

  • Connections

  • Headers and cookies

  • Extensions

  • Scanning pool

  • Notifications

For more information on configuring the optional settings for your API, see Configuring site settings.

Note

Although you can add as many APIs as you like to Burp Suite Enterprise Edition, you need to configure your network and firewall settings for scans to work correctly. For more information, see Configuring network and firewall settings for a site.