Adding new API definitions
Last updated: December 2, 2024
Burp Suite Enterprise Edition enables you to upload a SOAP WSDL or an OpenAPI definition to run a specific API scan. You can add new API definitions at any time.
API definitions are managed in the Sites menu. Each site can have only one API definition, but you can create unlimited sites to accommodate multiple definitions.
API definition format
Burp Suite Enterprise Edition accepts a SOAP WSDL or an OpenAPI definition file in JSON or YAML format.
You can add API definitions by either uploading a file or providing a URL. If you upload a file, you can view API endpoints in the Endpoints tab and authentication methods in the Authentication tab. This choice also impacts how Burp Suite Enterprise Edition handles authentication and updates.
Note
Many OpenAPI 3.1.x definitions scan successfully, but definitions that use features specific to 3.1.x may not be supported. For best compatibility, use definitions that align closely with the OpenAPI 3.0 specification.
Authentication
When you upload an OpenAPI definition file, Burp Suite Enterprise Edition automatically parses it and adds any detected authentication schemes to the Authentication tab. You can then add the necessary credentials.
If you link to the definition with a URL, you need to add both the authentication schemes and their associated credentials in the Authentication tab manually.
Updates
When you upload an API definition file, it is used for every scan until you update it by uploading a new version.
If you link to the definition with a URL, Burp Suite Enterprise Edition uses the latest version of the file each time it scans.
Adding an API definition
To add an API definition:
1. Select Sites > Add a new site to display the Create a new site page.
2. Select API from the Site type panel.
3. Enter a unique Site name.
4. To add the API to an existing folder, select it from the Site folder drop-down menu. If you leave this field blank, the API is created at the top level of the site tree.
5. Select a method to provide the API definition:
   - For Host URL, enter the URL of your definition file.
   - For Upload file, click Upload file and select the definition file from the dialog. For OpenAPI definitions, Burp Suite Enterprise Edition parses the file and identifies its authentication schemes.
   Note: For SOAP APIs, Burp Suite Enterprise Edition doesn't currently detect authentication methods. You need to add the authentication methods and their credentials manually so that Burp Scanner can use them.
6. If required, configure optional settings for your API. A wide range of settings is available, including scan configurations, proxy, and cookie settings. For more information on the available settings, see Configuring site settings.
7. Click Save.
Burp Suite Enterprise Edition adds the new API to the site tree and prompts you to schedule a scan.
Configuring API authentication
You can configure endpoint authentication for API scans. This enables Burp Suite Enterprise Edition to access authenticated endpoints, increasing your scanning coverage.
Burp Suite Enterprise Edition supports Basic, Bearer Token, and API Key authentication. You can manage API authentication via the Authentication tab, which lists schemes from uploaded definitions and manually added credentials.
Note
For security reasons, API definitions should include authentication schemes but not the associated credentials. For example, a definition can define that a particular API key is needed, but it must not provide the API key.
This means that you need to add credentials for any detected schemes manually. Schemes that have been detected but not yet populated with credentials have a red notification dot next to them. To add a credential to a scheme, click its pencil icon.
To add new API credentials:
1. Click Add API credentials to display the Add Authentication dialog.
2. Select the Authentication type and add credentials. All fields are mandatory:
   - For Basic, enter the Username and Password.
   - For Bearer Token, enter the Token.
   - For API Key, select where the key should be added: Query parameter, Cookie, or Header. Then enter a Name and the Key.
3. Enter a Label. This is a unique identifier for this set of credentials.
4. Click Save to save your changes and close the dialog.
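What each credential type in the Add Authentication dialog amounts to on the wire is worth seeing once, because it determines whether the scanner's requests actually reach the authenticated endpoints. The Python below is an added example, not Burp Suite Enterprise Edition's own code: it applies the dialog's validation rules offline (every field mandatory, one of the three API Key locations, unique labels) and then attaches each credential type to an outgoing request the way the type dictates. Basic becomes an Authorization header carrying base64(username:password), Bearer Token becomes Authorization: Bearer, and an API Key lands in a query parameter, a Cookie header, or a named header. All labels, names, keys, and URLs are constructed placeholders.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Credential sets as they would be entered in the Add Authentication dialog.
# All values are constructed placeholders, not real credentials.
BASIC = {"label": "staging-basic", "type": "Basic",
         "username": "scanner", "password": "s3cret"}
BEARER = {"label": "staging-bearer", "type": "Bearer Token", "token": "tok-123"}
KEY_HEADER = {"label": "key-header", "type": "API Key",
              "in": "Header", "name": "X-API-Key", "key": "abc123"}
KEY_QUERY = {"label": "key-query", "type": "API Key",
             "in": "Query parameter", "name": "api_key", "key": "abc123"}
KEY_COOKIE = {"label": "key-cookie", "type": "API Key",
              "in": "Cookie", "name": "session", "key": "abc123"}

# Fields the dialog requires for each Authentication type, and the API Key locations it offers.
REQUIRED_FIELDS = {
    "Basic": ("username", "password"),
    "Bearer Token": ("token",),
    "API Key": ("in", "name", "key"),
}
KEY_LOCATIONS = ("Query parameter", "Cookie", "Header")


def check_credentials(creds):
    """Apply the dialog's rules offline: every field is mandatory, the API Key
    location must be one of the three offered, and labels are unique.
    Returns a list of problems (empty when the set is valid)."""
    problems, seen = [], set()
    for cred in creds:
        label = cred.get("label") or "<no label>"
        if label == "<no label>":
            problems.append("missing label")
        elif label in seen:
            problems.append(f"duplicate label {label!r}")
        seen.add(label)
        fields = REQUIRED_FIELDS.get(cred.get("type"))
        if fields is None:
            problems.append(f"{label}: unsupported type {cred.get('type')!r}")
            continue
        for field in fields:
            if not cred.get(field):
                problems.append(f"{label}: missing {field}")
        if cred.get("type") == "API Key" and cred.get("in") and cred["in"] not in KEY_LOCATIONS:
            problems.append(f"{label}: unknown API Key location {cred['in']!r}")
    return problems


def apply_credential(url, headers, cred):
    """Return (url, headers) with the credential attached the way its type dictates:
    Basic -> Authorization: Basic base64(user:pass); Bearer Token -> Authorization: Bearer;
    API Key -> query parameter, Cookie header, or named header per the chosen location."""
    headers = dict(headers)  # never mutate the caller's headers
    kind = cred["type"]
    if kind == "Basic":
        raw = f"{cred['username']}:{cred['password']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif kind == "Bearer Token":
        headers["Authorization"] = "Bearer " + cred["token"]
    elif kind == "API Key":
        location, name, key = cred["in"], cred["name"], cred["key"]
        if location == "Header":
            headers[name] = key
        elif location == "Query parameter":
            parts = urlsplit(url)
            query = parse_qsl(parts.query, keep_blank_values=True) + [(name, key)]
            url = urlunsplit(parts._replace(query=urlencode(query)))
        elif location == "Cookie":
            pair = f"{name}={key}"
            existing = headers.get("Cookie")
            headers["Cookie"] = f"{existing}; {pair}" if existing else pair
        else:
            raise ValueError(f"unknown API Key location {location!r}")
    else:
        raise ValueError(f"unsupported authentication type {kind!r}")
    return url, headers


if __name__ == "__main__":
    print("problems:", check_credentials([BASIC, BEARER, KEY_HEADER, KEY_QUERY, KEY_COOKIE]))
    for cred in (BASIC, BEARER, KEY_HEADER, KEY_QUERY, KEY_COOKIE):
        print(cred["label"], apply_credential("https://api.example.com/v1/orders?page=2",
                                              {"Cookie": "lang=en"}, cred))
```

The Cookie branch appends to an existing Cookie header rather than replacing it, so a session cookie set under Headers and cookies in the site settings survives alongside the API key. Because the credential values live only in the dialog, none of them need to appear in the definition file itself.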
To edit an existing authentication method, click its pencil icon.
To delete an existing authentication method, click its trash icon.
Note
To modify authentication details for an API site after the site has been saved, you need the Edit site application logins permission. This includes changing the definition upload method between a URL and a local file. Admin users have this permission by default.
If you have the View site application logins permission but not the Edit site application login details permission, you can see details of the authentication methods used in the definition and their credentials. However, you can't edit any of them, add new authentication, amend the selection of endpoints to scan, or change the API definition file or URL.
Viewing and configuring endpoints
If you uploaded your API definition as a local file you can view details of its endpoints in the Endpoints tab. Endpoints are automatically populated from your API definition when you upload the file.
The Endpoints tab contains the following information:
Method (OpenAPI only) - The HTTP method used by the endpoint.
Operation (SOAP API only) - The name of the SOAP operation.
Host - The protocol and server hostname.
Path and query - The URL file path and query string.
Content type - The format of the data that will be sent to the API server.
By default, all endpoints are selected for scanning. Use the checkbox to remove an endpoint from scans of the site.
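The scheme detection described under Authentication above and the Endpoints tab columns listed here can both be derived from the definition itself. The Python below is an added example, not Burp Suite Enterprise Edition's parser: it loads a constructed OpenAPI 3.0 JSON definition, maps its securitySchemes onto the three types the Authentication tab supports (flagging any it cannot hold, such as oauth2), and enumerates each operation with the method, host, path, content type, and the security requirement that applies to it, honouring the OpenAPI rule that operation-level security overrides the root security and that an explicit empty list means no authentication. The definition names its schemes but carries no credential values, as the note under Configuring API authentication recommends. The API, server URLs, and scheme names are all constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed OpenAPI 3.0 definition for illustration only (not a real API).
# It declares the authentication schemes it needs but contains no credentials.
DEFINITION = json.loads(r'''
{
  "openapi": "3.0.3",
  "info": {"title": "Example Orders API", "version": "1.0"},
  "servers": [{"url": "https://api.example.com/v1"}],
  "components": {
    "securitySchemes": {
      "basicAuth":    {"type": "http", "scheme": "basic"},
      "bearerAuth":   {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
      "apiKeyHeader": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
      "oauth":        {"type": "oauth2", "flows": {"clientCredentials":
                         {"tokenUrl": "https://auth.example.com/token", "scopes": {"admin": "admin"}}}}
    }
  },
  "security": [{"bearerAuth": []}],
  "paths": {
    "/orders": {
      "get":  {"summary": "List orders"},
      "post": {"summary": "Create order",
               "security": [{"apiKeyHeader": []}],
               "requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}}}
    },
    "/health": {"get": {"summary": "Liveness probe", "security": []}},
    "/admin/reset": {"post": {"summary": "Reset state", "security": [{"oauth": ["admin"]}]}}
  }
}
''')

# OpenAPI apiKey locations, named as the Add Authentication dialog names them.
KEY_LOCATIONS = {"query": "Query parameter", "header": "Header", "cookie": "Cookie"}
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def detect_schemes(definition):
    """Map components.securitySchemes onto the Basic / Bearer Token / API Key types.

    Returns (supported, unsupported): supported is {scheme_name: description};
    unsupported lists scheme names none of the three types can represent (e.g. oauth2)."""
    supported, unsupported = {}, []
    schemes = definition.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        kind = scheme.get("type")
        http_scheme = str(scheme.get("scheme", "")).lower()
        if kind == "http" and http_scheme == "basic":
            supported[name] = {"type": "Basic"}
        elif kind == "http" and http_scheme == "bearer":
            supported[name] = {"type": "Bearer Token"}
        elif kind == "apiKey" and scheme.get("in") in KEY_LOCATIONS:
            supported[name] = {"type": "API Key",
                               "in": KEY_LOCATIONS[scheme["in"]],
                               "name": scheme.get("name")}
        else:
            unsupported.append(name)
    return supported, unsupported


def list_endpoints(definition):
    """Build rows like the Endpoints tab: method, host, path, content type, and the
    scheme names the operation requires (operation-level security overrides the root
    security; an explicit empty list means the endpoint is unauthenticated)."""
    servers = [s["url"] for s in definition.get("servers", [])] or ["/"]
    root_security = definition.get("security", [])
    rows = []
    for path, item in definition.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            content = op.get("requestBody", {}).get("content", {})
            requirements = op.get("security", root_security)
            required = sorted({name for req in requirements for name in req})
            for server in servers:
                parts = urlsplit(server)
                rows.append({
                    "method": method.upper(),
                    "host": f"{parts.scheme}://{parts.netloc}" if parts.netloc else "",
                    "path": parts.path.rstrip("/") + path,
                    "content_type": next(iter(content), None),
                    "requires": required,
                })
    return rows


def unsupported_auth_endpoints(definition):
    """Endpoints whose every security option is a scheme the three supported types cannot hold;
    these stay unauthenticated during a scan unless the definition is adjusted."""
    supported, _ = detect_schemes(definition)
    return [r for r in list_endpoints(definition)
            if r["requires"] and not any(name in supported for name in r["requires"])]


if __name__ == "__main__":
    schemes, unsupported = detect_schemes(DEFINITION)
    print("detected schemes:", schemes)
    print("unsupported schemes:", unsupported)
    for row in list_endpoints(DEFINITION):
        print(row)
    print("needs attention:", [r["path"] for r in unsupported_auth_endpoints(DEFINITION)])
```

Running it against a definition before uploading it is a quick way to see which schemes will appear with a red notification dot in the Authentication tab and which endpoints will be listed as unauthenticated. A SOAP WSDL gets no such help from the parser, which matches the page's note that SOAP authentication methods must be added by hand.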
Filtering endpoints
You can filter the endpoints that you see on the Endpoints tab:
To filter by a specific term, enter your search term in the Search for an endpoint field, and click the search icon.
For OpenAPI only, you can use the filter buttons to filter by HTTP method.
After filtering the table, click the top checkbox to select or deselect all filtered endpoints.
Note
Burp Suite Enterprise Edition can only scan endpoints that meet the requirements for scanning. For information about the criteria, see Requirements for API scanning - API endpoint requirements.
Optional settings for your API
When you add a new API site, you can configure the following additional settings:
- Scan configuration
- Connections
- Headers and cookies
- Extensions
- Scanning pool
- Notifications
For more information on configuring the optional settings for your API, see Configuring site settings.
Note
Although you can add as many APIs as you like to Burp Suite Enterprise Edition, you need to configure your network and firewall settings for scans to work correctly. For more information, see Configuring network and firewall settings for a site.
Related pages
- Managing scheduled scans - explains how to schedule scans for your new site.
- Defining scan configuration for a site - explains how to create and work with scan configurations.
- Configuring site settings - explains the optional scan settings you can configure for a site.
- Configuring your environment network and firewall settings.
- Burp Scanner built-in configurations - reference information on Burp Scanner's built-in scan configurations.