API security testing

Scan for API security vulnerabilities

Burp Scanner's API security testing increases coverage of modern web apps and microservices.

API security testing represented by a torch

API security is more important now than ever before

API-based architecture is only becoming more popular. The rise of Agile development and microservices ensures that. But security in this area is often poorly implemented and maintained. And to cap the problem, many web vulnerability scanners lack visibility when it comes to APIs. That means the organizations using them lack visibility too.

Burp Scanner's API security testing feature can help to solve this problem.

Improved visibility of APIs means more endpoints scanned

Burp Scanner can parse API definitions. This helps it to identify and test API endpoints that many other web vulnerability scanners can't.

By automatically parsing OpenAPI v3 REST API definitions written in either JSON or YAML, Burp Scanner can help you to discover more potential attack surface. This process allows Burp Scanner to identify and security test many APIs not even intended for web browsers.

Because many organizations struggle to manage their APIs, Burp Scanner's API discovery and scanning capabilities can mean a real boost to attack surface visibility. What you can't see, you can't test - making visibility paramount in today's API-connected world.

93 percent graph

of surveyed organizations are concerned about finding vulnerabilities in APIs and microservices. Source: TechValidate survey of PortSwigger customers

See more customer stories

Burp Scanner's API scanning capabilities are continually evolving

As with all Burp Suite features, Burp Scanner is constantly evolving - enabling increased productivity and reliability for its users. This process is driven by demand. Given the rising popularity of microservice architectures, and the need for fast, reliable API security testing tools, users will notice Burp Scanner taking significant steps in the field of API testing.

These enhancements will include exciting changes to the way Burp Scanner detects and scans APIs when no API specification is available to it. This will further improve visibility, and make testing easier where an API specification has not been made publicly available.

Find out more about Burp Scanner

A vulnerability scanner built with the modern web - and microservices - in mind

Designed by leading web security researchers, Burp Scanner aims to mirror the actions of a skilled manual tester. Benefit from PortSwigger's ongoing commitment to excellence.

Burp Scanner sits at the heart of both Burp Suite Enterprise Edition and Burp Suite Professional. It's the weapon of choice for over 52,000 users across more than 13,000 organizations - from pentesters to DevSecOps teams.

Reveal more

By using its advanced crawling algorithm to build up a profile of its target in a similar way to an expert tester, Burp Scanner can reveal more attack surface to exploit - without user intervention.

Scan it all

Burp Scanner can handle JavaScript-heavy web apps, employ user-defined login sequences, and parse many API definitions. It reveals more of the attack surface you need to see.

Save more time

Automating parts of your API security testing workflow can increase resources available for manual testing. This increases productivity for both organizations and individual testers.

Find critical bugs

Benefit from the best security research team in the world. Burp Suite subscribers get unrivaled protection against new vulnerabilities, and enhanced API protection.

Configure everything

Scan for a huge list of vulnerabilities, and save custom scan configurations. Have the option to focus on specific classes of vulnerability relevant to APIs - like XXE, or SQL injection.

Reliability you can trust

Find more vulnerabilities - and fewer false positives. Bring a whole new facet to your security testing with reliable automated OAST (out-of-band application security testing).

Block quote

I have already chosen Burp against our recommended scanning tool. Considering the flexibility in config, customer support, effectiveness in catching bugs etc.

See more customer stories

Cisco logo

Balaji Govindan

Software Engineer