Burp Suite is my go-to tool for performing penetration tests against web applications. I was recently asked if it was possible to integrate Burp into a development pipeline, so that a development team could automatically audit a web application that was in development. I personally had never used Burp in that capacity, so I thought it would be neat to look into. Well, thankfully, the Burp REST API will allow us to perform some operations programmatically. There are a plethora of Dynamic Application Security Testing (DAST) tools on the market. Burp Community edition offers a large number of features for free, so it seemed to me that this could be a great starting point for a development team.

Although you can’t do everything with Burp using the REST API, you can at least create scans and retrieve the results of those scans. Integrating this into a development process will put your security practices well above average.

In order to utilize the Burp REST API, you must enable and configure it. For security reasons, PortSwigger has disabled Burp’s API by default. Also, you should create an API key and use that key to access the API. To enable the REST API, launch Burp and navigate to the User options tab. Scroll down and you will find the REST API section. In this section, perform the following steps:

Check the Service running checkbox to enable the service. If you need to change the port, click the Change… button. The remainder of this post will assume that you are leaving the default port of 1337.

This will open the New API key dialog to allow you to create an API key. In the New API key dialog, enter the name for the new API key. Click the Copy key to clipboard button and store the API key in a safe place, such as LastPass, 1Password, or some other key vault technology. Note that once you dismiss this dialog, you will no longer be able to retrieve the API key. You will now be able to invoke the REST API.

Dissecting the REST API

Currently the Burp REST API is very simple, offering only three primary functions. You can view these API endpoints directly in your browser. To access the REST API, open your web browser to the following URL, replacing the API key placeholder with the API key created in the previous section. Your browser will redirect you to the REST API documentation for the latest API version supported by your installation of Burp. As of the time of this writing, it is v0.1. You’ll want to make a note of this API version, as you’ll need it when you make an API request. The remainder of this post will assume that your version is v0.1. Your browser should list all of the available REST API endpoints. As I mentioned before, there are currently three endpoints:

GET /knowledge_base/issue_definitions: allows you to retrieve a list of all issues that can be detected by Burp Scanner.
POST /scan: allows you to create a new scan.
GET /scan/: allows you to retrieve the progress of the scan you created.

When Burp Scanner detects a problem, it will report an issue.
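As an added example (not code from the original post or from PortSwigger), here is a small Python client that wires the pipeline use case together: creating a scan with POST /scan, fetching its progress with GET /scan/<task_id>, and reducing the reported issues to a pass/fail gate a CI job can act on. The URL layout (API key as a path segment followed by the version), the Location header carrying the new task id, and the scan_status / issue_events field names are assumptions about v0.1, not details taken from the post.

```python
import json
import urllib.request

BASE, VERSION = "http://127.0.0.1:1337", "v0.1"  # default port and API version from the post


def api_url(api_key: str, path: str) -> str:
    """Endpoint URL. The API key is a path segment (assumed v0.1 layout), so never log these URLs."""
    return f"{BASE}/{api_key}/{VERSION}/{path.lstrip('/')}"


def create_scan(api_key: str, urls: list, opener=urllib.request.urlopen) -> str:
    """POST /scan with the URLs to audit; the new task id comes back in the Location header (assumed)."""
    req = urllib.request.Request(
        api_url(api_key, "scan"),
        data=json.dumps({"urls": list(urls)}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:  # `opener` is injectable so the client can be exercised offline
        return resp.headers["Location"]


def fetch_status(api_key: str, task_id: str, opener=urllib.request.urlopen) -> dict:
    """GET /scan/<task_id>: scan progress plus the issues reported so far."""
    with opener(api_url(api_key, f"scan/{task_id}")) as resp:
        return json.load(resp)


def summarize_scan(status: dict, fail_on=("high", "medium")) -> dict:
    """Reduce a status document to what a pipeline gate needs: finished?, counts by severity, pass/fail."""
    counts = {}
    for event in status.get("issue_events", []):
        if event.get("type") == "issue_found":
            sev = event.get("issue", {}).get("severity", "info")
            counts[sev] = counts.get(sev, 0) + 1
    finished = status.get("scan_status") in ("succeeded", "failed")
    blocking = sum(counts.get(s, 0) for s in fail_on)
    return {"status": status.get("scan_status"), "finished": finished,
            "counts": counts, "gate_passed": finished and blocking == 0}


# Constructed sample in the assumed v0.1 response shape (not real Burp output).
SAMPLE_STATUS = {
    "task_id": "1", "scan_status": "succeeded",
    "issue_events": [
        {"type": "issue_found", "issue": {"name": "Cross-site scripting (reflected)", "severity": "high"}},
        {"type": "issue_found", "issue": {"name": "Strict transport security not enforced", "severity": "low"}},
    ],
}
```

A pipeline job would call create_scan with its own key, poll fetch_status until summarize_scan reports finished, and fail the build when gate_passed is false.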