Professional

Scanning APIs

  • Last updated: March 1, 2024

Burp Scanner enables you to upload an OpenAPI definition and run a scan that targets the API endpoints that definition describes.

To run an API scan, click New scan > API scan on the Dashboard. The API scan launcher opens. To configure your scan, complete the following steps in the API scan launcher:

  • Upload an API definition.

  • Review and configure endpoints.

  • Select a scan configuration.

  • Select a resource pool (optional).

Step 1: Upload API definition

To begin configuring your scan, upload a version 3.0.x OpenAPI definition. You can do this in two ways:

  • By providing a URL for the API definition. To do this, enter the URL in the Upload from URL field, then click Upload.

  • By uploading a definition file. To do this, drag and drop the API definition file into the Upload from file field.

Burp uploads the definition and analyzes it to identify the API details that will be used in the scan. To review the API endpoints, click Continue.

Note

Burp Scanner must be able to parse and validate definitions in order to upload them. For a full list of criteria that the definition is validated against, see Requirements for API scanning - API definition requirements.

Step 2: Review and configure endpoints

You can view API endpoints in the API details > Endpoints tab. These are automatically populated from your API definition. You can deselect or delete any endpoints that you don't want to scan.

Endpoints are listed in a table that contains the following columns:

  • Checkbox - Whether the endpoint is selected for scanning. Burp Scanner only scans selected endpoints.
  • Method - The HTTP method used by the endpoint.
  • Content type - The format of the data that will be sent to the API server.
  • Host - The protocol and server hostname.
  • URL - The URL file path and query string.

By default, all endpoints are selected for scanning. To remove an endpoint from the scan, use the checkbox.

To permanently delete an endpoint, right-click it and select Delete.

You can filter the table by HTTP method or a specific term:

  • To filter by the HTTP method, use the filter buttons.
  • To filter by a specific term, click Search, then enter your search term.

Once you've filtered the table, you can deselect or select all filtered endpoints as a bulk action, using the top checkbox.

Note

Endpoints are only listed on the table if they meet the requirements for scanning. For information about the criteria, see Requirements for API scanning - API endpoint requirements.
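As an added example (not Burp's own code, and not the validation Burp actually performs), here is a Python pre-flight script that parses a JSON OpenAPI definition before you upload it, rejects anything that is not 3.0.x, and lists the operations using the same four columns as the Endpoints tab (Method, Content type, Host, URL). The sample definition is constructed for illustration. The checks it applies, that a Swagger 2.0 document is rejected and that an operation needs an absolute server URL before a Host column can be derived, are assumptions standing in for Burp's real criteria, which are documented on the Requirements for API scanning page. JSON is used rather than YAML only so the script runs without third-party packages.

```python
"""Pre-flight check for an OpenAPI definition before uploading it to the API scan launcher.

Added example, not Burp Suite code. The version check and the "absolute server URL"
rule are assumptions; consult Requirements for API scanning for Burp's actual criteria.
"""
import json
from urllib.parse import urlsplit

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample OpenAPI 3.0.x definition; not a real API and not from Burp.
SAMPLE_DEFINITION = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0"},
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {
        "/orders": {
            "get": {"parameters": [{"name": "status", "in": "query", "schema": {"type": "string"}}],
                    "responses": {"200": {"description": "ok"}}},
            "post": {"requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}},
                     "responses": {"201": {"description": "created"}}},
        },
        "/orders/{id}": {
            "servers": [{"url": "https://legacy.example.com"}],  # path-level override of root servers
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}],
            "get": {"responses": {"200": {"description": "ok"}}},
        },
        "/health": {
            "servers": [{"url": "/internal"}],  # relative URL: no scheme or host to derive a Host column from
            "get": {"responses": {"200": {"description": "ok"}}},
        },
    },
})


def check_version(definition):
    """Return None if the definition declares OpenAPI 3.0.x, otherwise a reason it would be rejected."""
    version = definition.get("openapi")
    if not isinstance(version, str):
        if "swagger" in definition:
            return "Swagger 2.0 definitions are not accepted; convert to OpenAPI 3.0.x"
        return "missing 'openapi' version field"
    if not version.startswith("3.0."):
        return f"unsupported OpenAPI version {version!r}; the launcher accepts 3.0.x"
    return None


def list_endpoints(definition):
    """Enumerate one row per operation per server, using the Endpoints tab's columns.

    Returns (rows, skipped). Each row has keys method, content_type, host, url. skipped lists
    operations with no absolute server URL (assumed here to be one reason an endpoint would
    not appear in the table).
    """
    rows, skipped = [], []
    root_servers = definition.get("servers") or []
    for path, item in definition.get("paths", {}).items():
        servers = item.get("servers") or root_servers
        for method in HTTP_METHODS:
            operation = item.get(method)
            if operation is None:
                continue
            media_types = list(operation.get("requestBody", {}).get("content", {}))
            content_type = media_types[0] if media_types else "-"
            params = item.get("parameters", []) + operation.get("parameters", [])
            query_names = [p["name"] for p in params if p.get("in") == "query"]
            query = "?" + "&".join(f"{name}=" for name in query_names) if query_names else ""
            resolved = False
            for server in servers:
                parts = urlsplit(server.get("url", ""))
                if not (parts.scheme and parts.netloc):
                    continue  # relative server URL: cannot form the Host column
                rows.append({
                    "method": method.upper(),
                    "content_type": content_type,
                    "host": f"{parts.scheme}://{parts.netloc}",
                    "url": parts.path.rstrip("/") + path + query,  # server path prefix + path + query
                })
                resolved = True
            if not resolved:
                skipped.append(f"{method.upper()} {path}: no absolute server URL")
    return rows, skipped


def preflight(definition_text):
    """Parse a JSON OpenAPI definition and return a report dict with keys error, rows, skipped."""
    try:
        definition = json.loads(definition_text)
    except json.JSONDecodeError as exc:
        return {"error": f"not valid JSON: {exc}", "rows": [], "skipped": []}
    error = check_version(definition)
    if error:
        return {"error": error, "rows": [], "skipped": []}
    rows, skipped = list_endpoints(definition)
    return {"error": None, "rows": rows, "skipped": skipped}


if __name__ == "__main__":
    report = preflight(SAMPLE_DEFINITION)
    print("Error:", report["error"])
    for row in report["rows"]:
        print(f"{row['method']:<8}{row['content_type']:<18}{row['host']:<30}{row['url']}")
    for reason in report["skipped"]:
        print("Skipped:", reason)
```

Run it against your own definition (replace SAMPLE_DEFINITION with the file contents) to see, before upload, which operations would produce rows and which have no usable host. Anything reported as skipped is worth fixing in the definition first, because an endpoint that is absent from the table cannot be selected for scanning.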

Once you have finalized the endpoints you want to scan and reviewed the parameters, click Continue to select a scan configuration.

Step 3: Select a scan configuration

Scan configurations are groups of settings that define how a scan is performed. You must select a scan configuration before you run your scan. You have the following options:

  • Select from library - Choose an existing configuration from your configuration library.
  • New - Create a new configuration.
  • Import - Import configurations from other installations of Burp Suite.

Once you've selected your scan configuration, click Scan to start the scan, or click the Resource pools tab to choose a resource pool first.

Related pages

For more information on how to create and import custom configurations, see Using custom configurations.

Step 4: Select a resource pool

A resource pool is a group of tasks that share a quota of network resources. The default resource pool is automatically selected. You can change this in the Resource pools tab:

  • To use a resource pool that already exists, select Use existing resource pool, then choose a pool from the list.

  • To set up a new resource pool, select Create new resource pool. For more information on how to configure the pool settings, see Tasks settings - Resource pools.

Related pages

Managing resource pools for scans - Gives information on the use cases for resource pools and how to configure them.