Running API-only scans

You can upload an OpenAPI definition or a SOAP WSDL to run a specific API scan.

Step 1: Configure scan type

To start an API-only scan:

1. Click New scan on the Dashboard. The scan launcher opens.
2. In the Scan type tab, select API-only scan.

Once you have specified scan details, select the API definition tab.

Step 2: Upload API definition

To begin configuring your scan, upload an OpenAPI definition or a SOAP WSDL in the API definition tab. You can do this in two ways:

• By providing a URL for the API definition. To do this, enter the URL in the Upload from URL field, then click Upload.

• By uploading a definition file. To do this, drag and drop the API definition file into the Upload from file field.

Burp uploads the definition and analyzes it to identify the API details that will be used in the scan. To review the API endpoints, click Next.

Step 3: Review and configure the API details

You can view API endpoints, authentication methods, and parameters in the API details tab. These are automatically populated from your API definition.

Viewing and configuring endpoints

API endpoints are listed in a table in the API details > Endpoints tab. The table contains the following columns:

• Checkbox - Marks whether the endpoint is selected for scanning. Burp Scanner only scans selected endpoints.

• Method -

  • For OpenAPI, the HTTP method used by the endpoint.

  • For SOAP, the name of the SOAP operation.

• Content type - The format of the data that will be sent to the API server.
• Host - The protocol and server hostname.
• URL - The URL file path and query string.

By default, all endpoints are selected for scanning. To remove an endpoint from the scan, use the checkbox.

To permanently delete an endpoint, right-click it and select Delete.

You can filter the table by HTTP method or a specific term:

• To filter by the HTTP method, use the filter buttons.
• To filter by a specific term, click Search, then enter your search term.

Once you've filtered the table, you can deselect or select all filtered endpoints as a bulk action, using the top checkbox.

Viewing and configuring authentication

For OpenAPI definitions, Burp automatically detects authentication methods when parsing the definition. These are listed in the API details > Authentication tab, where you can add credentials to enable Burp to use them during the scan. You can also add new authentication methods.

For SOAP WSDLs, Burp doesn't currently detect authentication methods. You'll need to add authentication methods and their credentials to enable Burp to use them during the scan.

For more information, see Configuring authentication for API scans.

Viewing parameters

API parameters for all selected endpoints are listed in a table in the API details > Parameters tab. You can review these to better understand the scope of your scan.

The table contains details of parameters in the following columns:

• Name - The name of the parameter as defined in the API definition.
• Values - One or more values taken from the example values for this parameter in the API definition. (If no values are specified in the API definition, Burp randomly generates them as needed during the scan. These generated values don't appear in the table)
• Description (OpenAPI only) - The parameter description from the API definition.
• Method (SOAP only) - The name of the method that the parameter belongs to.
• Location - Where the API parameter is located in an HTTP request, as defined in the API definition. For example, the request body, or query string.

Burp Scanner uses the parameter details to create requests when it audits an endpoint.

Once you have finalized the endpoints you want to scan and reviewed the parameters, click Next to select a scan configuration.

Step 4: Select a scan configuration

Scan configurations are groups of settings that define how a scan is performed. Click Scan to start the scan with the default configuration, or select a custom scan configuration. You have the following options:

• Select from library - Choose an existing configuration from your configuration library.
• New - Create a new configuration.
• Import - Import configurations from other installations of Burp Suite.

Once you've selected your scan configurations, click Scan to start the scan, or click on the Resource pool tab to choose a resource pool.

Step 5: Select a resource pool

A resource pool is a group of tasks that share a quota of network resources. The default resource pool is automatically selected. You can change this in the Resource pools tab:

• To use a resource pool that already exists, select Use existing resource pool, then choose a pool from the list.

• To set up a new resource pool, select Create new resource pool. For more information on how to configure the pool settings, see Tasks settings - Resource pools.