
Burp Suite: Discovering REST APIs

TL;DR

Yes, Burp Suite can help you find REST APIs exposed on a server, within limits: its crawler (the Spider in Burp 1.x) finds the endpoints the front end references, proxying your own browsing captures the calls the crawler never makes, and OpenAPI/Swagger definitions map the documented surface. None of these enumerate endpoints that nothing references, so this guide covers the automated steps and the manual techniques you need alongside them.

1. Configure Your Proxy

  1. Start Burp Suite: Launch Burp Suite. The proxy and manual tools below work in the Community Edition; the crawler and active audit (Burp Scanner) need the Professional version.
  2. Proxy Settings: Go to ‘Proxy’ → ‘Proxy settings’ (‘Options’ in older releases) and make sure a proxy listener is running on 127.0.0.1:8080 (the default).
  3. Browser Configuration: Either open Burp’s embedded browser (‘Proxy’ → ‘Intercept’ → ‘Open browser’), which is already configured, or set your own browser’s HTTP and HTTPS proxy to 127.0.0.1 port 8080 and install Burp’s CA certificate (download it from http://burpsuite while proxied) so HTTPS traffic can be intercepted without certificate warnings. Check your browser’s documentation for the proxy settings dialog.

2. Crawling Your Server

  1. Target Scope: Go to ‘Target’ → ‘Scope’ and add the URL of your server (e.g., https://yourserver.com) and any relevant subdomains, or right-click a host in the site map and choose ‘Add to scope’. Scope controls what Burp crawls and audits, and what the proxy history shows when you filter to in-scope items.
  2. Start Crawling: Right-click your target in ‘Target’ → ‘Site map’ and select ‘Scan’, then choose ‘Crawl’ (or ‘Crawl and audit’). In Burp Suite 1.x this was ‘Spider this host’; Burp 2.x replaced the Spider with Burp Scanner’s crawler.
  3. Monitor Progress: The scan task on the ‘Dashboard’ shows requests made and locations found, and new endpoints appear in the site map as they are discovered. The crawler follows links and forms and executes JavaScript, so it finds the endpoints the front end actually calls; REST endpoints nothing references (older API versions, admin routes) stay hidden and need the manual techniques below.

3. Passive and Active Auditing

  1. Passive Checks First: Passive audit checks send no requests of their own; they inspect the traffic already passing through the proxy (live passive audit is on by default) and report issues such as verbose error messages, missing security headers and leaked identifiers. Review the ‘Issues’ pane before you send anything the application did not ask for.
  2. Active Audit: Right-click the target host in ‘Target’ → ‘Site map’ and select ‘Scan’ → ‘Crawl and audit’, or select requests in ‘Proxy’ → ‘HTTP history’ and choose ‘Do active scan’. Be cautious with production environments: an active audit sends thousands of modified requests, and against REST endpoints that means real POST, PUT and DELETE calls that can create, change or remove data.
  3. Scan Configuration: In the scan launcher, pick a built-in configuration (e.g., ‘Audit checks - all except JavaScript analysis’ for breadth, or ‘Audit checks - light active’ for a gentler first pass) and save a custom configuration if you want to focus on the checks relevant to APIs, such as injection in JSON parameters and access control.

4. Manual Exploration & Intruder

Sometimes Burp’s automatic tools miss things, especially endpoints only a mobile app or a particular user role calls. Manual exploration is crucial.

  1. Browse the Application: Use your browser to interact with the application as a normal user (and as every role you have credentials for), while Burp records all requests in ‘Proxy’ → ‘HTTP history’. Filter the history to in-scope items and by response MIME type (JSON/XML) to surface API calls quickly.
  2. Identify API Endpoints: Look for URLs that follow RESTful conventions (e.g., /users, /products/{id}), versioned prefixes (/api/v1/, /v2/) and identifiers in the path. Check the JavaScript files the site map collected as well; front-end bundles often hard-code endpoint paths the crawler never reached.
  3. Send Requests to Repeater: Right-click interesting requests in ‘Proxy’ → ‘HTTP History’ and select ‘Send to Repeater’ to change methods (GET → PUT or DELETE), strip authentication headers and vary IDs by hand.
  4. Use Intruder: Right-click the request (in Repeater or the history) and select ‘Send to Intruder’ (Ctrl+I). In the ‘Positions’ tab mark the ID or resource name as a payload position, then in the ‘Payloads’ tab load a wordlist (for example a user_ids.txt of identifiers you have observed) as a simple list. Sort the results by status code and response length: a 200 with a different length where you expected a 403 or 404 is a new endpoint or an access control gap.
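The endpoint identification and Intruder steps above can be started from what Burp has already recorded. As an added example (not code from the original article), the script below reads an HTTP history export made with right-click → ‘Save items’ in the Proxy tab, collapses ID-like path segments into /resource/{id} templates so that /users/42 and /users/7 become one endpoint, and collects the identifiers it saw as a ready-made Intruder wordlist. The sample export embedded in the script is constructed to resemble the Burp XML format; the API heuristics (JSON/XML responses, or an api or vN segment in the path) are my assumptions, not Burp’s.

```python
"""Infer REST endpoint templates from a Burp 'Save items' XML export.

Added example (not from the original article). Assumes you exported
Proxy > HTTP history with right-click > 'Save items'; SAMPLE_EXPORT below
is a constructed, trimmed stand-in for such a file.
"""
import re
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of a Burp "Save items" export (fields trimmed).
SAMPLE_EXPORT = """<items burpVersion="2024.1" exportTime="Mon Jan 01 00:00:00 UTC 2024">
  <item><url><![CDATA[https://yourserver.com/api/v1/users/42]]></url>
    <method><![CDATA[GET]]></method><path><![CDATA[/api/v1/users/42]]></path>
    <status>200</status><mimetype>JSON</mimetype></item>
  <item><url><![CDATA[https://yourserver.com/api/v1/users/7]]></url>
    <method><![CDATA[GET]]></method><path><![CDATA[/api/v1/users/7]]></path>
    <status>200</status><mimetype>JSON</mimetype></item>
  <item><url><![CDATA[https://yourserver.com/api/v1/users/7]]></url>
    <method><![CDATA[DELETE]]></method><path><![CDATA[/api/v1/users/7]]></path>
    <status>204</status><mimetype></mimetype></item>
  <item><url><![CDATA[https://yourserver.com/api/v1/users]]></url>
    <method><![CDATA[POST]]></method><path><![CDATA[/api/v1/users]]></path>
    <status>201</status><mimetype>JSON</mimetype></item>
  <item><url><![CDATA[https://yourserver.com/api/v1/orders/550e8400-e29b-41d4-a716-446655440000/items?page=2]]></url>
    <method><![CDATA[GET]]></method>
    <path><![CDATA[/api/v1/orders/550e8400-e29b-41d4-a716-446655440000/items?page=2]]></path>
    <status>200</status><mimetype>JSON</mimetype></item>
  <item><url><![CDATA[https://yourserver.com/static/app.js]]></url>
    <method><![CDATA[GET]]></method><path><![CDATA[/static/app.js]]></path>
    <status>200</status><mimetype>script</mimetype></item>
  <item><url><![CDATA[https://yourserver.com/index.html]]></url>
    <method><![CDATA[GET]]></method><path><![CDATA[/index.html]]></path>
    <status>200</status><mimetype>HTML</mimetype></item>
</items>
"""

# Path segments that are almost certainly identifiers rather than resource names.
ID_PATTERNS = (
    re.compile(r"^\d+$"),                                                        # numeric ids
    re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),  # UUIDs
    re.compile(r"^[0-9a-f]{16,}$", re.I),                                        # long hex tokens
)


def is_id_segment(segment):
    return any(p.match(segment) for p in ID_PATTERNS)


def normalize_path(path):
    """Collapse /users/42 and /users/7 into /users/{id}; drop the query string."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if is_id_segment(s) else s for s in path.split("/"))


def is_api_like(path, mimetype):
    """Assumed heuristic: JSON/XML responses, or a path with an 'api' or 'vN' segment."""
    if mimetype in ("JSON", "XML"):
        return True
    segments = path.split("?", 1)[0].split("/")
    return any(s == "api" or re.fullmatch(r"v\d+", s) for s in segments)


def parse_items(xml_text):
    """Yield method/path/status/mimetype per <item> in a Burp 'Save items' export."""
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        yield {
            "method": (item.findtext("method") or "").strip(),
            "path": (item.findtext("path") or "").strip(),
            "status": (item.findtext("status") or "").strip(),
            "mimetype": (item.findtext("mimetype") or "").strip(),
        }


def endpoint_templates(xml_text):
    """Return (METHOD, template, times seen) for API-like items, sorted by template."""
    counts = Counter()
    for it in parse_items(xml_text):
        if is_api_like(it["path"], it["mimetype"]):
            counts[(it["method"], normalize_path(it["path"]))] += 1
    return sorted(((m, t, n) for (m, t), n in counts.items()), key=lambda r: (r[1], r[0]))


def observed_ids(xml_text):
    """Every identifier seen in a path: a starting wordlist for Intruder payloads."""
    ids = set()
    for it in parse_items(xml_text):
        for seg in it["path"].split("?", 1)[0].split("/"):
            if is_id_segment(seg):
                ids.add(seg)
    return sorted(ids)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for method, template, n in endpoint_templates(text):
        print(f"{method:7s} {template}  (seen {n}x)")
    print("ids for Intruder:", ", ".join(observed_ids(text)))
```

Run it with the path to your export (`python endpoints.py history.xml`), or with no argument to see it work on the constructed sample. The template list shows which REST resources you have exercised and with which verbs, so the gaps (a GET /users/{id} but no PUT or DELETE, a /v1/ but no /v2/) become the next Repeater and Intruder requests; the ID list can be saved to user_ids.txt and loaded in the Payloads tab.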

5. Using Burp Suite Extensions

Several extensions from the BApp Store (‘Extensions’ → ‘BApp Store’) help with API discovery, alongside one built-in engagement tool:

  • Param Miner: Guesses hidden parameters and headers on existing requests, which often reveals undocumented API behaviour.
  • JS Link Finder: Extracts endpoint paths from JavaScript files as they pass through the proxy, covering routes the crawler never clicked.
  • OpenAPI Parser: Loads a Swagger/OpenAPI definition and adds one request per documented operation to the site map, ready to send to Repeater or Intruder.
  • Discover content (built in: ‘Target’ → ‘Site map’ → right-click → ‘Engagement tools’): attempts to discover endpoints based on common directory and file names and the naming patterns already seen on the target.

6. Checking for OpenAPI/Swagger Definitions

  1. Look for Common Paths: Request the usual definition locations directly in Repeater, or add them to a ‘Discover content’ run: /openapi.json, /swagger.json, /api-docs, /v2/api-docs, /v3/api-docs and /swagger-ui/. A 200 response whose JSON body carries an openapi or swagger version key is a definition. The site map only contains what was crawled or proxied, so a file nothing links to has to be asked for explicitly.
  2. Import Definitions: There is no ‘Import Swagger’ entry in the site map context menu. Install the ‘OpenAPI Parser’ extension from the BApp Store and point it at the definition URL or file; it maps every documented endpoint and parameter into the site map. Recent Burp Suite Professional releases can also take an OpenAPI definition as a scan target so that Burp Scanner audits the documented endpoints directly. Treat the definition as a starting point: undocumented endpoints (deprecated versions, internal admin routes) are exactly what the rest of this guide is for.
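The two steps above, asking for the common definition paths and turning a found definition into a list of endpoints, are shown end to end in this added example (not code from the original article or from PortSwigger). The probe sends each request through Burp’s proxy listener, assumed to be on 127.0.0.1:8080, so every hit is recorded in the HTTP history and site map; the list of candidate paths is my assumption, the sample definition is constructed, and the parser handles both Swagger 2 (basePath) and OpenAPI 3 (servers[].url) prefixes plus path-level parameters shared across operations.

```python
"""Probe for OpenAPI/Swagger definitions through Burp and expand one into endpoints.

Added example (not from the original article). Assumes Burp's proxy listener
is on 127.0.0.1:8080 so every probe lands in Burp's HTTP history and site map;
DEFINITION_PATHS is an assumed list and SAMPLE_DEFINITION is constructed.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed list of common definition locations; extend it with what you meet in the field.
DEFINITION_PATHS = (
    "/openapi.json", "/swagger.json", "/api-docs", "/v2/api-docs", "/v3/api-docs",
    "/swagger/v1/swagger.json", "/api/openapi.json", "/api/swagger.json",
)
BURP_PROXY = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}

# Constructed OpenAPI 3 document standing in for a real /openapi.json.
SAMPLE_DEFINITION = {
    "openapi": "3.0.0",
    "info": {"title": "Constructed sample", "version": "1"},
    "servers": [{"url": "https://yourserver.com/api/v1"}],
    "paths": {
        "/users": {
            "get": {"parameters": [{"name": "page", "in": "query"}]},
            "post": {},
        },
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {},
            "delete": {},
        },
    },
}


def looks_like_definition(status, body):
    """A hit is a 200 whose JSON body carries an 'openapi' or 'swagger' version key."""
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc)


def probe_definitions(base_url, proxy=BURP_PROXY, timeout=5):
    """Request each candidate path via Burp; return (url, parsed definition) for hits."""
    # Burp re-signs TLS with its own CA, so certificate verification is disabled here.
    # Acceptable only because the traffic is deliberately routed into your own proxy.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler(proxy), urllib.request.HTTPSHandler(context=ctx))
    found = []
    for path in DEFINITION_PATHS:
        url = base_url.rstrip("/") + path
        try:
            with opener.open(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
                if looks_like_definition(resp.status, body):
                    found.append((url, json.loads(body)))
        except (urllib.error.URLError, OSError):
            continue  # 404s raise HTTPError (a URLError); so do connection failures
    return found


def endpoints_from_definition(doc):
    """Expand a Swagger 2 / OpenAPI 3 document into (METHOD, full path, [name:location]) rows."""
    methods = {"get", "put", "post", "delete", "patch", "head", "options"}
    if "swagger" in doc:                      # Swagger 2: prefix lives in basePath
        prefix = doc.get("basePath", "")
    else:                                     # OpenAPI 3: prefix is the path part of servers[0].url
        servers = doc.get("servers") or [{"url": ""}]
        prefix = urlsplit(servers[0].get("url", "")).path
    rows = []
    for path, item in doc.get("paths", {}).items():
        shared = item.get("parameters", [])   # path-level parameters apply to every operation
        for method, op in item.items():
            if method not in methods:
                continue
            params = [f"{p['name']}:{p.get('in', '?')}" for p in shared + op.get("parameters", [])]
            rows.append((method.upper(), prefix.rstrip("/") + path, params))
    return sorted(rows, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = probe_definitions(sys.argv[1])
        if not hits:
            sys.exit("no definition at the common paths; try Burp's 'Discover content'")
        url, doc = hits[0]
        print(f"definition: {url}")
    else:
        doc = SAMPLE_DEFINITION  # offline demo on the constructed document
    for method, path, params in endpoints_from_definition(doc):
        print(f"{method:7s} {path}  params={params}")
```

With Burp running, `python find_api_def.py https://yourserver.com` leaves one request per candidate path in the HTTP history (right-click any of them to send to Repeater) and prints every documented operation with its parameters and their locations, which tells you at a glance which path and query parameters to mark as Intruder positions. Without an argument it runs offline against the constructed sample.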

7. Cyber Security Considerations

Remember that scanning systems without permission is illegal in most jurisdictions. Always obtain explicit, written consent with an agreed scope before testing any server you do not own, and agree in advance which hosts, HTTP methods and accounts an active audit may touch, since REST endpoints are exactly where automated testing changes data rather than just reading it.
