
Clarification on Webservices scanning

Karthik Aravind Jul 07, 2015 03:07PM UTC

I have some clarifications on web service testing.

Question 1:
Is Burp Suite capable of testing web services against all known vulnerabilities associated with web services?
Are all the scanning options present under the Active Scanning areas applicable to web service testing, or is it limited to a subset of those?

Question 2:
I browsed a website and it captured a web service URL (and many sub-URLs).
In the target, I expanded one of the URLs and on the right-hand side I see the method as GET.
But in the Request pane at the bottom, I can see the request going as OPTIONS and not GET.
(All the web service URLs show the same behaviour.)
Why does it go with an OPTIONS instead of a GET?

Question 3:
For the above scenario, the response code is HTTP/1.1 204 No Content and Content-Length is 0.
But if I take the URL and paste it in a browser (the request goes as GET instead of OPTIONS) there is an HTTP/1.1 200 OK response with a Content-Length greater than 0 and valid data in the response.

Could you please clarify ?


Dafydd Stuttard Jul 08, 2015 08:05AM UTC Support Center agent

1. Burp can scan web services / SOAP requests but it doesn’t natively parse WSDL files and generate SOAP requests. You have two options: (a) use a tool like soapUI to generate SOAP requests and proxy the traffic via Burp, then test it in the normal way; (b) try the Wsdler extension in the BApp Store, which does parse WSDL files and generate suitable requests.

2. There was a bug like this in the site map a while ago but it has been fixed. Are you using the latest Pro version?

3. OPTIONS and GET requests do very different things, and so typically receive different responses. You can copy the URL and in Repeater choose “Paste URL as request” from the context menu, to send a suitable GET request within Burp, which should receive a normal response.

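To make the OPTIONS-versus-GET difference from question 3 concrete, here is an added example (not code from the thread or from PortSwigger): a toy local REST endpoint that answers OPTIONS with 204 No Content and GET with 200 OK plus a JSON body, and a client that sends both methods to the same URL so the two responses can be compared side by side. The endpoint, path and sample body are constructed for the demonstration.

```python
import http.server
import socketserver
import threading
import urllib.request

# Constructed sample body for the hypothetical local REST resource.
SAMPLE_BODY = b'{"id": 42, "name": "example"}'

class RestHandler(http.server.BaseHTTPRequestHandler):
    """Toy REST endpoint: GET returns JSON, OPTIONS returns 204 with no body."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(SAMPLE_BODY)))
        self.end_headers()
        self.wfile.write(SAMPLE_BODY)

    def do_OPTIONS(self):
        # Preflight-style reply: advertise allowed methods, send no body.
        self.send_response(204)
        self.send_header("Allow", "GET, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # silence per-request logging

def start_server():
    """Bind an ephemeral localhost port and serve requests in the background."""
    server = socketserver.TCPServer(("127.0.0.1", 0), RestHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(url, method):
    """Send one request; return (status, Content-Length, body)."""
    req = urllib.request.Request(url, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, int(resp.headers["Content-Length"]), resp.read()

def compare_methods():
    """Send OPTIONS and GET to the same URL and return both results."""
    server = start_server()
    try:
        url = "http://127.0.0.1:%d/api/items/42" % server.server_address[1]
        return {"OPTIONS": probe(url, "OPTIONS"), "GET": probe(url, "GET")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for method, (status, length, body) in compare_methods().items():
        print(method, status, length, body)
```

The OPTIONS reply carries only the Allow header and no body, which is why a site map entry captured from an OPTIONS request looks empty while the same URL fetched with GET returns data.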

Karthik Aravind Jul 08, 2015 01:12PM UTC
Thanks for the response. The web service used the REST format.

So, is it supported via Burp?

Dafydd Stuttard Jul 08, 2015 03:12PM UTC Support Center agent

Yes, Burp can work with REST endpoints. If you access these in the normal way via Burp, Burp can scan and test the resulting requests in the normal way.

Note that if the application places data parameters into the URL file path, then you need to enable “REST-style URL parameters” at Scanner / Options / Attack insertion points.


Sabir Shaikh Apr 26, 2017 10:30AM UTC
How do I scan REST web services that use SSL (HTTPS)?

Dafydd Stuttard Apr 26, 2017 01:35PM UTC Support Center agent

There is no difference in the approach to testing for services using HTTPS as opposed to plain HTTP.


kalyan Jul 04, 2018 05:49AM UTC
As you said: "OPTIONS and GET requests do very different things, and so typically receive different responses. You can copy the URL and in Repeater choose “Paste URL as request” from the context menu, to send a suitable GET request within Burp, which should receive a normal response."

-> After getting the response in Burp Repeater, how do I test for vulnerabilities?

Paul Johnston Jul 04, 2018 09:07AM UTC Support Center agent

Hi Kalyan,

Once you have a valid request in Repeater, the first step is to do an active scan.

You may also want to do some manual investigation – modifying some parts of the request and reviewing the application’s response. Manual testing requires considerable skill and experience. If you are interested there are many books, online materials, and vulnerable applications for training purposes.

