Burp Suite User Forum


What are the mandatory security tests for web services (REST API)?

Chandanu | Last updated: Jul 20, 2016 07:21PM UTC

Hi, I would like to know what security tests are mandatory for web services (REST API). I would like to know the list of security tests to be run on the web service (manual and automatic scan) using the Burp tool.

Liam, PortSwigger Agent | Last updated: Jul 21, 2016 10:04AM UTC

Hi Chandanu,

Thanks for your message. Any mandatory testing is usually enforced by the governing bodies of a specific commercial sector etc.

Burp Scanner will check for all vulnerabilities listed in the Burp Knowledge Base - https://portswigger.net/KnowledgeBase/Issues/.

Here is an example of a methodology for testing REST APIs - https://www.owasp.org/index.php/REST_Security_Cheat_Sheet.

Please let us know if you need any further assistance.

Liam, PortSwigger Agent | Last updated: Jul 28, 2016 02:07PM UTC

Hi Afser,

Thanks for your message. Just to clarify, do you wish to test an API or use Burp's API to enhance your testing?

Burp User | Last updated: Nov 28, 2016 01:51PM UTC

How to configure Burp Suite on an API for security testing?

Burp User | Last updated: Dec 16, 2016 07:34AM UTC

Hi, I want to test my API using Burp Suite Pro. Is there any way to test my API in Burp Pro?

Liam, PortSwigger Agent | Last updated: Dec 16, 2016 08:57AM UTC

Hi Murthy,

Thanks for your message. You can use Burp to test web APIs; however, you normally need to use the normal API client to generate suitable traffic, since Burp can't read the API documentation and generate valid requests.

Normally, you need to configure your client to use Burp as its proxy, then exercise all the API's features, and capture the traffic in Burp. Then you can test the traffic in the normal way as you would for browser-generated traffic.

If you require any further assistance testing your web infrastructure, please don't hesitate to contact us.
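The proxy workflow described in the reply above, as an added example that is not part of the original thread or PortSwigger's own code: a small Python client that sends one request per API operation through Burp so the traffic lands in the proxy history. It assumes Burp's default listener at 127.0.0.1:8080; the base URL, token, operation list and CA file name are constructed placeholders.

```python
import json
import ssl
import urllib.error
import urllib.request

BURP_PROXY = "http://127.0.0.1:8080"   # assumption: Burp's default proxy listener
BASE_URL = "https://api.example.test"  # placeholder for the API under test
# Constructed sample of operations to exercise: (method, path, JSON body or None)
OPERATIONS = [
    ("GET", "/v1/users", None),
    ("POST", "/v1/users", {"name": "alice", "role": "viewer"}),
    ("DELETE", "/v1/users/1", None),
]

def build_requests(base_url, token, operations):
    """Turn the operation list into authenticated urllib Request objects."""
    requests = []
    for method, path, body in operations:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        requests.append(req)
    return requests

def build_opener(proxy=BURP_PROXY, burp_ca_pem=None):
    """Route HTTP and HTTPS through Burp; trust Burp's CA (PEM) instead of disabling TLS checks."""
    ctx = ssl.create_default_context(cafile=burp_ca_pem)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
    )

def exercise(opener, requests):
    """Send each request once; return (method, url, status) as a coverage record."""
    results = []
    for req in requests:
        try:
            with opener.open(req, timeout=10) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # 4xx/5xx responses have still passed through the proxy
        results.append((req.get_method(), req.full_url, status))
    return results

if __name__ == "__main__":
    reqs = build_requests(BASE_URL, "TOKEN-PLACEHOLDER", OPERATIONS)
    print(exercise(build_opener(burp_ca_pem="burp-ca.pem"), reqs))  # assumed file name
```

The coverage record makes it easy to confirm that every operation was exercised before testing the captured traffic in Burp.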

PortSwigger Agent | Last updated: Dec 16, 2016 08:58AM UTC

Yes, you can configure a proxy within SOAP UI and point it at Burp. I've found some great bugs doing exactly that.

Burp User | Last updated: Jun 28, 2017 08:46AM UTC

Hi, is it possible to connect Burp Suite with SOAP UI for testing a REST API with JSON input?

Burp User | Last updated: Jul 19, 2017 02:06PM UTC

Why unnecessarily use two tools? API security testing can be done through SoapUI Pro / Ready API.

PortSwigger Agent | Last updated: Jul 20, 2017 07:21AM UTC

soapUI is made for developers and QA testers. Burp is made for security. While you can get by with just one, you get value out of using both.

Burp User | Last updated: Nov 16, 2017 07:59PM UTC

Hi, I would like to test a REST API using Burp Suite. Please post what needs to be done.

Assets in hand: 1) endpoint and auth token and JSON file which is coming from the UI.

Any help would be appreciated.

Many thanks,
TARUN.K

Liam, PortSwigger Agent | Last updated: Nov 17, 2017 09:50AM UTC

Have you checked out our support pages for testing REST APIs?

- https://support.portswigger.net/customer/portal/articles/2898121-using-burp-to-enumerate-a-rest-api
- https://support.portswigger.net/customer/portal/articles/2898216-Methodology_API_REST.html

Please let us know if you need any further assistance.

Burp User | Last updated: Dec 20, 2018 05:25AM UTC

Could you kindly suggest any API security checklist for third-party and in-house APIs?

PortSwigger Agent | Last updated: Dec 20, 2018 09:51AM UTC

Almost everything that applies to a web app also applies to an API. You can use a web app checklist like ASVS or OSSTMM.
