Burp Suite User Forum

More Burp 2 Beta API Key Issues

Seth | Last updated: Dec 06, 2018 02:29PM UTC

When "Allow access without API key" is enabled, if an invalid API key is used the API does not return an "Unauthorized" error message or the proper HTTP status code.

For example, if a valid API key is "valid" and the API key "test" does not exist:

GET http://127.0.0.1:1337/valid/v0.1/knowledge_base/issue_definitions

will return the issue definitions, while:

GET http://127.0.0.1:1337/test/v0.1/knowledge_base/issue_definitions

will return:

400 "Invalid API version"

It should return:

401 "Unauthorized"

If the "Allow access without an API key" option is disabled, the API will return:

401 "Unauthorized"

for bad keys as expected.
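The two requests from the post above, turned into a repeatable check. This is an added example, not part of the original thread and not PortSwigger's code. The function names are hypothetical, and `ReportedStub` is a constructed local stand-in that only imitates the responses described in the post so the check runs offline.

```python
import http.server
import threading
import urllib.error
import urllib.request

PATH = "/v0.1/knowledge_base/issue_definitions"  # endpoint quoted in the post
# Ignore proxy environment variables so loopback requests stay local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base_url, api_key):
    """GET <base_url>/<api_key><PATH> and return the HTTP status code."""
    try:
        with OPENER.open(f"{base_url}/{api_key}{PATH}", timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code

def bad_key_verdict(base_url, bad_key="test"):
    """Classify how the API answers a key that does not exist."""
    status = probe(base_url, bad_key)
    if status == 401:
        return "rejected with 401"
    if status == 400:
        return "reported behaviour: 400 instead of 401"
    return f"unexpected status {status}"

class ReportedStub(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in, not Burp: key "valid" gets 200, anything else
    gets the 400 "Invalid API version" described in the post."""
    def do_GET(self):
        key = self.path.strip("/").split("/")[0]
        code, body = (200, "[]") if key == "valid" else (400, "Invalid API version")
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the stub quiet
        pass

def run_against_stub():
    """Start the stub on a free local port and run both requests from the post."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), ReportedStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return probe(base, "valid"), bad_key_verdict(base)
    finally:
        srv.shutdown()
        srv.server_close()
```

To check a real instance instead of the stub, call `bad_key_verdict` with its base URL, such as the `http://127.0.0.1:1337` used in the post.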

PortSwigger Agent | Last updated: Dec 06, 2018 03:04PM UTC

Thanks for letting us know about this. We'll investigate including a fix in a future beta.

Mike, PortSwigger Agent | Last updated: Dec 06, 2018 03:52PM UTC

We have this issue logged in our development backlog. Unfortunately, we can't provide an ETA on when this will be added.

Burp User | Last updated: Aug 15, 2019 04:42PM UTC

Any updates on this? Appears to still be present in 2.1.03.

Ben, PortSwigger Agent | Last updated: Aug 16, 2019 01:37PM UTC

We have released an update (Burp Professional Version 2020.1) that incorporates your feedback. We try our best to use the feedback that adds value to all our users. Sometimes the request may be partially fulfilled or we solved the problem differently to your suggestion. Please feel free to update and provide us with any new feedback to help improve the product further.

Burp User | Last updated: Sep 26, 2019 06:25PM UTC

Ok. Thanks for the update!