API-based architecture is only becoming more popular. The rise of Agile development and microservices ensures that. But security in this area is often poorly implemented and maintained. To compound the problem, many web vulnerability scanners lack visibility when it comes to APIs. That means the organizations using them lack visibility too.
Burp Scanner's API security testing feature can help to solve this problem.
Burp Scanner can parse API definitions. This helps it to identify and test API endpoints that many other web vulnerability scanners can't.
By automatically parsing OpenAPI v3 REST API definitions written in JSON or YAML, Burp Scanner can help you to discover more potential attack surface. This process allows Burp Scanner to identify and security test many APIs not even intended for web browsers.
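To make the parsing step concrete, here is an added Python example (not PortSwigger's or Burp Scanner's own code) that flattens an OpenAPI v3 JSON definition into a per-method endpoint inventory and flags the two things a tester looks at first: operations with no security requirement declared, and XML request bodies, which is where the XXE checks mentioned on this page apply. The definition, host name and security scheme name are constructed for the example.

```python
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed OpenAPI v3 document used as sample input; the host is a placeholder.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"summary": "Fetch a user"},
            "delete": {"summary": "Delete a user", "security": []},
        },
        "/export": {
            "post": {"requestBody": {"content": {"application/xml": {}}}},
        },
    },
})


def enumerate_endpoints(spec_text):
    """Flatten an OpenAPI v3 JSON document into one record per method and path,
    with the two flags a tester looks at first: no auth declared, and XML bodies."""
    spec = json.loads(spec_text)
    # Only the first server entry is used for the base URL (simplification).
    base_url = (spec.get("servers") or [{"url": ""}])[0]["url"].rstrip("/")
    global_security = spec.get("security", [])
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        path_params = [p["name"] for p in item.get("parameters", []) if p.get("in") == "path"]
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            # An operation-level "security" key overrides the global list;
            # an explicit empty list means the operation needs no authentication.
            security = op.get("security", global_security)
            content_types = list(op.get("requestBody", {}).get("content", {}))
            endpoints.append({
                "method": method.upper(),
                "url": base_url + path,
                "path_params": path_params,
                "no_auth_declared": len(security) == 0,
                # XML request bodies are where XXE checks apply.
                "xml_body": any("xml" in ct for ct in content_types),
            })
    return endpoints
```

A YAML definition can be fed through the same function after loading it with a YAML parser into the same dictionary shape, since only the structure matters here.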
Because many organizations struggle to manage their APIs, Burp Scanner's API discovery and scanning capabilities can mean a real boost to attack surface visibility. What you can't see, you can't test - making visibility paramount in today's API-connected world.
of surveyed organizations are concerned about finding vulnerabilities in APIs and microservices. Source: TechValidate survey of PortSwigger customers
As with all Burp Suite features, Burp Scanner is constantly evolving - enabling increased productivity and reliability for its users. This process is driven by demand. Given the rising popularity of microservice architectures, and the need for fast, reliable API security testing tools, users will notice Burp Scanner taking significant steps in the field of API testing.
These enhancements will include exciting changes to the way Burp Scanner detects and scans APIs when no API specification is available to it. This will further improve visibility, and make testing easier where an API specification has not been made publicly available.
Designed by leading web security researchers, Burp Scanner aims to mirror the actions of a skilled manual tester. Benefit from PortSwigger's ongoing commitment to excellence.
Burp Scanner sits at the heart of both Burp Suite Enterprise Edition and Burp Suite Professional. It's the weapon of choice for over 70,000 users across more than 16,000 organizations - from pentesters to DevSecOps teams.
By using its advanced crawling algorithm to build up a profile of its target in a similar way to an expert tester, Burp Scanner can reveal more attack surface to exploit - without user intervention.
Burp Scanner can handle JavaScript-heavy web apps, employ user-defined login sequences, and parse many API definitions. It reveals more of the attack surface you need to see.
Automating parts of your API security testing workflow can increase resources available for manual testing. This increases productivity for both organizations and individual testers.
Benefit from the best security research team in the world. Burp Suite subscribers get unrivaled protection against new vulnerabilities, and enhanced API protection.
Scan for a huge list of vulnerabilities, and save custom scan configurations. Have the option to focus on specific classes of vulnerability relevant to APIs - like XXE, or SQL injection.
Find more vulnerabilities - and fewer false positives. Bring a whole new facet to your security testing with reliable automated OAST (out-of-band application security testing).
I have already chosen Burp against our recommended scanning tool. Considering the flexibility in config, customer support, effectiveness in catching bugs etc.
Balaji Govindan
Software Engineer
Automate Burp Scanner. Integrate with CI/CD and enable DevSecOps. Indefinite scalability.
Integrate Burp Scanner with manual pentesting workflows, apply custom scan checks, and much more.
Learn more about APIs and microservices. Why are they so popular right now, and why are they difficult to secure?