Burp Suite API automation integrates Burp scanning, crawling, reporting, and workflow control into CI/CD pipelines and DevSecOps environments. Instead of running Burp Suite manually, the Burp REST API allows you to trigger scans, manage projects, pull issues, configure settings, and automate dynamic testing against running applications. This turns Burp Suite into a powerful automated DAST engine usable across pipelines, scripts, and cloud environments.
Understanding Burp Suite API
The Burp Suite REST API is available in Burp Suite Professional and Burp Suite Enterprise. It provides automation capabilities for:
• scanning URLs and entire applications
• configuring scan settings
• triggering multiple scans programmatically
• reading scan progress
• exporting vulnerability results
• generating HTML/XML reports
• integrating with GitHub, GitLab, and Jenkins
• running Burp headless
• interacting with Burp’s site map, issues, and proxy history
Burp’s API gives you full automation control over dynamic scanning.
Why Use Burp Suite API
Manual Burp usage is powerful but slow. Automation allows:
• scalable scanning
• predictable results
• continuous testing
• automatic scanning during CI/CD
• easy integration with pipelines
• full control without GUI
• quick retesting of incremental code changes
Burp API is essential for automated DevSecOps workflows.
Types of Burp APIs
Burp Suite Professional API
Runs locally on your machine with Burp Pro. Used for:
• headless scans
• scripting
• CI jobs
• launching scans in containers
API available through:
• REST API
• Extensions (Python, Java, Ruby)
Burp Suite Enterprise API
Cloud-scale scanning for large orgs. Used for:
• multi-team workflows
• large scan fleets
• dashboard reporting
Provides:
• REST API
• GraphQL API
Both versions support automation, but Burp Enterprise is designed for large-scale orchestration.
Starting Burp API
Launch Burp with API enabled:
burpsuite --project-file=test.burp --config-file=config.json --auto-repair --headless --port 1337
Typical API endpoint:
http://127.0.0.1:1337/v0.1/
You can now trigger scans, check progress, and export results.
Authenticating to the API
Set API key in Burp configuration.
Use:
Authorization: Bearer <API_KEY>
All API calls require this header.
Burp API Core Capabilities
Launching Scans
Trigger scans for full sites or specific URLs.
Managing Scan Configurations
Choose scan types:
• Passive
• Light active
• Full active
• Customized scanning
Monitoring Scan Progress
Track:
• crawl percentage
• audit percentage
• time remaining
• issue count
Exporting Results
Download:
• issues
• HTML report
• XML report
• JSON results
Stopping or Pausing Scans
Stop long scans programmatically.
Integrating With CI/CD
Use Burp API in:
• GitHub Actions
• GitLab CI
• Jenkins
• Azure DevOps
Triggering a Burp Scan via API
Example request:
POST /v0.1/scan
{
  "urls": ["https://target.com"],
  "application_logins": [],
  "scan_configuration": {
    "name": "fast"
  }
}
Burp returns:
{
  "scan_id": "abcd-1234"
}
Use scan_id for further queries.
Checking Scan Status
GET /v0.1/scan/abcd-1234/status
Response:
• crawling progress
• auditing progress
• issues found
Fetching Vulnerability Issues
GET /v0.1/scan/abcd-1234/issues
List includes severity, URL, parameter, evidence, and remediation guidance.
Exporting Report
GET /v0.1/scan/abcd-1234/report/html
or
GET /v0.1/scan/abcd-1234/report/xml
Download file for dashboards or pipeline artifacts.
Authenticating Targets in Burp API
Burp supports automated auth:
• cookie-based
• header-based
• form-login
• bearer token
• session cookies
• automatic re-authentication
Example config:
{
  "application_logins": [
    {
      "username": "admin",
      "password": "admin123",
      "login_url": "https://target.com/login"
    }
  ]
}
Burp API + CI/CD Integration
Add step in GitHub Actions:
- name: Run Burp Scan
  env:
    # API key kept as a repository secret rather than in the workflow file (secret name is illustrative)
    API_KEY: ${{ secrets.BURP_API_KEY }}
  run: |
    curl --fail -X POST http://localhost:1337/v0.1/scan \
      -H "Authorization: Bearer $API_KEY" \
      -H "Content-Type: application/json" \
      -d '{"urls":["https://target.com"]}'
Block merge if high-severity findings exist.
Burp API Scripting With Python
Install library:
pip install requests
Example:
import os
import requests

# Read the key from the environment instead of hard-coding it in the script
API_KEY = os.environ.get("BURP_API_KEY", "API_KEY")
BASE = "http://localhost:1337/v0.1"
headers = {"Authorization": f"Bearer {API_KEY}"}

# json= serialises the body and sets Content-Type: application/json
start = requests.post(
    f"{BASE}/scan",
    json={"urls": ["https://target.com"]},
    headers=headers,
    timeout=30,
)
start.raise_for_status()
scan_id = start.json()["scan_id"]

# Issues accumulate while the scan runs: poll the status endpoint until it
# finishes before treating this list as final
issues = requests.get(
    f"{BASE}/scan/{scan_id}/issues",
    headers=headers,
    timeout=30,
).json()
print(issues)
Use loops to poll status until scan finishes.
Burp Enterprise API Example
Trigger scan:
POST /api/v0/scans
{
  "site_id": 1,
  "configuration_id": 2
}
Fetch issues:
GET /api/v0/scans/<scan_id>/issues
The Enterprise API supports large-scale parallel scanning.
Advanced Burp API Use Cases
Automated Baseline Scans
Run fast passive scans after every commit.
Full DAST Nightly Scans
Run deep scans with all checks enabled.
Targeted Scans
Scan only:
• admin panel
• sensitive endpoints
• newly deployed microservices
API Security
Use pre-provided OpenAPI/Swagger spec for API scans.
Custom Scan Logic
Script custom automation:
• re-scan only changed URLs
• auto-retry failed scans
• detect forgotten vulnerabilities
Alerting
Export issues to:
• Slack
• Jira
• SIEM
Hybrid DAST
Burp API + ZAP API for redundancy.
Full-Length Practical Section
Extensive practicals to fully master Burp API.
Practical 1: Enable Burp API
Start headless Burp:
burpsuite --headless --port 1337 --api-key MYKEY \
--project-file=project.burp
Verify:
curl -H "Authorization: Bearer MYKEY" http://127.0.0.1:1337/v0.1/
Practical 2: Trigger First Scan
curl -X POST http://127.0.0.1:1337/v0.1/scan \
-H "Authorization: Bearer MYKEY" \
-H "Content-Type: application/json" \
-d '{"urls":["https://test.com"]}'
Practical 3: Poll Scan Status
Use:
GET /v0.1/scan/<id>/status
Track scan completion via polling.
Practical 4: Fetch Issues as JSON
curl \
-H "Authorization: Bearer MYKEY" \
http://127.0.0.1:1337/v0.1/scan/<id>/issues
Practical 5: Export HTML Report
curl -o report.html \
-H "Authorization: Bearer MYKEY" \
http://127.0.0.1:1337/v0.1/scan/<id>/report/html
Practical 6: Automate Authenticated Scans
Include login payload in scan configuration.
Test against authenticated pages.
Practical 7: Automate OpenAPI Scans
Upload openapi.json to Burp.
Trigger API-specific scanning.
Practical 8: Use Python Script to Automate Full Scan
Write Python script to:
• start scan
• monitor
• export results
• store report
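Practical 8, together with the trigger/status/issues/report sequence and the Python snippet earlier on the page, as one added example (not code from the page or from PortSwigger): a stdlib-only client that starts a scan, polls until it finishes, fetches the issues and stores the report. Endpoint paths and the Bearer header follow the page; the transport is injectable so the flow can be exercised offline; the scan_status field with its terminal values and the Location-header fallback are assumptions.

```python
import json
import time
import urllib.request


class BurpClient:
    def __init__(self, base="http://127.0.0.1:1337/v0.1", api_key="MYKEY", transport=None):
        self.base = base.rstrip("/")
        self.headers = {"Authorization": f"Bearer {api_key}",
                        "Content-Type": "application/json"}
        self.transport = transport or self._http  # injectable so the flow runs offline in tests

    def _http(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()

    def start_scan(self, urls, scan_config="fast", logins=None):
        body = {"urls": urls, "application_logins": logins or [],
                "scan_configuration": {"name": scan_config}}
        status, hdrs, raw = self.transport("POST", "/scan", body)
        if status not in (200, 201):
            raise RuntimeError(f"scan start failed: HTTP {status}")
        if raw:  # the page shows {"scan_id": ...} in the response body
            return json.loads(raw)["scan_id"]
        # Assumption: some builds return an empty body and put the id in a Location header
        return hdrs.get("Location", "").rstrip("/").rsplit("/", 1)[-1]

    def status(self, scan_id):
        return json.loads(self.transport("GET", f"/scan/{scan_id}/status", None)[2])

    def wait(self, scan_id, poll=10, timeout=3600, sleep=time.sleep):
        # Assumption: the status document carries scan_status, which reaches a terminal value
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            st = self.status(scan_id)
            if st.get("scan_status") in ("succeeded", "failed"):
                return st
            sleep(poll)
        raise TimeoutError(f"scan {scan_id} did not finish within {timeout}s")

    def issues(self, scan_id):
        return json.loads(self.transport("GET", f"/scan/{scan_id}/issues", None)[2])

    def save_report(self, scan_id, path, fmt="html"):
        raw = self.transport("GET", f"/scan/{scan_id}/report/{fmt}", None)[2]
        with open(path, "wb") as fh:
            fh.write(raw)
        return len(raw)
```

A pipeline step would call start_scan, wait, then issues and save_report in that order; wait raising TimeoutError is the signal to stop the scan and fail the job rather than leave it running.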
Practical 9: Add Burp Scan to Jenkins Pipeline
Create Jenkins stage:
curl ... /scan
Fail job if high severity issues appear.
Practical 10: Run Burp Scan in Docker
docker run -p 1337:1337 \
-v project:/burp \
burp-pro-image
Trigger scans from pipeline.
Practical 11: Auto-Retest Vulnerabilities
Script re-scan for specific URLs with issues.
Practical 12: Parallel Scanning
Run multiple scans at once by launching several Burp instances, one per scan.
Practical 13: Multi-URL Bulk Scanning
Submit array of URLs to scan multiple microservices at once.
Practical 14: Sync Site Map With CI
Fetch sitemap for regression testing.
Practical 15: Severity Threshold Enforcement
Download issues → check severity → fail pipeline.
Practical 16: Auto-Notify Devs
Send JSON issues to:
• Slack
• Microsoft Teams
• Jira
Practical 17: Store Reports in S3
Script to upload artifacts.
Practical 18: Container-Based Burp Automation
Build custom container with API enabled for pipelines.
Practical 19: Compare Two Scan Reports Programmatically
Detect regressions by comparing JSON issues.
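Practicals 15 and 19 together, as one added example that is not part of the page: a threshold gate that fails the pipeline when any issue meets the configured severity, and a diff of two issue exports that reports new, fixed and persisting findings. The issue field names and the sample exports are constructed for the example.

```python
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def issue_key(issue):
    # Identity of a finding: the same issue type at the same URL and parameter
    return (issue.get("name"), issue.get("url"), issue.get("parameter"))


def violations(issues, threshold="high"):
    floor = SEVERITY_RANK[threshold.lower()]
    return [i for i in issues
            if SEVERITY_RANK.get(str(i.get("severity", "info")).lower(), 0) >= floor]


def gate(issues, threshold="high"):
    """Return (exit_code, summary); a non-zero code fails the pipeline stage."""
    bad = violations(issues, threshold)
    return (1 if bad else 0), f"{len(bad)} issue(s) at or above '{threshold}' severity"


def diff_reports(baseline, current):
    """Regression view of two issue exports: new, fixed and persisting findings."""
    base = {issue_key(i): i for i in baseline}
    cur = {issue_key(i): i for i in current}
    return {
        "new": [cur[k] for k in sorted(cur.keys() - base.keys(), key=str)],
        "fixed": [base[k] for k in sorted(base.keys() - cur.keys(), key=str)],
        "persisting": [cur[k] for k in sorted(cur.keys() & base.keys(), key=str)],
    }


# Constructed sample exports shaped like the issue fields the page lists
BASELINE_ISSUES = [
    {"name": "Cross-site scripting (reflected)", "severity": "medium",
     "url": "https://target.com/search", "parameter": "q"},
    {"name": "Cookie without HttpOnly flag set", "severity": "low",
     "url": "https://target.com/", "parameter": None},
]
CURRENT_ISSUES = [
    {"name": "SQL injection", "severity": "high",
     "url": "https://target.com/api/users", "parameter": "id"},
    BASELINE_ISSUES[0],
]

if __name__ == "__main__":
    code, summary = gate(CURRENT_ISSUES)
    print(summary, "| new since baseline:", len(diff_reports(BASELINE_ISSUES, CURRENT_ISSUES)["new"]))
    sys.exit(code)
```

In a pipeline, load the two issue exports from the scan's issues endpoint into the two lists and exit with the gate's code; the "new" bucket is what a regression check should report to the team.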
Practical 20: Build Full Burp API Automation Architecture
Include:
• headless Burp Pro / Enterprise
• API-driven scans in CI/CD
• authenticated scanning
• OpenAPI-based API testing
• regression scanning
• threshold gates
• automatic issue export
• Slack/Jira integrations
• nightly full scans
• pipeline-embedded fast scans
• multi-environment scanning
This architecture provides full automated DAST for modern DevSecOps.
Intel Dump
• Burp Suite API automates crawling, scanning, and reporting
• Use headless mode, REST API, Docker, and scripting
• Supports authenticated scans, OpenAPI tests, CI/CD pipelines
• Practicals cover triggering scans, polling status, exporting issues, regression testing, Docker-based automation, and full integration into DevSecOps workflows