Started by Peter DanielsSep 24, 2021

How to pentest rest apis using burpsuite?


I want to pen test rest apis, the use case I have is a client(desktop app with username and password) connecting to a server. So I am confused from where to start and how to configure burp. Usually I use burp to pen test websites, which is quite easier to configure, you only set the proxy and intercept in the browser, but now the use case is different. Furthermore, I did some search on google I noticed postman is mentioned many times, I know it's a tool for building apis, but is it also used in the pentesting with the burp?

1 Replies

Techiio-commentatorNeel Dey replied 7 months ago0 likes0 dislikes

It may be useful to first confirm that the application is communicating via HTTP/HTTPS to ensure Burp is the right tool to use.

Postman is only useful for penetration testing if you already have Postman docs. It doesn't sound like that's the case here so I wouldn't worry about that.

Assuming the desktop app does use HTTP, there are two things you will need to do:

Change system-level proxy settings to point to Burp (

Install and trust the Burp CA Certificate (available locally from http://burp:8080).

In some cases, you might need to enable 'invisible proxying' in Burp.

Depending on the type of client, this may not always work at first, but if the client supports a proxy, you should see the traffic in your Burp window. Please do pay attention to your Dashboard in Burp, if you see TLS warnings, it may be an indicator the client uses certificate pinning, and some reverse engineering may be needed on the client.

You must be Logged in to reply

Techiio is on the journey to build an ocean of technical knowledge, scouring the emerging stars in process and proffering them to the corporate world.

Follow us on:

Subscribe to get latest updates

You can unsubscribe anytime from getting updates from us
Developed and maintained by Wikiance
Developed and maintained by Wikiance