Burp API Parser - Streamlining API Testing from Spec
By Philip Salire, Security Engineer at Bureau Veritas Cybersecurity
TL;DR: Bureau Veritas releases Burp API Parser, a Burp Suite extension that imports API specs directly into Burp as ready-to-test requests. Send all your APIs to Repeater in one click. No more juggling multiple tools to proxy requests into Burp: start testing immediately. Currently supported API specs: OpenAPI / Swagger, AWS JSON, Postman, and MCP.
Every API presents an entry point into the application and its backend, i.e. potential attack vectors. It is crucial for APIs to undergo thorough security assessments and penetration tests by independent security teams. This is where we come in – as security testers our goal is to uncover risks, vulnerabilities, and exploits before malicious actors do.
But there's a problem that slows us down before we even start testing.
The Problem: Integration Friction
One of the first steps of an API pentest is to establish how to construct the API requests. This sounds simple; in practice, however, it is often a major pain point.
Consider the difference in tooling between security and development teams. When testing APIs, security teams mostly rely on Burp Suite and security-specific tools like automated fuzzers and vulnerability scanners, while development teams often rely on testing in code and on API clients like Postman or Insomnia for one-off testing. As such, the process from the development team sharing the APIs to the APIs being ready for security testing is unfortunately not a simple “plug and play”.
In an ideal world, security teams would be provided the APIs as a ready-to-go Burp Suite project, with the APIs pre-populated in Repeater and Intruder, ready to test. But Burp is not a common tool outside of security circles and has a learning curve. Asking a development team to port APIs into Burp would be an impractical ask. Rather, it is necessary for us to adapt to customers’ unique environments and not the other way around. The goal is to solve the customer’s problems, not create new ones.
In software engineering terms, there is a missing adapter in this system. The initial setup of an API pentest often resembles a workaround rather than a defined, reproducible workflow.
The Current State: Manual Workarounds
The best-case scenario is when the development team provides complete documentation of the APIs with an exhaustive list of their parameters, inputs, and responses. Perhaps the most effective way of doing this is with an OpenAPI spec. But Burp is an HTTP proxy, not an API client, so the concept of “importing” APIs is not inherent to Burp. Security testers approach this problem in different ways, all with drawbacks:
- Load spec into Postman/Insomnia and proxy requests => Multiple tools, many potential points of failure
- Manually craft API requests in Burp => Time-consuming and error-prone
- Intercept requests from client-side interfaces => Not always available, potential for incomplete coverage
At best, it's tedious. At worst, it introduces errors and delays the actual security testing.
What We Built: Burp API Parser
Our Burp API Parser extension transforms API specs into ready-to-test requests in seconds. Import API specs directly into Burp, letting you start testing immediately. No more proxying, manual crafting, or additional tools.
https://github.com/bvcyber/Burp-API-Parser
Who it’s for: security engineers, penetration testers, API testers
API Parser has been used internally in our team for over a year and has dramatically reduced the manual effort needed to parse and set up APIs in Burp Suite.
Key Features
Intuitive UI
The Burp API Parser was designed with ease of use and a minimal learning curve in mind. Using it is easy:
- Navigate to the API Parser tab in Burp
- Open an API spec file
- Select the APIs you’re interested in
- View the serialized request and all spec definitions
Everything you need to know is displayed: the complete HTTP request, and API and parameter definitions from the spec.
Instant Integration
API Parser lets you import APIs with a single click. Send the APIs to Repeater, Intruder, or Organizer and start pentesting immediately:
- Select the APIs you’re interested in
- Click “Send to <Repeater/Intruder/Organizer>”
Full Coverage and Customization
An API definition in a spec file does not map one-to-one to an API request; the relationship is one-to-many. An API can support a multitude of parameters, content types, authentication methods, and hosts in endless combinations. API Parser handles this:
- Parameter Generation – all parameters are included in the request, whether it be in the query, header, or request body
- Unique Serializers (content types) – API Parser creates multiple serializers for each API’s unique configurations and allows you to choose which serializer to use. For example, with OpenAPI specs you can select which content type and example to use (if examples exist in the spec)
- Customize Auth – Select which authentication method defined in the spec to use
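To make the one-to-many fan-out concrete, here is an added illustration in Python (not the extension's own code): a constructed, minimal OpenAPI 3 document with path, query and header parameters, two body content types and two security schemes, plus the enumeration of every (content type, auth scheme) variant and a serializer that renders one variant as the raw HTTP request Repeater would receive. The server name, example values and `<API_KEY>`/`<TOKEN>` placeholders are all assumptions.

```python
import json
from itertools import product
from urllib.parse import urlencode, urlsplit

# Constructed minimal OpenAPI 3 document (illustrative, not a real service):
# one operation with path/query/header params, two body content types, two auth schemes.
SPEC = {
    "servers": [{"url": "https://api.example.test/v1"}],
    "components": {"securitySchemes": {
        "ApiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "Bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {"/users/{id}": {"put": {
        "security": [{"ApiKey": []}, {"Bearer": []}],
        "parameters": [{"name": "id", "in": "path", "example": 42},
                       {"name": "verbose", "in": "query", "example": "true"},
                       {"name": "X-Trace", "in": "header", "example": "1"}],
        "requestBody": {"content": {
            "application/json": {"example": {"name": "alice"}},
            "application/x-www-form-urlencoded": {"example": {"name": "alice"}}}}}}}}

def variants(spec, path, method):
    """All (content type, auth scheme) pairs one operation admits: the one-to-many fan-out."""
    op = spec["paths"][path][method]
    ctypes = list(op.get("requestBody", {}).get("content", {})) or [None]
    auths = [next(iter(s)) for s in op.get("security", [])] or [None]
    return list(product(ctypes, auths))

def serialize(spec, path, method, ctype=None, auth=None):
    """Render one concrete HTTP/1.1 request, as Repeater would receive it."""
    op = spec["paths"][path][method]
    params_in = lambda where: {p["name"]: str(p.get("example", "")) for p in op.get("parameters", []) if p["in"] == where}
    for k, v in params_in("path").items():    # substitute path template variables
        path = path.replace("{" + k + "}", v)
    base = urlsplit(spec["servers"][0]["url"])
    target = base.path + path + ("?" + urlencode(params_in("query")) if params_in("query") else "")
    headers = {"Host": base.netloc, **params_in("header")}
    scheme = spec["components"]["securitySchemes"].get(auth, {})
    if scheme.get("type") == "apiKey" and scheme.get("in") == "header":
        headers[scheme["name"]] = "<API_KEY>"   # placeholder for the tester to fill in
    elif scheme.get("type") == "http":
        headers["Authorization"] = scheme["scheme"].capitalize() + " <TOKEN>"
    body = ""
    if ctype:                                  # serialize the spec example in the chosen encoding
        example = op["requestBody"]["content"][ctype].get("example", {})
        body = json.dumps(example) if ctype == "application/json" else urlencode(example)
        headers.update({"Content-Type": ctype, "Content-Length": str(len(body))})
    lines = [f"{method.upper()} {target} HTTP/1.1", *[f"{k}: {v}" for k, v in headers.items()], "", body]
    return "\r\n".join(lines)
```

Calling `variants(SPEC, "/users/{id}", "put")` yields four combinations for this single operation, and each can be passed to `serialize` to produce a distinct request text.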
Supported API Specs
Currently, several widely used API specs on the internet are supported: OpenAPI (formerly Swagger), AWS JSON (botocore), and MCP.
For more information, see: https://github.com/bvcyber/Burp-API-Parser?tab=readme-ov-file#-supported-formats
Future Work
We designed API Parser with extensibility in mind and plan to continue iterating and expanding support. Development teams are working with countless formats to manage their APIs. It is important that we continue to implement support for common formats, including new and upcoming formats that are being adopted.
For example, the rapid adoption of AI has been accompanied by the creation of MCP, a new protocol that lets AIs discover and use external tools. New API formats like this will continue to emerge, and API Parser provides the stable framework and extensibility needed to add support for them and keep API testing in Burp Suite seamless.
Conclusion
API Parser has been an invaluable tool for our team, and we’re excited to release it externally. We hope by open-sourcing it we can help make API testing in Burp a better experience for everyone and open it to contributions to make it even better. If you’d like support applying this in your environment or want feedback on your API testing approach, feel free to get in touch.
More information
Discover how cyber experts like Philip Salire, Security Engineer and author of this article, can help secure your organization with AI Security Services.
Why choose Bureau Veritas Cybersecurity
Bureau Veritas Cybersecurity is your expert partner in cybersecurity. We help organizations identify risks, strengthen defenses and comply with cybersecurity standards and regulations. Our services cover people, processes and technology, ranging from awareness training and social engineering to security advice, compliance and penetration testing.
We operate across IT, OT and IoT environments, supporting both digital systems and connected products. With over 300 cybersecurity professionals worldwide, we combine deep technical expertise with a global presence. Bureau Veritas Cybersecurity is part of the Bureau Veritas Group, a global leader in testing, inspection and certification.