Swurg is a Burp Suite extension designed for OpenAPI testing.
The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service.
Use cases for machine-readable API definition documents include, but are not limited to: interactive documentation; code generation for documentation, clients, and servers; and automation of test cases. OpenAPI documents describe an API’s services and are represented in either YAML or JSON formats. These documents may either be produced and served statically or be generated dynamically from an application.
– OpenAPI Initiative
Performing security assessment of OpenAPI-based APIs can be a tedious task due to Burp Suite (industry standard) lacking native OpenAPI parsing capabilities. A solution to this situation, is to use third-party tools (e.g.
SOAP-UI) or to implement custom scripts (often on a per engagement basis) to handle the parsing of OpenAPI documents and integrate/chain the results to Burp Suite to use its first class scanning capabilities.
Swurg is an OpenAPI parser that aims to streamline this entire process by allowing security professionals to use Burp Suite as a standalone tool for security assessment of OpenAPI-based APIs.
- OpenAPI documents can be parsed either from a supplied file or URL. The extension can fetch OpenAPI documents directly from a URL using the
Send to Swagger Parserfeature under the
Target -> Site mapcontext menu.
- Parse OpenAPI documents, formerly known as the
Swagger specification, fully compliant with OpenAPI 2.0/3.0 Specifications (OAS).
- Requests can be directly viewed/edited within the extension prior to sending them to other Burp tools.
- Requests can be sent to the
Comparer, Intruder, Repeater, Scanner, Site map and ScopeBurp tools.
- Requests matching specific criterias (detailed in the ‘Parameters’ tab) can be intercepted to automatically match and replace the parsed parameters default values defined in the ‘Parameters’ tab. This feature allows for fine-tuning of the requests prior to sending them to other Burp tools (e.g., scanner). Edited requests can be viewed within the ‘Modified Request (OpenAPI Parser)’ tab of Burp’s message editor.
- Row highlighting allowing pentesters to highlight “interesting” API calls and/or colour code them for reporting purposes.
- Supports both JSON and YAML formats.
- Install and configure Gradle (https://gradle.org/) on your system.
- Download/clone this repository
$ git clone https://github.com/aress31/swurg
$ cd .\swurg\
Create the standalone jar:
$ gradle fatJar
Loading the extension into the Burp Suite
In Burp Suite, under the
Extender/Options tab, click on the
Add button and load the
swurg-all jar file located in the
Alternatively, you can now directly install/load this extension from the
Note: The version distributed on the
BApp Store might be behind the version available on this repository.
- Beautify the graphical user interface.
- Deep parsing of OpenAPI schemas to collect all nested parameters along with their example/type.
- Code simplification/refactoring.
- Enable cells editing to change API calls directly from the GUI.
- Further optimise the source code.
- Implement support for authenticated testing (via user-supplied API-keys).
- Improve the Param column by adding the type of parameters (e.g. inquery, inbody, etc.).
- Implement the tables and context menus.
- Increase the extension verbosity (via the bottom panel).