
Pynt with Burp Suite

Enhance Burp Suite with Pynt for advanced API security testing. Integrate Pynt to automate and extend your security testing capabilities within Burp Suite.


Last updated 8 months ago

What is Burp Suite?

💡 Burp Suite is a leading web vulnerability scanner used by security professionals for penetration testing of web applications. It provides tools for scanning, testing, and analyzing vulnerabilities, and supports both manual and automated security testing workflows. Burp Suite is widely used for identifying issues such as injection flaws, authentication vulnerabilities, and other security concerns in web applications.


Pynt's integration with Burp Suite

Integrating Pynt with Burp Suite enhances your API security testing by adding automated context-aware security scans to your testing process. With Pynt, you can automate vulnerability assessments within Burp Suite, ensuring that your APIs are continuously monitored and protected against emerging threats. Pynt's integration with Burp Suite provides detailed security reports, helping you quickly identify and address critical vulnerabilities in your APIs. This powerful combination of tools enables you to maintain a secure and resilient API environment, streamline your testing workflow, and deliver secure applications with confidence.


Two ways of integrating Pynt with Burp Suite:

Run Pynt on Burp suite XML traffic output

One of the most straightforward ways to leverage Pynt for efficient API security testing with Burp Suite is by saving the web application's traffic as an XML file. This process involves capturing the traffic using Burp Suite and then exporting it to an XML format. Once you have the XML file, you can then run Pynt against this file to analyze the captured traffic for potential security issues.

To do this, follow these steps within Burp Suite:

1. Go to the **Proxy** tab and then to the **HTTP history** tab.
2. Select the traffic you are interested in analyzing.
3. Make sure that the requests are in the correct order; Burp tends to sort them by parameters.
4. Right-click the selected traffic and choose **Save items**.
5. In the Save dialog, select **Base64-encode requests and responses**.
6. In the Save dialog, select **XML** as the file format and choose a location to save your file.
7. Run Pynt, specifying the saved XML file as input.

Basic usage

pynt burp --xml <burp_output_file.xml>

Required arguments

--captured-domains - Pynt will scan only these domains and their subdomains. To include all domains, write "*".

Optional arguments

--port - Set the port Pynt will listen on (DEFAULT: 5001)
--ca-path - The path to the CA file in PEM format
--proxy-port - Set the port proxied traffic should be routed to (DEFAULT: 6666)
--report - If present, save the generated report to this path
--insecure - Use when the target uses self-signed certificates
--host-ca - Path to the CA file in PEM format, to enable SSL certificate verification for Pynt when running through a VPN
--return-error - When to exit with an error: 'all-findings' (warnings or errors), 'errors-only', or 'never' (default)

Example

Here is an example of running Pynt against the XML output of traffic to the goat application:

pynt burp --xml goat_burp.xml
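As an added pre-flight check (example code, not Pynt's or Burp's own), the following Python parses a Burp "Save items" XML export of the kind produced by steps 4-6, decodes the Base64-encoded requests, and lists the in-scope request lines in export order so the ordering from step 3 can be confirmed before running pynt burp. The XML is constructed sample data, and the domain matching only mirrors the "domain and its subdomains" rule the page states for --captured-domains; it is an assumption about how Pynt applies that flag, not Pynt's implementation.

```python
import base64
import xml.etree.ElementTree as ET


def _burp_item(host: str, raw_request: bytes) -> str:
    # Constructed <item> in the shape Burp's "Save items" writes when
    # "Base64-encode requests and responses" is ticked (step 5 above).
    b64_req = base64.b64encode(raw_request).decode("ascii")
    b64_resp = base64.b64encode(b"HTTP/1.1 200 OK\r\n\r\n").decode("ascii")
    return (f"<item><host>{host}</host><protocol>https</protocol>"
            f'<request base64="true"><![CDATA[{b64_req}]]></request>'
            f'<response base64="true"><![CDATA[{b64_resp}]]></response></item>')


# Constructed sample export: three items, the second on an out-of-scope host.
SAMPLE_XML = ('<?xml version="1.0"?><items burpVersion="constructed">'
              + _burp_item("api.example.com", b"POST /login HTTP/1.1\r\nHost: api.example.com\r\n\r\n")
              + _burp_item("cdn.other-site.net", b"GET /static/app.js HTTP/1.1\r\nHost: cdn.other-site.net\r\n\r\n")
              + _burp_item("example.com", b"GET /api/items?id=1 HTTP/1.1\r\nHost: example.com\r\n\r\n")
              + "</items>").encode("utf-8")


def load_burp_items(xml_bytes: bytes):
    """Yield (host, raw request bytes) per <item>, decoding Base64 when flagged."""
    for item in ET.fromstring(xml_bytes).iter("item"):
        host = (item.findtext("host") or "").strip()
        req = item.find("request")
        text = (req.text or "").strip() if req is not None else ""
        if req is not None and req.get("base64") == "true":
            raw = base64.b64decode(text)
        else:
            raw = text.encode("latin-1")  # export saved without Base64 encoding
        yield host, raw


def in_scope(host: str, captured_domains) -> bool:
    """Assumed --captured-domains rule: a listed domain covers itself and its
    subdomains; "*" covers every host."""
    host = host.lower()
    return any(d == "*" or host == d.lower() or host.endswith("." + d.lower())
               for d in captured_domains)


def preflight(xml_bytes: bytes, captured_domains) -> list[str]:
    """Request lines of in-scope items, in export order (the order Pynt sees)."""
    return [raw.split(b"\r\n", 1)[0].decode("latin-1")
            for host, raw in load_burp_items(xml_bytes)
            if in_scope(host, captured_domains)]


if __name__ == "__main__":
    for line in preflight(SAMPLE_XML, ["example.com"]):
        print(line)
```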

Use Pynt listen as an upstream proxy of Burp

Run pynt listen and set it to capture the domains of the traffic that you want Pynt to scan:

pynt listen --captured-domains <domains>

Setting Upstream Proxy in Burp Suite

To configure Burp Suite to use an upstream proxy, follow these steps:

  1. Open Burp Suite and navigate to the Proxy tab.
  2. Click on the Options sub-tab.
  3. Scroll down to the Upstream Proxy Servers section.
  4. Click on the Add button.
  5. In the dialog that appears, enter the details of the upstream proxy:
    • Destination host: Leave this as * to apply to all destinations, or specify particular hosts.
    • Proxy host: Enter the IP address of Pynt listen: 127.0.0.1
    • Proxy port: Enter the port number of Pynt listen: 6666
  6. Click OK to save your upstream proxy configuration.

Now Burp Suite will route all external traffic through the Pynt proxy. Press Enter to trigger the Pynt scan.


As part of its API security testing, Pynt allows seamless integration with Burp.

Download the goat_burp.xml file and run:

💡 Pynt CLI Troubleshooting: If you're encountering issues with Pynt's CLI, visit the Pynt CLI Troubleshooting Guide for solutions and troubleshooting tips.

💡 Still Need Help? For any questions or troubleshooting, reach out to the Pynt Community Support.
