
Automating API pentesting with Nuclei, Docker, and Burp Suite combines fast template-based scanning with manual review in the proxy. Below is a step-by-step breakdown of the pipeline, with practical commands and configurations. Flag names follow Nuclei v3; where an older release used a different flag it is noted.
Automated API Scanning Pipeline
1. Running Nuclei in Docker
Nuclei is a fast, template-driven vulnerability scanner. Running it in Docker keeps the scanner version and template set consistent across machines. Note that ~/nuclei-templates/ is a path on the host: the container cannot see it unless it is mounted, so bind-mount the template directory at the path Nuclei uses inside the official image (/root/nuclei-templates) and reference that path:
docker pull projectdiscovery/nuclei:latest
docker run -it -v ~/nuclei-templates:/root/nuclei-templates projectdiscovery/nuclei:latest -u https://target.com -t /root/nuclei-templates/
2. Parsing OpenAPI Documentation for Endpoints
Extract API endpoints from an OpenAPI/Swagger document so every documented route is scanned, not just what a crawler happens to find. With the openapi-parser package, parse() returns a Specification whose paths carry the route in .url (attribute names per the library's data model). Print one URL per line rather than a Python list literal, and prefix each path with the server base URL, because Nuclei needs absolute URLs in its list input; paths containing {param} placeholders still need a sample value substituted before scanning:
python3 -m pip install openapi-parser
python3 -c "from openapi_parser import parse; spec = parse('swagger.json'); base = spec.servers[0].url.rstrip('/'); print('\n'.join(base + p.url for p in spec.paths))" > endpoints.txt
3. Scanning Extracted Endpoints with Nuclei
Feed the endpoint list to Nuclei with -l. The default input mode is already a plain list of URLs, so -input-mode list (-im list) is optional. The file lives on the host, so bind-mount it into the container:
docker run -v $(pwd)/endpoints.txt:/endpoints.txt projectdiscovery/nuclei:latest -l /endpoints.txt -im list
Recent Nuclei releases can also consume the specification directly with -l swagger.json -im openapi (or -im swagger for Swagger 2.0 documents), which skips the parsing step entirely.
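Steps 2 and 3 above stop at printing bare paths. The following is a fuller version of that parsing step, added here as an example for this page and not code from the original post or from any ProjectDiscovery tool: it uses only the standard library, handles both OpenAPI 3 servers and Swagger 2 host/basePath, fills {param} placeholders from the declared parameter types, and emits the one-URL-per-line list that -l expects. The hostname and routes in SAMPLE_SPEC are made up; pass a real swagger.json as the first argument to use it for real.

```python
import json
import re
import sys
from typing import Iterable, List, Tuple

HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")

# Constructed OpenAPI 3 document standing in for swagger.json; the hostname
# and routes are made up for this example.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.target.example/v1/"}],
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{userId}": {
            "get": {"parameters": [{"name": "userId", "in": "path",
                                    "schema": {"type": "integer"}}]},
            "delete": {},
        },
        "/users/{userId}/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path",
                            "schema": {"type": "string"}}],
            "get": {},
        },
        "/health": {"get": {}},
    },
}


def base_urls(spec: dict) -> List[str]:
    """Server base URLs for an OpenAPI 3 (servers) or Swagger 2 (host/basePath) document."""
    if "servers" in spec:
        return [s["url"].rstrip("/") for s in spec["servers"] if "url" in s]
    host = spec.get("host")
    if not host:
        return []
    base_path = spec.get("basePath", "").rstrip("/")
    return [f"{scheme}://{host}{base_path}" for scheme in spec.get("schemes") or ["https"]]


def _sample_value(param: dict) -> str:
    """Placeholder for a path parameter, chosen from its declared type."""
    schema = param.get("schema", param)   # Swagger 2 keeps 'type' on the parameter itself
    kind = schema.get("type", "string")
    if kind in ("integer", "number"):
        return "1"
    if kind == "boolean":
        return "true"
    return "test"


def fill_path(path: str, params: Iterable[dict]) -> str:
    """Replace {name} placeholders with sample values; undeclared ones become 1."""
    for p in params:
        if p.get("in") == "path":
            path = path.replace("{" + p["name"] + "}", _sample_value(p))
    return re.sub(r"\{[^}]+\}", "1", path)


def endpoints(spec: dict) -> List[Tuple[str, str]]:
    """(METHOD, absolute URL) for every operation on every declared server."""
    found = []
    bases = base_urls(spec)
    for raw_path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])   # path-level parameters apply to every operation
        for method, op in item.items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            concrete = fill_path(raw_path, shared + op.get("parameters", []))
            found.extend((method.upper(), base + concrete) for base in bases)
    return found


def nuclei_targets(spec: dict) -> List[str]:
    """Unique absolute URLs, one per line, as Nuclei's -l list input expects."""
    unique: List[str] = []
    for _, url in endpoints(spec):
        if url not in unique:
            unique.append(url)
    return unique


if __name__ == "__main__":
    # usage: python3 openapi_targets.py swagger.json > endpoints.txt
    spec = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SPEC
    print("\n".join(nuclei_targets(spec)))
```

The method list is kept separately from the URL list because Nuclei's list input is URL-only; if a template needs POST bodies or method-specific checks, that is where -im openapi or a custom template comes in.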
4. Proxying Requests Through Burp Suite
Intercept Nuclei's traffic in Burp so every request and response lands in the proxy history. Two Docker details matter here. First, 127.0.0.1 inside the container is the container itself, not the host running Burp, so either run the container with --network host (Linux) or point the proxy at host.docker.internal (Docker Desktop). Second, the endpoint file still has to be mounted. Nuclei's own -proxy flag (called -proxy-url in older releases) is sufficient; the http_proxy/https_proxy environment variables are redundant:
docker run --network host -v $(pwd)/endpoints.txt:/endpoints.txt projectdiscovery/nuclei:latest -l /endpoints.txt -proxy http://127.0.0.1:8080
Burp's proxy listener must also be bound to an address the container can reach: 127.0.0.1 works with --network host; otherwise bind it to the host's LAN address or to all interfaces.
5. Injecting Authorization Headers/Cookies
Most API routes answer 401/403 without credentials, so an unauthenticated scan mostly tests the auth wall. Use Nuclei's repeatable -H (-header) flag to attach a bearer token and session cookie to every request:
docker run -v $(pwd)/endpoints.txt:/endpoints.txt projectdiscovery/nuclei:latest -l /endpoints.txt -H "Authorization: Bearer TOKEN" -H "Cookie: session=COOKIE_VALUE"
Tokens expire, so issue a fresh one before a long scan, and avoid leaving the literal value in shell history by reading it from a file or an environment variable.
6. Combining with Burp Extensions
Extend the manual side with Burp extensions such as:
- Turbo Intruder (high-rate custom payload attacks: brute force, race conditions)
- Autorize (replays captured requests with a second, lower-privileged session to surface broken object- and function-level authorization, which generic scanner templates rarely catch)
7. Reviewing Results
- Nuclei console output, restricted to what needs attention and written to a machine-readable report (-jsonl in Nuclei v3; older releases used -json):
nuclei -l endpoints.txt -severity critical,high -silent -jsonl -o results.json
- Burp history: inspect the matching requests and responses by hand to weed out false positives. Template matchers are often string-based and fire on error pages and WAF responses.
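A triage script for the JSONL report, added here as an example and not code from the original post or from Nuclei: it reads the -jsonl output, tolerates a truncated last line from an interrupted scan, drops duplicate hits of the same template on the same URL, applies a severity floor, and groups what remains by matched URL with the worst severity first, which is the curated endpoint list the review step should end with. The field names (template-id, info.severity, host, matched-at) are Nuclei's; the sample lines, host and template ids are constructed for this example.

```python
import json
import sys
from typing import Dict, List, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of Nuclei JSONL output (-jsonl -o results.json). The field
# names are Nuclei's; the template ids, host and findings are made up. The third
# line duplicates the second, and the last line is truncated on purpose.
SAMPLE_RESULTS = """\
{"template-id":"exposed-swagger","info":{"name":"Swagger file exposed","severity":"info"},"type":"http","host":"https://api.target.example","matched-at":"https://api.target.example/v1/swagger.json"}
{"template-id":"cors-reflect-origin","info":{"name":"CORS reflects Origin","severity":"medium"},"type":"http","host":"https://api.target.example","matched-at":"https://api.target.example/v1/users"}
{"template-id":"cors-reflect-origin","info":{"name":"CORS reflects Origin","severity":"medium"},"type":"http","host":"https://api.target.example","matched-at":"https://api.target.example/v1/users"}
{"template-id":"sample-critical-finding","info":{"name":"Constructed critical finding","severity":"critical"},"type":"http","host":"https://api.target.example","matched-at":"https://api.target.example/v1/users/1"}
{"template-id":"missing-hsts","info":{"name":"Missing HSTS header","severity":"high"},"type":"http","host":"https://api.target.example","matched-at":"https://api.target.example/"}
{"template-id":"trunc
"""


def parse_jsonl(text: str) -> List[dict]:
    """One finding per line; blank and truncated lines are skipped rather than fatal."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings


def severity(finding: dict) -> str:
    return str(finding.get("info", {}).get("severity", "unknown")).lower()


def dedupe(findings: List[dict]) -> List[dict]:
    """Drop repeats of the same template on the same URL (one line per matcher hit)."""
    seen = set()
    unique = []
    for f in findings:
        key = (f.get("template-id"), f.get("matched-at"))
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def at_least(findings: List[dict], minimum: str = "high") -> List[dict]:
    """Keep findings at or above the severity floor; an unknown severity never passes."""
    threshold = SEVERITY_RANK[minimum]
    return [f for f in findings if SEVERITY_RANK.get(severity(f), -1) >= threshold]


def endpoints_by_risk(findings: List[dict]) -> List[Tuple[str, str, List[str]]]:
    """(url, worst severity, template ids) per matched URL, worst first: the remediation list."""
    worst: Dict[str, str] = {}
    templates: Dict[str, List[str]] = {}
    for f in dedupe(findings):
        url = f.get("matched-at") or f.get("host", "")
        sev = severity(f)
        if url not in worst or SEVERITY_RANK.get(sev, -1) > SEVERITY_RANK.get(worst[url], -1):
            worst[url] = sev
        templates.setdefault(url, []).append(str(f.get("template-id")))
    return sorted(((u, worst[u], templates[u]) for u in worst),
                  key=lambda row: -SEVERITY_RANK.get(row[1], -1))


if __name__ == "__main__":
    # usage: python3 triage.py results.json   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    for url, sev, ids in endpoints_by_risk(at_least(parse_jsonl(text), "medium")):
        print(f"{sev:8} {url}  [{', '.join(ids)}]")
```

Run the filtered rows against the Burp history before they go into a report: a critical row here is still a template match, not a confirmed finding, until the request and response have been read.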
You Should Know:
Essential Commands for API Pentesting
Linux/CLI Tools
Extract URLs and API paths from JavaScript files (the original pattern stopped at the first slash, so it captured only hostnames; the second line picks up relative /api/ paths):
grep -Eo "https?://[^\"' )]+" target.js | sort -u
grep -Eo "[\"'](/api/[^\"']*)[\"']" target.js | tr -d "\"'" | sort -u
Fuzz API paths and parameters with ffuf (match every status code, then filter out the 404 noise):
ffuf -u https://target.com/api/FUZZ -w wordlist.txt -H "Authorization: Bearer TOKEN" -mc all -fc 404
Check for JWT flaws with jwt_tool (-C cracks an HS256 signature against the -d dictionary):
python3 jwt_tool.py <JWT_TOKEN> -C -d wordlist.txt
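The JWT check above hands the token to jwt_tool. To show what -C -d actually does, here is the same offline dictionary attack together with the header and claim checks a tester looks at first, added as an example for this page and not jwt_tool's code. The sample token is built inside the block with a deliberately weak secret; in practice the token comes from the Authorization header captured in Burp.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Build a JWT; used here only to produce sample tokens for the checks below."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."          # unsigned token: empty third segment
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def inspect_token(token: str, now: Optional[int] = None) -> List[str]:
    """Weaknesses visible from the token alone (header and payload are not encrypted)."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    issues = []
    if str(header.get("alg", "")).lower() == "none" or parts[2] == "":
        issues.append("alg is none: the token is unsigned")
    if "exp" not in payload:
        issues.append("no exp claim: the token never expires")
    elif now is not None and int(payload["exp"]) < now:
        issues.append("exp is in the past: token expired")
    if "kid" in header:
        issues.append("kid header present: probe the key lookup for injection or path traversal")
    if "jku" in header or "x5u" in header:
        issues.append("jku/x5u header present: check whether arbitrary key URLs are fetched")
    return issues


def crack_hs256(token: str, wordlist) -> Optional[str]:
    """Offline dictionary attack on an HS256 signature (what jwt_tool -C -d does)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for candidate in wordlist:
        candidate = candidate.strip()
        guess = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a token signed with a weak secret and a short wordlist.
    token = make_token({"sub": "1", "role": "user", "exp": 1700000000}, "secret123")
    print(inspect_token(token, now=1800000000))
    print("secret:", crack_hs256(token, ["letmein", "password", "secret123"]))
```

A recovered secret means any claim (sub, role, scopes) can be forged, so it is a critical finding on its own; the checks in inspect_token are only leads that still have to be confirmed against the server's verification behaviour.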
Windows/PowerShell
Test API rate limiting (Invoke-RestMethod throws on a 429, so catch the error and print the status code for each request to see where throttling starts, if it does at all):
1..100 | ForEach-Object { try { (Invoke-WebRequest -Uri "https://target.com/api" -Headers @{ "Authorization" = "Bearer TOKEN" } -UseBasicParsing).StatusCode } catch { $_.Exception.Response.StatusCode.value__ } }
Check for CORS misconfigurations (send a GET rather than a HEAD, since some servers only add CORS headers to real responses, and look for Access-Control-Allow-Origin reflecting the supplied origin together with Access-Control-Allow-Credentials: true):
curl.exe -s -D - -o NUL -H "Origin: https://evil.com" https://target.com/api
Docker Automation
Schedule a nightly scan with cron. The original line was missing three of the five schedule fields, wrote no report, and piping only the new line into crontab - replaces every existing entry; append to the current crontab instead, mount persistent template and output directories, and escape % (which cron treats as a newline):
(crontab -l 2>/dev/null; echo "0 3 * * * docker run -v /var/lib/nuclei-templates:/root/nuclei-templates -v /var/lib/nuclei-scans:/scans projectdiscovery/nuclei:latest -u https://target.com -t cves/ -jsonl -o /scans/nuclei-\$(date +\%F).json") | crontab -
What Undercode Says
Automating API security testing with Nuclei and Burp Suite drastically improves coverage and speed, but manual validation remains crucial: template matchers produce false positives, and authorization and business-logic flaws are not something a generic template finds. Combining dynamic scanning with targeted fuzzing and Burp-side review gives deeper vulnerability discovery.
Expected Output:
- Nuclei JSON report (-jsonl -o results.json)
- Burp project file with manual findings
- Curated list of high-risk endpoints for remediation
Prediction
As APIs dominate modern applications, automated scanning tools like Nuclei will evolve with AI-driven detection, reducing false positives and integrating deeper with CI/CD pipelines.
Relevant Course: SquareSec – API Scanning Automation
Reported By: Aaandrei 𝐈𝐟 – Hackers Feeds


