Elevate Your API Security Game: Integrate Akto into Burp Suite

Ismail Tasdelen
7 min readMay 29, 2024

--

Akto.io

I want to say hello to everyone after a long break. As you know, API tests are found in every application structure and security tests of these structures are vital. I am aware that everyone has a different testing perspective and method. But if you want to take API Security tests to the next level together, I would like to tell you about Akto.

In today’s fast-paced digital landscape, securing APIs is paramount for safeguarding sensitive data and ensuring robust cybersecurity measures. Enter Akto, an innovative open-source platform designed to streamline API security processes with unparalleled efficiency.

With Akto, getting started is a breeze, taking a mere 60 seconds to set up and begin fortifying your API infrastructure. Targeted towards security teams, Akto offers a comprehensive suite of features aimed at maintaining a continuous inventory of APIs, identifying vulnerabilities, and pinpointing runtime issues.

One of Akto’s standout features is its exhaustive coverage of security testing, encompassing all OWASP Top 10 and HackerOne Top 10 categories. Whether it’s BOLA, authentication flaws, SSRF, XSS, or security configurations, Akto’s robust testing capabilities ensure that no stone is left unturned in the pursuit of airtight API security.

What sets Akto apart is its sophisticated testing engine, which goes beyond traditional methods by analyzing API traffic patterns. By leveraging this approach, Akto significantly reduces false positives, providing security teams with accurate and actionable insights.

Moreover, Akto boasts seamless integration with a variety of traffic sources, including Burp Suite, AWS, Postman, GCP, and gateways. This versatility allows organizations to effortlessly incorporate Akto into their existing workflows, enhancing overall security posture without disrupting operations.

In essence, Akto represents a paradigm shift in API security, empowering organizations to proactively mitigate risks and fortify their defenses against evolving threats. With its intuitive interface, comprehensive testing capabilities, and rapid deployment, Akto is poised to redefine the way security teams approach API security in the digital age.

Step by step installation of Akto.io Plugin to Burp Suite Pro tool:

1. Download akto’s burp extension.

2. Open Burp and add the downloaded jar file in extension tab.

3. Once the plugin is loaded click on “options” tab inside the plugin.

4. Copy the AKTO_IP and AKTO_TOKEN and paste in the options tab.

AKTO_IP: https://app.akto.io

AKTO_TOKEN: XXXXXXXXXXXXXXXXXXXXXXXX

5. Start Burp proxy and browse any website. You will see traffic in Burp collection.

1. How can I send data related to only a particular domain example.com to Akto via Burp?

Scope settings in burp

Step 1: In Burp Suite, open Target tab, click on Scope settings.

Add target scope

Step 2: Inside the Scope settings popup, click on Add button inside the Target scope section and add the prefix of the url i.e. https://example.com.

Add prefix
Add scope

Step 3: Now scroll down to Out-of-scope request handling section and select the Drop all out of scope requests checkbox. Note: this option will not allow the proxy browser to access any other urls and hence data related to no other urls will be sent to Akto.

Drop all out of scope requests

2. What should I do if my API key has expired or is invalid?

If you encounter a situation where your API key has either expired or is deemed invalid, you will be presented with a dialog box displaying the error message “Invalid API key.” To resolve this issue, please follow the steps outlined below:

Step 1: Begin by opening the Akto dashboard on your system.

Step 2: Once in the dashboard, navigate to the path Settings > Integrations > Burp.

Step 3: Generate a new token within this section and copy it to your clipboard.

Step 4: Open the Burp Suite application and paste the newly generated token into the “Options” tab under the field labeled AKTO_TOKEN.

By following these steps, you will replace the expired or invalid API key with a new one, ensuring uninterrupted functionality.

3. Does the Akto Burp plugin process all the network calls passing through the proxy?

The Akto plugin for Burp Suite is designed to process only API traffic. It specifically excludes other types of network calls, such as those made to retrieve media files. This selective processing helps in focusing on relevant API traffic without being bogged down by unnecessary data.

4. How to pause sending data to Akto?

If you need to temporarily halt the automatic sending of data to Akto, you can do so easily within Burp Suite:

Step 1: Go to the Akto tab in Burp Suite.

Step 2: Click on the Options tab.

Step 3: Disable the setting labeled “Send data to Akto automatically.”

This will pause the data transmission, giving you control over when and what data is sent.

5. I want to re-export the same data in a different collection. How can I do this in Burp using the Akto plugin?

To re-export the same data into a different collection using the Akto plugin within Burp Suite, follow these detailed steps:

Step 1: Open Burp Suite and navigate to the Akto tab.

Step 2: In the Akto tab, locate the “Options” tab.

Step 3: Within the “Options” tab, you will find a field where you can specify a new collection name.

Step 4: Enter your desired collection name in this field. The changes will be saved automatically.

Step 5: Proceed to re-export the data, which will now be saved under the newly specified collection name. This allows you to organize and manage your data more effectively within Burp Suite.

6. Can I import ZAP traffic into Akto?

Yes, importing ZAP (Zed Attack Proxy) traffic into Akto is possible using the Akto plugin. Here’s how you can do it:

Step 1: Open the Akto tab in your Burp Suite environment.

Step 2: Navigate to the Options tab within the Akto tab.

Step 3: In the Options tab, you will find a feature that allows you to import ZAP traffic.

Step 4: Follow the on-screen instructions to complete the import process.

By leveraging this feature, you can integrate ZAP traffic data into Akto, enabling comprehensive monitoring and analysis alongside other data sources.

Troubleshooting Guide

If you face connectivity issues with the Akto server, here are steps to troubleshoot and resolve them:

Issue 1: “Connection to localhost failed: Connection refused.”

If you see this error message, it means the Akto server is not reachable from your Burp instance. To ensure the server is reachable, follow these steps:

Step 1: Launch a web browser on the same machine where Burp is installed.

Step 2: In the browser’s address bar, enter the URL or IP address that corresponds to the Akto server as configured in the “AKTO_IP” setting within the Burp plugin.

Step 3: Press Enter or click “Go” to navigate to the Akto server’s URL.

Step 4: Observe the server’s response. If it loads successfully, it confirms connectivity. If not, there may be an issue with the server’s availability or your network configuration.

Issue 2: “I can’t see all my APIs in the Burp collection.”

If certain APIs are not visible in the Burp collection, check the following:

Ensure that the traffic in your Burp API Collection has a 2xx status code, as Akto ignores non-2xx API traffic data. Verify the response codes for the requests you are monitoring to confirm they are within the accepted range.

Issue 3: “Why are rows highlighted in black within the Akto Burp plugin’s table view, and how can I resolve this issue?”

If rows in the Akto Burp plugin’s table view are highlighted in black, it indicates a conflict with another plugin, likely LoggerPlusPlus. To resolve this:

Step 1: Remove the LoggerPlusPlus plugin from your Burp Suite installation.

Step 2: Refresh the table view within the Akto Burp plugin. This may involve closing and reopening the plugin or performing any specified refresh actions.

Issue 4: “Akto extension unable to send data after I reinstalled it in Burp for a different Akto account.”

To address this issue:

Step 1: Load the Akto extension in Burp Suite and open the Akto tab. Click on Options and then click on Reset All Settings.

Step 2: Click on Extensions, then reload the Akto extension by unchecking and rechecking the checkbox. This action should load the new settings for the Akto extension.

Thank you for your time with Akto and for using akto.io. Take care, and see you in my next article.

References:

For more detailed guidance and documentation, please visit: Akto Documentation

--

--

Ismail Tasdelen
Ismail Tasdelen

Written by Ismail Tasdelen

I'm Ismail Tasdelen. I have been working in the cyber security industry for +7 years. Don't forget to follow and applaud to support my content.