{"id":13422575,"url":"https://github.com/aress31/burpgpt","last_synced_at":"2025-05-15T14:06:26.385Z","repository":{"id":152299932,"uuid":"625308923","full_name":"aress31/burpgpt","owner":"aress31","description":"A Burp Suite extension that integrates OpenAI's GPT to perform an additional passive scan for discovering highly bespoke vulnerabilities and enables running traffic-based analysis of any type.","archived":false,"fork":false,"pushed_at":"2024-06-09T20:40:29.000Z","size":199,"stargazers_count":2104,"open_issues_count":15,"forks_count":252,"subscribers_count":35,"default_branch":"main","last_synced_at":"2025-04-11T22:38:08.912Z","etag":null,"topics":["ai","burp-extensions","burp-plugin","burpsuite","burpsuite-extender","cybersecurity","gpt","gpt-3","openai","openai-api","pentesting","security","security-automation","webapp"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aress31.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-08T17:58:26.000Z","updated_at":"2025-04-10T14:02:53.000Z","dependencies_parsed_at":null,"dependency_job_id":"4c3a8714-9dfa-4770-a7c0-cabd88ec88ac","html_url":"https://github.com/aress31/burpgpt","commit_stats":{"total_commits":76,"total_committers":1,"mean_commits":76.0,"dds":0.0,"last_synced_commit":"56c079cf21235a433467603b3458d9ba014a8189"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fburpgpt","tags_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fburpgpt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fburpgpt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fburpgpt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aress31","download_url":"https://codeload.github.com/aress31/burpgpt/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254355335,"owners_count":22057354,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","burp-extensions","burp-plugin","burpsuite","burpsuite-extender","cybersecurity","gpt","gpt-3","openai","openai-api","pentesting","security","security-automation","webapp"],"created_at":"2024-07-30T23:00:48.107Z","updated_at":"2025-05-15T14:06:21.368Z","avatar_url":"https://github.com/aress31.png","language":"Java","funding_links":["https://github.com/sponsors/aress31"],"categories":["Uncategorized","Java","Browser-extensions","扫描器、资产收集、子域名","资源列表","Tools","Attack Techniques \u0026 Red Teaming","Pentest \u0026 Red Teaming Agents"],"sub_categories":["Uncategorized","网络服务_其他","项目","Offensive","AI-Assisted Offensive Security"],"readme":"\u003e [!IMPORTANT]\n\u003e Announcing the launch of [BurpGPT Pro](https://burpgpt.app/), the edition specifically tailored to meet the needs of professionals and cyber boutiques. Discover a host of powerful features and a user-friendly interface that enhances your capabilities and ensures an optimal user experience.  
To access these benefits, visit our [website](https://burpgpt.app/) and read the [documentation](https://docs.burpgpt.app/) for more information.\n\n\u003e [!WARNING]\n\u003e Please note that the Community edition is no longer maintained or functional. To continue receiving updates, new features, bug fixes, and improvements, consider upgrading to the [Pro edition](https://burpgpt.app/). **It is no longer useful to log `Issues` for the Community edition.**\n\n# burpgpt\n\n[![Java CI with Gradle](https://github.com/aress31/burpgpt/actions/workflows/gradle-build.yml/badge.svg)](https://github.com/aress31/burpgpt/actions/workflows/gradle-build.yml)\n\n`burpgpt` leverages the power of `AI` to detect security vulnerabilities that traditional scanners might miss. It sends web traffic to an `OpenAI` `model` specified by the user, enabling sophisticated analysis within the passive scanner. This extension offers customisable `prompts` that enable tailored web traffic analysis to meet the specific needs of each user. Check out the [Example Use Cases](#example-use-cases) section for inspiration.\n\nThe extension generates an automated security report that summarises potential security issues based on the user's `prompt` and real-time data from `Burp`-issued requests. By leveraging `AI` and natural language processing, the extension streamlines the security assessment process and provides security professionals with a higher-level overview of the scanned application or endpoint. This enables them to more easily identify potential security issues and prioritise their analysis, while also covering a larger potential attack surface.\n\n\u003e [!WARNING]\n\u003e Data traffic is sent to `OpenAI` for analysis. 
If you have concerns about this or are using the extension for security-critical applications, it is important to carefully consider this and review [OpenAI's Privacy Policy](https://openai.com/policies/privacy-policy) for further information.\n\n\u003e [!WARNING]\n\u003e While the report is automated, it still requires triaging and post-processing by security professionals, as it may contain false positives.\n\n\u003e [!WARNING]\n\u003e The effectiveness of this extension is heavily reliant on the [quality and precision of the prompts](#prompt-configuration) created by the user for the selected `GPT` model. This targeted approach will help ensure the `GPT model` generates accurate and valuable results for your security analysis.\n\n## Features\n\n- Adds a `passive scan check`, allowing users to submit `HTTP` data to an `OpenAI`-controlled `GPT model` for analysis through a `placeholder` system.\n- Leverages the power of `OpenAI's GPT models` to conduct comprehensive traffic analysis, enabling detection of various issues beyond just security vulnerabilities in scanned applications.\n- Enables granular control over the number of `GPT tokens` used in the analysis by allowing for precise adjustments of the `maximum prompt length`.\n- Offers users multiple `OpenAI models` to choose from, allowing them to select the one that best suits their needs.\n- Empowers users to customise `prompts` and unleash limitless possibilities for interacting with `OpenAI models`. Browse through the [Example Use Cases](#example-use-cases) for inspiration.\n- Integrates with `Burp Suite`, providing all native features for pre- and post-processing, including displaying analysis results directly within the Burp UI for efficient analysis.\n- Provides troubleshooting functionality via the native `Burp Event Log`, enabling users to quickly resolve communication issues with the `OpenAI API`.\n\n## Requirements\n\n### 1. 
System requirements\n\n- Operating System: Compatible with `Linux`, `macOS`, and `Windows` operating systems.\n- Java Development Kit (JDK): `Version 11` or later.\n- Burp Suite Professional or Community Edition: `Version 2023.3.2` or later.\n\n  \u003e [!IMPORTANT]\n  \u003e Please note that using any version lower than `2023.3.2` may result in a [java.lang.NoSuchMethodError](https://forum.portswigger.net/thread/montoya-api-nosuchmethoderror-275048be). It is crucial to use the specified version or a more recent one to avoid this issue.\n\n### 2. Build tool\n\n- Gradle: `Version 6.9` or later (recommended). The [build.gradle](https://github.com/aress31/burpgpt/blob/main/lib/build.gradle) file is provided in the project repository.\n\n### 3. Environment variables\n\n- Set up the `JAVA_HOME` environment variable to point to the `JDK` installation directory.\n\nPlease ensure that all system requirements, including a compatible version of `Burp Suite`, are met before building and running the project. Note that the project's external dependencies will be automatically managed and installed by `Gradle` during the build process. Adhering to the requirements will help avoid potential issues and reduce the need for opening new issues in the project repository.\n\n## Installation\n\n### 1. Compilation\n\n1. Ensure you have [Gradle](https://gradle.org/) installed and configured.\n\n2. Download the `burpgpt` repository:\n\n   ```bash\n   git clone https://github.com/aress31/burpgpt\n   cd .\\burpgpt\\\n   ```\n\n3. Build the standalone `jar`:\n\n   ```bash\n   ./gradlew shadowJar\n   ```\n\n### 2. Loading the Extension Into `Burp Suite`\n\nTo install `burpgpt` in `Burp Suite`, first go to the `Extensions` tab and click on the `Add` button. 
Then, select the `burpgpt-all` jar file located in the `.\\lib\\build\\libs` folder to load the extension.\n\n## Usage\n\nTo start using burpgpt, users need to complete the following steps in the Settings panel, which can be accessed from the Burp Suite menu bar:\n\n1. Enter a valid `OpenAI API key`.\n2. Select a `model`.\n3. Define the `max prompt size`. This field controls the maximum `prompt` length sent to `OpenAI` to avoid exceeding the `maxTokens` of `GPT` models (typically around `2048` for `GPT-3`).\n4. Adjust or create custom prompts according to your requirements.\n\n\u003cimg src=\"https://user-images.githubusercontent.com/11601622/230922492-6434ff25-0f2e-4435-8f4d-b3dd6b7ac9c6.png\" alt=\"burpgpt UI\" width=\"75%\" height=\"75%\"\u003e\n\nOnce configured as outlined above, the `Burp passive scanner` sends each request to the chosen `OpenAI model` via the `OpenAI API` for analysis, producing `Informational`-level severity findings based on the results.\n\n\u003cimg src=\"https://user-images.githubusercontent.com/11601622/230796361-2907580f-1993-4cf0-8ac7-f6bae448499d.png\" alt=\"burpgpt finding\" width=\"75%\" height=\"75%\"\u003e\n\n### Prompt Configuration\n\n`burpgpt` enables users to tailor the `prompt` for traffic analysis using a `placeholder` system. To include relevant information, we recommend using these `placeholders`, which the extension handles directly, allowing dynamic insertion of specific values into the `prompt`:\n\n| Placeholder             | Description                                                                                                                                                                |\n| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `{REQUEST}`             | The scanned request.                                                                               
                                                                        |\n| `{URL}`                 | The URL of the scanned request.                                                                                                                                            |\n| `{METHOD}`              | The HTTP request method used in the scanned request.                                                                                                                       |\n| `{REQUEST_HEADERS}`     | The headers of the scanned request.                                                                                                                                        |\n| `{REQUEST_BODY}`        | The body of the scanned request.                                                                                                                                           |\n| `{RESPONSE}`            | The scanned response.                                                                                                                                                      |\n| `{RESPONSE_HEADERS}`    | The headers of the scanned response.                                                                                                                                       |\n| `{RESPONSE_BODY}`       | The body of the scanned response.                                                                                                                                          |\n| `{IS_TRUNCATED_PROMPT}` | A `boolean` value that is programmatically set to `true` or `false` to indicate whether the `prompt` was truncated to the `Maximum Prompt Size` defined in the `Settings`. 
|\n\nThese `placeholders` can be used in the custom `prompt` to dynamically generate a request/response analysis `prompt` that is specific to the scanned request.\n\n\u003e [!NOTE]\n\u003e `Burp Suite` provides the capability to support arbitrary `placeholders` through the use of [Session handling rules](https://portswigger.net/support/configuring-burp-suites-session-handling-rules) or extensions such as [Custom Parameter Handler](https://portswigger.net/bappstore/a0c0cd68ab7c4928b3bf0a9ad48ec8c7), allowing for even greater customisation of the `prompts`.\n\n### Example Use Cases\n\nThe following list of example use cases showcases the bespoke and highly customisable nature of `burpgpt`, which enables users to tailor their web traffic analysis to meet their specific needs.\n\n- Identifying potential vulnerabilities in web applications that use a crypto library affected by a specific CVE:\n\n  ```\n  Analyse the request and response data for potential security vulnerabilities related to the {CRYPTO_LIBRARY_NAME} crypto library affected by CVE-{CVE_NUMBER}:\n\n  Web Application URL: {URL}\n  Crypto Library Name: {CRYPTO_LIBRARY_NAME}\n  CVE Number: CVE-{CVE_NUMBER}\n  Request Headers: {REQUEST_HEADERS}\n  Response Headers: {RESPONSE_HEADERS}\n  Request Body: {REQUEST_BODY}\n  Response Body: {RESPONSE_BODY}\n\n  Identify any potential vulnerabilities related to the {CRYPTO_LIBRARY_NAME} crypto library affected by CVE-{CVE_NUMBER} in the request and response data and report them.\n  ```\n\n- Scanning for vulnerabilities in web applications that use biometric authentication by analysing request and response data related to the authentication process:\n\n  ```\n  Analyse the request and response data for potential security vulnerabilities related to the biometric authentication process:\n\n  Web Application URL: {URL}\n  Biometric Authentication Request Headers: {REQUEST_HEADERS}\n  Biometric Authentication Response Headers: {RESPONSE_HEADERS}\n  Biometric Authentication 
Request Body: {REQUEST_BODY}\n  Biometric Authentication Response Body: {RESPONSE_BODY}\n\n  Identify any potential vulnerabilities related to the biometric authentication process in the request and response data and report them.\n  ```\n\n- Analysing the request and response data exchanged between serverless functions for potential security vulnerabilities:\n\n  ```\n  Analyse the request and response data exchanged between serverless functions for potential security vulnerabilities:\n\n  Serverless Function A URL: {URL}\n  Serverless Function B URL: {URL}\n  Serverless Function A Request Headers: {REQUEST_HEADERS}\n  Serverless Function B Response Headers: {RESPONSE_HEADERS}\n  Serverless Function A Request Body: {REQUEST_BODY}\n  Serverless Function B Response Body: {RESPONSE_BODY}\n\n  Identify any potential vulnerabilities in the data exchanged between the two serverless functions and report them.\n  ```\n\n- Analysing the request and response data for potential security vulnerabilities specific to a Single-Page Application (SPA) framework:\n\n  ```\n  Analyse the request and response data for potential security vulnerabilities specific to the {SPA_FRAMEWORK_NAME} SPA framework:\n\n  Web Application URL: {URL}\n  SPA Framework Name: {SPA_FRAMEWORK_NAME}\n  Request Headers: {REQUEST_HEADERS}\n  Response Headers: {RESPONSE_HEADERS}\n  Request Body: {REQUEST_BODY}\n  Response Body: {RESPONSE_BODY}\n\n  Identify any potential vulnerabilities related to the {SPA_FRAMEWORK_NAME} SPA framework in the request and response data and report them.\n  ```\n\n## Roadmap\n\n- [x] Add a new field to the `Settings` panel that allows users to set the `maxTokens` limit for requests, thereby limiting the request size. 
\u003c- Exclusive to the [Pro edition of BurpGPT](https://burpgpt.app).\n- [x] Add support for connecting to a local instance of the `AI model`, allowing users to run and interact with the model on their local machines, potentially improving response times and **data privacy**. \u003c- Exclusive to the [Pro edition of BurpGPT](https://burpgpt.app).\n- [ ] Retrieve the precise `maxTokens` value for each `model` to transmit the maximum allowable data and obtain the most extensive `GPT` response possible.\n- [x] Implement persistent configuration storage to preserve settings across `Burp Suite` restarts. \u003c- Exclusive to the [Pro edition of BurpGPT](https://burpgpt.app).\n- [x] Enhance the code for accurate parsing of `GPT` responses into the `Vulnerability model` for improved reporting. \u003c- Exclusive to the [Pro edition of BurpGPT](https://burpgpt.app).\n\n## Project Information\n\nThe extension is currently under development and we welcome feedback, comments, and contributions to make it even better.\n\n## Sponsor 💖\n\nIf this extension has saved you time and hassle during a security assessment, consider showing some love by sponsoring a cup of coffee ☕ for the developer. It's the fuel that powers development, after all. Just hit that shiny Sponsor button at the top of the page or [click here](https://github.com/sponsors/aress31) to contribute and keep the caffeine flowing. 💸\n\n## Reporting Issues\n\nDid you find a bug? Well, don't just let it crawl around! Let's squash it together like a couple of bug whisperers! 🐛💪\n\nPlease report any issues on the [GitHub issues tracker](https://github.com/aress31/burpgpt/issues). Together, we'll make this extension as reliable as a cockroach surviving a nuclear apocalypse! 🚀\n\n## Contributing\n\nLooking to make a splash with your mad coding skills? 💻\n\nAwesome! Contributions are welcome and greatly appreciated. Please submit all PRs on the [GitHub pull requests tracker](https://github.com/aress31/burpgpt/pulls). 
Together we can make this extension even more amazing! 🚀\n\n## License\n\nSee [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faress31%2Fburpgpt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faress31%2Fburpgpt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faress31%2Fburpgpt/lists"}