{"id":47663403,"url":"https://github.com/secretsifter/secretsifter-burp","last_synced_at":"2026-04-02T11:45:50.378Z","repository":{"id":346480941,"uuid":"1190168031","full_name":"secretsifter/secretsifter-burp","owner":"secretsifter","description":"Burp Suite extension — passively detects secrets, API keys, credentials, JWTs \u0026 PII in HTTP traffic. 160+ detection rules, bulk scan, entropy analysis, HTML reports \u0026 more.","archived":false,"fork":false,"pushed_at":"2026-03-24T19:02:43.000Z","size":3641,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-25T03:42:48.145Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secretsifter.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-24T02:58:54.000Z","updated_at":"2026-03-24T19:02:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/secretsifter/secretsifter-burp","commit_stats":null,"previous_names":["secretsifter/secretsifter-burp"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/secretsifter/secretsifter-burp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsifter%2Fsecretsifter-burp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsifter%2Fsecretsifter-burp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsifter%2Fsecretsifter-burp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsifter%2Fsecretsifter-burp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secretsifter","download_url":"https://codeload.github.com/secretsifter/secretsifter-burp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsifter%2Fsecretsifter-burp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31305809,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T09:48:21.550Z","status":"ssl_error","status_checked_at":"2026-04-02T09:48:19.196Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-02T11:45:47.813Z","updated_at":"2026-04-02T11:45:50.363Z","avatar_url":"https://github.com/secretsifter.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SecretSifter — Burp Suite Extension\n\nA passive and active secret-detection extension for Burp Suite (Montoya API).\nDetects exposed API keys, credentials, PII, JWTs, and connection strings in HTTP traffic.\n\n\u003e **Community Edition note:** Passive scan check registration requires Burp Suite Professional.\n\u003e All other features (Bulk Scan, right-click rescan, sitemap sweep, proxy handler) work in\n\u003e Community Edition. Findings will appear in the Bulk Scan panel and via the context menu\n\u003e rather than in Dashboard → Issue Activity.\n\n---\n\n## Screenshots\n\n| Dashboard — Issue Activity | Bulk Scan tab with live results |\n|---|---|\n| ![Dashboard Issues](store-metadata/screenshots/01_dashboard_issues.png) | ![Bulk Scan Results](store-metadata/screenshots/02_bulk_scan_results.png) |\n\n| HTML Report | Settings Tab |\n|---|---|\n| ![HTML Report](store-metadata/screenshots/03_html_report.png) | ![Settings Tab](store-metadata/screenshots/04_settings_tab.png) |\n\n| Right-click Rescan |\n|---|\n| ![Context Menu Rescan](store-metadata/screenshots/05_context_menu_rescan.png) |\n\n---\n\n## Features\n\n| Feature | Detail |\n|---|---|\n| **Passive scanning** | Fires on every proxied response automatically; also sweeps existing sitemap on load |\n| **100+ anchored token rules** | GitHub, GitLab, AWS, Stripe, OpenAI, Slack, Shopify, Azure, GCP, Docker Hub, Clerk, and more |\n| **40+ context-gated rules** | Algolia, Cloudflare, Zendesk, Heroku, Datadog, Salesforce, Mistral, Cohere, Auth0, Supabase, and more |\n| **Request header scanning** | Detects credentials in custom headers (e.g. `App_key`, `Resource`, `Ocp-Apim-Subscription-Key`) |\n| **Generic KV \u0026 high-entropy scanner** | Catches unlisted keys using keyword + entropy heuristics |\n| **PII detection** | SSN, credit card numbers (Luhn-validated), credential-bearing URLs |\n| **Bulk Scan tab** | Paste/import URL lists; follows `\u003cscript src\u003e`, webpack chunks; 1–50 concurrent threads |\n| **HAR import** | Scan responses from a `.har` file directly — no live fetch needed (useful for auth-walled or offline targets) |\n| **Headless Browse** | Optionally launch Chrome/Chromium headless through Burp proxy to capture dynamic XHR/Fetch calls |\n| **Scope Monitor** | Capture passive proxy findings for watched hosts and route them into the Bulk Scan results table |\n| **HTML reports** | Per-scan all-in-one HTML report; per-domain ZIP (one file per hostname); CSV export |\n| **Scan tiers** | FAST / LIGHT / FULL — trade speed vs. coverage |\n| **Key name blocklist / allowlist** | Suppress FP-prone key patterns or force-report specific key names regardless of entropy |\n| **FP mitigations** | CDN blocklist, 60+ noise key filter, Angular/Vue directive filter, JWT suppression, UUID rejection |\n\n---\n\n## Requirements\n\n| Component | Version |\n|---|---|\n| Burp Suite Professional | 2024.7+ (Montoya API) |\n| Burp Suite Community | 2024.7+ (Bulk Scan, rescan, and proxy handler work; passive scan check skipped) |\n| Java | 17+ (bundled with Burp) |\n| OS | macOS (Intel / Apple Silicon), Windows (x64), or Linux |\n\n---\n\n## Installation\n\n### 1. Download the JAR\n\nDownload `secretsifter-1.0.0.jar` from the Releases page, or build it yourself (see below).\n\n### 2. Load into Burp\n\n1. Open Burp Suite → **Extensions** tab → **Installed** → **Add**\n2. Set **Extension type**: Java\n3. Browse to `secretsifter-1.0.0.jar`\n4. Click **Next** — the extension loads and a **Secret Sifter** tab appears in the main tab bar\n\n---\n\n## Usage\n\n### Passive Scanning (automatic)\n\nOnce loaded, the extension scans every response passing through the Burp proxy. Findings appear in:\n- **Dashboard → Issue Activity** (as Burp AuditIssues — Pro only)\n- The **Secret Sifter → Bulk Scan** results table (all editions)\n\nOn load, the extension also sweeps all responses already recorded in **Target → Site map** so that\nfindings appear immediately — even for traffic captured before the extension was installed.\n\nNo configuration required.\n\n### Right-click Rescan\n\nIn **Proxy → HTTP History** or **Repeater**, right-click any request → **Rescan for Secrets**.\nExpands to all site-map entries for the selected host(s). Optionally save an HTML report after the scan.\n\n### Bulk Scan Tab\n\n1. Navigate to **Secret Sifter → Bulk Scan**\n2. Paste one URL per line into the URL box (or import a `.txt` / `.csv` file, or import a `.har` file)\n3. Choose scan tier and thread count\n4. Click **▶ Start Scan**\n5. Results populate the table in real time\n6. Export as **CSV**, **HTML Report**, or **HTML Report (per domain)**\n\n**Bulk Scan options:**\n\n| Option | Description |\n|---|---|\n| Tier | FAST (anchored tokens only) / LIGHT (+ entropy) / FULL (+ PII, KV, SSR blobs) |\n| Threads | 1–50 concurrent URL workers (default 25) |\n| Follow script-src | Fetch and scan `\u003cscript src\u003e` URLs found in HTML responses |\n| Follow webpack chunks | Follow chunk references inside JS bundles (depth 1) |\n| Scope Monitor | Capture passive-scan findings from Burp proxy traffic for watched hosts |\n| Cross-origin APIs | Capture XHR/Fetch calls fired from a watched host to other domains |\n| Headless Browse | Launch Chrome/Chromium headless through Burp proxy to capture dynamic JS API calls |\n| Scan Site Map | Scan all JS/HTML responses already captured in Burp's site map |\n\n### Settings Tab\n\n| Setting | Description |\n|---|---|\n| Scan Tier | FAST / LIGHT / FULL |\n| Entropy Threshold | Minimum Shannon entropy for high-entropy scanner (default: 3.5 bits/char) |\n| PII Detection | Enable/disable SSN and credit card scanning |\n| Scan request headers | Scan custom request headers (e.g. `App_key`, `Resource`) for credentials |\n| CDN Blocklist | Hostnames to skip (one per line; pre-populated with common CDN/analytics domains) |\n| Key Name Blocklist | Substring patterns — matching key names are suppressed (e.g. `STATE_KEY_`, `NEXT_PUBLIC_`) |\n| Key Name Allowlist | Substring patterns — matching key names are always reported regardless of entropy |\n\n---\n\n## Scan Tiers\n\n| Tier | Rules Active | Use When |\n|---|---|---|\n| **FAST** | 100+ anchored vendor tokens | Quick recon, large site maps |\n| **LIGHT** | + High-entropy scanner + 40+ context-gated rules + DB strings | Standard pentest |\n| **FULL** | + PII (SSN, CC) + Generic KV + SSR state blobs + JSON walker + getter functions | Deep audit, bug bounty |\n\n---\n\n## Building from Source\n\n### Prerequisites\n\n- Java 17+\n- Gradle 8+ (or use `./gradlew`)\n\n### Build\n\n```bash\ngit clone https://github.com/secretsifter/secretsifter-burp\ncd secretsifter-burp\n./gradlew shadowJar\n```\n\nOutput: `build/libs/secretsifter-1.0.0.jar` (~430 KB)\n\n### Run tests\n\n```bash\n./gradlew test\n```\n\nTest report: `build/reports/tests/test/index.html`\n\n---\n\n## Severity Levels\n\n| Level | Meaning |\n|---|---|\n| **HIGH** | Confirmed active credentials — rotate immediately |\n| **MEDIUM** | Tokens that confirm a live service integration |\n| **LOW** | Identifiers or keys with limited standalone risk |\n| **INFORMATION** | Structural or schema-level findings |\n\n---\n\n## False Positive Reduction\n\nThe extension includes built-in noise filtering, entropy thresholds, CDN domain skipping, and structural validation (Luhn, SSN format checks) to keep results actionable.\nUser-configurable key name blocklist and allowlist are available in the Settings tab.\n\n---\n\n## Troubleshooting\n\n### Extension does not load\n- Verify Burp Suite version is 2024.7 or later\n- Check the **Extensions → Output** tab for error messages\n- Confirm you are loading the **shadow JAR** (`secretsifter-1.0.0.jar`), not the plain compile output\n\n### No findings appear for a known secret\n- Check **Settings → Scan Tier** — switch to FULL for maximum coverage\n- Verify the response is flowing through Burp's proxy (not directly)\n- For JS-heavy SPAs: use **Bulk Scan** with **Follow script-src** and **Follow webpack chunks** enabled,\n  or browse the target through Burp Browser first then use **Scan Site Map**\n- For secrets in request headers (e.g. `App_key`): confirm **Scan request headers** is enabled in Settings\n\n### Burp slows down during passive scan\n- Switch Scan Tier to **FAST** in Settings\n- Expand the CDN blocklist to skip high-volume analytics traffic\n- Disable PII scanning if not needed (Settings → PII Detection → Off)\n\n### Headless Browse does nothing / Chrome not found\n- Ensure Google Chrome or Chromium is installed and on `PATH`\n- On macOS: `/Applications/Google Chrome.app` is detected automatically\n- Check the **Extensions → Output** tab for `[Headless] Chrome/Chromium not found` messages\n- The feature routes all traffic through Burp proxy — ensure Burp is listening on the configured port\n\n\u003e **Security note:** Headless Browse is opt-in and requires explicit user consent on first use.\n\u003e All traffic is routed exclusively through Burp's local proxy — no data leaves your machine.\n\u003e Each scan uses an isolated Chrome profile (`--user-data-dir` in system temp) that is discarded after the scan.\n\n### Findings in Bulk Scan table but not in Dashboard\n- Dashboard → Issue Activity requires Burp Suite **Professional**\n- In Community Edition, all findings are available in the Bulk Scan table and HTML/CSV export\n\n---\n\n## Credits\n\nVendor token format specifications are publicly documented by their respective service providers.\nSee [NOTICE](NOTICE) for details.\n\n---\n\n## License\n\nMIT License — free to use, modify, and distribute. See [LICENSE](LICENSE) for full terms.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretsifter%2Fsecretsifter-burp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecretsifter%2Fsecretsifter-burp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretsifter%2Fsecretsifter-burp/lists"}