burpai
Health Warn
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Pass
- Code scan — Scanned 3 files during light audit, no dangerous patterns found
Permissions Pass
- Permissions — No dangerous permissions requested
No AI report is available for this listing yet.
Autonomous AI penetration testing agent for Burp Suite. Agentic pentesting with local/cloud LLMs (Ollama, Gemini, DeepSeek, OpenRouter) via Montoya API.
# burpai — Autonomous AI Pentest Agent for Burp Suite
A Burp Suite extension built on the Montoya API that embeds an autonomous AI penetration testing agent directly into Burp. All HTTP traffic flows through Burp's engine — every request the agent fires is visible in the HTTP history, and you can inspect it in Burp's native editors in real time.
Features at a Glance
| Feature | Description |
|---|---|
| AI Pentester | Autonomous agentic loop — probes targets, fires requests through Burp, confirms and reports vulnerabilities |
| 11 agent tools | HTTP requests, crawling, fuzzing, extraction, decoding, variable interpolation, site-map querying, reporting, run control |
| Multi-provider LLM | Ollama (local), Google Gemini, Anthropic Claude, DeepSeek, OpenAI, and OpenRouter |
| Focused task mode | "Find SSRF" tests only SSRF — 19 vulnerability classes auto-detected from your prompt |
| Timing-based detection | fuzz_parameter tracks response latency per payload — catches blind SSRF and blind CMDi |
| Integrated Token Map | Intelligent detection of JWT, UUID, API keys, and CSRF tokens across headers and cookies with automatic mirror detection |
| CSV Export | Export agent findings and HTTP history directly to CSV for external reporting |
| HTML reports | Structured findings report saved to ~/burpai_logs/ |
| Burp native reporting | Confirmed findings posted directly to the Burp Dashboard Issues pane — severity, confidence, PoC and evidence requests included |
| AI Personas | Task-focused personas (Auth, SSRF, Injection, etc.) sharpen the agent's strategy from iteration one |
| Vector memory | Per-target memory persists WAF info, endpoints, parameters and vuln history across runs |
| Repeater Copilot | AI suggestion panel embedded in every Repeater tab |


Requirements
- Burp Suite Community or Pro — 2023.x or newer
- Java 17+ — only required if building from source; the prebuilt JAR runs on Burp's bundled JRE (no separate Java install needed)
- LLM backend — one of:
- Ollama running locally (free, offline)
- Google Gemini API key (aistudio.google.com)
- Anthropic API key (console.anthropic.com)
- DeepSeek API key (platform.deepseek.com)
- OpenAI API key (platform.openai.com)
- OpenRouter API key (openrouter.ai)
Quick Start
Option A — Prebuilt JAR (recommended)
- Download the latest
burp-ai-pentester-*.jarfrom Releases - In Burp: Extensions → Installed → Add
Extension type:Java
Path: the downloaded.jar - The AI Pentester tab appears — configure and go
No Java installation required. Burp Suite ships its own JRE.
Option B — Build from source
.\gradlew.bat jar
Output: dist/burp-ai-pentester-*.jar
OneDrive users: If Gradle hangs on cache files, add
--no-build-cache --no-daemon
Then load dist/burp-ai-pentester-*.jar via Extensions → Installed → Add.
Set up your LLM
Ollama (local)
ollama serve
ollama pull glm-5:cloud # fast, reliable tool-calling
Cloud Providers
- Gemini: Get a free key at aistudio.google.com.
- Anthropic: Get an API key at console.anthropic.com.
- DeepSeek: Get an API key at platform.deepseek.com.
- OpenAI: Get an API key at platform.openai.com.
- OpenRouter: Get an API key at openrouter.ai.
Run the agent
- Open the AI Pentester tab in Burp
- Set Provider, Ollama URL / Gemini API key, and Model
- Enter a Target Base URL and a task prompt (e.g.
Find SSRF) - Optionally right-click any request in Burp → Send to AI Pentester to give the agent a starting request
- Click Start Agent
LLM Providers
Ollama (local)
Set Ollama URL to http://localhost:11434. Models with strong tool-calling give the best results:
| Model | Notes |
|---|---|
glm-5:cloud |
Fast, reliable — recommended default |
kimi-k2.5:cloud |
Strong reasoning |
minimax-m2.5:cloud |
General purpose |
deepseek-r1:32b |
Great reasoning model, high VRAM (~20 GB) |
The agent automatically falls back to text-mode tool parsing if the model returns HTTP 500 on the tool-calling endpoint — no manual configuration needed.
Gemini (Google)
- Get a free key at aistudio.google.com
- Select Gemini in the Provider dropdown
- Enter your API key
- Choose a model:
| Model | Notes |
|---|---|
gemini-3-flash-preview |
Latest Gemini 3 flash — recommended |
gemini-2.5-flash-preview |
Next-gen flash, strong reasoning |
gemini-2.0-flash |
Fast, cost-efficient |
gemini-1.5-pro |
Most capable Gemini 1.5 |
Anthropic Claude
- Get an API key at console.anthropic.com
- Select Anthropic in the Provider dropdown
- Enter your API key
- Choose a model:
| Model | Notes |
|---|---|
claude-sonnet-4-20250514 |
Latest Sonnet — recommended |
claude-opus-4-20250514 |
Most capable Claude model |
Agent Tools
The agent picks the right tool for each step, guided by the system prompt in src/main/resources/burp-ai-agent-prompt.md.
| Tool | When it is used |
|---|---|
execute_http_request |
Every HTTP request — GET, POST, custom headers and body, all routed through Burp |
spider_links |
Called immediately after any baseline request — extracts links, form actions, script URLs, JS API calls, and form_inputs (input field names) |
extract_from_response |
Regex-extract a value from a stored response and save it as {{variable}} (CSRF tokens, nonces, session IDs) |
set_variable / get_variable |
Manually store and retrieve named values across iterations |
fuzz_parameter |
Batch-test one parameter with a payload list. Locations: query, body, json_body, header, path. Reports status, body length, and response timing per payload |
decode_encode |
Local decode/encode without an HTTP round-trip: jwt_decode, base64_decode/encode, url_decode/encode, hex_decode/encode, html_decode/encode |
search_in_response |
Regex search a stored response body with configurable context lines |
get_sitemap |
Query Burp's site map and proxy history for a base URL — returns all seen paths and methods without making new requests |
finish_run |
Signal the agent loop to stop and emit a structured summary of findings, notes, and next actions |
report_vulnerability |
Submit a confirmed finding: severity, location, description, PoC, impact, remediation, evidence request IDs |
Variable interpolation
Use {{var_name}} in any URL or request body to inject a stored variable:
url: https://example.com/profile/{{user_id}}
body: csrf={{csrf_token}}&action=delete
Focused Task Mode
When your prompt names a specific vulnerability, the agent tests only that class and stops when done.
Supported vulnerability types (auto-detected from prompt):
| Prompt keywords | Vulnerability |
|---|---|
ssrf, server-side request |
SSRF — full surface discovery, fuzz all URL-accepting parameters |
sqli, sql injection |
SQL Injection — error, boolean-blind, time-blind, UNION-based |
xss, cross-site scripting |
XSS — reflected, stored, context-aware payloads |
rce, command injection |
Command Injection / RCE — separators, blind timing |
xxe, xml external |
XXE — entity injection, PHP wrappers, SVG |
idor, access control |
IDOR / Broken Access Control — ID tampering, privilege fields |
jwt |
JWT — alg:none, algorithm confusion, weak secret |
ssti, template injection |
SSTI — detection payloads, engine fingerprinting, RCE |
nosql, mongodb |
NoSQL Injection — MongoDB operators, timing |
cors, cross-origin |
CORS — wildcard, null origin, subdomain bypass |
csrf |
CSRF — token removal, SameSite check |
path traversal, lfi |
Path Traversal / LFI — ../, encoding variants, null byte |
file upload |
Unrestricted File Upload — extension/MIME bypass, shell upload |
open redirect |
Open Redirect — query param, protocol bypass |
graphql |
GraphQL — introspection, injection, IDOR |
deserialization |
Insecure Deserialization — Java RO, PHP, JSON type confusion |
race condition |
Race Condition — parallel identical requests |
mass assignment |
Mass Assignment — extra body fields |
llm, prompt injection, ai inject, jailbreak, system prompt |
LLM / Prompt Injection — direct injection, system prompt leakage, indirect injection, data exfiltration |
Off-target findings
In focused mode, if the agent notices a different potential vulnerability while testing (e.g. a SQL error while looking for SSRF), it does not investigate it — but notes it in the final message:
ADDITIONAL NOTES FOR FURTHER TESTING:
- /post/<id> — single quote caused SQLite error, likely SQL Injection
- /console — Werkzeug debugger exposed at this path
Timing-Based Detection
fuzz_parameter records duration_ms for every payload. A result is flagged timing_anomaly if:
- Response took > 3 seconds (absolute), or
- Response took > 3× the baseline request duration
This catches blind SSRF and blind command injection where the server reaches out internally but returns a generic response body.
Reports
Click Generate Report after a run. A styled HTML report is saved to ~/burpai_logs/report_<timestamp>.html:
- Summary table (name, severity, location)
- Full detail per finding (description, impact, PoC, remediation, evidence request IDs)

All agent output is also written to ~/burpai_logs/agent_<timestamp>.log — every iteration, tool call result, and vulnerability report — for offline review and evidence archiving.
Configuration
config/burp_ai_config.json — loaded at startup, all fields also editable in the UI:
{
"llm_provider": "ollama",
"ollama_base_url": "http://localhost:11434",
"ollama_model": "glm-5:cloud",
"gemini_api_key": "",
"gemini_model": "gemini-3-flash-preview",
"anthropic_api_key": "",
"target_base_url": "https://example.com/",
"log_enabled": true,
"max_iterations": 20
}
Persona and vector memory are configured in the UI, not in this file.
Persona: dropdown in the AI Pentester tab. Vector memory is automatic — no configuration needed.
System Prompt
The agent's full methodology is in src/main/resources/burp-ai-agent-prompt.md — a human-readable Markdown file bundled in the JAR. Edit it to customise attack strategies, add new vulnerability classes, or adjust tool usage rules without recompiling.
Feature: Repeater Copilot
An AI assistant embedded inside every Repeater tab — as an AI Copilot tab alongside Raw / Pretty / Hex.
Workflow:
- Send any request in Repeater — the copilot auto-triggers on each response
- The AI Copilot tab shows reasoning and a suggested next test request
- The suggestion is ready in the editor with all original auth headers preserved
- Click Approve → then Burp's Send to fire it
- Use Analyze Again for a fresh suggestion, or Reject to discard
Repo Layout
src/main/java/com/burpai/aipentester/
Extension.java — Montoya entrypoint; registers AgentTab and RepeaterCopilotEditor
agent/
AgentEngine.java — Thin facade wiring all agent services; public API consumed by AgentTab
AgentLoop.java — Orchestrates the agentic iteration loop (per-iteration LLM call + tool dispatch)
AgentStateSnapshot.java — Builds compact structured signals injected into each iteration's LLM prompt
AgentUtils.java — Pure static utilities shared across agent services
AgentLogger.java — Centralised logging to UI callback and timestamped log file
MemoryManager.java — Thread-safe per-run state (responseBodyStore, sessionVars, vulnStore, AttackGraph)
TargetMemoryStore.java — Persistent cross-session target memory (endpoints, params, WAF flags, vuln history)
clients/
OllamaClient.java — Ollama HTTP client with automatic text-mode fallback
GeminiClient.java — Gemini REST API client
DeepSeekClient.java — DeepSeek platform API client; supports deepseek-chat and deepseek-reasoner (R1/CoT)
OpenRouterClient.java — OpenRouter OpenAI-compatible client with automatic text-mode fallback
ClaudeClient.java — Anthropic Claude direct REST API client
OpenAIClient.java — OpenAI direct REST API client
llm/
LlmClient.java — LLM client interface (ConnResult, ToolCall, ChatResult)
LlmGateway.java — LLM client creation, system-prompt loading, persona overlays, tool schema
model/
AttackGraph.java — Deterministic graph of endpoints, parameters, tested payload types, extracted variables
EndpointNode.java — Single node in the attack graph
ReportService.java — Generates the HTML vulnerability report
VulnClass.java — String constants for vulnerability class names
tools/
ToolExecutor.java — Executes all 11 tool calls (HTTP, fuzz, spider, decode, sitemap, report, etc.)
CollaboratorManager.java — Manages Burp Collaborator OAST session; OOB payload generation and interaction polling
Imported.java — Immutable model of a request imported via Burp context menu
ToolResult.java — Tool call result model; serialises to JSON for LLM consumption
ui/
AgentTab.java — AI Pentester tab UI (provider selector, request log, editors)
RepeaterCopilot.java — Per-tab AI analysis engine (Repeater Copilot)
RepeaterCopilotEditor.java — ExtensionProvidedHttpRequestEditor implementation
src/main/resources/
burp-ai-agent-prompt.md — Agent system prompt (edit to customise without recompiling)
config/
burp_ai_config.json — Startup defaults (provider, model, target URL, API key)
Responsible Use
- Use only against systems you own or have explicit written permission to test
- Do not commit real API keys, session tokens, cookies, or target-specific data to this repository
- The agent can send many requests quickly — respect rate limits and applicable laws
License
This project is licensed under the MIT License.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found