burpgpt  by aress31

Burp Suite extension for AI-powered vulnerability scanning

created 2 years ago
2,167 stars

Top 21.2% on sourcepulse

Project Summary

BurpGPT is a Burp Suite extension that leverages OpenAI's GPT models to perform advanced passive security scanning. It targets security professionals and researchers by enabling highly customized vulnerability detection through user-defined prompts and analysis of web traffic, aiming to uncover bespoke issues missed by traditional scanners.

How It Works

BurpGPT integrates with Burp Suite's passive scanner, sending HTTP requests and responses to a selected OpenAI GPT model. Users can define custom prompts using placeholders for request/response details, allowing for tailored analysis. The extension manages token limits and displays findings within the Burp UI, generating an automated report. This approach allows for flexible, AI-driven vulnerability discovery beyond signature-based methods.

Quick Start & Requirements

  • Installation: Clone the repository, build the shadowJar using Gradle (./gradlew shadowJar), and load the resulting JAR file into Burp Suite via the Extensions tab.
  • Prerequisites: Java Development Kit (JDK) 11+, Burp Suite Professional or Community Edition 2023.3.2+, Gradle 6.9+. Ensure JAVA_HOME is set.
  • Configuration: Requires an OpenAI API key, model selection, and max prompt size configuration within Burp Suite's settings.
  • Documentation: Example Use Cases

Highlighted Details

  • Adds a passive scan check for AI-driven analysis.
  • Supports multiple OpenAI models and custom prompt engineering.
  • Integrates with Burp Suite's UI and writes diagnostics to the Event Log for troubleshooting.
  • Offers granular control over token usage and prompt length.

Maintenance & Community

The project welcomes contributions and feedback via GitHub issues and pull requests. Sponsorship is encouraged to support development.

Licensing & Compatibility

The project license is available in the LICENSE file. Compatibility for commercial use or closed-source linking is not explicitly detailed but depends on the underlying OpenAI API terms and the chosen license.

Limitations & Caveats

The community edition of the extension is no longer maintained; users are encouraged to upgrade to the Pro version. The extension sends intercepted request and response data to OpenAI, which raises privacy and data-handling concerns when testing sensitive applications. Findings require manual triage because of potential false positives, and effectiveness depends heavily on prompt quality.

Health Check

  • Last commit: 1 year ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 51 stars in the last 90 days
