A Burp Suite extension built on the Montoya API that embeds an autonomous AI penetration testing agent directly into Burp. All HTTP traffic flows through Burp's engine — every request the agent fires is visible in the HTTP history, and you can inspect it in Burp's native editors in real time.
| Feature | Description |
|---|---|
| AI Pentester | Autonomous agentic loop — probes targets, fires requests through Burp, confirms and reports vulnerabilities |
| 11 agent tools | HTTP requests, crawling, fuzzing, extraction, decoding, variable interpolation, site-map querying, reporting, run control |
| Multi-provider LLM | Ollama (local), Google Gemini, Anthropic Claude, DeepSeek, OpenAI, and OpenRouter |
| Focused task mode | "Find SSRF" tests only SSRF — 19 vulnerability classes auto-detected from your prompt |
| Timing-based detection | fuzz_parameter tracks response latency per payload — catches blind SSRF and blind CMDi |
| Integrated Token Map | Intelligent detection of JWT, UUID, API keys, and CSRF tokens across headers and cookies with automatic mirror detection |
| CSV Export | Export agent findings and HTTP history directly to CSV for external reporting |
| HTML reports | Structured findings report saved to ~/burpai_logs/ |
| Burp native reporting | Confirmed findings posted directly to the Burp Dashboard Issues pane — severity, confidence, PoC and evidence requests included |
| AI Personas | Task-focused personas (Auth, SSRF, Injection, etc.) sharpen the agent's strategy from iteration one |
| Vector memory | Per-target memory persists WAF info, endpoints, parameters and vuln history across runs |
| Repeater Copilot | AI suggestion panel embedded in every Repeater tab |
- Burp Suite Community or Pro — 2023.x or newer
- Java 17+ — only required if building from source; the prebuilt JAR runs on Burp's bundled JRE (no separate Java install needed)
- LLM backend — one of:
- Ollama running locally (free, offline)
- Google Gemini API key (aistudio.google.com)
- Anthropic API key (console.anthropic.com)
- DeepSeek API key (platform.deepseek.com)
- OpenAI API key (platform.openai.com)
- OpenRouter API key (openrouter.ai)
- Download the latest
burp-ai-pentester-*.jarfrom Releases - In Burp: Extensions → Installed → Add
Extension type:Java
Path: the downloaded.jar - The AI Pentester tab appears — configure and go
No Java installation required. Burp Suite ships its own JRE.
.\gradlew.bat jarOutput: dist/burp-ai-pentester-*.jar
OneDrive users: If Gradle hangs on cache files, add
--no-build-cache --no-daemon
Then load dist/burp-ai-pentester-*.jar via Extensions → Installed → Add.
Ollama (local)
ollama serve
ollama pull glm-5:cloud # fast, reliable tool-callingCloud Providers
- Gemini: Get a free key at aistudio.google.com.
- Anthropic: Get an API key at console.anthropic.com.
- DeepSeek: Get an API key at platform.deepseek.com.
- OpenAI: Get an API key at platform.openai.com.
- OpenRouter: Get an API key at openrouter.ai.
- Open the AI Pentester tab in Burp
- Set Provider, Ollama URL / Gemini API key, and Model
- Enter a Target Base URL and a task prompt (e.g.
Find SSRF) - Optionally right-click any request in Burp → Send to AI Pentester to give the agent a starting request
- Click Start Agent
Set Ollama URL to http://localhost:11434. Models with strong tool-calling give the best results:
| Model | Notes |
|---|---|
glm-5:cloud |
Fast, reliable — recommended default |
kimi-k2.5:cloud |
Strong reasoning |
minimax-m2.5:cloud |
General purpose |
deepseek-r1:32b |
Great reasoning model, high VRAM (~20 GB) |
The agent automatically falls back to text-mode tool parsing if the model returns HTTP 500 on the tool-calling endpoint — no manual configuration needed.
- Get a free key at aistudio.google.com
- Select Gemini in the Provider dropdown
- Enter your API key
- Choose a model:
| Model | Notes |
|---|---|
gemini-3-flash-preview |
Latest Gemini 3 flash — recommended |
gemini-2.5-flash-preview |
Next-gen flash, strong reasoning |
gemini-2.0-flash |
Fast, cost-efficient |
gemini-1.5-pro |
Most capable Gemini 1.5 |
- Get an API key at console.anthropic.com
- Select Anthropic in the Provider dropdown
- Enter your API key
- Choose a model:
| Model | Notes |
|---|---|
claude-sonnet-4-20250514 |
Latest Sonnet — recommended |
claude-opus-4-20250514 |
Most capable Claude model |
The agent picks the right tool for each step, guided by the system prompt in src/main/resources/burp-ai-agent-prompt.md.
| Tool | When it is used |
|---|---|
execute_http_request |
Every HTTP request — GET, POST, custom headers and body, all routed through Burp |
spider_links |
Called immediately after any baseline request — extracts links, form actions, script URLs, JS API calls, and form_inputs (input field names) |
extract_from_response |
Regex-extract a value from a stored response and save it as {{variable}} (CSRF tokens, nonces, session IDs) |
set_variable / get_variable |
Manually store and retrieve named values across iterations |
fuzz_parameter |
Batch-test one parameter with a payload list. Locations: query, body, json_body, header, path. Reports status, body length, and response timing per payload |
decode_encode |
Local decode/encode without an HTTP round-trip: jwt_decode, base64_decode/encode, url_decode/encode, hex_decode/encode, html_decode/encode |
search_in_response |
Regex search a stored response body with configurable context lines |
get_sitemap |
Query Burp's site map and proxy history for a base URL — returns all seen paths and methods without making new requests |
finish_run |
Signal the agent loop to stop and emit a structured summary of findings, notes, and next actions |
report_vulnerability |
Submit a confirmed finding: severity, location, description, PoC, impact, remediation, evidence request IDs |
Use {{var_name}} in any URL or request body to inject a stored variable:
url: https://example.com/profile/{{user_id}}
body: csrf={{csrf_token}}&action=delete
When your prompt names a specific vulnerability, the agent tests only that class and stops when done.
Supported vulnerability types (auto-detected from prompt):
| Prompt keywords | Vulnerability |
|---|---|
ssrf, server-side request |
SSRF — full surface discovery, fuzz all URL-accepting parameters |
sqli, sql injection |
SQL Injection — error, boolean-blind, time-blind, UNION-based |
xss, cross-site scripting |
XSS — reflected, stored, context-aware payloads |
rce, command injection |
Command Injection / RCE — separators, blind timing |
xxe, xml external |
XXE — entity injection, PHP wrappers, SVG |
idor, access control |
IDOR / Broken Access Control — ID tampering, privilege fields |
jwt |
JWT — alg:none, algorithm confusion, weak secret |
ssti, template injection |
SSTI — detection payloads, engine fingerprinting, RCE |
nosql, mongodb |
NoSQL Injection — MongoDB operators, timing |
cors, cross-origin |
CORS — wildcard, null origin, subdomain bypass |
csrf |
CSRF — token removal, SameSite check |
path traversal, lfi |
Path Traversal / LFI — ../, encoding variants, null byte |
file upload |
Unrestricted File Upload — extension/MIME bypass, shell upload |
open redirect |
Open Redirect — query param, protocol bypass |
graphql |
GraphQL — introspection, injection, IDOR |
deserialization |
Insecure Deserialization — Java RO, PHP, JSON type confusion |
race condition |
Race Condition — parallel identical requests |
mass assignment |
Mass Assignment — extra body fields |
llm, prompt injection, ai inject, jailbreak, system prompt |
LLM / Prompt Injection — direct injection, system prompt leakage, indirect injection, data exfiltration |
In focused mode, if the agent notices a different potential vulnerability while testing (e.g. a SQL error while looking for SSRF), it does not investigate it — but notes it in the final message:
ADDITIONAL NOTES FOR FURTHER TESTING:
- /post/<id> — single quote caused SQLite error, likely SQL Injection
- /console — Werkzeug debugger exposed at this path
fuzz_parameter records duration_ms for every payload. A result is flagged timing_anomaly if:
- Response took > 3 seconds (absolute), or
- Response took > 3× the baseline request duration
This catches blind SSRF and blind command injection where the server reaches out internally but returns a generic response body.
Click Generate Report after a run. A styled HTML report is saved to ~/burpai_logs/report_<timestamp>.html:
- Summary table (name, severity, location)
- Full detail per finding (description, impact, PoC, remediation, evidence request IDs)
All agent output is also written to ~/burpai_logs/agent_<timestamp>.log — every iteration, tool call result, and vulnerability report — for offline review and evidence archiving.
config/burp_ai_config.json — loaded at startup, all fields also editable in the UI:
{
"llm_provider": "ollama",
"ollama_base_url": "http://localhost:11434",
"ollama_model": "glm-5:cloud",
"gemini_api_key": "",
"gemini_model": "gemini-3-flash-preview",
"anthropic_api_key": "",
"target_base_url": "https://example.com/",
"log_enabled": true,
"max_iterations": 20
}Persona and vector memory are configured in the UI, not in this file. Persona: dropdown in the AI Pentester tab. Vector memory is automatic — no configuration needed.
The agent's full methodology is in src/main/resources/burp-ai-agent-prompt.md — a human-readable Markdown file bundled in the JAR. Edit it to customise attack strategies, add new vulnerability classes, or adjust tool usage rules without recompiling.
An AI assistant embedded inside every Repeater tab — as an AI Copilot tab alongside Raw / Pretty / Hex.
Workflow:
- Send any request in Repeater — the copilot auto-triggers on each response
- The AI Copilot tab shows reasoning and a suggested next test request
- The suggestion is ready in the editor with all original auth headers preserved
- Click Approve → then Burp's Send to fire it
- Use Analyze Again for a fresh suggestion, or Reject to discard
src/main/java/com/burpai/aipentester/
Extension.java — Montoya entrypoint; registers AgentTab and RepeaterCopilotEditor
agent/
AgentEngine.java — Thin facade wiring all agent services; public API consumed by AgentTab
AgentLoop.java — Orchestrates the agentic iteration loop (per-iteration LLM call + tool dispatch)
AgentStateSnapshot.java — Builds compact structured signals injected into each iteration's LLM prompt
AgentUtils.java — Pure static utilities shared across agent services
AgentLogger.java — Centralised logging to UI callback and timestamped log file
MemoryManager.java — Thread-safe per-run state (responseBodyStore, sessionVars, vulnStore, AttackGraph)
TargetMemoryStore.java — Persistent cross-session target memory (endpoints, params, WAF flags, vuln history)
clients/
OllamaClient.java — Ollama HTTP client with automatic text-mode fallback
GeminiClient.java — Gemini REST API client
DeepSeekClient.java — DeepSeek platform API client; supports deepseek-chat and deepseek-reasoner (R1/CoT)
OpenRouterClient.java — OpenRouter OpenAI-compatible client with automatic text-mode fallback
ClaudeClient.java — Anthropic Claude direct REST API client
OpenAIClient.java — OpenAI direct REST API client
llm/
LlmClient.java — LLM client interface (ConnResult, ToolCall, ChatResult)
LlmGateway.java — LLM client creation, system-prompt loading, persona overlays, tool schema
model/
AttackGraph.java — Deterministic graph of endpoints, parameters, tested payload types, extracted variables
EndpointNode.java — Single node in the attack graph
ReportService.java — Generates the HTML vulnerability report
VulnClass.java — String constants for vulnerability class names
tools/
ToolExecutor.java — Executes all 11 tool calls (HTTP, fuzz, spider, decode, sitemap, report, etc.)
CollaboratorManager.java — Manages Burp Collaborator OAST session; OOB payload generation and interaction polling
Imported.java — Immutable model of a request imported via Burp context menu
ToolResult.java — Tool call result model; serialises to JSON for LLM consumption
ui/
AgentTab.java — AI Pentester tab UI (provider selector, request log, editors)
RepeaterCopilot.java — Per-tab AI analysis engine (Repeater Copilot)
RepeaterCopilotEditor.java — ExtensionProvidedHttpRequestEditor implementation
src/main/resources/
burp-ai-agent-prompt.md — Agent system prompt (edit to customise without recompiling)
config/
burp_ai_config.json — Startup defaults (provider, model, target URL, API key)
- Use only against systems you own or have explicit written permission to test
- Do not commit real API keys, session tokens, cookies, or target-specific data to this repository
- The agent can send many requests quickly — respect rate limits and applicable laws
This project is licensed under the MIT License.