Other BURPGPT | A BURP SUITE EXTENSION

[234]

This Extenstion Integrates OpenAI’s GPT To Perform An Additional Passive Scan

MORE ABOUT THIS EXTENSTION
burpgpt leverages the power of AI to detect security vulnerabilities that traditional scanners might miss. It sends web traffic to an OpenAI model specified by the user, enabling sophisticated analysis within the passive scanner. This extension offers customisable prompts that enable tailored web traffic analysis to meet the specific needs of each user. Check out the Example Use Cases 1 section for inspiration. The extension generates an automated security report that summarises potential security issues based on the user’s prompt and real-time data from Burp-issued requests. By leveraging AI and natural language processing, the extension streamlines the security assessment process and provides security professionals with a higher-level overview of the scanned application or endpoint. This enables them to more easily identify potential security issues and prioritise their analysis, while also covering a larger potential attack surface.
 Features

• Adds a 
  Code:

  passive scan check
  , allowing users to submit 
  
  Code:

  HTTP
   data to an 
  
  Code:

  OpenAI
  -controlled 
  
  Code:

  GPT model
   for analysis through a 
  
  Code:

  placeholder
   system.
  
• Leverages the power of 
  Code:

  OpenAI's GPT models
   to conduct comprehensive traffic analysis, enabling detection of various issues beyond just security vulnerabilities in scanned applications.
  
• Enables granular control over the number of 
  Code:

  GPT tokens
   used in the analysis by allowing for precise adjustments of the 
  
  Code:

  maximum prompt length
  .
  
• Offers users multiple 
  Code:

  OpenAI models
   to choose from, allowing them to select the one that best suits their needs.
  
• Empowers users to customise 
  Code:

  prompts
   and unleash limitless possibilities for interacting with 
  
  Code:

  OpenAI models
  .
  
• Integrates with 
  Code:

  Burp Suite
  , providing all native features for pre- and post-processing, including displaying analysis results directly within the Burp UI for efficient analysis.
  
• Provides troubleshooting functionality via the native 
  Code:

  Burp Event Log
  , enabling users to quickly resolve communication issues with the 
  
  Code:

  OpenAI API
  .
  

1. System requirements

• Operating System: Compatible with 
  Code:

  Linux
  , 
  
  Code:

  macOS
  , and 
  
  Code:

  Windows
   operating systems.
  
• Java Development Kit (JDK): 
  Code:

  Version 11
   or later.
  
• Burp Suite Professional or Community Edition: 
  Code:

  Version 2023.3.2
   or later.
  

2. Build tool

• Gradle: 
  Code:

  Version 6.9
   or later (recommended). The build.gradle file is provided in the project repository.
  

3. Environment variables

• Set up the 
  Code:

  JAVA_HOME
   environment variable to point to the 
  
  Code:

  JDK
   installation directory.
  

Please ensure that all system requirements, including a compatible version of 

Code:

Burp Suite

, are met before building and running the project. Note that the project’s external dependencies will be automatically managed and installed by 

Code:

Gradle

 during the build process. Adhering to the requirements will help avoid potential issues and reduce the need for opening new issues in the project repository.UsageTo start using burpgpt, users need to complete the following steps in the Settings panel, which can be accessed from the Burp Suite menu bar:

1. Enter a valid 
   Code:

   OpenAI API key
   .
   
2. Select a 
   Code:

   model
   .
   
3. Define the 
   Code:

   max prompt size
   . This field controls the maximum 
   
   Code:

   prompt
    length sent to 
   
   Code:

   OpenAI
    to avoid exceeding the 
   
   Code:

   maxTokens
    of 
   
   Code:

   GPT
    models (typically around 
   
   Code:

   2048
    for 
   
   Code:

   GPT-3
   ).
   
4. Adjust or create custom prompts according to your requirements.
   

Prompt Configuration 

Code:

burpgpt

 enables users to tailor the 

Code:

prompt

 for traffic analysis using a 

Code:

placeholder

 system. To include relevant information, we recommend using these 

Code:

placeholders

, which the extension handles directly, allowing dynamic insertion of specific values into the 

Code:

prompt

:  

Code:

{REQUEST}

The scanned request.

Code:

{URL}

The URL of the scanned request.

Code:

{METHOD}

The HTTP request method used in the scanned request.

Code:

{REQUEST_HEADERS}

The headers of the scanned request.

Code:

{REQUEST_BODY}

The body of the scanned request.

Code:

{RESPONSE}

The scanned response.

Code:

{RESPONSE_HEADERS}

The headers of the scanned response.

Code:

{RESPONSE_BODY}

The body of the scanned response.

Code:

{IS_TRUNCATED_PROMPT}

A 

Code:

boolean

 value that is programmatically set to 

Code:

true

 or 

Code:

false

 to indicate whether the 

Code:

prompt

 was truncated to the 

Code:

Maximum Prompt Size

 defined in the 

Code:

Settings

.These 

Code:

placeholders

 can be used in the custom 

Code:

prompt

 to dynamically generate a request/response analysis 

Code:

prompt

 that is specific to the scanned request.Example Use CasesThe following list of example use cases showcases the bespoke and highly customisable nature of 

Code:

burpgpt

, which enables users to tailor their web traffic analysis to meet their specific needs.

• Identifying potential vulnerabilities in web applications that use a crypto library affected by a specific CVE:
  

 

Code:

[code]
 
[code]
Analyse the request and response data for potential security vulnerabilities related to the {CRYPTO_LIBRARY_NAME} crypto library affected by CVE-{CVE_NUMBER}: Web Application URL: {URL} Crypto Library Name: {CRYPTO_LIBRARY_NAME} CVE Number: CVE-{CVE_NUMBER} Request Headers: {REQUEST_HEADERS} Response Headers: {RESPONSE_HEADERS} Request Body: {REQUEST_BODY} Response Body: {RESPONSE_BODY} Identify any potential vulnerabilities related to the {CRYPTO_LIBRARY_NAME} crypto library affected by CVE-{CVE_NUMBER} in the request and response data and report them.

 
[/code]
[/code]

• Scanning for vulnerabilities in web applications that use biometric authentication by analysing request and response data related to the authentication process:
  

 

Code:

[code]
 
[code]
Analyse the request and response data for potential security vulnerabilities related to the biometric authentication process: Web Application URL: {URL} Biometric Authentication Request Headers: {REQUEST_HEADERS} Biometric Authentication Response Headers: {RESPONSE_HEADERS} Biometric Authentication Request Body: {REQUEST_BODY} Biometric Authentication Response Body: {RESPONSE_BODY} Identify any potential vulnerabilities related to the biometric authentication process in the request and response data and report them.

 
[/code]
[/code]

• Analysing the request and response data exchanged between serverless functions for potential security vulnerabilities:
  

 

Code:

[code]
 
[code]
Analyse the request and response data exchanged between serverless functions for potential security vulnerabilities: Serverless Function A URL: {URL} Serverless Function B URL: {URL} Serverless Function A Request Headers: {REQUEST_HEADERS} Serverless Function B Response Headers: {RESPONSE_HEADERS} Serverless Function A Request Body: {REQUEST_BODY} Serverless Function B Response Body: {RESPONSE_BODY} Identify any potential vulnerabilities in the data exchanged between the two serverless functions and report them.

 
[/code]
[/code]

• Analysing the request and response data for potential security vulnerabilities specific to a Single-Page Application (SPA) framework:
  

 

Code:

[code]
 
[code]
Analyse the request and response data for potential security vulnerabilities specific to the {SPA_FRAMEWORK_NAME} SPA framework: Web Application URL: {URL} SPA Framework Name: {SPA_FRAMEWORK_NAME} Request Headers: {REQUEST_HEADERS} Response Headers: {RESPONSE_HEADERS} Request Body: {REQUEST_BODY} Response Body: {RESPONSE_BODY} Identify any potential vulnerabilities related to the {SPA_FRAMEWORK_NAME} SPA framework in the request and response data and report them.

[/code]
[/code]
Roadmap

• Add a new field to the 
  Code:

  Settings
   panel that allows users to set the 
  
  Code:

  maxTokens
   limit for requests, thereby limiting the request size. ← Exclusive to the Pro edition of BurpGPT 2.
  
• Add support for connecting to a local instance of the 
  Code:

  AI model
  , allowing users to run and interact with the model on their local machines, potentially improving response times and data privacy. ← Exclusive to the Pro edition of BurpGPT 2.
  
• Retrieve the precise 
  Code:

  maxTokens
   value for each 
  
  Code:

  model
   to transmit the maximum allowable data and obtain the most extensive 
  
  Code:

  GPT
   response possible.
  
• Implement persistent configuration storage to preserve settings across 
  Code:

  Burp Suite
   restarts. ← Exclusive to the Pro edition of BurpGPT 2.
  
• Enhance the code for accurate parsing of 
  Code:

  GPT
   responses into the 
  
  Code:

  Vulnerability model
   for improved reporting. ← Exclusive to the Pro edition of BurpGPT 2.
  

Show ContentSpoiler:

Hidden Content

You must register or login to view this content.

[130]

thanks for sharing

[32]

thank you my good man

[125]

This Extenstion Integrates OpenAI’s GPT To Perform An Additional Passive Scan

MORE ABOUT THIS EXTENSTION
burpgpt leverages the power of AI to detect security vulnerabilities that traditional scanners might miss. It sends web traffic to an OpenAI model specified by the user, enabling sophisticated analysis within the passive scanner. This extension offers customisable prompts that enable tailored web traffic analysis to meet the specific needs of each user. Check out the Example Use Cases 1 section for inspiration. The extension generates an automated security report that summarises potential security issues based on the user’s prompt and real-time data from Burp-issued requests. By leveraging AI and natural language processing, the extension streamlines the security assessment process and provides security professionals with a higher-level overview of the scanned application or endpoint. This enables them to more easily identify potential security issues and prioritise their analysis, while also covering a larger potential attack surface.
 Features

• Adds a 
  Code:

  passive scan check
  , allowing users to submit 
  
  Code:

  HTTP
   data to an 
  
  Code:

  OpenAI
  -controlled 
  
  Code:

  GPT model
   for analysis through a 
  
  Code:

  placeholder
   system.
  
• Leverages the power of 
  Code:

  OpenAI's GPT models
   to conduct comprehensive traffic analysis, enabling detection of various issues beyond just security vulnerabilities in scanned applications.
  
• Enables granular control over the number of 
  Code:

  GPT tokens
   used in the analysis by allowing for precise adjustments of the 
  
  Code:

  maximum prompt length
  .
  
• Offers users multiple 
  Code:

  OpenAI models
   to choose from, allowing them to select the one that best suits their needs.
  
• Empowers users to customise 
  Code:

  prompts
   and unleash limitless possibilities for interacting with 
  
  Code:

  OpenAI models
  .
  
• Integrates with 
  Code:

  Burp Suite
  , providing all native features for pre- and post-processing, including displaying analysis results directly within the Burp UI for efficient analysis.
  
• Provides troubleshooting functionality via the native 
  Code:

  Burp Event Log
  , enabling users to quickly resolve communication issues with the 
  
  Code:

  OpenAI API
  .
  

1. System requirements

• Operating System: Compatible with 
  Code:

  Linux
  , 
  
  Code:

  macOS
  , and 
  
  Code:

  Windows
   operating systems.
  
• Java Development Kit (JDK): 
  Code:

  Version 11
   or later.
  
• Burp Suite Professional or Community Edition: 
  Code:

  Version 2023.3.2
   or later.
  

2. Build tool

• Gradle: 
  Code:

  Version 6.9
   or later (recommended). The build.gradle file is provided in the project repository.
  

3. Environment variables

• Set up the 
  Code:

  JAVA_HOME
   environment variable to point to the 
  
  Code:

  JDK
   installation directory.
  

Please ensure that all system requirements, including a compatible version of 

Code:

Burp Suite

, are met before building and running the project. Note that the project’s external dependencies will be automatically managed and installed by 

Code:

Gradle

 during the build process. Adhering to the requirements will help avoid potential issues and reduce the need for opening new issues in the project repository.UsageTo start using burpgpt, users need to complete the following steps in the Settings panel, which can be accessed from the Burp Suite menu bar:

1. Enter a valid 
   Code:

   OpenAI API key
   .
   
2. Select a 
   Code:

   model
   .
   
3. Define the 
   Code:

   max prompt size
   . This field controls the maximum 
   
   Code:

   prompt
    length sent to 
   
   Code:

   OpenAI
    to avoid exceeding the 
   
   Code:

   maxTokens
    of 
   
   Code:

   GPT
    models (typically around 
   
   Code:

   2048
    for 
   
   Code:

   GPT-3
   ).
   
4. Adjust or create custom prompts according to your requirements.
   

Prompt Configuration 

Code:

burpgpt

 enables users to tailor the 

Code:

prompt

 for traffic analysis using a 

Code:

placeholder

 system. To include relevant information, we recommend using these 

Code:

placeholders

, which the extension handles directly, allowing dynamic insertion of specific values into the 

Code:

prompt

:  

Code:

{REQUEST}

The scanned request.

Code:

{URL}

The URL of the scanned request.

Code:

{METHOD}

The HTTP request method used in the scanned request.

Code:

{REQUEST_HEADERS}

The headers of the scanned request.

Code:

{REQUEST_BODY}

The body of the scanned request.

Code:

{RESPONSE}

The scanned response.

Code:

{RESPONSE_HEADERS}

The headers of the scanned response.

Code:

{RESPONSE_BODY}

The body of the scanned response.

Code:

{IS_TRUNCATED_PROMPT}

A 

Code:

boolean

 value that is programmatically set to 

Code:

true

 or 

Code:

false

 to indicate whether the 

Code:

prompt

 was truncated to the 

Code:

Maximum Prompt Size

 defined in the 

Code:

Settings

.These 

Code:

placeholders

 can be used in the custom 

Code:

prompt

 to dynamically generate a request/response analysis 

Code:

prompt

 that is specific to the scanned request.Example Use CasesThe following list of example use cases showcases the bespoke and highly customisable nature of 

Code:

burpgpt

, which enables users to tailor their web traffic analysis to meet their specific needs.

• Identifying potential vulnerabilities in web applications that use a crypto library affected by a specific CVE:
  

 

Code:

[code]
 
[code]
Analyse the request and response data for potential security vulnerabilities related to the {CRYPTO_LIBRARY_NAME} crypto library affected by CVE-{CVE_NUMBER}: Web Application URL: {URL} Crypto Library Name: {CRYPTO_LIBRARY_NAME} CVE Number: CVE-{CVE_NUMBER} Request Headers: {REQUEST_HEADERS} Response Headers: {RESPONSE_HEADERS} Request Body: {REQUEST_BODY} Response Body: {RESPONSE_BODY} Identify any potential vulnerabilities related to the {CRYPTO_LIBRARY_NAME} crypto library affected by CVE-{CVE_NUMBER} in the request and response data and report them.

 
[/code]
[/code]

• Scanning for vulnerabilities in web applications that use biometric authentication by analysing request and response data related to the authentication process:
  

 

Code:

[code]
 
[code]
Analyse the request and response data for potential security vulnerabilities related to the biometric authentication process: Web Application URL: {URL} Biometric Authentication Request Headers: {REQUEST_HEADERS} Biometric Authentication Response Headers: {RESPONSE_HEADERS} Biometric Authentication Request Body: {REQUEST_BODY} Biometric Authentication Response Body: {RESPONSE_BODY} Identify any potential vulnerabilities related to the biometric authentication process in the request and response data and report them.

 
[/code]
[/code]

• Analysing the request and response data exchanged between serverless functions for potential security vulnerabilities:
  

 

Code:

[code]
 
[code]
Analyse the request and response data exchanged between serverless functions for potential security vulnerabilities: Serverless Function A URL: {URL} Serverless Function B URL: {URL} Serverless Function A Request Headers: {REQUEST_HEADERS} Serverless Function B Response Headers: {RESPONSE_HEADERS} Serverless Function A Request Body: {REQUEST_BODY} Serverless Function B Response Body: {RESPONSE_BODY} Identify any potential vulnerabilities in the data exchanged between the two serverless functions and report them.

 
[/code]
[/code]

• Analysing the request and response data for potential security vulnerabilities specific to a Single-Page Application (SPA) framework:
  

 

Code:

[code]
 
[code]
Analyse the request and response data for potential security vulnerabilities specific to the {SPA_FRAMEWORK_NAME} SPA framework: Web Application URL: {URL} SPA Framework Name: {SPA_FRAMEWORK_NAME} Request Headers: {REQUEST_HEADERS} Response Headers: {RESPONSE_HEADERS} Request Body: {REQUEST_BODY} Response Body: {RESPONSE_BODY} Identify any potential vulnerabilities related to the {SPA_FRAMEWORK_NAME} SPA framework in the request and response data and report them.

[/code]
[/code]
Roadmap

• Add a new field to the 
  Code:

  Settings
   panel that allows users to set the 
  
  Code:

  maxTokens
   limit for requests, thereby limiting the request size. ← Exclusive to the Pro edition of BurpGPT 2.
  
• Add support for connecting to a local instance of the 
  Code:

  AI model
  , allowing users to run and interact with the model on their local machines, potentially improving response times and data privacy. ← Exclusive to the Pro edition of BurpGPT 2.
  
• Retrieve the precise 
  Code:

  maxTokens
   value for each 
  
  Code:

  model
   to transmit the maximum allowable data and obtain the most extensive 
  
  Code:

  GPT
   response possible.
  
• Implement persistent configuration storage to preserve settings across 
  Code:

  Burp Suite
   restarts. ← Exclusive to the Pro edition of BurpGPT 2.
  
• Enhance the code for accurate parsing of 
  Code:

  GPT
   responses into the 
  
  Code:

  Vulnerability model
   for improved reporting. ← Exclusive to the Pro edition of BurpGPT 2.
  

Show ContentSpoiler:

Thanks

[145]

ok

[19]

tnx