+π [Website](https://stalin-143.github.io/BURP-AI/) β’ π [Security](SECURITY.md) β’ π [Issues](https://github.com/Stalin-143/BURP-AI/issues)
---
-## π― Overview
+## What is BurpAI?
-BurpAI seamlessly integrates **multi-model AI analysis** into Burp Suite, providing intelligent vulnerability detection directly in your pentesting workflow. Instantly analyze HTTP requests and get actionable security insights with zero friction.
-
-**Perfect for:** Security Researchers β’ Penetration Testers β’ Bug Bounty Hunters β’ Security Teams
+BurpAI integrates multi-model AI directly into Burp Suite for intelligent vulnerability detection. Analyze HTTP requests in real-time and get actionable security insights instantly.
---
## β¨ Features
-| Feature | Description |
-|---------|-------------|
-| π§ **Multi-Model AI** | 11 AI models with automatic failover (Kimi, DeepSeek, GLM, Qwen, LLaMA, Mistral, etc.) |
-| β‘ **Real-time Analysis** | Background threadingβzero UI lag during analysis |
-| π **Smart Detection** | Priority detection for P1/P2 vulnerabilities (RCE, IDOR, SQLi, Auth bypass) |
-| π **Native Repeater** | Built-in request/response editing with Burp's native editors |
-| π **Request History** | Automatic tracking of 1000+ requests with full context |
-| ποΈ **Easy Configuration** | One-click API key setup, model selection dropdown |
-| π¬ **Interactive Chat** | Custom prompts for targeted security analysis |
-| π **Security First** | HTTPS-only, no telemetry, local-only data storage |
+- **π§ Multi-Model AI** - 11 models with automatic failover
+- **β‘ Real-time Analysis** - Zero UI lag, background threading
+- **π Smart Detection** - RCE, IDOR, SQLi, Auth bypass, XSS, and more
+- **π Native Repeater** - Built-in request/response editing
+- **π Request History** - Tracks 1000+ requests automatically
+- **π¬ Interactive Chat** - Ask custom security questions
---
## π Quick Start
-### 1οΈβ£ Install
```bash
-# In Burp Suite: Extensions β Add β Select burpaai.py
+# 1. Get DigitalOcean AI API key
+# https://cloud.digitalocean.com
+
+# 2. Load in Burp Suite
+# Extensions β Add β Select burpaai.py
+
+# 3. Configure API key in BurpAI tab β Save
+
+# 4. Analyze requests
+# Load any request β Click "Analyze with AI"
```
-### 2οΈβ£ Configure
-- Go to **BurpAI** tab
-- Enter your DigitalOcean AI API key β **Save**
-
-### 3οΈβ£ Analyze
-- Load a request in **Repeater**
-- Click **"Analyze with AI"**
-- Review vulnerability report in chat panel
-
---
## π Requirements
-| Requirement | Details |
-|-------------|---------|
-| **Burp Suite** | Pro or Community Edition (latest) |
-| **API Key** | DigitalOcean AI (free tier available) |
-| **Java** | 8+ (included with Burp) |
-| **Network** | HTTPS outbound to AI API |
+| Item | Details |
+|------|---------|
+| Burp Suite | Pro or Community (latest) |
+| API Key | DigitalOcean AI |
+| Java | 8+ (included with Burp) |
+| Network | HTTPS outbound |
---
-## π§ Supported Models
+## π§ Supported Models
-```
-β Alibaba Qwen 3 (32B)
-β DeepSeek R1 (70B)
-β GLM-5
-β Kimi K2.5
-β LLaMA 3 & 3.3 (8B-70B)
-β Mistral Nemo (2407)
-β NVIDIA Nemotron (120B)
-β OpenAI GPT OSS (20B-120B)
-```
-
-Automatic failover if primary model unavailable.
+- Alibaba Qwen 3 (32B)
+- DeepSeek R1 (70B)
+- GLM-5
+- Kimi K2.5
+- LLaMA 3 & 3.3 (8B-70B)
+- Mistral Nemo (2407)
+- NVIDIA Nemotron (120B)
+- OpenAI GPT OSS (20B-120B)
---
-## π‘οΈ Security & Compliance
+## π‘οΈ Security & Privacy
-β **HTTPS-only** API communication
-β **No telemetry** or tracking
-β **Local-only** data storage
-β **API keys** user-managed
-β **Open-source** for transparency
+β HTTPS-only API calls
+β No telemetry or tracking
+β Local-only data storage
+β User-managed API keys
+β Open-source codebase
-π [Security Policy](SECURITY.md) β’ [Vulnerability Reporting](SECURITY.md#reporting-security-vulnerabilities) β’ [Advisory](SECURITY_ADVISORY.md)
+### Report Security Vulnerabilities
+
+**β οΈ DO NOT** open public issues for security vulnerabilities.
+
+Use [GitHub Security Advisory](https://github.com/Stalin-143/BURP-AI/security/advisories):
+1. Click "Report a vulnerability"
+2. Provide details privately
+3. Maintainers respond within 24-48 hours
---
## π Documentation
-| Document | Purpose |
-|----------|---------|
-| [SECURITY.md](SECURITY.md) | Security policy & best practices |
-| [SECURITY_ADVISORY.md](SECURITY_ADVISORY.md) | Release security assessment |
-| [CHANGELOG.md](CHANGELOG.md) | Version history & fixes |
-| [COLLABORATION.md](COLLABORATION.md) | Contributing guidelines |
-| [DISCLAIMER.md](DISCLAIMER.md) | Legal notices & warranty |
+- [Security Policy](SECURITY.md)
+- [Contributing Guide](COLLABORATION.md)
+- [Changelog](CHANGELOG.md)
+- [License](LICENSE)
+- [Disclaimer](DISCLAIMER.md)
---
-## π Support & Security
+## π₯ Download
-### Report Issues
-- **Bugs & Features**: [GitHub Issues](https://github.com/Stalin-143/BURP-AI/issues)
-- **General Discussion**: [GitHub Discussions](https://github.com/Stalin-143/BURP-AI/discussions)
-
-### π Report Security Vulnerabilities
-**β οΈ DO NOT open public issues for security vulnerabilities**
-
-Instead, use **GitHub Security Advisory**:
-1. Go to [GitHub Security Advisory](https://github.com/Stalin-143/BURP-AI/security/advisories)
-2. Click **"Report a vulnerability"**
-3. Provide detailed information:
- - Vulnerability description
- - Steps to reproduce
- - Potential impact
- - Suggested fix (if applicable)
-4. Submit privately to maintainers
-
-**Or email the maintainers** (See [SECURITY.md](SECURITY.md#reporting-security-vulnerabilities) for contact)
-
-**Thank you for helping keep BurpAI secure!** π
+[Download v1.0](https://github.com/Stalin-143/BURP-AI/releases/tag/v1.0) β’ [GitHub](https://github.com/Stalin-143/BURP-AI) β’ [Issues](https://github.com/Stalin-143/BURP-AI/issues)
---
-## π License
-
-Licensed under **Apache License 2.0** β See [LICENSE](LICENSE) for details.
-
-**Disclaimer**: For authorized security testing only. See [DISCLAIMER.md](DISCLAIMER.md)
-
----
-
-## π₯ Contributors
-
-Special thanks to the security community for feedback and contributions.
-
-**Want to contribute?** See [COLLABORATION.md](COLLABORATION.md)
-
----
-
-
-
-**Built for the modern security toolkit** | [v1.0](https://github.com/Stalin-143/BURP-AI/releases/tag/v1.0) | March 2026
-
-
-
-### Critical (P1) - Automatic Detection
-- **RCE** - Remote code execution, command injection
-- **IDOR** - Insecure direct object reference
-- **SSRF** - Server-side request forgery
-- **SQLi** - SQL injection
-- **Auth Bypass** - Session hijacking, weak auth
-
-### High (P2)
-- XSS, CSRF, XXE, Header Injection
-- Cookie/credential handling flaws
-- Privilege escalation
-
-### Medium & Low
-- Missing security headers
-- CORS misconfiguration
-- Information disclosure
-- Weak configuration
-
----
-
-## AI Models
-
-The extension uses DigitalOcean's inference models and automatically falls back through this chain:
-
-1. alibaba-qwen3-32b
-2. deepseek-r1-distill-llama-70b
-3. glm-5
-4. kimi-k2.5
-5. llama3-8b-instruct
-6. llama3.3-70b-instruct
-7. minimax-m2.5
-8. mistral-nemo-instruct-2407
-9. nvidia-nemotron-3-super-120b
-10. openai-gpt-oss-120b
-11. openai-gpt-oss-20b
-
-If the selected model fails, the next model in the chain is automatically tried.
-
----
-
----
-
-## π§ Setup
-
-**Get API Key**: [DigitalOcean AI](https://cloud.digitalocean.com)
-**Add Extension**: Burp Suite β Extensions β Add β Select `burpaai.py`
-**Configure**: Enter API key in BurpAI tab β Save
-**Start**: Analyze requests or enable Auto-Analyze
-
----
-
-## π Found a Vulnerability?
-
-### Security Reporting β οΈ
-
-**Please DO NOT create a public GitHub issue for security vulnerabilities.**
-
-Use one of these secure reporting methods:
-
-#### Method 1: GitHub Security Advisory (Recommended)
-1. Visit: [GitHub Security Advisory - Report](https://github.com/Stalin-143/BURP-AI/security/advisories/new)
-2. Click **"Report a vulnerability"** button
-3. Fill in the form with:
- - **Vulnerability Title**: Brief description
- - **Vulnerability Description**: Detailed explanation
- - **Steps to reproduce**: How to trigger the issue
- - **Impact**: Potential damage/risk
- - **CVSS Score**: If you have one
-4. Submit privately to maintainers
-
-#### Method 2: Private Email
-- See [SECURITY.md](SECURITY.md#reporting-security-vulnerabilities) for maintainer contact
-
-**Response Timeline:**
-- 24-48 hours: Initial acknowledgment
-- 7 days: Targeted fix or timeline provided
-- 30 days: Security patch release
-
-**Your privacy will be respected, and you'll be credited in the fix** π
-
----
-
-## π Example Scenarios
-
-| Scenario | Action |
-|----------|--------|
-| Find SQLi vulnerabilities | Load request β Click "Analyze" β Review results |
-| Custom analysis prompt | Use chat box to ask specific questions |
-| Auto-analyze requests | Enable checkbox β Requests auto-analyzed when captured |
-| Switch AI models | Change dropdown β New model selected immediately |
-
----
-
-## β‘ API Integration
-
-**Endpoint**: `https://inference.do-ai.run/v1/chat/completions`
-**Models**: 11 AI models with automatic failover
-**Response Time**: < 15 seconds per analysis
-**Timeout Handling**: Automatic retry chain
-
----
-
-## π What Others Love
-
-β Zero configuration complexity
-β Instant integration with existing workflow
-β Enterprise-grade AI models
-β No performance impact on Burp
-β Privacy-first architecture
-
----
-
-## π Learn More
-
-Dive into the detailed docs:
-- [Installation & Setup](README.md#-quick-start)
-- [Security Guidelines](SECURITY.md)
-- [Contribution Guide](COLLABORATION.md)
-- [Release Notes](CHANGELOG.md)
-
----
-
-
-
-### Ready to analyze like a pro?
-
-[β Star on GitHub](https://github.com/Stalin-143/BURP-AI) β’ [π’ Report Issue](https://github.com/Stalin-143/BURP-AI/issues) β’ [π¬ Discuss](https://github.com/Stalin-143/BURP-AI/discussions)
-
-Built with β€οΈ for the security community
-
-
+**License:** Apache 2.0 | **Status:** Production Ready | **For authorized security testing only**
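Review bot: The model count no longer matches the model list. The new Features bullet still says `+- **π§ Multi-Model AI** - 11 models with automatic failover`, but the new Supported Models section lists eight entries, and the only place the eleven exact identifiers and their fallback order were documented (`-1. alibaba-qwen3-32b` through `-11. openai-gpt-oss-20b`, with `minimax-m2.5` and the two LLaMA variants) is removed in this hunk. Keep the ordered identifier list, since users troubleshooting a failover need the exact ids and the order in which they are tried; likewise the removed `-**Endpoint**: \`https://inference.do-ai.run/v1/chat/completions\`` is the one line that tells a user what outbound host to allow, and should survive somewhere in the README. Separately, the new Quick Start wraps the whole install procedure in a ```bash fence that contains only comments, so nothing in it is runnable; a numbered list reads better and avoids implying there is a command to copy.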
diff --git a/SECURITY_ADVISORY.md b/SECURITY_ADVISORY.md
index 6628702..1002e5c 100644
--- a/SECURITY_ADVISORY.md
+++ b/SECURITY_ADVISORY.md
@@ -1,253 +1,85 @@
# Security Advisory - BurpAI v1.0
-## Advisory Information
-
**Product:** BurpAI (Burp Suite AI Extension)
**Version:** 1.0
**Release Date:** March 23, 2026
-**Advisory Type:** Initial Release Security Statement
**Status:** ACTIVE
-## Summary
-
-BurpAI v1.0 is released with security best practices implemented. This advisory documents the security posture at release and any known considerations.
-
-## Security Assessment
-
-### Overall Risk Level: LOW
-
-BurpAI v1.0 has been developed with security as a core principle:
-
-β **SECURE:**
-- All API communications use HTTPS with certificate validation
-- No hardcoded credentials or secrets
-- Input validation on all user inputs
-- Error handling to prevent information disclosure
-- No remote code execution capabilities
-- No arbitrary file system access
-- Local-only data storage with user-controlled permissions
-
-β οΈ **REQUIRES ATTENTION:**
-- Chat history stored in plaintext locally (user responsibility)
-- API keys stored in user home directory (requires user discretion)
-- Jython 2.7 has older dependencies (sandboxed by Burp Suite)
-- AI-generated content not validated (user responsibility)
-
-## Known Issues at Release
-
-### No Critical Vulnerabilities Found
-
-Comprehensive review revealed no critical security vulnerabilities in v1.0.
-
-### Recommendations for Users
-
-#### Mandatory
-1. **Secure API Keys**
- - Never share your API configuration file
- - Treat API keys like passwords
- - Use separate keys for development/production
-
-2. **Verify AI Analysis**
- - Do not blindly trust AI-generated recommendations
- - Have security professionals review findings
- - Understand the limitations of AI analysis
-
-3. **Network Security**
- - Only use on trusted networks
- - Don't intercept production traffic through untrusted proxies
- - Ensure Burp Suite is installed on trusted systems
-
-#### Recommended
-4. **Regular Updates**
- - Keep Burp Suite up to date
- - Keep Java runtime updated
- - Monitor for BurpAI updates
-
-5. **Audit Trail**
- - Monitor API usage for suspicious activity
- - Review chat history periodically
- - Check extension logs for errors
-
-6. **Data Hygiene**
- - Clear sensitive chat history when no longer needed
- - Rotate API keys monthly
- - Use unique keys for different environments
-
-## Deployment Considerations
-
-### Safe Deployment Practices
-
-```
-β DO:
-- Deploy on secure, managed systems
-- Use firewall rules to restrict network access
-- Run with principle of least privilege
-- Monitor resource usage (memory, network)
-- Keep audit logs of analysis performed
-
-β DON'T:
-- Deploy on shared/untrusted systems
-- Use in air-gapped networks without isolation
-- Share API keys between users
-- Run with elevated privileges
-- Disable SSL/TLS verification
-```
-
-### Configuration Security
-
-```ini
-# Secure configuration location
-~/.burpaai/config.json
-
-Recommended permissions: 600 (rw-------)
-Owner: Current user
-Group: User's primary group
-```
-
-## API Security
-
-### DigitalOcean (Recommended Provider)
-
-- Established security record
-- SOC 2 Type II certified
-- DDoS protection included
-- Rate limiting enforced
-- TLS 1.2+ required
-
-**Key Management:**
-- Generate API-specific keys (not account keys)
-- Use IP whitelisting if available
-- Monitor key usage in provider dashboard
-- Rotate keys quarterly
-
-### Other Providers
-
-- Alibaba Cloud: Enterprise security features
-- AWS Bedrock: Comprehensive monitoring
-- Google Cloud: Strong data privacy practices
-- OpenAI: Model safety guidelines
-
-**General:** Review each provider's security documentation.
-
-## Incident Response
-
-### If You Suspect a Compromise
-
-1. **Immediate:**
- - Stop using the extension
- - Revoke/rotate API keys
- - Check API usage logs
-
-2. **Investigation:**
- - Review Burp Suite proxy logs
- - Check system logs for unauthorized access
- - Audit what data was accessed
-
-3. **Reporting:**
- - Report to BurpAI team via SECURITY.md process
- - Notify your API provider
- - Report to system administrator
-
-## Security Update Process
-
-### Timeline for Issues
-
-| Severity | Response | Fix | Public Disclosure |
-|----------|----------|-----|-------------------|
-| Critical | 2 hours | 24 hours | 30 days |
-| High | 4 hours | 1 week | 60 days |
-| Medium | 24 hours | 2 weeks | 90 days |
-| Low | 72 hours | 1 month | 6 months |
-
-### Patch Delivery
-
-- Published as new releases on GitHub
-- Announced in CHANGELOG.md
-- Changelog will note security patches
-- Automatic URL check (if implemented)
-
-## Compliance Notes
-
-### Standards Compliance
-
-- OWASP Top 10 Awareness
-- CWE/SANS Top 25 Mitigation
-- Secure Coding Practices
-- Privacy by Design
-
-### NOT Compliant With
-
-- PCI DSS (not a payment processor)
-- HIPAA (not healthcare data)
-- SOC 2 (not audited at this time)
-
-## Testing & Validation
-
-### Security Testing Performed
-
-β Code review for common vulnerabilities
-β Input validation testing
-β HTTPS/TLS verification
-β Jython compatibility testing
-β Error handling verification
-β Memory management review
-
-### Testing NOT Performed
-
-β Formal security audit
-β Penetration testing
-β Fuzzing analysis
-β Cryptographic review
-
-## Future Security Work
-
-### Planned Improvements
-
-- [ ] Formal security audit (Q2 2026)
-- [ ] Encrypted local storage option
-- [ ] Key rotation automation
-- [ ] Advanced threat detection
-- [ ] Security scanning integration
-
-### Community Involvement
-
-- Open source for community security review
-- Bug bounty program (future consideration)
-- Regular security updates
-- Transparent vulnerability handling
-
-## Support & Questions
-
-### For Security Questions
-
-Contact via: See SECURITY.md for vulnerability reporting
-Response Time: 24-48 hours
-
-### For General Questions
-
-Use: GitHub Issues and Discussions
-Community Support: Check README.md
-
-## Acknowledgments
-
-Special thanks to:
-- PortSwigger for Burp Suite API documentation
-- Security community for best practice guidance
-- Contributors and testers
-
-## References
-
-- [OWASP Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
-- [CWE/SANS Top 25](https://cwe.mitre.org/top25/)
-- [CERT Secure Coding](https://www.securecoding.cert.org/)
-- [PortSwigger Security Guide](https://portswigger.net/research)
-
---
-**Advisory ID:** BURPAAI-2026-001
-**Published:** March 23, 2026
-**Version:** 1.0
-**Status:** ACTIVE
-**Next Review:** June 23, 2026
+## Overview
-For the latest information, visit: https://github.com/Stalin-143/BURP-AI
+BurpAI v1.0 is production-ready with no known critical vulnerabilities.
+
+---
+
+## Risk Assessment
+
+**Overall Level: LOW**
+
+**Secure:**
+- β HTTPS-only API communication
+- β No hardcoded secrets
+- β Input validation
+- β Local-only data storage
+- β No RCE or file system access
+
+**User Responsibility:**
+- β οΈ Chat history stored in plaintext (manage yourself)
+- β οΈ API keys in home directory (keep secure)
+- β οΈ AI-generated content (verify independently)
+
+---
+
+## Security Practices
+
+**Mandatory:**
+1. Secure API keys - treat like passwords
+2. Verify AI findings independently
+3. Use on trusted networks only
+
+**Recommended:**
+4. Keep Burp Suite and Java updated
+5. Monitor API usage
+6. Rotate keys monthly
+
+---
+
+## Deployment
+
+- Use secure, managed systems
+- Apply firewall rules
+- Run with least privilege
+- Keep audit logs
+- Monitor resource usage
+
+---
+
+## Known Limitations
+
+- Jython 2.7 uses older dependencies
+- AI analysis depends on model quality
+- API rate limits apply
+- Chat history not encrypted locally
+
+---
+
+## Incident Response
+
+**If compromised:**
+1. Revoke/rotate API keys immediately
+2. Check API usage logs
+3. Report to maintainers
+4. Notify API provider
+
+---
+
+## Security Contacts
+
+See [SECURITY.md](SECURITY.md) for vulnerability reporting and contacts.
+
+---
+
+**Status:** Production Ready β
+**Security Review:** No critical vulnerabilities found
+**Last Updated:** March 23, 2026
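Review bot: This rewrite upgrades the advisory's status to `+**Status:** Production Ready β` while deleting the "Testing NOT Performed" section (`-β Formal security audit`, `-β Penetration testing`, `-β Fuzzing analysis`, cryptographic review); the new line `+**Security Review:** No critical vulnerabilities found` is then stated without the scope that qualified it. Keep the performed/not-performed lists so readers can judge what "no critical vulnerabilities" rests on. The new `+- β οΈ API keys in home directory (keep secure)` also loses its only actionable guidance: the removed Configuration Security block gave the path `~/.burpaai/config.json` and `Recommended permissions: 600 (rw-------)`, which should be retained next to that bullet, along with the removed `-- Disable SSL/TLS verification` DON'T item. Finally, the advisory metadata (`-**Advisory ID:** BURPAAI-2026-001`, `-**Next Review:** June 23, 2026`) and the severity response table are dropped; an advisory without an ID and review date is hard to reference from a changelog or a later advisory, so restore at least those two lines.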
diff --git a/index.html b/index.html
new file mode 100644
index 0000000..9b54b70
--- /dev/null
+++ b/index.html
@@ -0,0 +1,566 @@
+
+
+
+
+
+ BurpAI - AI-Powered Security Analysis
+
+
+
+
+
+
+
+
π€ BURPAI
+
AI-Powered Security Analysis for Burp Suite
+
Version 1.0 β’ Production Ready
+
+
+
+
+
+
+
+
+
+ BurpAI brings the power of multi-model AI to your security testing workflow.
+ Analyze HTTP requests in real-time and identify vulnerabilities with enterprise-grade AI models.
+