0x5t4l1n/BURP-AI
1
0
Fork 0
mirror of https://github.com/th30d4y/BURP-AI.git synced 2026-05-26 11:35:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add retro 70s GitHub Pages website and simplify documentation for v1.0 release

Browse Source 
- Created index.html with vintage 70s aesthetic (professional & unique)
- Simplified README.md from 288 to 60 lines for better readability
- Simplified SECURITY_ADVISORY.md from 253 to 85 lines (removed verbose content)
- Maintained all critical security information
- Ready for GitHub Pages deployment
This commit is contained in:
Stalin-143
2026-03-23 21:19:43 +05:30
parent 3363b66194
commit 1b42ee30bb
3 changed files with 700 additions and 484 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+59 -241
View File
@@ -1,288 +1,106 @@
<div align="center">
# 🤖 BurpAI
**AI-Powered Vulnerability Analysis for Burp Suite**
[![Version](https://img.shields.io/badge/Version-1.0-0052CB?style=flat-square&logo=semantic-release)](https://github.com/Stalin-143/BURP-AI/releases/tag/v1.0)
[![License](https://img.shields.io/badge/License-Apache%202.0-0052CB?style=flat-square)](LICENSE)
[![Python](https://img.shields.io/badge/Python-2.7+-0052CB?style=flat-square&logo=python)](https://www.python.org/)
[![Status](https://img.shields.io/badge/Status-Production%20Ready-00C853?style=flat-square)](SECURITY_ADVISORY.md)
[![v1.0](https://img.shields.io/badge/Version-1.0-blue)](https://github.com/Stalin-143/BURP-AI/releases)
[![Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-green)](LICENSE)
[![Production](https://img.shields.io/badge/Status-Production%20Ready-success)](SECURITY_ADVISORY.md)
[Official Burp Suite](https://portswigger.net/burp) • [Security Policy](SECURITY.md) • [Changelog](CHANGELOG.md) • [Report Issue](https://github.com/Stalin-143/BURP-AI/issues)
</div>
🌐 [Website](https://stalin-143.github.io/BURP-AI/) • 📖 [Security](SECURITY.md) • 🐛 [Issues](https://github.com/Stalin-143/BURP-AI/issues)
---
## 🎯 Overview
## What is BurpAI?
BurpAI seamlessly integrates **multi-model AI analysis** into Burp Suite, providing intelligent vulnerability detection directly in your pentesting workflow. Instantly analyze HTTP requests and get actionable security insights with zero friction.
**Perfect for:** Security Researchers • Penetration Testers • Bug Bounty Hunters • Security Teams
BurpAI integrates multi-model AI directly into Burp Suite for intelligent vulnerability detection. Analyze HTTP requests in real-time and get actionable security insights instantly.
---
## ✨ Features
| Feature | Description |
|---------|-------------|
| 🧠 **Multi-Model AI** | 11 AI models with automatic failover (Kimi, DeepSeek, GLM, Qwen, LLaMA, Mistral, etc.) |
| ⚡ **Real-time Analysis** | Background threading—zero UI lag during analysis |
| 🔍 **Smart Detection** | Priority detection for P1/P2 vulnerabilities (RCE, IDOR, SQLi, Auth bypass) |
| 📋 **Native Repeater** | Built-in request/response editing with Burp's native editors |
| 📊 **Request History** | Automatic tracking of 1000+ requests with full context |
| 🎛️ **Easy Configuration** | One-click API key setup, model selection dropdown |
| 💬 **Interactive Chat** | Custom prompts for targeted security analysis |
| 🔒 **Security First** | HTTPS-only, no telemetry, local-only data storage |
- **🧠 Multi-Model AI** - 11 models with automatic failover
- **⚡ Real-time Analysis** - Zero UI lag, background threading
- **🔍 Smart Detection** - RCE, IDOR, SQLi, Auth bypass, XSS, and more
- **📋 Native Repeater** - Built-in request/response editing
- **📊 Request History** - Tracks 1000+ requests automatically
- **💬 Interactive Chat** - Ask custom security questions
---
## 🚀 Quick Start
### 1️⃣ Install
```bash
# In Burp Suite: Extensions → Add → Select burpaai.py
# 1. Get DigitalOcean AI API key
# https://cloud.digitalocean.com
# 2. Load in Burp Suite
# Extensions → Add → Select burpaai.py
# 3. Configure API key in BurpAI tab → Save
# 4. Analyze requests
# Load any request → Click "Analyze with AI"
```
### 2️⃣ Configure
- Go to **BurpAI** tab
- Enter your DigitalOcean AI API key → **Save**
### 3️⃣ Analyze
- Load a request in **Repeater**
- Click **"Analyze with AI"**
- Review vulnerability report in chat panel
---
## 📋 Requirements
| Requirement | Details |
|-------------|---------|
| **Burp Suite** | Pro or Community Edition (latest) |
| **API Key** | DigitalOcean AI (free tier available) |
| **Java** | 8+ (included with Burp) |
| **Network** | HTTPS outbound to AI API |
| Item | Details |
|------|---------|
| Burp Suite | Pro or Community (latest) |
| API Key | DigitalOcean AI |
| Java | 8+ (included with Burp) |
| Network | HTTPS outbound |
---
## 🔧 Supported Models
## 🧠 Supported Models
```
✅ Alibaba Qwen 3 (32B)
✅ DeepSeek R1 (70B)
✅ GLM-5
✅ Kimi K2.5
✅ LLaMA 3 & 3.3 (8B-70B)
✅ Mistral Nemo (2407)
✅ NVIDIA Nemotron (120B)
✅ OpenAI GPT OSS (20B-120B)
```
Automatic failover if primary model unavailable.
- Alibaba Qwen 3 (32B)
- DeepSeek R1 (70B)
- GLM-5
- Kimi K2.5
- LLaMA 3 & 3.3 (8B-70B)
- Mistral Nemo (2407)
- NVIDIA Nemotron (120B)
- OpenAI GPT OSS (20B-120B)
---
## 🛡️ Security & Compliance
## 🛡️ Security & Privacy
**HTTPS-only** API communication
**No telemetry** or tracking
**Local-only** data storage
**API keys** user-managed
**Open-source** for transparency
✅ HTTPS-only API calls
✅ No telemetry or tracking
✅ Local-only data storage
User-managed API keys
✅ Open-source codebase
👉 [Security Policy](SECURITY.md) • [Vulnerability Reporting](SECURITY.md#reporting-security-vulnerabilities) • [Advisory](SECURITY_ADVISORY.md)
### Report Security Vulnerabilities
**⚠️ DO NOT** open public issues for security vulnerabilities.
Use [GitHub Security Advisory](https://github.com/Stalin-143/BURP-AI/security/advisories):
1. Click "Report a vulnerability"
2. Provide details privately
3. Maintainers respond within 24-48 hours
---
## 📚 Documentation
| Document | Purpose |
|----------|---------|
| [SECURITY.md](SECURITY.md) | Security policy & best practices |
| [SECURITY_ADVISORY.md](SECURITY_ADVISORY.md) | Release security assessment |
| [CHANGELOG.md](CHANGELOG.md) | Version history & fixes |
| [COLLABORATION.md](COLLABORATION.md) | Contributing guidelines |
| [DISCLAIMER.md](DISCLAIMER.md) | Legal notices & warranty |
- [Security Policy](SECURITY.md)
- [Contributing Guide](COLLABORATION.md)
- [Changelog](CHANGELOG.md)
- [License](LICENSE)
- [Disclaimer](DISCLAIMER.md)
---
## 📞 Support & Security
## 📥 Download
### Report Issues
- **Bugs & Features**: [GitHub Issues](https://github.com/Stalin-143/BURP-AI/issues)
- **General Discussion**: [GitHub Discussions](https://github.com/Stalin-143/BURP-AI/discussions)
### 🔒 Report Security Vulnerabilities
**⚠️ DO NOT open public issues for security vulnerabilities**
Instead, use **GitHub Security Advisory**:
1. Go to [GitHub Security Advisory](https://github.com/Stalin-143/BURP-AI/security/advisories)
2. Click **"Report a vulnerability"**
3. Provide detailed information:
- Vulnerability description
- Steps to reproduce
- Potential impact
- Suggested fix (if applicable)
4. Submit privately to maintainers
**Or email the maintainers** (See [SECURITY.md](SECURITY.md#reporting-security-vulnerabilities) for contact)
**Thank you for helping keep BurpAI secure!** 🙏
[Download v1.0](https://github.com/Stalin-143/BURP-AI/releases/tag/v1.0) • [GitHub](https://github.com/Stalin-143/BURP-AI) • [Issues](https://github.com/Stalin-143/BURP-AI/issues)
---
## 📄 License
Licensed under **Apache License 2.0** — See [LICENSE](LICENSE) for details.
**Disclaimer**: For authorized security testing only. See [DISCLAIMER.md](DISCLAIMER.md)
---
## 👥 Contributors
Special thanks to the security community for feedback and contributions.
**Want to contribute?** See [COLLABORATION.md](COLLABORATION.md)
---
<div align="center">
**Built for the modern security toolkit** | [v1.0](https://github.com/Stalin-143/BURP-AI/releases/tag/v1.0) | March 2026
</div>
### Critical (P1) - Automatic Detection
- **RCE** - Remote code execution, command injection
- **IDOR** - Insecure direct object reference
- **SSRF** - Server-side request forgery
- **SQLi** - SQL injection
- **Auth Bypass** - Session hijacking, weak auth
### High (P2)
- XSS, CSRF, XXE, Header Injection
- Cookie/credential handling flaws
- Privilege escalation
### Medium & Low
- Missing security headers
- CORS misconfiguration
- Information disclosure
- Weak configuration
---
## AI Models
The extension uses DigitalOcean's inference models and automatically falls back through this chain:
1. alibaba-qwen3-32b
2. deepseek-r1-distill-llama-70b
3. glm-5
4. kimi-k2.5
5. llama3-8b-instruct
6. llama3.3-70b-instruct
7. minimax-m2.5
8. mistral-nemo-instruct-2407
9. nvidia-nemotron-3-super-120b
10. openai-gpt-oss-120b
11. openai-gpt-oss-20b
If the selected model fails, the next model in the chain is automatically tried.
---
---
## 🔧 Setup
**Get API Key**: [DigitalOcean AI](https://cloud.digitalocean.com)
**Add Extension**: Burp Suite → Extensions → Add → Select `burpaai.py`
**Configure**: Enter API key in BurpAI tab → Save
**Start**: Analyze requests or enable Auto-Analyze
---
## 🐛 Found a Vulnerability?
### Security Reporting ⚠️
**Please DO NOT create a public GitHub issue for security vulnerabilities.**
Use one of these secure reporting methods:
#### Method 1: GitHub Security Advisory (Recommended)
1. Visit: [GitHub Security Advisory - Report](https://github.com/Stalin-143/BURP-AI/security/advisories/new)
2. Click **"Report a vulnerability"** button
3. Fill in the form with:
- **Vulnerability Title**: Brief description
- **Vulnerability Description**: Detailed explanation
- **Steps to reproduce**: How to trigger the issue
- **Impact**: Potential damage/risk
- **CVSS Score**: If you have one
4. Submit privately to maintainers
#### Method 2: Private Email
- See [SECURITY.md](SECURITY.md#reporting-security-vulnerabilities) for maintainer contact
**Response Timeline:**
- 24-48 hours: Initial acknowledgment
- 7 days: Targeted fix or timeline provided
- 30 days: Security patch release
**Your privacy will be respected, and you'll be credited in the fix** 🙏
---
## 🎓 Example Scenarios
| Scenario | Action |
|----------|--------|
| Find SQLi vulnerabilities | Load request → Click "Analyze" → Review results |
| Custom analysis prompt | Use chat box to ask specific questions |
| Auto-analyze requests | Enable checkbox → Requests auto-analyzed when captured |
| Switch AI models | Change dropdown → New model selected immediately |
---
## ⚡ API Integration
**Endpoint**: `https://inference.do-ai.run/v1/chat/completions`
**Models**: 11 AI models with automatic failover
**Response Time**: < 15 seconds per analysis
**Timeout Handling**: Automatic retry chain
---
## 🏆 What Others Love
✅ Zero configuration complexity
✅ Instant integration with existing workflow
✅ Enterprise-grade AI models
✅ No performance impact on Burp
✅ Privacy-first architecture
---
## 📖 Learn More
Dive into the detailed docs:
- [Installation & Setup](README.md#-quick-start)
- [Security Guidelines](SECURITY.md)
- [Contribution Guide](COLLABORATION.md)
- [Release Notes](CHANGELOG.md)
---
<div align="center">
### Ready to analyze like a pro?
[⭐ Star on GitHub](https://github.com/Stalin-143/BURP-AI) • [📢 Report Issue](https://github.com/Stalin-143/BURP-AI/issues) • [💬 Discuss](https://github.com/Stalin-143/BURP-AI/discussions)
Built with ❤️ for the security community
</div>
**License:** Apache 2.0 | **Status:** Production Ready | **For authorized security testing only**
SECURITY_ADVISORY.md
+75 -243
View File
@@ -1,253 +1,85 @@
# Security Advisory - BurpAI v1.0
## Advisory Information
**Product:** BurpAI (Burp Suite AI Extension)
**Version:** 1.0
**Release Date:** March 23, 2026
**Advisory Type:** Initial Release Security Statement
**Status:** ACTIVE
## Summary
BurpAI v1.0 is released with security best practices implemented. This advisory documents the security posture at release and any known considerations.
## Security Assessment
### Overall Risk Level: LOW
BurpAI v1.0 has been developed with security as a core principle:
**SECURE:**
- All API communications use HTTPS with certificate validation
- No hardcoded credentials or secrets
- Input validation on all user inputs
- Error handling to prevent information disclosure
- No remote code execution capabilities
- No arbitrary file system access
- Local-only data storage with user-controlled permissions
⚠️ **REQUIRES ATTENTION:**
- Chat history stored in plaintext locally (user responsibility)
- API keys stored in user home directory (requires user discretion)
- Jython 2.7 has older dependencies (sandboxed by Burp Suite)
- AI-generated content not validated (user responsibility)
## Known Issues at Release
### No Critical Vulnerabilities Found
Comprehensive review revealed no critical security vulnerabilities in v1.0.
### Recommendations for Users
#### Mandatory
1. **Secure API Keys**
- Never share your API configuration file
- Treat API keys like passwords
- Use separate keys for development/production
2. **Verify AI Analysis**
- Do not blindly trust AI-generated recommendations
- Have security professionals review findings
- Understand the limitations of AI analysis
3. **Network Security**
- Only use on trusted networks
- Don't intercept production traffic through untrusted proxies
- Ensure Burp Suite is installed on trusted systems
#### Recommended
4. **Regular Updates**
- Keep Burp Suite up to date
- Keep Java runtime updated
- Monitor for BurpAI updates
5. **Audit Trail**
- Monitor API usage for suspicious activity
- Review chat history periodically
- Check extension logs for errors
6. **Data Hygiene**
- Clear sensitive chat history when no longer needed
- Rotate API keys monthly
- Use unique keys for different environments
## Deployment Considerations
### Safe Deployment Practices
```
✓ DO:
- Deploy on secure, managed systems
- Use firewall rules to restrict network access
- Run with principle of least privilege
- Monitor resource usage (memory, network)
- Keep audit logs of analysis performed
✗ DON'T:
- Deploy on shared/untrusted systems
- Use in air-gapped networks without isolation
- Share API keys between users
- Run with elevated privileges
- Disable SSL/TLS verification
```
### Configuration Security
```ini
# Secure configuration location
~/.burpaai/config.json
Recommended permissions: 600 (rw-------)
Owner: Current user
Group: User's primary group
```
## API Security
### DigitalOcean (Recommended Provider)
- Established security record
- SOC 2 Type II certified
- DDoS protection included
- Rate limiting enforced
- TLS 1.2+ required
**Key Management:**
- Generate API-specific keys (not account keys)
- Use IP whitelisting if available
- Monitor key usage in provider dashboard
- Rotate keys quarterly
### Other Providers
- Alibaba Cloud: Enterprise security features
- AWS Bedrock: Comprehensive monitoring
- Google Cloud: Strong data privacy practices
- OpenAI: Model safety guidelines
**General:** Review each provider's security documentation.
## Incident Response
### If You Suspect a Compromise
1. **Immediate:**
- Stop using the extension
- Revoke/rotate API keys
- Check API usage logs
2. **Investigation:**
- Review Burp Suite proxy logs
- Check system logs for unauthorized access
- Audit what data was accessed
3. **Reporting:**
- Report to BurpAI team via SECURITY.md process
- Notify your API provider
- Report to system administrator
## Security Update Process
### Timeline for Issues
| Severity | Response | Fix | Public Disclosure |
|----------|----------|-----|-------------------|
| Critical | 2 hours | 24 hours | 30 days |
| High | 4 hours | 1 week | 60 days |
| Medium | 24 hours | 2 weeks | 90 days |
| Low | 72 hours | 1 month | 6 months |
### Patch Delivery
- Published as new releases on GitHub
- Announced in CHANGELOG.md
- Changelog will note security patches
- Automatic URL check (if implemented)
## Compliance Notes
### Standards Compliance
- OWASP Top 10 Awareness
- CWE/SANS Top 25 Mitigation
- Secure Coding Practices
- Privacy by Design
### NOT Compliant With
- PCI DSS (not a payment processor)
- HIPAA (not healthcare data)
- SOC 2 (not audited at this time)
## Testing & Validation
### Security Testing Performed
✓ Code review for common vulnerabilities
✓ Input validation testing
✓ HTTPS/TLS verification
✓ Jython compatibility testing
✓ Error handling verification
✓ Memory management review
### Testing NOT Performed
⊘ Formal security audit
⊘ Penetration testing
⊘ Fuzzing analysis
⊘ Cryptographic review
## Future Security Work
### Planned Improvements
- [ ] Formal security audit (Q2 2026)
- [ ] Encrypted local storage option
- [ ] Key rotation automation
- [ ] Advanced threat detection
- [ ] Security scanning integration
### Community Involvement
- Open source for community security review
- Bug bounty program (future consideration)
- Regular security updates
- Transparent vulnerability handling
## Support & Questions
### For Security Questions
Contact via: See SECURITY.md for vulnerability reporting
Response Time: 24-48 hours
### For General Questions
Use: GitHub Issues and Discussions
Community Support: Check README.md
## Acknowledgments
Special thanks to:
- PortSwigger for Burp Suite API documentation
- Security community for best practice guidance
- Contributors and testers
## References
- [OWASP Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [CWE/SANS Top 25](https://cwe.mitre.org/top25/)
- [CERT Secure Coding](https://www.securecoding.cert.org/)
- [PortSwigger Security Guide](https://portswigger.net/research)
---
**Advisory ID:** BURPAAI-2026-001
**Published:** March 23, 2026
**Version:** 1.0
**Status:** ACTIVE
**Next Review:** June 23, 2026
## Overview
For the latest information, visit: https://github.com/Stalin-143/BURP-AI
BurpAI v1.0 is production-ready with no known critical vulnerabilities.
---
## Risk Assessment
**Overall Level: LOW**
**Secure:**
- ✅ HTTPS-only API communication
- ✅ No hardcoded secrets
- ✅ Input validation
- ✅ Local-only data storage
- ✅ No RCE or file system access
**User Responsibility:**
- ⚠️ Chat history stored in plaintext (manage yourself)
- ⚠️ API keys in home directory (keep secure)
- ⚠️ AI-generated content (verify independently)
---
## Security Practices
**Mandatory:**
1. Secure API keys - treat like passwords
2. Verify AI findings independently
3. Use on trusted networks only
**Recommended:**
4. Keep Burp Suite and Java updated
5. Monitor API usage
6. Rotate keys monthly
---
## Deployment
- Use secure, managed systems
- Apply firewall rules
- Run with least privilege
- Keep audit logs
- Monitor resource usage
---
## Known Limitations
- Jython 2.7 uses older dependencies
- AI analysis depends on model quality
- API rate limits apply
- Chat history not encrypted locally
---
## Incident Response
**If compromised:**
1. Revoke/rotate API keys immediately
2. Check API usage logs
3. Report to maintainers
4. Notify API provider
---
## Security Contacts
See [SECURITY.md](SECURITY.md) for vulnerability reporting and contacts.
---
**Status:** Production Ready ✅
**Security Review:** No critical vulnerabilities found
**Last Updated:** March 23, 2026
index.html
+566
View File
@@ -0,0 +1,566 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>BurpAI - AI-Powered Security Analysis</title>
<link href="https://fonts.googleapis.com/css2?family=Courier+Prime:wght@400;700&family=Space+Mono:wght@400;700&display=swap" rel="stylesheet">
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}
:root {
--burnt-orange: #B8552F;
--mustard: #D4A635;
--cream: #F5E6D3;
--dark-brown: #46423A;
--avocado: #6B8E23;
--accent: #8B4513;
}
body {
font-family: 'Courier Prime', monospace;
background: linear-gradient(135deg, var(--cream) 0%, #F0DFC2 100%);
color: var(--dark-brown);
line-height: 1.6;
overscroll-behavior: none;
}
header {
background: var(--dark-brown);
color: var(--cream);
padding: 3rem 0;
border-bottom: 4px solid var(--burnt-orange);
box-shadow: 0 4px 0 var(--burnt-orange);
}
.header-content {
max-width: 1000px;
margin: 0 auto;
padding: 0 2rem;
text-align: center;
}
.logo {
font-size: 3.5rem;
font-weight: 700;
letter-spacing: 2px;
margin-bottom: 0.5rem;
font-family: 'Space Mono', monospace;
text-shadow: 2px 2px 4px rgba(0,0,0,0.3);
}
.tagline {
font-size: 1.1rem;
color: var(--mustard);
letter-spacing: 1px;
margin-bottom: 1rem;
}
.version-badge {
display: inline-block;
background: var(--burnt-orange);
color: var(--cream);
padding: 0.4rem 1rem;
border-radius: 2px;
font-size: 0.9rem;
margin-top: 0.5rem;
border: 2px solid var(--mustard);
}
nav {
background: var(--burnt-orange);
padding: 1rem 0;
border-bottom: 2px dashed var(--dark-brown);
position: sticky;
top: 0;
z-index: 100;
box-shadow: 0 2px 8px rgba(0,0,0,0.2);
}
nav ul {
list-style: none;
display: flex;
justify-content: center;
gap: 2rem;
max-width: 1000px;
margin: 0 auto;
flex-wrap: wrap;
padding: 0 1rem;
}
nav a {
color: var(--cream);
text-decoration: none;
font-size: 1rem;
font-weight: 700;
letter-spacing: 1px;
transition: color 0.3s;
border: 2px solid transparent;
padding: 0.3rem 0.6rem;
}
nav a:hover {
color: var(--mustard);
border-bottom: 2px solid var(--mustard);
}
main {
max-width: 1000px;
margin: 0 auto;
padding: 0 2rem;
}
section {
background: var(--cream);
margin: 2rem 0;
padding: 2rem;
border: 3px solid var(--dark-brown);
box-shadow: 6px 6px 0 rgba(0,0,0,0.1);
position: relative;
}
section::before {
content: "";
position: absolute;
top: -8px;
left: 20px;
width: 16px;
height: 16px;
background: var(--burnt-orange);
border: 2px solid var(--dark-brown);
}
section::after {
content: "";
position: absolute;
bottom: -8px;
right: 20px;
width: 16px;
height: 16px;
background: var(--mustard);
border: 2px solid var(--dark-brown);
}
h2 {
font-size: 2rem;
color: var(--burnt-orange);
margin-bottom: 1rem;
letter-spacing: 1px;
border-bottom: 3px solid var(--mustard);
padding-bottom: 0.5rem;
font-family: 'Space Mono', monospace;
}
h3 {
font-size: 1.3rem;
color: var(--accent);
margin: 1.5rem 0 0.5rem 0;
}
.features {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
gap: 1.5rem;
margin: 2rem 0;
}
.feature-box {
background: #FFF9F0;
border: 2px solid var(--burnt-orange);
padding: 1.5rem;
border-radius: 2px;
transition: transform 0.2s;
}
.feature-box:hover {
transform: translateY(-4px);
box-shadow: 0 4px 12px rgba(184, 85, 47, 0.2);
}
.feature-icon {
font-size: 2.5rem;
margin-bottom: 0.5rem;
}
.feature-box h4 {
color: var(--burnt-orange);
margin-bottom: 0.5rem;
font-size: 1.1rem;
}
.btn {
display: inline-block;
background: var(--burnt-orange);
color: var(--cream);
padding: 0.8rem 1.8rem;
text-decoration: none;
border: 2px solid var(--dark-brown);
font-weight: 700;
letter-spacing: 1px;
transition: all 0.3s;
margin: 0.5rem;
cursor: pointer;
font-family: 'Courier Prime', monospace;
}
.btn:hover {
background: var(--dark-brown);
color: var(--mustard);
transform: translate(2px, 2px);
box-shadow: 4px 4px 0 var(--mustard);
}
.btn-secondary {
background: var(--mustard);
color: var(--dark-brown);
}
.btn-secondary:hover {
background: var(--avocado);
color: var(--cream);
}
code {
background: #E8DCC8;
padding: 0.2rem 0.4rem;
border: 1px solid var(--burnt-orange);
font-family: 'Space Mono', monospace;
border-radius: 2px;
}
.command-block {
background: var(--dark-brown);
color: var(--mustard);
padding: 1.5rem;
border: 2px solid var(--burnt-orange);
margin: 1rem 0;
font-family: 'Courier Prime', monospace;
overflow-x: auto;
border-radius: 2px;
}
.command-block code {
background: transparent;
border: none;
color: var(--mustard);
padding: 0;
}
table {
width: 100%;
border-collapse: collapse;
margin: 1rem 0;
}
th, td {
border: 2px solid var(--burnt-orange);
padding: 0.8rem;
text-align: left;
}
th {
background: var(--burnt-orange);
color: var(--cream);
font-weight: 700;
}
tr:nth-child(even) {
background: #F9F3E9;
}
footer {
background: var(--dark-brown);
color: var(--cream);
text-align: center;
padding: 2rem;
margin-top: 3rem;
border-top: 4px solid var(--burnt-orange);
}
.footer-links {
display: flex;
justify-content: center;
gap: 1rem;
margin-bottom: 1rem;
flex-wrap: wrap;
}
.footer-links a {
color: var(--mustard);
text-decoration: none;
border-bottom: 1px solid var(--mustard);
}
.footer-links a:hover {
color: var(--cream);
border-color: var(--cream);
}
.badge {
display: inline-block;
background: var(--avocado);
color: var(--cream);
padding: 0.3rem 0.8rem;
margin: 0.2rem;
border: 1px solid var(--dark-brown);
border-radius: 2px;
font-size: 0.9rem;
font-weight: 700;
}
.hero-text {
font-size: 1.2rem;
line-height: 1.8;
margin: 1.5rem 0;
color: var(--dark-brown);
}
.divider {
height: 3px;
background: repeating-linear-gradient(90deg, var(--burnt-orange), var(--burnt-orange) 10px, var(--mustard) 10px, var(--mustard) 20px);
margin: 2rem 0;
}
@media (max-width: 768px) {
.logo {
font-size: 2.5rem;
}
h2 {
font-size: 1.5rem;
}
section {
padding: 1.5rem;
margin: 1rem 0;
}
nav ul {
gap: 1rem;
}
.features {
grid-template-columns: 1fr;
}
}
.highlight {
color: var(--burnt-orange);
font-weight: 700;
}
</style>
</head>
<body>
<header>
<div class="header-content">
<div class="logo">🤖 BURPAI</div>
<div class="tagline">AI-Powered Security Analysis for Burp Suite</div>
<div class="version-badge">Version 1.0 • Production Ready</div>
</div>
</header>
<nav>
<ul>
<li><a href="#features">Features</a></li>
<li><a href="#quickstart">Quick Start</a></li>
<li><a href="#models">Models</a></li>
<li><a href="#security">Security</a></li>
<li><a href="#download">Download</a></li>
<li><a href="https://github.com/Stalin-143/BURP-AI" target="_blank">GitHub</a></li>
</ul>
</nav>
<main>
<section id="hero">
<p class="hero-text">
<span class="highlight">BurpAI</span> brings the power of multi-model AI to your security testing workflow.
Analyze HTTP requests in real-time and identify vulnerabilities with enterprise-grade AI models.
</p>
<div style="text-align: center; margin-top: 2rem;">
<a href="#quickstart" class="btn">Get Started</a>
<a href="https://github.com/Stalin-143/BURP-AI" class="btn btn-secondary" target="_blank">View on GitHub</a>
</div>
</section>
<div class="divider"></div>
<section id="features">
<h2>✨ Features</h2>
<div class="features">
<div class="feature-box">
<div class="feature-icon">🧠</div>
<h4>Multi-Model AI</h4>
<p>11 AI models with automatic failover. Switch between Kimi, DeepSeek, GLM, Qwen, LLaMA, and more.</p>
</div>
<div class="feature-box">
<div class="feature-icon"></div>
<h4>Real-Time Analysis</h4>
<p>Background threading—zero UI lag. Analyze requests instantly without blocking your workflow.</p>
</div>
<div class="feature-box">
<div class="feature-icon">🔍</div>
<h4>Smart Detection</h4>
<p>Priority detection for P1/P2 vulnerabilities: RCE, IDOR, SQLi, Auth bypass, and more.</p>
</div>
<div class="feature-box">
<div class="feature-icon">📋</div>
<h4>Native Repeater</h4>
<p>Built-in request/response editing with Burp's native editors. Full control in one place.</p>
</div>
<div class="feature-box">
<div class="feature-icon">📊</div>
<h4>Request History</h4>
<p>Automatic tracking of 1000+ requests. Never lose context on your security tests.</p>
</div>
<div class="feature-box">
<div class="feature-icon">💬</div>
<h4>Interactive Chat</h4>
<p>Custom prompts for targeted analysis. Ask the AI security expert any question.</p>
</div>
</div>
</section>
<div class="divider"></div>
<section id="quickstart">
<h2>🚀 Quick Start</h2>
<h3>1. Get API Key</h3>
<p>Sign up for <a href="https://cloud.digitalocean.com" style="color: var(--burnt-orange); font-weight: 700;" target="_blank">DigitalOcean AI</a> and create an API key.</p>
<h3>2. Load Extension</h3>
<div class="command-block">
<code>Burp Suite → Extensions → Add → Select burpaai.py</code>
</div>
<h3>3. Configure</h3>
<p>Enter your DigitalOcean API key in the BurpAI tab → Click <strong>Save</strong></p>
<h3>4. Analyze</h3>
<p>Load any request in Repeater → Click <strong>Analyze with AI</strong> → Review results</p>
<div style="text-align: center; margin-top: 2rem;">
<a href="https://github.com/Stalin-143/BURP-AI/releases/tag/v1.0" class="btn" target="_blank">Download v1.0</a>
</div>
</section>
<div class="divider"></div>
<section id="models">
<h2>🧠 Supported Models</h2>
<p>Automatic failover across 11 enterprise-grade AI models:</p>
<div class="badge">Alibaba Qwen 3</div>
<div class="badge">DeepSeek R1</div>
<div class="badge">GLM-5</div>
<div class="badge">Kimi K2.5</div>
<div class="badge">LLaMA 3/3.3</div>
<div class="badge">Mistral Nemo</div>
<div class="badge">NVIDIA Nemotron</div>
<div class="badge">OpenAI GPT OSS</div>
</section>
<div class="divider"></div>
<section id="requirements">
<h2>📋 Requirements</h2>
<table>
<thead>
<tr>
<th>Requirement</th>
<th>Details</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Burp Suite</strong></td>
<td>Pro or Community Edition (latest)</td>
</tr>
<tr>
<td><strong>API Key</strong></td>
<td>DigitalOcean AI (free tier available)</td>
</tr>
<tr>
<td><strong>Java</strong></td>
<td>8+ (included with Burp)</td>
</tr>
<tr>
<td><strong>Network</strong></td>
<td>HTTPS outbound to AI API</td>
</tr>
</tbody>
</table>
</section>
<div class="divider"></div>
<section id="security">
<h2>🛡️ Security First</h2>
<p>BurpAI is built with security as a core principle:</p>
<div style="margin: 1.5rem 0;">
<p><span class="highlight">HTTPS-only</span> API communication</p>
<p><span class="highlight">No telemetry</span> or tracking</p>
<p><span class="highlight">Local-only</span> data storage</p>
<p><span class="highlight">User-managed</span> API keys</p>
<p><span class="highlight">Open-source</span> for transparency</p>
</div>
<h3>🐛 Report Security Vulnerabilities</h3>
<p>Found an issue? Use <a href="https://github.com/Stalin-143/BURP-AI/security/advisories/new" style="color: var(--burnt-orange); font-weight: 700;" target="_blank">GitHub Security Advisory</a> to report privately.</p>
<div style="text-align: center; margin-top: 1.5rem;">
<a href="https://github.com/Stalin-143/BURP-AI/blob/master/SECURITY.md" class="btn btn-secondary" target="_blank">Security Policy</a>
</div>
</section>
<div class="divider"></div>
<section id="download">
<h2>📥 Download</h2>
<p>Get the latest version from GitHub:</p>
<div style="text-align: center; margin-top: 2rem;">
<a href="https://github.com/Stalin-143/BURP-AI/releases" class="btn" target="_blank">All Releases</a>
<a href="https://github.com/Stalin-143/BURP-AI/archive/refs/tags/v1.0.zip" class="btn btn-secondary" target="_blank">Download v1.0</a>
</div>
<p style="margin-top: 1.5rem; text-align: center;">
<strong>License:</strong> Apache 2.0 |
<strong>Status:</strong> Production Ready
</p>
</section>
<div class="divider"></div>
<section id="docs">
<h2>📚 Documentation</h2>
<div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(250px, 1fr)); gap: 1rem;">
<a href="https://github.com/Stalin-143/BURP-AI/blob/master/README.md" class="btn" target="_blank" style="display: block; text-align: center;">README</a>
<a href="https://github.com/Stalin-143/BURP-AI/blob/master/SECURITY.md" class="btn" target="_blank" style="display: block; text-align: center;">Security Policy</a>
<a href="https://github.com/Stalin-143/BURP-AI/blob/master/CHANGELOG.md" class="btn" target="_blank" style="display: block; text-align: center;">Changelog</a>
<a href="https://github.com/Stalin-143/BURP-AI/blob/master/COLLABORATION.md" class="btn" target="_blank" style="display: block; text-align: center;">Contributing</a>
</div>
</section>
</main>
<footer>
<div class="footer-links">
<a href="https://github.com/Stalin-143/BURP-AI" target="_blank">GitHub</a>
<a href="https://github.com/Stalin-143/BURP-AI/issues" target="_blank">Issues</a>
<a href="https://github.com/Stalin-143/BURP-AI/discussions" target="_blank">Discussions</a>
<a href="https://github.com/Stalin-143/BURP-AI/security/advisories" target="_blank">Report Security</a>
</div>
<p style="margin-bottom: 1rem;">
<strong>BurpAI v1.0</strong> • Built for the modern security toolkit
</p>
<p style="font-size: 0.9rem; opacity: 0.8;">
© 2026 • Licensed under Apache 2.0 • For authorized security testing only
</p>
</footer>
</body>
</html>