# BurpAI
**AI-Powered Vulnerability Analysis for Burp Suite**
[Release v1.0](https://github.com/Stalin-143/BURP-AI/releases/tag/v1.0) • [License](LICENSE) • [Python](https://www.python.org/) • [Security Advisory](SECURITY_ADVISORY.md)
[Official Burp Suite](https://portswigger.net/burp) • [Security Policy](SECURITY.md) • [Changelog](CHANGELOG.md) • [Report Issue](https://github.com/Stalin-143/BURP-AI/issues)
---
## Overview
BurpAI seamlessly integrates **multi-model AI analysis** into Burp Suite, providing intelligent vulnerability detection directly in your pentesting workflow. Instantly analyze HTTP requests and get actionable security insights with zero friction.
**Perfect for:** Security Researchers • Penetration Testers • Bug Bounty Hunters • Security Teams
---
## Features
| Feature | Description |
|---------|-------------|
| **Multi-Model AI** | 11 AI models with automatic failover (Kimi, DeepSeek, GLM, Qwen, LLaMA, Mistral, etc.) |
| **Real-time Analysis** | Background threading, so there is no UI lag during analysis |
| **Smart Detection** | Priority detection for P1/P2 vulnerabilities (RCE, IDOR, SQLi, Auth bypass) |
| **Native Repeater** | Built-in request/response editing with Burp's native editors |
| **Request History** | Automatic tracking of 1000+ requests with full context |
| **Easy Configuration** | One-click API key setup, model selection dropdown |
| **Interactive Chat** | Custom prompts for targeted security analysis |
| **Security First** | HTTPS-only, no telemetry, local-only data storage |
---
## Quick Start
### 1. Install
```bash
# In Burp Suite: Extensions → Add → Select burpaai.py
```
### 2. Configure
- Go to the **BurpAI** tab
- Enter your DigitalOcean AI API key → **Save**
### 3. Analyze
- Load a request in **Repeater**
- Click **"Analyze with AI"**
- Review the vulnerability report in the chat panel
---
## Requirements
| Requirement | Details |
|-------------|---------|
| **Burp Suite** | Pro or Community Edition (latest) |
| **API Key** | DigitalOcean AI (free tier available) |
| **Java** | 8+ (included with Burp) |
| **Network** | HTTPS outbound to AI API |
---
## Supported Models
- Alibaba Qwen 3 (32B)
- DeepSeek R1 (70B)
- GLM-5
- Kimi K2.5
- LLaMA 3 & 3.3 (8B-70B)
- Mistral Nemo (2407)
- NVIDIA Nemotron (120B)
- OpenAI GPT OSS (20B-120B)
Automatic failover if primary model unavailable.
---
## Security & Compliance
- **HTTPS-only** API communication
- **No telemetry** or tracking
- **Local-only** data storage (the request being analyzed is still sent to the AI API endpoint over HTTPS)
- **API keys** user-managed
- **Open-source** for transparency

[Security Policy](SECURITY.md) • [Vulnerability Reporting](SECURITY.md#reporting-security-vulnerabilities) • [Advisory](SECURITY_ADVISORY.md)
---
## Documentation
| Document | Purpose |
|----------|---------|
| [SECURITY.md](SECURITY.md) | Security policy & best practices |
| [SECURITY_ADVISORY.md](SECURITY_ADVISORY.md) | Release security assessment |
| [CHANGELOG.md](CHANGELOG.md) | Version history & fixes |
| [COLLABORATION.md](COLLABORATION.md) | Contributing guidelines |
| [DISCLAIMER.md](DISCLAIMER.md) | Legal notices & warranty |
---
## Support & Security
### Report Issues
- **Bugs & Features**: [GitHub Issues](https://github.com/Stalin-143/BURP-AI/issues)
- **General Discussion**: [GitHub Discussions](https://github.com/Stalin-143/BURP-AI/discussions)
### Report Security Vulnerabilities
**DO NOT open public issues for security vulnerabilities**
Instead, use **GitHub Security Advisory**:
1. Go to [GitHub Security Advisory](https://github.com/Stalin-143/BURP-AI/security/advisories)
2. Click **"Report a vulnerability"**
3. Provide detailed information:
- Vulnerability description
- Steps to reproduce
- Potential impact
- Suggested fix (if applicable)
4. Submit privately to maintainers
**Or email the maintainers** (See [SECURITY.md](SECURITY.md#reporting-security-vulnerabilities) for contact)
**Thank you for helping keep BurpAI secure!**
---
## License
Licensed under the **Apache License 2.0**. See [LICENSE](LICENSE) for details.
**Disclaimer**: For authorized security testing only. See [DISCLAIMER.md](DISCLAIMER.md)
---
## Contributors
Special thanks to the security community for feedback and contributions.
**Want to contribute?** See [COLLABORATION.md](COLLABORATION.md)
---
**Built for the modern security toolkit** | [v1.0](https://github.com/Stalin-143/BURP-AI/releases/tag/v1.0) | March 2026
## Vulnerability Detection
### Critical (P1) - Automatic Detection
- **RCE** - Remote code execution, command injection
- **IDOR** - Insecure direct object reference
- **SSRF** - Server-side request forgery
- **SQLi** - SQL injection
- **Auth Bypass** - Session hijacking, weak auth
### High (P2)
- XSS, CSRF, XXE, Header Injection
- Cookie/credential handling flaws
- Privilege escalation
### Medium & Low
- Missing security headers
- CORS misconfiguration
- Information disclosure
- Weak configuration
---
## AI Models
The extension uses DigitalOcean's inference models and automatically falls back through this chain:
1. alibaba-qwen3-32b
2. deepseek-r1-distill-llama-70b
3. glm-5
4. kimi-k2.5
5. llama3-8b-instruct
6. llama3.3-70b-instruct
7. minimax-m2.5
8. mistral-nemo-instruct-2407
9. nvidia-nemotron-3-super-120b
10. openai-gpt-oss-120b
11. openai-gpt-oss-20b
If the selected model fails, the next model in the chain is automatically tried.
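Added example (not code from the BurpAI extension) of the failover behaviour described above: the selected model is tried first, then the remaining models in the documented chain order, with each call bounded by a timeout. The `send` transport, the OpenAI-style chat body, and wrapping around to the start of the chain are assumptions not stated on this page.

```python
# Added example, not code from the BurpAI extension: the failover chain
# described above, with the selected model tried first.
from typing import Callable, Dict, List, Optional, Tuple

MODEL_CHAIN = [  # chain order as documented in this README
    "alibaba-qwen3-32b", "deepseek-r1-distill-llama-70b", "glm-5", "kimi-k2.5",
    "llama3-8b-instruct", "llama3.3-70b-instruct", "minimax-m2.5",
    "mistral-nemo-instruct-2407", "nvidia-nemotron-3-super-120b",
    "openai-gpt-oss-120b", "openai-gpt-oss-20b",
]
PER_CALL_TIMEOUT = 15  # seconds; assumed from the "< 15 seconds" figure above

class ModelError(Exception):
    """Raised by the transport when a model call fails (timeout, HTTP error, bad JSON)."""

def failover_order(selected: str) -> List[str]:
    """Selected model first, then the rest of the chain; wrapping around is assumed."""
    if selected not in MODEL_CHAIN:
        raise ValueError("unknown model: %s" % selected)
    start = MODEL_CHAIN.index(selected)
    return MODEL_CHAIN[start:] + MODEL_CHAIN[:start]

def build_request(model: str, system_prompt: str, http_request: str) -> Dict:
    """Chat body; the OpenAI-style shape is an assumption about the endpoint."""
    return {"model": model, "messages": [
        {"role": "system", "content": system_prompt},
        {"role": "user", "content": http_request}]}

def analyze_with_failover(selected: str, system_prompt: str, http_request: str,
                          send: Callable[[Dict, int], str]) -> Optional[Tuple[str, str]]:
    """Return (model, reply) from the first model that answers, or None if all fail.
    `send(body, timeout)` is a hypothetical transport returning reply text or raising
    ModelError; each failure is logged and the next model in order is tried."""
    for model in failover_order(selected):
        body = build_request(model, system_prompt, http_request)
        try:
            return model, send(body, PER_CALL_TIMEOUT)
        except ModelError as exc:
            print("model %s failed (%s); trying next" % (model, exc))
    return None

def make_fake_transport(failing: set) -> Tuple[Callable[[Dict, int], str], List[str]]:
    """Constructed offline stand-in for the HTTP call: raises for models in `failing`."""
    calls: List[str] = []
    def send(body: Dict, timeout: int) -> str:
        calls.append(body["model"])
        if body["model"] in failing:
            raise ModelError("timeout after %ds" % timeout)
        return "analysis from " + body["model"]
    return send, calls
```

Swap `make_fake_transport` for a real HTTPS client to use this against the endpoint listed under API Integration.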
---
## Setup
**Get API Key**: [DigitalOcean AI](https://cloud.digitalocean.com)
**Add Extension**: Burp Suite → Extensions → Add → Select `burpaai.py`
**Configure**: Enter API key in BurpAI tab → Save
**Start**: Analyze requests or enable Auto-Analyze
---
## Found a Vulnerability?
### Security Reporting
**Please DO NOT create a public GitHub issue for security vulnerabilities.**
Use one of these secure reporting methods:
#### Method 1: GitHub Security Advisory (Recommended)
1. Visit: [GitHub Security Advisory - Report](https://github.com/Stalin-143/BURP-AI/security/advisories/new)
2. Click **"Report a vulnerability"** button
3. Fill in the form with:
- **Vulnerability Title**: Brief description
- **Vulnerability Description**: Detailed explanation
- **Steps to reproduce**: How to trigger the issue
- **Impact**: Potential damage/risk
- **CVSS Score**: If you have one
4. Submit privately to maintainers
#### Method 2: Private Email
- See [SECURITY.md](SECURITY.md#reporting-security-vulnerabilities) for maintainer contact
**Response Timeline:**
- 24-48 hours: Initial acknowledgment
- 7 days: Targeted fix or timeline provided
- 30 days: Security patch release
**Your privacy will be respected, and you'll be credited in the fix**
---
## Example Scenarios
| Scenario | Action |
|----------|--------|
| Find SQLi vulnerabilities | Load request → Click "Analyze" → Review results |
| Custom analysis prompt | Use chat box to ask specific questions |
| Auto-analyze requests | Enable checkbox → Requests auto-analyzed when captured |
| Switch AI models | Change dropdown → New model selected immediately |
---
## API Integration
**Endpoint**: `https://inference.do-ai.run/v1/chat/completions`
**Models**: 11 AI models with automatic failover
**Response Time**: < 15 seconds per analysis
**Timeout Handling**: Automatic retry chain
---
## What Others Love
- Zero configuration complexity
- Instant integration with existing workflow
- Enterprise-grade AI models
- No performance impact on Burp
- Privacy-first architecture
---
## Learn More
Dive into the detailed docs:
- [Installation & Setup](README.md#-quick-start)
- [Security Guidelines](SECURITY.md)
- [Contribution Guide](COLLABORATION.md)
- [Release Notes](CHANGELOG.md)
---
### Ready to analyze like a pro?
[Star on GitHub](https://github.com/Stalin-143/BURP-AI) • [Report Issue](https://github.com/Stalin-143/BURP-AI/issues) • [Discuss](https://github.com/Stalin-143/BURP-AI/discussions)
Built with ❤️ for the security community