Autonomous AI penetration testing agent for Burp Suite. Agentic pentesting with local/cloud LLMs (Ollama, Gemini, DeepSeek, OpenRouter) via Montoya API.
# burpai — Autonomous AI Pentest Agent for Burp Suite

A **Burp Suite extension** built on the [Montoya API](https://portswigger.github.io/burp-extensions-montoya-api/javadoc/) that embeds an autonomous AI penetration testing agent directly into Burp. All HTTP traffic flows through Burp's engine — every request the agent fires is visible in the HTTP history, and you can inspect it in Burp's native editors in real time.

---

## Features at a Glance

| Feature | Description |
|---|---|
| **AI Pentester** | Autonomous agentic loop — probes targets, fires requests through Burp, confirms and reports vulnerabilities |
| **11 agent tools** | HTTP requests, crawling, fuzzing, extraction, decoding, variable interpolation, site-map querying, reporting, run control |
| **Multi-provider LLM** | Ollama (local), Google DeepSeek, **Anthropic Claude**, **DeepSeek**, **OpenAI**, and **OpenRouter** |
| **Focused task mode** | "Find SSRF" tests *only* SSRF — 19 vulnerability classes auto-detected from your prompt |
| **Timing-based detection** | `fuzz_parameter` tracks response latency per payload — catches blind SSRF and blind CMDi |
| **Integrated Token Map** | Intelligent detection of JWT, UUID, API keys, and CSRF tokens across headers and cookies with automatic mirror detection |
| **CSV Export** | Export agent findings and HTTP history directly to CSV for external reporting |
| **HTML reports** | Structured findings report saved to `~/burpai_logs/` |
| **Burp native reporting** | Confirmed findings posted directly to the Burp Dashboard Issues pane — severity, confidence, PoC and evidence requests included |
| **AI Personas** | Task-focused personas (Auth, SSRF, Injection, etc.) sharpen the agent's strategy from iteration one |
| **Vector memory** | Per-target memory persists WAF info, endpoints, parameters and vuln history across runs |
| **Repeater DeepSeek** | AI suggestion panel embedded in every Re
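HAL layered hybrid-model workflow: the strong model (Claude) handles understanding, decomposition and acceptance checking, while the low-cost model (DeepSeek) handles retrieval, extraction and cleaning. Hermes Agent skill.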
An LLM agent fine-tuned on DeepSeek for spaced repetition, dynamically integrating knowledge points based on the Ebbinghaus forgetting curve.
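An end-to-end AI smartwatch ecosystem built on the STM32F103. It features a self-developed "zero-relocation" native machine-code dynamic loading engine and a page-stack UI framework, and integrates a production-grade OTA rollback protection mechanism and a high-bandwidth (921600 baud) serial protocol stack. DeepSeek AI semantic control and ASRPRO full-duplex voice interaction are implemented through a Node.js relay, making this an embedded full-stack project that combines distributed computing, modern storage management and an AI agent.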
A Meta-Agent-Driven Self-Evolving Multi-Agent System for UAV Detection and Tracking
One command to run Hermes AI Agent with a browser UI. Zero prerequisites. One command and the AI is ready.
Web application agent with support for DeepSeek, Mimo and other models.