Professional-grade Burp Suite extension for comprehensive API reconnaissance, intelligent fuzzing, and AI-powered security testing.
- BurpAPISecuritySuite
BurpAPISecuritySuite is a complete API security testing toolkit that:
- Captures & analyzes API traffic with smart normalization
- Generates intelligent fuzzing campaigns with 100+ attack vectors
- Exports to multiple formats for AI, Turbo Intruder, and Nuclei
- Auto-configures Burp Intruder with attack positions
- Detects vulnerabilities across OWASP API Top 10
- Auto-Capture: Monitors all HTTP/Proxy traffic automatically
- Smart Normalization: Groups similar endpoints (
/users/123β/users/{id}) - Comprehensive Extraction: Parameters, headers, auth methods, request/response bodies
- Pattern Detection: REST, GraphQL, SOAP, JSON/XML APIs
- Security Analysis: IDOR/BOLA, unauth endpoints, PII exposure, weak encryption
- JWT Detection: Automatic JWT extraction and security analysis
- Diff Comparison: Compare two API exports to detect changes
- Import/Export: Save and restore captured API data
- 15 Attack Types: BOLA, IDOR, SQLi, XSS, NoSQLi, SSTI, JWT, GraphQL, Race Conditions, Business Logic, WAF Bypass, and more
- Smart Detection: Context-aware vulnerability identification
- 108+ Attack Vectors: Comprehensive payload library with bypass techniques
- Severity Ratings: Critical/High/Medium/Low risk classification
- WAF Evasion: Header injection, encoding bypass, method override, path manipulation
- Version Scanner: Test API version variations (v1, v2, dev, staging, legacy)
- Param Miner: Discover hidden parameters (admin, debug, internal, callback)
- Wayback Machine: Discover historical endpoints and forgotten APIs
- Katana Crawler: Deep web crawling with automatic endpoint discovery
- HTTPX Probe: Fast HTTP probing with technology detection
- FFUF Fuzzer: Directory and file fuzzing with wordlist support
- Burp Intruder: Auto-configured attack positions (§markers§)
- AI Context: Structured data for ChatGPT/Claude payload generation
- Turbo Intruder: Ready-to-use Python scripts for race conditions & high-speed attacks
- Nuclei: Target export and integrated scanning with WAF evasion
- Payload Library: JSON export of all attack payloads
- cURL Export: Copy attacks as cURL commands for manual testing
| Feature | BurpAPISecuritySuite | Burp Scanner Pro | OWASP ZAP | Postman |
|---|---|---|---|---|
| Price | Free | $449/year | Free | Free/Paid |
| API-Specific Focus | β Yes | β Yes | ||
| Auto-Capture & Normalization | β Yes | β No | β No | |
| BOLA/IDOR Detection | β Automated | β No | ||
| Attack Types | 15 types | 100+ (generic) | 50+ (generic) | Limited |
| API Payloads | 108+ API-focused | Generic web | Generic web | Basic |
| JWT Analysis | β Automatic | |||
| GraphQL Testing | β Built-in | β No | ||
| Race Condition Testing | β Turbo Intruder | β Turbo Intruder | β No | β No |
| AI Integration | β Export for LLM | β No | β No | β No |
| Version Scanner | β Built-in | β No | β No | β No |
| Parameter Mining | β Built-in | β No | β No | |
| Wayback Discovery | β Built-in | β No | β No | β No |
| External Tool Integration | β Nuclei, HTTPX, Katana, FFUF | β No | ||
| WAF Bypass Techniques | β 20+ methods | β No | ||
| Export Formats | JSON, Intruder, Turbo, Nuclei, cURL | XML, HTML | XML, HTML, JSON | JSON, cURL |
| Burp Community Support | β Yes | β Pro only | N/A | N/A |
| Learning Curve | Low | Medium | Medium | Low |
| Best For | API pentesting, bug bounty | Full web app testing | DAST automation | API development |
- API-First Design: Built specifically for modern API security testing (REST, GraphQL, SOAP)
- Free & Open Source: All features available without licensing costs
- Intelligent Automation: Auto-detects BOLA/IDOR vulnerabilities across all authenticated endpoints
- AI-Powered: Export context for ChatGPT/Claude to generate custom payloads
- Comprehensive Coverage: 15 attack types with 108+ API-specific payloads
- External Tool Integration: Seamlessly integrates with Nuclei, HTTPX, Katana, FFUF
- Works with Burp Community: No need for expensive Burp Pro license
- Active Development: Regular updates with new attack vectors and features
- Burp β Extender β Extensions β Add β Python
- Select:
BurpAPISecuritySuite.py - Extension loads and starts capturing automatically
- Burp Suite (Professional or Community Edition)
- Jython Standalone JAR (https://www.jython.org/download)
- Capture: Browse/scan target API with auto-capture enabled
- Review: Check "API Recon" tab to see captured endpoints
- Export: Click "Export for LLM" to generate analysis JSON
- Generate: Feed JSON to LLM (ChatGPT, Claude, etc.) to create custom extension
- Auto-Capture Toggle: Enable/disable automatic traffic capture
- Sample Limit: Configure samples per endpoint (1, 3, 5, 10)
- Pagination: Navigate large endpoint lists (50, 100, 200, 500 per page)
- Search & Filters: Filter by host, method, severity, search term
- Grouping: Group endpoints by Host, Method, Auth, Encryption
- Export All: Export complete API analysis to JSON
- Export Host: Export specific host endpoints
- Import: Load previously exported data
- Clear Data: Reset all captured endpoints
- Load Export 1/2: Load two API exports for comparison
- Compare: Identify added, removed, and unchanged endpoints
- Copy: Copy diff results to clipboard
- Version Input: Comma-separated version strings to test
- Presets: Standard, Decimal, Environments, Legacy, All
- Scan Versions: Test all API endpoints with version variations
- Export Results: Save discovered versions to file
- Param Input: Comma-separated parameter names to test
- Presets: Admin, Debug, Access, Callback, All
- Mine Params: Discover hidden parameters in API endpoints
- Export Results: Save parameter mining results
- Attack Type Dropdown: All, BOLA, IDOR, Auth Bypass, SQLi, XSS, SSRF, XXE, WAF Bypass
- Generate: Create fuzzing campaign with intelligent attack detection
- Send to Intruder: Export to Burp Intruder with pre-configured positions
- Export Payloads: Save all payloads to JSON
- AI Payloads: Export context for AI-powered custom payload generation
- Turbo Intruder: Generate Python scripts for high-speed attacks
- Copy as cURL: Export attack as cURL command
- Nuclei Path: Configure path to nuclei binary
- Run Nuclei: Execute Nuclei scanner with WAF evasion
- Export Targets: Save target list for external scanning
- Features: Random UA, X-Forwarded-For spoofing, rate limiting
- HTTPX Path: Configure path to httpx binary
- Probe Endpoints: Fast HTTP probing with technology detection
- Export URLs: Save URLs for external tools
- Katana Path: Configure path to katana binary
- Crawl Endpoints: Deep web crawling for endpoint discovery
- Export Discovered: Save discovered endpoints
- Send to Recon: Import discovered endpoints to Recon tab
- FFUF Path: Configure path to ffuf binary
- Wordlist: Select wordlist for fuzzing
- Fuzz Directories: Directory and file fuzzing
- Export Results: Save fuzzing results
- Send to Intruder: Export results to Burp Intruder
- Date Range: Configure from/to years for historical search
- Limit: Set maximum results to retrieve
- Discover: Query Wayback Machine for historical endpoints
- Send to Recon: Import discovered endpoints to Recon tab
- Export Results: Save discovered endpoints
-
BOLA (Broken Object Level Authorization)
- Tests ALL authenticated endpoints
- Horizontal/vertical privilege escalation
- Token manipulation, batch requests
-
IDOR (Insecure Direct Object Reference)
- ID enumeration (numeric, UUID, ObjectID)
- Wildcard injection, encoding bypass
- Parameter pollution
-
SQL Injection
- Boolean-based, union-based, time-based blind
- Error-based, stacked queries
- 38+ payloads
-
XSS (Cross-Site Scripting)
- Reflected parameter exploitation
- Context breaking, polyglot payloads
- Event handlers, template injection
-
NoSQL Injection
- MongoDB operators ($gt, $ne, $regex)
- Array notation, where clause injection
-
JWT Exploitation
- Algorithm confusion (alg:none)
- kid injection, claim manipulation
-
GraphQL Abuse
- Introspection, batching, depth attacks
- Alias abuse, mutation injection
-
SSTI (Server-Side Template Injection)
- Jinja2, Freemarker, Velocity
- RCE payloads
-
Race Conditions
- TOCTOU exploitation
- Parallel request techniques
-
Business Logic
- Price/quantity manipulation
- Workflow bypass
-
WAF Bypass
- Header injection (X-Forwarded-For, X-Original-URL)
- Encoding bypass (URL, Unicode, Hex, HTML entities)
- HTTP method override (X-HTTP-Method-Override)
- Path manipulation (dot encoding, null bytes, semicolons)
- Content-Type manipulation
- Protocol smuggling (CL.TE, TE.CL)
-
Path Traversal
- Directory traversal payloads
- Encoded path manipulation
- Null byte injection
-
SSRF (Server-Side Request Forgery)
- Internal IP targeting
- Cloud metadata access
- DNS rebinding
-
XXE (XML External Entity)
- File disclosure
- SSRF via XXE
- Denial of Service
-
Deserialization
- Java deserialization
- PHP object injection
- Python pickle exploitation
{
"metadata": {
"timestamp": "20240115_143022",
"total_endpoints": 15,
"total_requests": 47
},
"endpoints": [
{
"endpoint": "GET:/api/users/{id}",
"method": "GET",
"normalized_path": "/api/users/{id}",
"host": "api.example.com",
"sample_count": 3,
"parameters": {
"url": ["id"],
"body": [],
"cookie": ["session"],
"json": []
},
"auth_methods": ["Bearer Token"],
"response_codes": [200, 404],
"content_types": ["application/json"],
"api_patterns": ["REST API", "JSON API", "CRUD: GET"],
"sample_requests": [...]
}
],
"api_structure": {
"api_types": ["REST API", "JSON API"],
"http_methods": ["GET", "POST", "PUT", "DELETE"],
"auth_methods": ["Bearer Token", "API Key"],
"base_paths": ["/api/", "/v1/"]
},
"security_observations": [
{
"type": "Potential IDOR/BOLA",
"severity": "Critical",
"count": 5,
"examples": ["GET:/api/users/{id}", "GET:/api/orders/{id}"],
"recommendation": "Implement object-level authorization checks"
},
{
"type": "Unauthenticated Endpoints",
"severity": "High",
"count": 3,
"examples": ["GET:/api/health", "GET:/api/version"]
},
{
"type": "Weak Encryption (Base64)",
"severity": "High",
"count": 2,
"examples": [{"endpoint": "POST:/api/auth", "types": ["Base64"]}],
"recommendation": "Use proper encryption (AES-256, TLS 1.3)"
}
],
"llm_prompt": "# API Red Team Extension Generation\n\n..."
}- HTTP method and normalized path
- Host, protocol, port
- Query string and all parameter types (URL, body, cookie, JSON)
- Request/response headers
- Request/response bodies (truncated to 5KB)
- Response status codes
- Content types
- Authentication methods detected
- API patterns (REST, GraphQL, SOAP, etc.)
- API structure overview (types, methods, auth, base paths)
- Security observations (unauth endpoints, sensitive data)
- Endpoint grouping and deduplication
- Sample requests for each endpoint
The export includes a pre-formatted prompt instructing the LLM to:
- Analyze API structure and patterns
- Identify attack vectors (BOLA, Mass Assignment, Rate Limiting, etc.)
- Generate a custom Burp extension implementing:
- IScannerCheck for automated testing
- Passive and active scan methods
- Tailored payloads for detected patterns
- Clear reporting with severity ratings
# 1. Capture API traffic in Burp
# 2. Generate fuzzing attacks (Fuzzer tab β Generate)
# 3. Click "AI Payloads" button
# 4. Feed ai_context.json to ChatGPT/Claude:
"Analyze these API endpoints and generate 50 custom payloads for each
vulnerability type. Focus on:
- Context-aware SQLi based on parameter names
- IDOR payloads matching observed ID patterns
- XSS payloads for detected reflection points
- JWT manipulation for the specific auth mechanism"# 1. Generate fuzzing attacks
# 2. Click "Turbo Intruder" button
# 3. In Burp: Extensions β Turbo Intruder
# 4. Right-click target request β Send to Turbo Intruder
# 5. Load race_condition.py script
# 6. Execute for 50 parallel requests# 1. Generate fuzzing attacks
# 2. Click "Send to Intruder"
# 3. Burp Intruder opens with §markers§ pre-configured
# 4. Load payloads from exported payloads.json
# 5. Launch attack~/burp_APIRecon/
βββ FullExport_TIMESTAMP/
β βββ api_analysis.json
βββ HostExport_HOSTNAME_TIMESTAMP/
β βββ api_analysis.json
βββ Payloads_TIMESTAMP/
β βββ payloads.json (idor, sqli, xss, nosqli, ssrf, xxe, ssti, deserialization, waf_bypass)
βββ AI_Context_TIMESTAMP/
β βββ ai_context.json (structured data for AI payload generation)
βββ TurboIntruder_TIMESTAMP/
β βββ race_condition.py
β βββ bola_enum.py
β βββ jwt_brute.py
βββ VersionScan_Export_TIMESTAMP/
β βββ version_scan.txt
βββ ParamMiner_Export_TIMESTAMP/
β βββ param_mining.txt
βββ NucleiTargets_TIMESTAMP/
βββ targets.txt
- Capture Authenticated Traffic: Login first to capture protected endpoints
- Exercise All Features: Click through entire application for complete coverage
- Use Multiple Roles: Capture traffic as admin, user, guest for BOLA detection
- Review Statistics: Check Critical/High/Medium counts in stats panel
- Start with "All": Generate comprehensive attack campaign first
- Focus on High-Risk: Filter by severity for critical endpoints
- Verify Detections: Review generated attacks before sending to Intruder
- Batch Testing: Use Turbo Intruder for race conditions and high-speed enumeration
- Export Context Early: Generate AI context after initial capture
- Iterate Payloads: Use AI-generated payloads, test, refine prompt
- Combine Techniques: Merge AI payloads with built-in payload library
- Nuclei Integration: Run Nuclei for quick vulnerability validation
- Export Targets: Use target lists with ffuf, wfuzz, or custom scripts
- CI/CD Integration: Automate exports for regression testing
- Normalization: Replaces numeric IDs, UUIDs, ObjectIDs with placeholders
- Deduplication: Tracks unique endpoints by method + normalized path
- Truncation: Bodies limited to 5KB, samples limited to 3 per endpoint
- Auth Detection: Identifies Bearer, Basic, API Key, Session Cookie
- Pattern Matching: Regex-based detection for REST, GraphQL, SOAP
- Does not capture WebSocket traffic
- Binary responses not fully analyzed
- Large responses truncated (5KB limit)
- Requires Jython (Python 2.7 syntax)
- API Penetration Testing: Comprehensive fuzzing with 108+ attack vectors
- Bug Bounty Hunting: Automated BOLA/IDOR detection and exploitation
- Mobile API Testing: Integrated with RedTeamToolkitForAndroid for complete mobile app security assessment
- Security Research: Advanced attack techniques (race conditions, JWT, GraphQL)
- Red Team Operations: Turbo Intruder scripts for high-speed attacks
- AI-Assisted Testing: Generate custom payloads with ChatGPT/Claude
- CI/CD Security: Export targets for automated regression testing
- Training & Education: Learn API vulnerabilities through real-world examples
Perfect integration with RedTeamToolkitForAndroid for comprehensive mobile app security:
- Capture Android app API traffic via Burp proxy with SSL bypass
- Generate 108+ mobile-specific attack vectors (BOLA, JWT, GraphQL, Race Conditions)
- AI-orchestrated testing with 22+ MCP servers
- Complete workflow: Frida hooks β Traffic capture β Fuzzing β Exploitation β Reporting
Quick Start: Mobile API Integration Guide | Quick Reference
- Complete Documentation Index
- Workflow Guide
- Workflow Diagram
- Mobile API Integration
- Mobile Quick Start
- Logger++ Tags Reference
Q: Does this work with Burp Suite Community Edition?
A: Yes! All core features work with both Community and Professional editions. However, some advanced Burp features like Scanner integration require Pro.
Q: Why is the extension not capturing traffic?
A: Check that:
- Auto-Capture toggle is enabled in the Recon tab
- You're browsing through Burp's proxy
- The target is sending HTTP/HTTPS traffic (WebSockets not supported)
- Check the Activity Log for any error messages
Q: How do I install Jython?
A: Download Jython Standalone JAR from https://www.jython.org/download, then in Burp: Extender β Options β Python Environment β Select File β Choose the jython-standalone-*.jar file.
Q: How many endpoints can it handle?
A: The extension efficiently handles 500+ endpoints with automatic rotation when the limit (800) is reached. Older endpoints are automatically removed.
Q: Why are responses truncated to 5KB?
A: To prevent memory issues with large responses. This is sufficient for security analysis while maintaining performance.
Q: Can I increase the sample limit per endpoint?
A: Yes, use the "Samples" dropdown in the Recon tab (1, 3, 5, or 10 samples per endpoint).
Q: Why am I not seeing any BOLA/Auth Bypass attacks?
A: These attacks require authenticated endpoints. Make sure to:
- Login to the application first
- Capture traffic while authenticated
- Look for endpoints with Bearer tokens, API keys, or session cookies
Q: How do I use the generated attacks?
A: Three ways:
- Burp Intruder: Click "Send to Intruder" for automated testing
- Turbo Intruder: Export scripts for high-speed attacks
- Manual: Use "Copy as cURL" for command-line testing
Q: What's the difference between "All" and specific attack types?
A: "All" generates comprehensive attacks across all vulnerability types. Specific types (e.g., "SQLi") focus only on that vulnerability class for targeted testing.
Q: Do I need to install Nuclei/HTTPX/Katana/FFUF?
A: Only if you want to use those specific tabs. The core extension works without them. Install from:
- Nuclei: https://github.com/projectdiscovery/nuclei
- HTTPX: https://github.com/projectdiscovery/httpx
- Katana: https://github.com/projectdiscovery/katana
- FFUF: https://github.com/ffuf/ffuf
Q: Where should I install these tools?
A: Default paths:
~/go/bin/nuclei~/go/bin/httpx~/go/bin/katana~/go/bin/ffuf
Or configure custom paths in each tab.
Q: Where are exported files saved?
A: All exports go to ~/burp_APIRecon/ with timestamped subdirectories. Check the Activity Log for exact paths.
Q: How do I use the AI Context export?
A:
- Generate fuzzing attacks in the Fuzzer tab
- Click "AI Payloads" button
- Feed the exported
ai_context.jsonto ChatGPT/Claude - Ask it to generate custom payloads based on your API structure
Q: Can I import previously exported data?
A: Yes! Use the "Import" button in the Recon tab to load any previously exported api_analysis.json file.
Q: Extension loaded but not showing in tabs?
A: Check Burp's Extender β Extensions tab for errors. Common issues:
- Jython not configured correctly
- Python 2.7 syntax errors (extension uses Jython/Python 2.7)
- Insufficient memory (increase Burp's heap size)
Q: "No endpoints captured" message?
A: Ensure:
- You're actively browsing through Burp proxy
- Auto-Capture is enabled
- Target is making HTTP requests (not just loading static files)
- Check if endpoints are being filtered (images/fonts are auto-filtered)
Q: Nuclei/HTTPX scan hangs or times out?
A:
- Check tool is installed and path is correct
- Verify network connectivity to targets
- Large scans may take 5-10 minutes (max timeout: 10 minutes)
- Check Activity Log for detailed error messages
Q: Why are some endpoints marked as "Critical" or "High"?
A: Severity is based on:
- Critical: Debug/admin endpoints, unauthenticated IDOR/BOLA
- High: Authenticated IDOR/BOLA, sensitive data exposure, weak encryption
- Medium: Error responses, reflected parameters
- Info: Standard endpoints
Q: How do I test for race conditions?
A:
- Generate fuzzing attacks (Fuzzer tab)
- Click "Turbo Intruder" button
- Load the exported
race_condition.pyscript in Burp's Turbo Intruder - Configure for 50+ parallel requests
Q: Can I customize attack payloads?
A: Yes! Export payloads to JSON, modify them, then:
- Use in Burp Intruder manually
- Feed to AI for enhancement
- Create custom scripts with the payload library
Q: How do I compare two API versions?
A:
- Export API data from version 1 ("Export All")
- Clear data and capture version 2
- Export version 2
- Use Diff tab β Load both exports β Compare
Q: What's the best workflow for bug bounty hunting?
A:
- Capture authenticated traffic (all user roles)
- Review Critical/High severity endpoints first
- Generate "All" attacks in Fuzzer
- Focus on BOLA/IDOR endpoints
- Use Version Scanner to find legacy APIs
- Run Param Miner on high-value endpoints
- Export to Nuclei for automated validation
Q: Can I use this for mobile app testing?
A: Yes! Perfect for mobile API testing:
- Configure mobile device to use Burp proxy
- Install Burp CA certificate on device
- Use SSL pinning bypass (Frida, etc.)
- Capture app traffic automatically
- See Mobile API Integration Guide
Q: Does it work with RedTeamToolkitForAndroid?
A: Yes! They integrate seamlessly:
- RedTeamToolkitForAndroid handles SSL bypass and Frida hooks
- BurpAPISecuritySuite captures and analyzes the API traffic
- Complete workflow: Frida β Burp Proxy β API Analysis β Fuzzing
- Clean Jython Architecture: Modular design with testable core logic
- Smart Detection: Context-aware vulnerability identification
- Performance Optimized: Handles 500+ endpoints efficiently
- Cross-Platform: Works on Windows, macOS, Linux
- Extensible: Easy to add new attack types and payloads
- Professional UI: Color-coded severity, tabbed interface, real-time stats
Need custom security tools or API testing solutions? I build production-ready applications and security tools.
- TimeSeal (GitHub) - Cryptographic time-locked vault and dead man's switch with zero-trust encryption
- Ghost Chat - Secure P2P chat with WebRTC, no server storage, self-destruct timers
- BurpCopyIssues - Burp Suite extension for browsing, copying, and exporting scan findings
- BurpWpsScan - WordPress security scanner for Burp Suite with WPScan API integration
- Custom Security Tools - Burp extensions, API testing frameworks, automation scripts
- π Security Tool Development - Custom Burp extensions, penetration testing tools, automation frameworks
- π Web Application Development - Full-stack development with modern technologies
- π§ API Security Consulting - Architecture review, vulnerability assessment, remediation guidance
- π€ AI Integration - LLM-powered security tools, automated payload generation, intelligent fuzzing
Get in Touch: teycirbensoltane.tn | Available for freelance projects and consulting
Developed by Teycir Ben Soltane
MIT License - Free to use for authorized security testing and research purposes.
- β 15 attack types with 108+ vectors
- β BOLA-specific fuzzing for all authenticated endpoints
- β Auto-configured Burp Intruder export
- β AI context export for custom payload generation
- β Turbo Intruder script generation
- β Race condition detection and exploitation
- β JWT, GraphQL, SSTI, Deserialization attacks
- β Business logic testing (price/quantity manipulation)
- β WAF bypass techniques (header injection, encoding, method override)
- β Version scanner with presets
- β Parameter miner with smart detection
- β Diff comparison for API changes
- β External tool integration (Nuclei, HTTPX, Katana, FFUF, Wayback)
- β JWT automatic detection and security analysis
- β Pagination for large endpoint lists
- β cURL export for manual testing
- WebSocket traffic capture
- Real-time AI payload generation (OpenAI/Anthropic API)
- Success pattern detection (auto-verify exploits)
- OpenAPI/Swagger spec generation
- Collaborative data sharing
- Custom wordlist integration
- CVSS scoring for findings