Cyber Security News discovered “BurpGPT,” a new ChatGPT-powered vulnerability discovery tool that assists security researchers in detecting flaws that regular scanners may overlook.
BurpGPT, like PentestGPT (a ChatGPT-powered automated penetration testing tool), was designed with extensive vulnerability detection capabilities.
BurpGPT combines Burp Suite and OpenAI’s GPT to perform passive vulnerability scanning and traffic-based analysis.
BurpGPT sends web traffic to an OpenAI model specified by the user to find vulnerabilities in web applications, enabling extensive analysis within the passive scanner.
BurpGPT was created by Alexandre Teyar, a security researcher from the United Kingdom.
The plugin includes customisable prompts for personalised web traffic analysis that adapt to the needs of each user.
“Based on the user’s prompt and real-time data from Burp-issued requests, the plugin provides an automated security report that summarises potential security vulnerabilities.”
By employing AI and natural language processing, the add-on speeds up vulnerability assessment and gives security specialists a higher-level perspective of the scanned application or endpoint.
BurpGPT Installation
Before starting the installation, users need to install Gradle and complete its configuration.
Download BurpGPT:
git clone https://github.com/aress31/burpgpt
cd .\burpgpt\
Build the standalone jar:
./gradlew shadowJar
Load the BurpGPT Extension in Burp Suite:
- Go to Extension.
- Click on the Add button.
- Select the burpgpt-all jar file located in the .\lib\build\libs folder.
How to Use BurpGPT
Before starting to use BurpGPT, users are required to follow the steps given below:
- Enter a valid OpenAI API key.
- Select a model.
- Define the max prompt size. This field controls the maximum prompt length sent to OpenAI to avoid exceeding the maxTokens of GPT models (typically around 2048 for GPT-3).
- Adjust or create custom prompts according to your requirements.

Once configured as outlined above, the Burp passive scanner sends each request to the chosen OpenAI model via the OpenAI API for analysis, producing Informational-level severity findings based on the results, Alexandre said.
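Two points above deserve a closer look together: the max prompt size setting and the fact that captured traffic leaves the proxy for a third-party API. The following Python sketch is an added example, not BurpGPT's own code: it builds an analysis prompt from a constructed HTTP request, redacts credential-bearing headers before anything is sent, and keeps the prompt within a configured max prompt size. The prompt template, its {request} placeholder and the four-characters-per-token estimate are assumptions.

```python
# Constructed sample request, as Burp would hand captured traffic to an extension.
SAMPLE_REQUEST = (
    "GET /api/v1/account?id=42 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Authorization: Bearer constructed.jwt.value\r\n"
    "Cookie: session=0123456789abcdef\r\n"
    "Accept: application/json\r\n\r\n"
)

# Assumed prompt template with a {request} placeholder; BurpGPT's default prompt
# and placeholder names are not taken from the article and may differ.
PROMPT_TEMPLATE = (
    "Review the following HTTP request for potential security weaknesses "
    "and summarise them as a list:\n\n{request}"
)

# Headers whose values carry credentials and should not leave the proxy.
SENSITIVE_HEADERS = ("authorization", "cookie", "x-api-key")

# Assumed rough ratio for estimating tokens from characters (not OpenAI's tokenizer).
CHARS_PER_TOKEN = 4

def redact_headers(raw_request: str) -> str:
    """Replace the values of credential-bearing headers with a placeholder."""
    out = []
    for line in raw_request.split("\r\n"):
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            out.append(f"{name}: [REDACTED]")
        else:
            out.append(line)
    return "\r\n".join(out)

def estimate_tokens(text: str) -> int:
    """Estimate the token count of a prompt (rounded up)."""
    return (len(text) + CHARS_PER_TOKEN - 1) // CHARS_PER_TOKEN

def build_prompt(raw_request: str, max_prompt_size: int) -> str:
    """Build the analysis prompt, keeping it within max_prompt_size tokens.

    The template's instructions stay intact; only the embedded request is
    truncated, so an oversized request never pushes the prompt past the limit."""
    body = redact_headers(raw_request)
    overhead = len(PROMPT_TEMPLATE.format(request=""))
    budget = max_prompt_size * CHARS_PER_TOKEN - overhead
    if budget <= 0:
        raise ValueError("max prompt size leaves no room for the request")
    return PROMPT_TEMPLATE.format(request=body[:budget])
```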
