Cyber Security News came across a new ChatGPT-powered Vulnerability detection Tool called “BurpGPT,” which helps security researchers to detect the vulnerabilities that traditional scanners might miss.
Like PentestGPT, a ChatGPT Powered Automated Penetration Testing Tool, BurpGPT was developed with deep vulnerability scanning features.
BurpGPT combines Burp Suite with OpenAI’s GPT to perform a passive scan to detect vulnerabilities and traffic-based analysis.
To detect the vulnerabilities in web applications, BurpGPT sends web traffic to an OpenAI model Specified by the user, enabling sophisticated analysis within the passive scanner.
Alexandre Teyar, a security researcher from the UK, developed BurpGPT. The plugin provides customizable prompts allowing customized web traffic analysis that adapts to each user’s demands.
“The extension generates an automated security report that summarises potential security issues based on the user’s
prompt and real-time data from
Burp-issued requests.”Alexandre said.
The add-on accelerates vulnerability assessment and gives security experts a higher-level overview of the scanned application or endpoint by utilizing AI and natural language processing.
Here the some of the features that come with BurpGPT.
- Adds a
passive scan check, allowing users to submit
HTTPdata to an
GPT modelfor analysis through a
- Leverages the power of
OpenAI's GPT modelsto conduct comprehensive traffic analysis, enabling the detection of various issues beyond just security vulnerabilities in scanned applications.
- Enables granular control over the number of
GPT tokensused in the analysis by allowing for precise adjustments of the
maximum prompt length.
- Offers users multiple
OpenAI modelschoices, allowing them to select the one that best suits their needs.
- Empowers users to customize
promptsand unleash limitless possibilities for interacting with
OpenAI models. Browse through the Example Use Cases for inspiration.
- Integrates with
Burp Suite, providing all native features for pre-and post-processing, including displaying analysis results directly within the Burp UI for efficient analysis.
- Provides troubleshooting functionality via the native
Burp Event Log, enabling users to resolve communication issues quickly
Before starting the installation process, users need to install Gradle and complete the configuration.
git clone https://github.com/aress31/burpgpt cd .\burpgpt\
Build the standalone
Load the BurpGPT Extension in Burp Suite:
- Go to Extension
- click on the
- select the
burpgpt-alljar file located in the
How to Use BurpGPT
Before start using the BurpGPT, users required to follow the steps given below
- Enter a valid
OpenAI API key.
- Select a
- Define the
max prompt size. This field controls the maximum
promptlength sent to
OpenAIto avoid exceeding the
GPTmodels (typically around
- Adjust or create custom prompts according to your requirements.
Once configured as outlined above, the
Burp passive scanner sends each request to the chosen
OpenAI model via the
OpenAI API for analysis, producing
Informational-level severity findings based on the results, Alexandre said.
Here the same prompt that BurpGPT enables users to tailor the
prompt for traffic analysis using a
||The scanned request.|
||The URL of the scanned request.|
||The HTTP request method used in the scanned request.|
||The headers of the scanned request.|
||The body of the scanned request.|
||The scanned response.|
||The headers of the scanned response.|
||The body of the scanned response.|
Sample Vulnerabilities Analysis by BurpGPT
Analyse the request and response data for potential security vulnerabilities related to the biometric authentication process: Web Application URL: URL Biometric Authentication Request Headers: REQUEST_HEADERS Biometric Authentication Response Headers: RESPONSE_HEADERS Biometric Authentication Request Body: REQUEST_BODY Biometric Authentication Response Body: RESPONSE_BODY Identify any potential vulnerabilities related to the biometric authentication process in the request and response data and report them.
Struggling to Apply The Security Patch in Your System? –
Try All-in-One Patch Manager Plus