- About The Project
- Extensions Included
- Features
- Getting Started
- Usage
- Roadmap
- Contributing
- License
- Contact
- Credits
- Acknowledgements
This repository contains a suite of Burp Suite extensions developed in Jython, designed to enhance the capabilities of penetration testers and security researchers when interacting with AI applications and performing prompt-based security testing. The extensions are supported by a backend API for processing, augmentation, and analysis tasks.
-
Prompt Augmenter Payload Processor
Generates prompt augmentations based on user requirements. Integrates with Intruder payload processor and payload generator. -
Automated Conversations
Facilitates conversational testing with LLMs, allowing users to interact dynamically while evaluating success criteria and managing context. Supports model to model attacks. -
Bulk Analyze HTTP Transactions
Analyzes HTTP transactions (request/response pairs) for detailed security analysis and threat detection. Chat with the built-in chatbot regarding the transactions on your screen. -
Analyze and Score
Provides analysis, scoring, benchmarking, and export functionalities for HTTP requests and responses processed through Burp Suite.
- Context Menu Integration: Right-click context menu options to send requests to each extension quickly.
- Custom Burp Tabs: Each extension adds a dedicated tab to Burp Suite for interactive use.
- Backend API Integration: All extensions communicate with a local backend API for processing and augmenting data.
- Intruder Payload Processor: Automatically augment payloads for Burp Intruder attacks.
- Intruder Payload Generator: After generating a number of augments in the custom tab, send them over to Intruder to use in your attack.
- Custom Tab: UI for configuring augmentation settings and submitting prompts.
- Interactive Conversations: Conduct multi-turn interactions with LLMs.
- Objective-Based Testing: Set objectives and receive feedback on whether success criteria are met.
- Compression: Compresses conversation history to maintain token limits.
- Logging: View detailed logs of each conversation step.
- Threat Analysis: Analyze HTTP transactions for potential threats.
- Detailed Results: Display detailed analyses and threat levels for each transaction.
- Chat About Your Transactions: Expand the right-hand chatbox to ask questions about one or multiple of the transactions you have loaded in the tab.
- Scoring and Benchmarking: Score requests/responses and run benchmarks to evaluate chatbot interactions.
- Export Functionality: Export results in CSV, Excel, or Parquet formats.
- Suggested Next Moves: Built-in buttons support querying for probable next steps in the evaluation process.
To get a local copy up and running follow these simple steps.
- Burp Suite (Professional or Community Edition)
- Python for the backend API
- Access to a model by one of these service providers: GCP, OpenAI, AzureOpenAI, Ollama
- Jython standalone JAR file for running Python extensions in Burp Suite
-
Clone the repo
git clone https://github.com/Verizon/verizon_burp_extensions_ai.git
-
Set up environment variables
- Replace the values in the
ai_attack_api/red_team_api/env.example
with your key value pairs - Note: You only need to specify values for the services you want to utilize
- Replace the values in the
-
Download and import Jython standalone JAR file:
- Go to the Jython Downloads Page
- Download the standalone Jython .jar file (e.g., jython-standalone-2.7.4.jar)
- Open Burp Suite
- Go to the Extensions tab in Burp Suite
- Under the Options tab, scroll down to the Python Environment section
- Click Select File, and choose the jython-standalone-2.7.4.jar file you downloaded
- Click Apply to load the Jython environment into Burp Suite
-
Load the Extensions:
- Go to Extender > Extensions
- Click Add
- Select each .py file and load them individually
-
Install dependencies (recommended to use python venv):
pip install -r requirements.txt
-
Navigate to the backend API folder in the repository:
cd /verizon_burp_extensions_ai/ai_attack_api/red_team_api
-
Run the backend server:
python start_server
-
The API will be available at http://localhost:8000.
-
Prompt Augmenter Payload Processor:
- Highlight a payload in Burp Suite
- Configure settings in the Prompt Augmenter Payload Processor tab and click Submit
- Optionally, send the prompts to Intruder to be used as Payloads
-
Automated Conversations:
- Select a request and send it to Automated Conversations
- Mark payload positions, set objectives, and start conversations
-
Bulk Analyze HTTP Transactions:
- In the Proxy tab, select requests and send them to Bulk Analyze HTTP Transactions for analysis
- Use any of the buttons at the bottom to extract information from a group of HTTP requests and responses
- Chat with a model of your choice given a highlighted transaction or transactions from the table
-
Analyze and Score:
- Send requests to Analyze and Score
- Analyze, score, and benchmark results
- Edit the HTTP request manually and Resend it to view results
See the open issues for a list of proposed features (and known issues).
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. For detailed contributing guidelines, please see CONTRIBUTING.md
Distributed under the MIT License. See LICENSE for more information.
Verizon AI Red Team [email protected]
- Verizon AI Red Team
- Samuel Cameron
- Jorge Orchilles
- Tim Schulz
- Heather Linn
- Executive Sponsor: Ali Jahangiri
This template was adapted from https://github.com/othneildrew/Best-README-Template.