Verizon Burp Extensions: Powering AI Security Testing with Jython Tools

This repository contains a suite of Burp Suite extensions developed in Jython, designed to enhance the capabilities of penetration testers and security researchers when interacting with AI applications and performing prompt-based security testing. The extensions are supported by a backend API for processing, augmentation, and analysis tasks.

Extensions Included

  1. Prompt Augmenter Payload Processor
    Generates prompt augmentations based on user requirements. Integrates with Intruder payload processor and payload generator.

  2. Automated Conversations
    Facilitates conversational testing with LLMs, allowing users to interact dynamically while evaluating success criteria and managing context. Supports model-to-model attacks.

  3. Bulk Analyze HTTP Transactions
    Analyzes HTTP transactions (request/response pairs) for detailed security analysis and threat detection. Chat with the built-in chatbot regarding the transactions on your screen.

  4. Analyze and Score
    Provides analysis, scoring, benchmarking, and export functionalities for HTTP requests and responses processed through Burp Suite.

Features

Common Features

  • Context Menu Integration: Right-click context menu options to send requests to each extension quickly.
  • Custom Burp Tabs: Each extension adds a dedicated tab to Burp Suite for interactive use.
  • Backend API Integration: All extensions communicate with a local backend API for processing and augmenting data.

Specific Features

Prompt Augmenter Payload Processor

  • Intruder Payload Processor: Automatically augment payloads for Burp Intruder attacks.
  • Intruder Payload Generator: After generating a number of augments in the custom tab, send them over to Intruder to use in your attack.
  • Custom Tab: UI for configuring augmentation settings and submitting prompts.

Automated Conversations

  • Interactive Conversations: Conduct multi-turn interactions with LLMs.
  • Objective-Based Testing: Set objectives and receive feedback on whether success criteria are met.
  • Compression: Compresses conversation history to stay within token limits.
  • Logging: View detailed logs of each conversation step.

Bulk Analyze HTTP Transactions

  • Threat Analysis: Analyze HTTP transactions for potential threats.
  • Detailed Results: Display detailed analyses and threat levels for each transaction.
  • Chat About Your Transactions: Expand the right-hand chatbox to ask questions about one or more of the transactions you have loaded in the tab.

Analyze and Score

  • Scoring and Benchmarking: Score requests/responses and run benchmarks to evaluate chatbot interactions.
  • Export Functionality: Export results in CSV, Excel, or Parquet formats.
  • Suggested Next Moves: Built-in buttons support querying for probable next steps in the evaluation process.

Install