Bounty Prompt: AI-Powered Burp Suite extension

Introduction
Bounty Prompt is an open source Burp Suite extension developed by Bounty Security. Leveraging advanced AI technology through Burp AI, this tool enables you to generate intelligent prompts for security testing by analyzing selected HTTP requests and responses within Burp Suite.
What is Bounty Prompt?
Bounty Prompt allows users to analyze selected HTTP requests and responses within Burp Suite, generating smart prompts that facilitate both automated and manual penetration testing workflows. The extension supports a range of HTTP tags, each of which automatically inserts a specific part of the selected HTTP traffic—such as headers, parameters, bodies, or cookies—into the prompt.
Installation and Configuration
To start using Bounty Prompt, you need to:
- Install the extension in Burp Suite Pro Early Adopter, ensuring it is compatible with Burp AI.
- Load the extension in Burp Suite by navigating to Extender > Extensions, then add the compiled JAR file (or the directory containing your compiled classes).
- Set the prompts directory in the configuration tab.
- Enable the "Use AI" option within the extension.
Key Features
- AI-Driven Prompt Generation: Automatically generate customized security testing prompts by analyzing HTTP requests and responses.
- Advanced HTTP Tag Support: Use predefined tags such as [HTTP_Requests], [HTTP_Requests_Headers], [HTTP_Requests_Parameters], [HTTP_Request_Body], [HTTP_Responses], [HTTP_Response_Headers], [HTTP_Response_Body], [HTTP_Status_Code], and [HTTP_Cookies] to include specific HTTP data in your prompts.
- Issue Creation Integration: Seamlessly create issues in Burp Suite with detailed, AI-generated descriptions, along with dynamic severity and confidence settings.
- Flexible Configuration: Customize prompts with fields like Title, Author, Output Type, Severity, and Confidence through an intuitive graphical interface.
- User-Friendly Interface: Easily trigger prompt generation via a context menu, streamlining the process of selecting and analyzing HTTP messages.
- Robust Error Handling: Receive clear notifications and error messages during prompt generation and issue creation, ensuring a smooth user experience.
- Powered by Burp AI: Utilizes the latest Burp AI technology to deliver accurate and effective security analysis.
Usage and Prompt Examples
The extension allows you to configure prompts that include the following fields:
- Title: The title of the prompt.
- Author: Your identifier (e.g., @bountysecurity).
- Output Type: Choose between Issue or Prompt Output.
- Severity: For issues, options include Information, Low, Medium, and High.
- Confidence: For issues, options include Certain, Firm, and Tentative.
- System Prompt: Instructions that define the AI’s role (for example, "You are a web security expert specializing in SQL injection analysis...").
- User Prompt: The question or task for the AI, which can include supported HTTP tags.
Some example prompts include:
- SQL Injection & Other Attack Parameters Issue: Analyze HTTP request parameters to identify vulnerabilities such as SQL injection, XSS, and more.
- Sensitive Information Disclosure Issue: Detect accidental exposure of sensitive information in HTTP responses.
- Malicious Input Reflection Analysis: Examine HTTP responses to identify unsafely reflected user input.
- Information Disclosure in Headers: Check HTTP headers for sensitive information like server versions or internal IP addresses.
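To show how the HTTP tags listed above resolve before a prompt reaches the model, here is an added Python example that is not the extension's own code (the extension itself is a Java JAR): the tag names are the ones this page documents, while the message parsing, the single-pass substitution and the constructed sample traffic are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Tag names are the ones the extension documents; how they resolve here is an
# assumption made for this added example, not the extension's own code.
TAG_RE = re.compile(r"\[HTTP_(?:Requests(?:_Headers|_Parameters)?|Request_Body|"
                    r"Responses|Response_(?:Headers|Body)|Status_Code|Cookies)\]")

# Constructed sample traffic, not captured from any real system.
SAMPLE_REQUEST = ("POST /login?next=%2Fhome HTTP/1.1\r\nHost: example.test\r\n"
                  "Cookie: session=abc123; theme=dark\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  "user=alice&pass=secret")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.1\r\n"
                   "Content-Type: text/html\r\n\r\n<p>Welcome alice</p>")

def parse_message(raw):
    # Split a raw HTTP message into (start line, [(name, value)], body).
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    return start, [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines)], body

def header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), "")

def tag_values(raw_request, raw_response):
    # Compute the text each supported tag expands to for one request/response pair.
    req_line, req_hdrs, req_body = parse_message(raw_request)
    status_line, resp_hdrs, resp_body = parse_message(raw_response)
    params = parse_qsl(urlsplit(req_line.split(" ")[1]).query, keep_blank_values=True)
    if "x-www-form-urlencoded" in header(req_hdrs, "Content-Type"):
        params += parse_qsl(req_body, keep_blank_values=True)   # form body parameters
    join = lambda pairs, sep: "\n".join(f"{k}{sep}{v}" for k, v in pairs)
    return {
        "[HTTP_Requests]": raw_request,
        "[HTTP_Requests_Headers]": join(req_hdrs, ": "),
        "[HTTP_Requests_Parameters]": join(params, "="),
        "[HTTP_Request_Body]": req_body,
        "[HTTP_Responses]": raw_response,
        "[HTTP_Response_Headers]": join(resp_hdrs, ": "),
        "[HTTP_Response_Body]": resp_body,
        "[HTTP_Status_Code]": status_line.split(" ")[1],
        "[HTTP_Cookies]": header(req_hdrs, "Cookie"),
    }

def expand_prompt(template, raw_request, raw_response):
    # One regex pass: tag-like text inside the (untrusted) traffic is inserted
    # literally and never expanded again, so a response body cannot pull in more data.
    values = tag_values(raw_request, raw_response)
    return TAG_RE.sub(lambda m: values[m.group(0)], template)
```

Because the substituted traffic is attacker-controlled input to the model, the single-pass expansion matters: a server that echoes `[HTTP_Cookies]` in its body gets that string inserted as text, not resolved into the session cookie.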
Contributing and License
Bounty Prompt is an open source project licensed under the MIT License. Contributions are welcome—feel free to fork the repository, submit pull requests, or open issues if you have suggestions, find bugs, or want to help improve the extension.
Useful Links
For more information, to download the extension, or to contribute to its development, please visit the official GitHub repository:
You can also learn more about Bounty Security on their website: https://bountysecurity.ai