While doing penetration testing with Burp Suite, I often run into the following problem:
A single feature/action (login, checkout, profile update, file upload, etc.) can trigger many HTTP requests at once.
These requests may involve:
- token passing
- API chaining
- frontend state synchronization
- polling
- analytics/tracking
- risk-control logic
- encryption/signature generation
Looking at only one request usually makes it hard to understand the complete business logic.
So I’ve been thinking about building a Burp plugin with a workflow like this:
In Proxy → HTTP history, I select multiple requests related to the same feature, then simply right-click: “Send selected requests to AI for analysis”.
The AI could then:
- analyze relationships between requests
- identify core business APIs
- detect auth/risk-control/encryption-related requests
- infer parameter sources
- summarize the business flow
- suggest possible vulnerability points
Current implementation idea:
- Multi-select requests in HTTP History
- Extract request/response pairs
- Convert them into structured context
- Send to AI APIs (OpenAI / Claude / Gemini, etc.)
- Display analysis results directly inside Burp
I’d like to ask experienced people in the community:
- Has anyone already built something similar?
- Are there better approaches than manual multi-selection?
- Any good ideas for automatically grouping requests? (time window, Referer, initiator chain, path similarity, etc.)
- Any recommendations for Burp Montoya API architecture/design?
- Any prompt engineering or data-structure tips for AI-based “multi-request business flow analysis”?
If there are related plugins, open-source projects, articles, or research in this direction, I’d really appreciate recommendations.
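To make the implementation idea above concrete (multi-select in HTTP history, right-click, extract request/response pairs, build a structured context), here is an added Java sketch against the Burp Montoya API; it is not from the original post, and the class name, the redacted header list and the body cap are my own assumptions.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.core.ToolType;
import burp.api.montoya.http.message.*;
import burp.api.montoya.ui.contextmenu.*;
import javax.swing.JMenuItem;
import java.awt.Component;
import java.util.*;

public class AiFlowContextExtension implements BurpExtension, ContextMenuItemsProvider {
    // Hypothetical choices: headers whose values must not leave Burp, and a per-body size cap.
    private static final Set<String> SECRET_HEADERS = Set.of("authorization", "cookie", "set-cookie");
    private static final int MAX_BODY = 2000; // keeps each message within a sane token budget
    private MontoyaApi api;
    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        api.userInterface().registerContextMenuItemsProvider(this);
    }
    @Override
    public List<Component> provideMenuItems(ContextMenuEvent event) {
        List<HttpRequestResponse> selected = event.selectedRequestResponses();
        if (!event.isFromTool(ToolType.PROXY) || selected.isEmpty()) return List.of();
        JMenuItem item = new JMenuItem("Send selected requests to AI for analysis");
        // Transport to the model provider is out of scope; the context is logged for inspection.
        item.addActionListener(e -> api.logging().logToOutput(buildContext(selected)));
        return List.of(item);
    }
    // One block per pair, in selection order, so the model can reason about sequencing.
    static String buildContext(List<HttpRequestResponse> pairs) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < pairs.size(); i++) {
            var req = pairs.get(i).request();
            var resp = pairs.get(i).response(); // null for dropped or in-flight requests
            sb.append("### Request ").append(i + 1).append(": ").append(req.method()).append(' ').append(req.url()).append('\n');
            for (HttpHeader h : req.headers()) sb.append(redact(h)).append('\n');
            sb.append('\n').append(truncate(req.bodyToString())).append('\n');
            if (resp != null) sb.append("### Response ").append(i + 1).append(": status ").append(resp.statusCode())
                                .append('\n').append(truncate(resp.bodyToString())).append('\n');
        }
        return sb.toString();
    }
    // Session material never leaves Burp; the model only needs to know the header exists.
    static String redact(HttpHeader h) {
        return SECRET_HEADERS.contains(h.name().toLowerCase()) ? h.name() + ": [REDACTED]" : h.name() + ": " + h.value();
    }
    static String truncate(String body) {
        return body.length() > MAX_BODY ? body.substring(0, MAX_BODY) + "\n[...truncated]" : body;
    }
}
```

The redaction step is the part worth keeping whatever the rest looks like: the selected proxy history carries live session tokens and CSRF material, and everything in the built context is about to be posted to a third-party API.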