---
name: deepseek-pentest-ai-burp-extension
description: AI-powered Burp Suite extension for automated payload generation and vulnerability testing using DeepSeek API
triggers:
- help me test web vulnerabilities with deepseek pentest ai
- how do i use the deepseek burp suite extension
- generate ai payloads for sql injection testing
- automate fuzzing with deepseek pentest ai
- analyze web app parameters with burp ai extension
- export vulnerability findings from deepseek pentest
- send custom prompts to deepseek for payload generation
- configure deepseek api key in burp suite
---
# DeepSeek Pentest AI Burp Extension
> Skill by [ara.so](https://ara.so) — Security Skills collection.
DeepSeek Pentest AI is a Burp Suite extension that combines generative AI with intelligent fuzzing to automate payload generation and vulnerability testing. It uses the DeepSeek API to generate context-aware attack payloads for SQL injection, XSS, command injection, path traversal, SSRF, RCE, SSTI, XXE, and more.
## What It Does
- **AI-Powered Payload Generation**: Creates advanced attack payloads using DeepSeek's language model
- **Automatic Parameter Detection**: Identifies parameters in GET, POST, JSON, XML, multipart, and custom headers
- **Smart Fuzzing**: Injects payloads, compares against baselines, scores severity and confidence
- **Real-Time Metrics**: Visualizes vulnerability types with integrated charts
- **Privacy-First**: Redacts hostnames and sanitizes sensitive data before sending to AI. The request structure, parameter names and remaining values still go to a third-party API, so check what leaves Burp against the engagement's data-handling rules before using it on client traffic
- **Export Results**: CSV export with full request/response history and evidence
- **Burp Integration**: Send findings directly to Repeater and Intruder
## Installation
### Prerequisites
- Burp Suite Pro or Community Edition
- Jython standalone JAR (for Python extensions)
- DeepSeek API key from https://platform.deepseek.com/
### Setup Steps
1. **Clone the repository**:
```bash
git clone https://github.com/HernanRodriguez1/DeepSeek-Pentest-AI.git
cd DeepSeek-Pentest-AI
```
2. **Configure Jython in Burp Suite**:
- Go to **Extender** → **Options** (in current Burp releases: **Settings** → **Extensions**)
- Under **Python Environment**, set the location of `jython-standalone.jar` (Jython 2.7.x; Burp runs Python extensions on Jython, which implements Python 2.7)
3. **Load the extension**:
- Go to **Extender** → **Extensions** → **Add** (in current releases: **Extensions** → **Installed** → **Add**)
- Extension type: **Python**
- Extension file: Select the `.py` file from the cloned repository
- Check the **Output** tab for the "Plugin initialized" message; a traceback in the **Errors** tab means the extension did not load
4. **Configure API Key**:
- Navigate to the **DeepSeek Pentest AI** tab in Burp
- Enter your DeepSeek API key. Treat it like any other credential: keep it in an environment variable rather than in project notes or screenshots
## Core Workflow
### 1. Capture a Request
Intercept a request in Burp Proxy or send one from Repeater to the extension.
### 2. Analyze & Generate Payloads
```python
# The extension automatically detects parameters from:
# - Query strings: ?id=123&category=books
# - POST body: username=admin&password=test
# - JSON: {"user": "admin", "role": "user"}
# - XML: <user><name>admin</name></user>
# - Multipart form data
# - Custom headers: X-Forwarded-For, User-Agent, etc.
```
In the UI:
- Select **Attack Type** (SQLi, XSS, Command Injection, etc.) or **CUSTOM PROMPT**
- Set **Number of Payloads** (default: 10)
- Set **Delay** between requests (milliseconds)
- Click **Analyze & Generate**
### 3. Start Fuzzing
Click **Start Pentesting** to inject payloads into detected parameters and analyze responses.
## Attack Types
The extension supports predefined attack strategies:
```python
attack_types = [
"SQL Injection",
"XSS (Cross-Site Scripting)",
"Command Injection",
"Path Traversal",
"LFI (Local File Inclusion)",
"SSRF (Server-Side Request Forgery)",
"RCE (Remote Code Execution)",
"SSTI (Server-Side Template Injection)",
"XXE (XML External Entity)",
"NoSQL Injection",
"GraphQL Injection",
"Open Redirect",
"CRLF Injection",
"CORS Misconfiguration",
"Host Header Injection",
"CUSTOM PROMPT"
]
```
## Custom Prompt Usage
For specialized payload generation:
```python
# Instead of selecting a predefined attack type,
# enter a custom instruction in the prompt field
# Example 1: WAF Bypass
custom_prompt = "Generate boolean-based SQLi payloads that bypass a WAF"
# Example 2: Specific Technology
custom_prompt = "Generate SSTI payloads for Jinja2 templates"
# Example 3: Chained Attacks
custom_prompt = "Create XSS payloads that also attempt DOM clobbering"
```
**Result**: The AI generates targeted payloads matching your exact requirements instead of generic patterns.
## Configuration
### API Key Management
Store your API key in an environment variable rather than in project files, and launch Burp from the shell where it is set so the variable is inherited:
```bash
# Linux/macOS
export DEEPSEEK_API_KEY="your_api_key_here"
# Windows
set DEEPSEEK_API_KEY=your_api_key_here
```
Reference in code (if extending):
```python
import os
api_key = os.getenv('DEEPSEEK_API_KEY')
```
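Putting the environment-variable key, the custom prompt from the previous section and the hostname redaction together, the following is an added example of a minimal DeepSeek client. It is not the extension's own code: it masks the host and credential-bearing headers before the request text goes into the prompt, asks the model for a JSON array, and parses the reply defensively (bare JSON, fenced JSON or a numbered list), so an unexpected reply format yields an empty list rather than an exception. The sample request, the placeholder `target.invalid`, the header list, the point of prefixing a system message and all function names are assumptions of this example; the endpoint and response shape are DeepSeek's OpenAI-compatible chat completions API.

```python
import json
import os
import re

try:
    from urllib.request import Request, urlopen  # CPython 3
except ImportError:                               # Jython 2.7 under Burp
    from urllib2 import Request, urlopen

DEEPSEEK_URL = "https://api.deepseek.com/chat/completions"
SECRET_HEADERS = ("authorization", "cookie", "x-api-key", "x-auth-token")  # masked before upload

# Constructed sample request for the example; not captured traffic.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.client-bank.example\r\n"
    "Cookie: session=9f3c2a7e\r\n"
    "Authorization: Bearer eyJhbGciOi.e30.sig\r\n"
    "Referer: https://app.client-bank.example/home\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=admin&password=test"
)


def redact(raw_request):
    """Mask the target hostname and credential-bearing headers so the model
    sees the request's shape but not who the client is or how to log in."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    host, lines = "", []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.lower() == "host":
            host = value.strip()
        if name.lower() in SECRET_HEADERS:
            line = name + ": [REDACTED]"
        lines.append(line)
    text = "\r\n".join(lines) + sep + body
    return text.replace(host, "target.invalid") if host else text


def build_messages(raw_request, attack_type, count=10, custom_prompt=None):
    """Chat messages that ask for exactly `count` payloads as a JSON array.
    A custom prompt replaces the predefined attack-type instruction."""
    task = custom_prompt or "Generate {} {} payloads for the parameters in this request.".format(count, attack_type)
    system = ("You are assisting an authorized penetration test. Reply with only a JSON "
              "array of strings, one payload per element, and no commentary.")
    user = "{}\n\nRequest:\n```\n{}\n```".format(task, redact(raw_request))
    return [{"role": "system", "content": system}, {"role": "user", "content": user}]


_FENCE = re.compile(r"```(?:json)?\s*(.*?)```", re.S)
_LIST_ITEM = re.compile(r"^\s*(?:\d+[.)]|[-*])\s*(.+?)\s*$", re.M)


def parse_payloads(reply, limit=10):
    """Extract payload strings from a model reply: a bare JSON array, a fenced
    JSON array, or a numbered/bulleted list. Dedupes and caps at `limit`.
    Anything unparseable yields [] so the caller can retry instead of crashing."""
    text = reply.strip()
    fenced = _FENCE.search(text)
    if fenced:
        text = fenced.group(1).strip()
    items = None
    try:
        data = json.loads(text)
        if isinstance(data, list):
            items = [str(x) for x in data]
    except ValueError:          # json.JSONDecodeError is a ValueError subclass
        pass
    if items is None:
        items = [s.strip("`") for s in _LIST_ITEM.findall(text)]
    seen, out = set(), []
    for p in items:
        if p and p not in seen:
            seen.add(p)
            out.append(p)
    return out[:limit]


def request_payloads(messages, api_key=None, model="deepseek-chat", timeout=60):
    """POST to DeepSeek's OpenAI-compatible chat completions endpoint and return the reply text.
    This is the only network call; it runs only when the script is executed with a key set."""
    key = api_key or os.getenv("DEEPSEEK_API_KEY")
    if not key:
        raise RuntimeError("DEEPSEEK_API_KEY is not set")
    body = json.dumps({"model": model, "messages": messages, "temperature": 0.7}).encode("utf-8")
    req = Request(DEEPSEEK_URL, data=body, headers={"Content-Type": "application/json",
                                                    "Authorization": "Bearer " + key})
    reply = json.loads(urlopen(req, timeout=timeout).read().decode("utf-8"))
    return reply["choices"][0]["message"]["content"]


if __name__ == "__main__":
    msgs = build_messages(SAMPLE_REQUEST, "SQL Injection", count=5)
    print(parse_payloads(request_payloads(msgs), limit=5))
```

Inspect `build_messages(...)[1]["content"]` before the first real call: that string is exactly what the API provider receives, so it is the place to verify the redaction matches what the engagement allows.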
### Payload Generation Settings
```python
# Number of payloads to generate per attack type
num_payloads = 10 # Adjustable: 5-50
# Delay between fuzzing requests (milliseconds)
delay_ms = 100 # Recommended: 100-1000 to avoid rate limits
# Heuristic scoring thresholds
confidence_threshold = 0.7 # 0.0-1.0
severity_levels = ["Low", "Medium", "High", "Critical"]
```
## Code Examples
### Example 1: Analyzing Generated Payloads
```python
# After clicking "Analyze & Generate", payloads appear in the AI Analysis tab
# Example output for SQL Injection:
payloads = [
"' OR '1'='1",
"' OR '1'='1'--",
"admin' --",
"' OR 1=1--",
"' UNION SELECT NULL--",
"1' AND '1'='1",
"' OR 'a'='a",
"1' ORDER BY 1--",
"' OR ''='",
"1' UNION SELECT username, password FROM users--"
]
# Each payload is tested against detected parameters
# Results include: request, response, status code, length, evidence
```
### Example 2: Parameter Detection
The extension identifies injectable parameters from the query string, the body (by content type) and selected headers:
```text
# Query string parameters
GET /search?q=test&category=all HTTP/1.1
# Detected: ['q', 'category']

# JSON body
POST /api/login HTTP/1.1
Content-Type: application/json

{"username": "admin", "password": "pass"}
# Detected: ['username', 'password']

# XML body
POST /api/user HTTP/1.1
Content-Type: application/xml

<user><id>123</id><role>admin</role></user>
# Detected: ['id', 'role']

# Custom headers (only when testing for header injection)
GET / HTTP/1.1
X-Forwarded-For: 127.0.0.1
User-Agent: Mozilla/5.0
# Detected: ['X-Forwarded-For', 'User-Agent']
```
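The detection shown above and the injection step behind **Start Pentesting** can be written as two small functions. The following is an added example, not code from the DeepSeek Pentest AI repository: `detect_parameters` walks a raw request and returns (location, name) pairs for query, form, JSON, XML and selected header injection points, and `inject_payload` writes one payload into one of them and returns the mutated request. The sample requests are constructed for the example; `INJECTABLE_HEADERS`, the dotted JSON path notation (`user.name`, `tags[1]`) and the function names are this example's own choices. It is written for CPython 3, with import shims so the same logic ports to Jython 2.7.

```python
import json
import re
import xml.etree.ElementTree as ET

try:
    from urllib.parse import parse_qsl, urlencode  # CPython 3
except ImportError:                                 # Jython 2.7 (Python 2 stdlib) under Burp
    from urlparse import parse_qsl
    from urllib import urlencode


def sample_request(request_line, ctype, body, extra_headers=""):
    """Build a constructed sample request (not captured traffic) for the example."""
    return "{}\r\nHost: target.invalid\r\n{}Content-Type: {}\r\n\r\n{}".format(request_line, extra_headers, ctype, body)


SAMPLE_FORM = sample_request("POST /login HTTP/1.1", "application/x-www-form-urlencoded",
                             "username=admin&password=test", "X-Forwarded-For: 127.0.0.1\r\n")
SAMPLE_JSON = sample_request("POST /api/login?debug=0 HTTP/1.1", "application/json",
                             '{"user": {"name": "admin"}, "role": "user", "tags": ["a", "b"]}')
SAMPLE_XML = sample_request("POST /api/user HTTP/1.1", "application/xml",
                            "<user><id>123</id><role>admin</role></user>")

# Headers treated as injection points (an assumption of this example); others are left alone.
INJECTABLE_HEADERS = ("X-Forwarded-For", "User-Agent", "Referer", "Host")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers, body


def json_leaves(node, prefix=""):
    """Yield a dotted/indexed path (user.name, tags[1]) for every scalar in a JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            for leaf in json_leaves(value, prefix + key + "."):
                yield leaf
    elif isinstance(node, list):
        for i, value in enumerate(node):
            for leaf in json_leaves(value, "{}[{}].".format(prefix.rstrip("."), i)):
                yield leaf
    else:
        yield prefix.rstrip(".")


def set_json_path(doc, path, value):
    """Assign `value` at a path produced by json_leaves and return the document."""
    keys = [int(k[1:-1]) if k.startswith("[") else k
            for k in re.findall(r"\[\d+\]|[^.\[\]]+", path)]
    node = doc
    for key in keys[:-1]:
        node = node[key]
    node[keys[-1]] = value
    return doc


def detect_parameters(raw):
    """Return (location, name) pairs for every injectable parameter in the request."""
    _method, path, headers, body = parse_request(raw)
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    found = [("query", k) for k, _ in parse_qsl(path.partition("?")[2], keep_blank_values=True)]
    if body and ctype == "application/x-www-form-urlencoded":
        found += [("body", k) for k, _ in parse_qsl(body, keep_blank_values=True)]
    elif body and ctype.endswith("json"):
        found += [("json", p) for p in json_leaves(json.loads(body))]
    elif body and ctype.endswith("xml"):
        root = ET.fromstring(body)  # parsing our own captured request, not untrusted input
        found += [("xml", el.tag) for el in root.iter() if el is not root and len(el) == 0]
    found += [("header", h) for h in INJECTABLE_HEADERS if h in headers]
    return found


def inject_payload(raw, location, name, payload):
    """Return a copy of the request with `payload` written into one detected parameter."""
    method, path, headers, body = parse_request(raw)
    if location == "query":
        base, _, query = path.partition("?")
        pairs = [(k, payload if k == name else v) for k, v in parse_qsl(query, keep_blank_values=True)]
        path = base + "?" + urlencode(pairs)          # payload is URL-encoded as it would be on the wire
    elif location == "body":
        pairs = [(k, payload if k == name else v) for k, v in parse_qsl(body, keep_blank_values=True)]
        body = urlencode(pairs)
    elif location == "json":
        body = json.dumps(set_json_path(json.loads(body), name, payload))
    elif location == "xml":
        root = ET.fromstring(body)
        for el in root.iter(name):
            el.text = payload   # the serialiser escapes < > &, so XXE payloads need raw string edits instead
        body = ET.tostring(root, encoding="unicode")
    elif location == "header":
        headers[name] = payload
    if "Content-Length" in headers:  # inside Burp, helpers.buildHttpMessage recomputes this for you
        headers["Content-Length"] = str(len(body.encode("utf-8")))
    head = "{} {} HTTP/1.1\r\n".format(method, path)
    head += "".join("{}: {}\r\n".format(k, v) for k, v in headers.items())
    return head + "\r\n" + body
```

Looping `detect_parameters` over a captured request and `inject_payload` over each (location, name) and each generated payload is the whole fuzzing loop; the delay and baseline comparison sit around that loop.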
### Example 3: Heuristic Scoring
```python
# Response analysis after payload injection. Illustrative heuristic written for
# Jython 2.7 (no f-strings); `baseline` and `test_response` both carry
# .status_code and .body as collected by the fuzzer.
from collections import namedtuple

Response = namedtuple("Response", "status_code body")

SQL_ERRORS = ["SQL syntax", "mysql_fetch", "ORA-", "PostgreSQL", "sqlite3"]


def score_response(baseline, test_response, payload):
    """
    Compares test response against baseline to detect anomalies.
    Returns (confidence 0.0-1.0, list of evidence strings).
    """
    score = 0.0
    evidence = []
    body = test_response.body.lower()
    # Check for SQL error messages
    for error in SQL_ERRORS:
        if error.lower() in body:
            score += 0.3
            evidence.append("SQL error detected: {}".format(error))
    # Check for XSS reflection (unencoded: an HTML-escaped copy does not match)
    if "<script>" in payload.lower() and payload in test_response.body:
        score += 0.4
        evidence.append("XSS payload reflected in response")
    # Check for status code changes
    if test_response.status_code != baseline.status_code:
        score += 0.1
        evidence.append("Status code changed: {} -> {}".format(
            baseline.status_code, test_response.status_code))
    # Check for response length anomalies
    if abs(len(test_response.body) - len(baseline.body)) > 500:
        score += 0.2
        evidence.append("Significant response length difference")
    return min(score, 1.0), evidence
```
### Example 4: Exporting Results
```python
# Export options available in the UI:
# 1. Export All Results
# Includes: all requests, responses, payloads, parameters tested
# 2. Export Only Vulnerabilities
# Filters: only entries with confidence >= threshold
# 3. Export With Evidence Only
# Filters: entries with non-empty evidence snippets
# CSV Format:
# Timestamp | URL | Parameter | Payload | Status | Length | Confidence | Severity | Evidence
```
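An added example of the export step, not the extension's own export code, implementing the three modes and the column layout above plus two things the Best Practices section asks for: credential-bearing header values copied into evidence are masked, and any payload beginning with `=`, `+`, `-`, `@` or a tab is prefixed with an apostrophe so that opening the CSV in Excel or LibreOffice does not evaluate it as a formula (a report full of injection payloads is exactly the file that triggers this). The result dictionaries, the sample rows and the `threshold` default of 0.7 (the confidence threshold from the Configuration section) are the example's assumptions.

```python
import csv
import io
import re

COLUMNS = ["Timestamp", "URL", "Parameter", "Payload", "Status", "Length",
           "Confidence", "Severity", "Evidence"]
# Header values that must not leave the tester's machine inside a report.
SECRET = re.compile(r"(?i)((?:Authorization|Cookie|Set-Cookie|X-Api-Key):\s*)([^\r\n]+)")

# Constructed sample results (not real findings); `evidence` is a list of strings.
RESULTS = [
    {"timestamp": "2024-01-01T12:00:00", "url": "https://target.invalid/login", "parameter": "username",
     "payload": "' OR '1'='1", "status": 302, "length": 0, "confidence": 0.9, "severity": "High",
     "evidence": ["status 200 -> 302", "Set-Cookie: session=9f3c2a7e; HttpOnly"]},
    {"timestamp": "2024-01-01T12:00:01", "url": "https://target.invalid/login", "parameter": "username",
     "payload": "=cmd|' /C calc'!A0", "status": 200, "length": 1834, "confidence": 0.1, "severity": "Low",
     "evidence": []},
    {"timestamp": "2024-01-01T12:00:02", "url": "https://target.invalid/login", "parameter": "password",
     "payload": "-1 OR 1=1--", "status": 200, "length": 1820, "confidence": 0.75, "severity": "Medium",
     "evidence": ["length delta 120 exceeds jitter 4"]},
]


def sanitize(text):
    """Mask credential-bearing header values that were copied into evidence."""
    return SECRET.sub(r"\1[REDACTED]", text)


def csv_safe(value):
    """Neutralise spreadsheet formula injection. A cell starting with = + - @ or a
    tab is evaluated by Excel/LibreOffice, so a payload such as =cmd|' /C calc'!A0
    in a report would run on the reader's machine. A leading apostrophe forces text."""
    text = str(value)
    return "'" + text if text and text[0] in "=+-@\t\r" else text


def filter_results(results, mode="all", threshold=0.7):
    """Apply one of the three export modes offered in the UI."""
    if mode == "vulnerabilities":
        return [r for r in results if r["confidence"] >= threshold]
    if mode == "evidence":
        return [r for r in results if r["evidence"]]
    return list(results)


def export_csv(results, mode="all", threshold=0.7):
    """Render the selected results as CSV text in the extension's column layout."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for r in filter_results(results, mode, threshold):
        writer.writerow([
            r["timestamp"], r["url"], r["parameter"], csv_safe(r["payload"]),
            r["status"], r["length"], "{:.2f}".format(r["confidence"]), r["severity"],
            csv_safe(sanitize("; ".join(r["evidence"]))),
        ])
    return buf.getvalue()


def read_rows(csv_text):
    """Parse exported CSV back into rows (used to check that the export round-trips)."""
    return list(csv.reader(io.StringIO(csv_text)))
```

The apostrophe prefix is visible in the cell but keeps the payload readable; if the report is consumed by a script rather than a spreadsheet, strip it again on import.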
## Common Patterns
### Pattern 1: Testing a Login Form
1. Capture POST request to `/login`
2. Extension detects `username` and `password` parameters
3. Select **SQL Injection** attack type
4. Generate 15 payloads
5. Start fuzzing with 200ms delay
6. Review results for authentication bypass evidence
### Pattern 2: Custom WAF Bypass
1. Capture request blocked by WAF
2. Select **CUSTOM PROMPT**
3. Enter: "Generate SQLi payloads using URL encoding and inline comments to bypass ModSecurity"
4. Generate payloads
5. Test manually in Repeater or auto-fuzz
### Pattern 3: API Testing
1. Capture JSON API request
2. Extension auto-detects JSON parameters
3. Select **NoSQL Injection** or **GraphQL Injection**
4. Review AI-generated payloads for API-specific attacks
5. Export findings with evidence
## Troubleshooting
### Extension Not Loading
```bash
# Check Extender → Output tab for errors
# Common issues:
# 1. Jython not configured correctly
# Solution: Download jython-standalone.jar and set path in Extender → Options
# 2. Python version mismatch
# Solution: Use Jython 2.7.x. Burp runs Python extensions on Jython, which implements Python 2.7,
# so Python 3 syntax (f-strings, type annotations) fails at load time
# 3. Missing dependencies
# Solution: Ensure all imports are available in Jython environment
```
### API Key Errors
```bash
# Error: "Invalid API Key" or "Authentication failed"
# Solutions:
# 1. Verify API key is correct from https://platform.deepseek.com/
# 2. Check for extra spaces or newlines in key field
# 3. Ensure API key has sufficient credits/quota
# 4. Test API key with curl:
curl https://api.deepseek.com/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $DEEPSEEK_API_KEY" \
-d '{
"model": "deepseek-chat",
"messages": [{"role": "user", "content": "test"}]
}'
```
### No Payloads Generated
```python
# Check AI Analysis tab for error messages
# Common causes:
# 1. API rate limit exceeded
# Solution: Increase delay between requests
# 2. Network connectivity issues
# Solution: Check proxy settings, firewall rules
# 3. Malformed request sent to AI
# Solution: Review extension logs, check parameter detection
# 4. AI returned unexpected format
# Solution: Try different attack type or custom prompt
```
### False Positives
```python
# High confidence scores but manual verification shows no vulnerability
# Mitigations:
# 1. Adjust heuristic thresholds in code
# 2. Review evidence snippets in Results tab
# 3. Send to Repeater for manual confirmation
# 4. Check baseline response accuracy
# 5. Add custom scoring rules for your target
```
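Most false positives come from comparing against a single baseline response on an endpoint that changes a little every time (clock, CSRF token, rotating banner). The following added example, not the extension's scoring code, shows the baseline handling the list above asks for: several unmodified responses are normalised and summarised (status, length range, how similar the endpoint is to itself), and a fuzzed response only earns points when it moves outside that noise. It also separates an unencoded reflection from an HTML-encoded one, which the simpler reflection check in Example 3 cannot. The `Response` type, the point weights, the regexes and the sample pages are the example's own assumptions.

```python
import difflib
import re
from collections import namedtuple

try:
    from html import escape      # CPython 3
except ImportError:              # Jython 2.7 under Burp
    from cgi import escape

Response = namedtuple("Response", "status body")

DB_ERROR = re.compile(r"SQL syntax|mysql_fetch|ORA-\d{5}|PostgreSQL|sqlite3|Unclosed quotation mark", re.I)
# Content that legitimately changes between identical requests: clock values and long hex tokens.
VOLATILE = re.compile(r"\b\d{2}:\d{2}:\d{2}\b|\b[0-9a-f]{16,}\b", re.I)


def normalize(body):
    """Strip per-request noise so only meaningful differences remain."""
    return VOLATILE.sub("", body)


def build_baseline(samples):
    """Summarise several responses to the *unmodified* request: the status, the
    length range and how similar the endpoint is to itself before any payload."""
    bodies = [normalize(r.body) for r in samples]
    sims = [difflib.SequenceMatcher(None, bodies[0], b).ratio() for b in bodies[1:]] or [1.0]
    lengths = [len(b) for b in bodies]
    return {"status": samples[0].status, "body": bodies[0], "self_sim": min(sims),
            "len_min": min(lengths), "len_max": max(lengths)}


def score_response(baseline, resp, payload, attack_type):
    """Score a fuzzed response in integer points (no float drift), scaled to
    0.0-1.0. Every point awarded is explained by an evidence string."""
    points, evidence = 0, []
    body = normalize(resp.body)
    err = DB_ERROR.search(body)
    if err and attack_type == "SQL Injection":
        points += 50
        evidence.append("DB error: " + err.group(0))
    if attack_type == "XSS":
        if payload in resp.body:
            points += 40
            evidence.append("payload reflected unencoded")
        elif escape(payload, quote=False) in resp.body:
            evidence.append("payload reflected HTML-encoded (likely safe)")
    if resp.status != baseline["status"]:
        points += 20
        evidence.append("status {} -> {}".format(baseline["status"], resp.status))
    sim = difflib.SequenceMatcher(None, baseline["body"], body).ratio()
    if sim < baseline["self_sim"] - 0.05:      # only changes beyond the endpoint's own noise count
        points += 30
        evidence.append("similarity {:.2f} below noise floor {:.2f}".format(sim, baseline["self_sim"]))
    jitter = baseline["len_max"] - baseline["len_min"]
    delta = abs(len(body) - len(baseline["body"]))
    if delta > 2 * jitter + 100:
        points += 20
        evidence.append("length delta {} exceeds jitter {}".format(delta, jitter))
    return min(points, 100) / 100.0, evidence


def sample_page(clock, token, extra=""):
    """Constructed HTML for the example; not a real target."""
    return ("<html><body><h1>Welcome</h1><p>Server time {}</p>"
            "<input type='hidden' name='csrf' value='{}'>{}</body></html>").format(clock, token, extra)


# Three responses to the same unmodified request; only the clock and CSRF token differ.
BASELINE = build_baseline([
    Response(200, sample_page("12:00:01", "a1b2c3d4e5f60718")),
    Response(200, sample_page("12:00:02", "0f1e2d3c4b5a6978")),
    Response(200, sample_page("12:00:03", "deadbeefcafef00d")),
])
```

With this baseline a benign response scores 0.0, a reflected but HTML-encoded `<script>` payload scores 0.3 with an evidence line saying so, and a 500 carrying a database error message saturates at 1.0; the noise floor means an endpoint that is only 85% similar to itself between identical requests is not flagged for an 85% similar fuzzed response.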
### Performance Issues
```bash
# Extension slows down Burp Suite
# Solutions:
# 1. Reduce number of payloads (5-10 instead of 20+)
# 2. Increase delay between requests (500-1000ms)
# 3. Disable real-time metrics if not needed
# 4. Clear request history periodically
# 5. Use "Export & Clear" to free memory
```
## Best Practices
1. **Always test on authorized targets only** — Never use against systems without explicit permission
2. **Start with baseline testing** — Let the extension capture a clean baseline response
3. **Review AI-generated payloads** — Not all payloads may be relevant to your target
4. **Use custom prompts for specific scenarios** — Generic attack types may miss edge cases
5. **Verify findings manually** — AI scoring is heuristic, confirm vulnerabilities in Repeater
6. **Export results regularly** — Prevents data loss and helps with reporting
7. **Monitor API usage** — DeepSeek API has rate limits and costs
8. **Sanitize exports** — Redact sensitive data before sharing CSV reports
## Integration with Burp Tools
### Send to Repeater
Right-click any request in **Pentest Live** tab → **Send to Repeater** for manual testing
### Send to Intruder
Right-click any request → **Send to Intruder** → Use AI-generated payloads as position values
### Scan Results
Cross-reference findings with Burp Scanner (Pro only) for comprehensive coverage
## Environment Variables
```bash
# Recommended environment setup
export DEEPSEEK_API_KEY="sk-..."
export BURP_PENTEST_DELAY=200
export BURP_PENTEST_PAYLOADS=10
export BURP_PENTEST_LOG_LEVEL=INFO
```
## Further Resources
- Project Repository: https://github.com/HernanRodriguez1/DeepSeek-Pentest-AI
- DeepSeek API Docs: https://platform.deepseek.com/docs
- Burp Extender API: https://portswigger.net/burp/extender/api/
- Author LinkedIn: https://www.linkedin.com/in/hernanrodriguez-/
Creator's repository · aradotso/security-skills