AI-Powered Passive Vulnerability Analysis for Burp Suite
Intelligent • Silent • Adaptive • Comprehensive
Getting Started • Documentation • Configuration • Upgrade to Pro
Note: This is the Community Edition. Commercial and Professional Editions with advanced features are available separately.
SILENTCHAIN AI™ - Community Edition is a Burp Suite extension that brings the power of artificial intelligence to web application security testing. Using advanced AI models, SILENTCHAIN performs intelligent passive analysis of HTTP traffic to identify OWASP Top 10 vulnerabilities, security misconfigurations, and potential attack vectors.
Traditional security scanners rely on predefined signatures and patterns. SILENTCHAIN AI™ goes beyond with:
- AI-Powered Analysis: leverages language models (Ollama, OpenAI, Claude, Gemini) for vulnerability detection
- Context-Aware Detection: reasons about application logic and business context rather than matching patterns alone
- Real-Time Scanning: analyzes traffic as it flows through Burp's proxy
- Professional Reporting: generates detailed findings with CWE and OWASP mappings and remediation guidance
- Reduced False Positives: AI validation cuts noise and focuses on likely real vulnerabilities; every finding carries a confidence level, and Tentative findings still need manual verification
- Community Edition: free passive analysis capabilities
- Real-time traffic analysis through Burp Proxy
- OWASP Top 10 vulnerability detection
- CWE-mapped security findings
- Intelligent confidence scoring
- Modern, intuitive dashboard
- Live findings panel with severity color-coding
- Task tracking and management
- Integrated console logging
- Ollama (Local, free, privacy-focused)
- OpenAI (GPT-4, GPT-3.5)
- Claude (Anthropic)
- Gemini (Google)
- Detailed vulnerability descriptions
- Affected parameters identification
- CWE and OWASP mappings
- Remediation recommendations
- Direct links to security resources
SILENTCHAIN AI™ detects a wide range of security issues including:
| Category | Vulnerabilities |
|---|---|
| Injection | SQL Injection, NoSQL Injection, Command Injection, LDAP Injection, XPath Injection |
| Cross-Site Scripting | Reflected XSS, Stored XSS, DOM-based XSS |
| Authentication | Broken Authentication, Session Management Issues, Credential Exposure |
| Access Control | IDOR, Broken Authorization, Privilege Escalation |
| Cryptography | Weak Encryption, Insecure SSL/TLS, Sensitive Data Exposure |
| Configuration | Security Misconfigurations, Default Credentials, Debug Enabled |
| XXE | XML External Entity Attacks |
| Deserialization | Insecure Deserialization |
| Components | Vulnerable Dependencies, Outdated Libraries |
- Burp Suite (Community or Professional)
- Java (required by Burp; the Burp installers bundle their own JRE)
- Jython standalone JAR (needed for Python extensions; it is not bundled with Burp, so download it separately and point Extender → Options → Python Environment at it)
- AI Provider (one of the following):
  - Ollama (free, local)
  - OpenAI API key
  - Claude API key
  - Gemini API key
From the BApp Store:
1. Open Burp Suite
2. Go to Extender → BApp Store (Extensions → BApp Store in current Burp releases)
3. Search for "SILENTCHAIN AI"
4. Click Install

Manual installation:
1. Download the Extension
   - Download `silentchain_ai_community.py` from this repository or the Burp Suite BApp Store
2. Load in Burp Suite
   - Open Burp Suite
   - Go to Extender → Extensions → Add
   - Set Extension type: Python (Jython must already be configured under Extender → Options → Python Environment)
   - Select the downloaded `silentchain_ai_community.py` file
   - Click Next
3. Configure AI Provider
   - Go to the SILENTCHAIN tab in Burp
   - Click Settings
   - Configure your AI provider (see Configuration)
   - Click Test Connection
   - Click Save
4. Start Scanning
   - Set your target scope in Burp (Target → Scope)
   - Browse the target application through Burp's proxy
   - SILENTCHAIN will automatically analyze in-scope traffic
   - View findings in the Findings panel and Burp's Issue Activity
- Cross-platform: Windows, macOS, Linux
- Burp Suite (Community or Professional)
- Jython (for Python extensions)
Ollama (free, local, no API keys required):
1. Install Ollama:
   ```
   # macOS/Linux
   curl -fsSL https://ollama.ai/install.sh | sh
   # Windows: download the installer from https://ollama.ai/download
   ```
   As with any `curl | sh` installer, download and read the script before running it; it executes with your privileges.
2. Pull a model:
   ```
   ollama pull deepseek-r1
   # or
   ollama pull llama3
   ```
3. Configure SILENTCHAIN:
   - Provider: Ollama
   - API URL: http://localhost:11434
   - Model: deepseek-r1:latest
OpenAI:
1. Get an API key from platform.openai.com
2. Configure SILENTCHAIN:
   - Provider: OpenAI
   - API URL: https://api.openai.com/v1
   - API Key: sk-...
   - Model: gpt-4 or gpt-3.5-turbo
Claude:
1. Get an API key from console.anthropic.com
2. Configure SILENTCHAIN:
   - Provider: Claude
   - API URL: https://api.anthropic.com/v1
   - API Key: your Anthropic API key
   - Model: claude-3-5-sonnet-20241022
Gemini:
1. Get an API key from makersuite.google.com
2. Configure SILENTCHAIN:
   - Provider: Gemini
   - API URL: https://generativelanguage.googleapis.com/v1
   - API Key: your Google API key
   - Model: gemini-1.5-pro
| Setting | Description | Default |
|---|---|---|
| AI Provider | AI service to use | Ollama |
| API URL | Provider endpoint | http://localhost:11434 |
| API Key | Authentication key | (empty for Ollama) |
| Model | AI model name | deepseek-r1:latest |
| Max Tokens | Response length limit | 2048 |
| Verbose Logging | Enable detailed logs | True |
- Traffic Interception: SILENTCHAIN monitors HTTP requests/responses through Burp Proxy
- Scope Filtering: Only analyzes in-scope targets (configure in Burp's Target Scope)
- AI Analysis: Sends request/response data to AI for security analysis
- Vulnerability Detection: AI identifies security issues based on OWASP Top 10 patterns
- Finding Generation: Creates detailed reports with severity, confidence, and remediation
- Deduplication: Prevents duplicate findings for the same URL/parameter combination
| Level | AI Confidence | Meaning |
|---|---|---|
| Certain | 90-100% | High confidence, verified vulnerability pattern |
| Firm | 75-89% | Strong indicators, likely vulnerable |
| Tentative | 50-74% | Potential issue, requires manual verification |
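The pipeline described in the steps above (scope filter, AI analysis, finding generation, deduplication) and the confidence table are easy to get subtly wrong: a finding raised twice for the same URL/parameter, or a reasoning model's preamble breaking the JSON parse. The following is an added illustration of that logic as a small Python module, written for this README; it is not SILENTCHAIN's own source. The confidence bands follow the table above, and the `force` flag plays the role of the right-click "Analyze Request" path that re-analyzes an already scanned URL. The scope prefix, the request key (method + host + path, query string dropped), the JSON reply shape, the dashboard counter names and the sample reply are all assumptions made for the example.

```python
import json

try:
    from urllib.parse import urlsplit   # Python 3
except ImportError:                      # Jython 2.7, which Burp's Python extensions run under
    from urlparse import urlsplit

# Burp Target -> Scope prefixes (assumed; the README's example scope is https://example.com/*).
SCOPE_PREFIXES = ("https://example.com/",)

# AI confidence percentage -> Burp confidence level, from the README's table.
CONFIDENCE_BANDS = ((90, "Certain"), (75, "Firm"), (50, "Tentative"))


def in_scope(url):
    return any(url.startswith(prefix) for prefix in SCOPE_PREFIXES)


def request_key(method, url):
    """Identity of a request for 'already analyzed' checks: method + host + path.
    The query string is dropped so /item?id=1 and /item?id=2 count as one (assumed rule)."""
    parts = urlsplit(url)
    return (method.upper(), parts.netloc.lower(), parts.path)


def finding_key(url, parameter):
    """Deduplication key for findings: the URL/parameter combination."""
    parts = urlsplit(url)
    return (parts.netloc.lower(), parts.path, parameter or "")


def burp_confidence(percent):
    """Map the model's 0-100 confidence onto Certain / Firm / Tentative; below 50 -> None."""
    for floor, level in CONFIDENCE_BANDS:
        if percent >= floor:
            return level
    return None


def extract_json(ai_text):
    """Reasoning models (deepseek-r1 emits <think>...</think>) and chatty models wrap
    the answer in prose; take the outermost {...} and parse only that."""
    start, end = ai_text.find("{"), ai_text.rfind("}")
    if start < 0 or end <= start:
        raise ValueError("no JSON object in model output")
    return json.loads(ai_text[start:end + 1])


class PassiveAnalyzer(object):
    """Per-session state behind the dashboard counters and the findings panel."""

    def __init__(self):
        self.analyzed = set()        # request keys already sent to the model
        self.seen_findings = set()   # finding keys already reported
        self.findings = []
        self.stats = {"total": 0, "analyzed": 0, "skipped_duplicate": 0,
                      "findings_created": 0, "errors": 0}

    def process(self, method, url, ai_text, force=False):
        """ai_text stands in for the provider's reply about one request/response pair
        (a real extension would call the model here). force=True bypasses the
        already-analyzed check. Returns the findings created by this call."""
        if not in_scope(url):
            return []                # out-of-scope traffic is never counted (assumed)
        self.stats["total"] += 1
        rkey = request_key(method, url)
        if rkey in self.analyzed and not force:
            self.stats["skipped_duplicate"] += 1
            return []
        self.analyzed.add(rkey)
        try:
            data = extract_json(ai_text)
        except ValueError:
            self.stats["errors"] += 1
            return []
        self.stats["analyzed"] += 1
        created = []
        for item in data.get("findings", []):
            level = burp_confidence(int(item.get("confidence", 0)))
            if level is None:
                continue             # too weak to raise even as Tentative
            fkey = finding_key(url, item.get("parameter"))
            if fkey in self.seen_findings:
                continue             # same URL/parameter already reported
            self.seen_findings.add(fkey)
            finding = {"url": url, "parameter": item.get("parameter"),
                       "title": item.get("title", "Untitled"),
                       "severity": item.get("severity", "Information"),
                       "confidence": level, "cwe": item.get("cwe")}
            self.findings.append(finding)
            created.append(finding)
        self.stats["findings_created"] += len(created)
        return created


# Constructed stand-in for a model reply (not real output from any provider).
SAMPLE_REPLY = """<think>The id parameter appears in a SQL error message.</think>
{"findings": [
  {"title": "SQL Injection", "parameter": "id", "severity": "High",
   "confidence": 92, "cwe": "CWE-89"},
  {"title": "Verbose Server header", "parameter": null, "severity": "Information",
   "confidence": 40, "cwe": "CWE-200"}
]}"""

if __name__ == "__main__":
    analyzer = PassiveAnalyzer()
    analyzer.process("GET", "https://example.com/item?id=1", SAMPLE_REPLY)
    analyzer.process("GET", "https://example.com/item?id=2", SAMPLE_REPLY)  # skipped: duplicate
    print(analyzer.stats, analyzer.findings)
```

Two design points matter in practice: the request key must ignore the query string, or every product page is a fresh analysis (and a fresh provider bill), and the finding key must not, or the same injectable parameter is reported once per value. Anything the model scores below the Tentative band is dropped rather than shown, which is the right default for a passive tool whose findings are not verified.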
- Total Requests: HTTP requests analyzed
- Analyzed: Successfully processed
- Skipped (Duplicate): Prevented redundant analysis
- Findings Created: Total vulnerabilities found
- Errors: Analysis failures
- Shows currently processing requests
- Status tracking (Queued, Analyzing, Completed)
- Duration timing
- All detected vulnerabilities
- Severity-based color coding:
  - Red: High (critical vulnerabilities)
  - Orange: Medium (important security issues)
  - Yellow: Low (minor vulnerabilities)
  - Blue: Information (security notes)
- Confidence levels
- Discovery timestamps
- Real-time logging
- AI connection status
- Analysis progress
- Error messages
Basic workflow:
1. Set Target Scope: Burp → Target → Scope → Add, for example `https://example.com/*`
2. Browse Application
   - Configure your browser to proxy through Burp (127.0.0.1:8080)
   - Navigate through the target application
   - SILENTCHAIN analyzes in the background
3. Review Findings
   - Check the SILENTCHAIN → Findings panel
   - Or Target → Issue Activity (integrated with Burp)

Manual analysis: right-click any request in Proxy History, Site Map, or Repeater and select SILENTCHAIN - Analyze Request. This forces analysis even if the URL was previously scanned.

Working with findings:
- Select a finding in the Findings panel
- Review the detailed description
- Check the affected parameters
- Follow the CWE/OWASP links for more information
- Confirm manually with Burp Repeater/Intruder before reporting; passive findings are not verified, and Tentative ones in particular need it
| Feature | Community (Free) | Professional |
|---|---|---|
| AI-Powered Passive Analysis | Yes | Yes |
| OWASP Top 10 Detection | Yes | Yes |
| Multi-AI Support | Yes | Yes |
| Professional UI | Yes | Yes |
| CWE/OWASP Mapping | Yes | Yes |
| Deduplication | Yes | Yes |
| Phase 2 Active Verification | No | Yes |
| Advanced Payload Libraries | No | Yes |
| WAF Detection & Evasion | No | Yes |
| Out-of-Band (OOB) Testing | No | Yes |
| Burp Intruder Integration | No | Yes |
| Automatic Fuzzing | No | Yes |
| Priority Support | No | Yes |
SILENTCHAIN Professional adds active verification capabilities:
- Phase 2 Verification: automatically validates findings with exploit payloads
- WAF Detection: identifies and adapts to web application firewalls
- Curated Payload Libraries: battle-tested OWASP payloads
- OOB Testing: detects blind vulnerabilities (SSRF, XXE, etc.)
- Burp Intruder Integration: auto-configures fuzzing attacks
- Smart Fuzzing: AI-generated payloads for maximum coverage
Contact us for commercial licensing and professional editions: support@sn1persecurity.com
Problem: the AI connection test fails
Solution:
- Check that the AI provider is running (for Ollama, `ollama list` should return your models without error)
- Verify the API URL is correct
- For cloud providers, confirm the API key is valid
- Check network connectivity, including any proxy or egress filtering between Burp and the provider

Problem: no findings appear
Solution:
- Verify the target is in scope (Target → Scope)
- Ensure traffic is flowing through Burp Proxy
- Check the Console for errors
- Try manual analysis (right-click → SILENTCHAIN - Analyze Request)

Problem: the extension fails to load
Solution:
- Verify the Burp Suite version (Community/Pro)
- Check the Python environment (Jython 2.7 standalone JAR configured under Extender → Options → Python Environment)
- Review the Extender → Errors tab
- Ensure file permissions are correct

Problem: analysis is slow or resource-heavy
Solution:
- Reduce the Max Tokens setting (Settings → AI Provider)
- Clear completed tasks regularly
- Use a lighter AI model (e.g., `llama3` instead of `deepseek-r1`)

Debugging: enable verbose logging under Settings → Advanced by checking Verbose Logging, then review the Console for detailed output.
This project does not accept outside contributions. See CONTRIBUTING.md for details.
- Check existing issues
- Create a new issue with:
- Burp Suite version
- SILENTCHAIN version
- AI provider/model
- Steps to reproduce
- Error messages (from Console)
Open an issue with tag enhancement:
- Describe the feature
- Explain use case
- Provide examples if possible
SILENTCHAIN AI™ CE is source-visible but proprietary software. By using this software, you agree to the terms in the LICENSE file.
PortSwigger Ltd. is granted explicit permission to redistribute, host, and bundle this software within Burp Suite and the BApp Store free of charge to users. All other redistribution is prohibited without written permission.
Do not use this software for unauthorized access or activities outside systems you own or have explicit permission to test.
- Local Processing: the extension itself runs entirely inside Burp Suite; the only outbound traffic it generates is the call to whichever AI provider you configure
- No Data Collection: we don't collect or transmit usage data
- AI Provider Privacy:
  - Ollama: completely local, no external communication
  - Cloud Providers: the analyzed requests and responses (including whatever cookies, tokens or personal data those messages carry) are sent to the respective AI service (OpenAI, Claude, Gemini)
- Use Ollama for sensitive testing (100% local, private)
- Review the AI provider's terms, including data retention and training policies, before using cloud services
- Never test production without authorization
- Sanitize data if sharing logs/findings
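The page does not say whether the extension strips credentials from a request before sending it to a cloud provider, so when using OpenAI, Claude or Gemini a practitioner should assume session cookies, bearer tokens and passwords in the captured traffic leave the machine. The following is an added example of a redaction pass that a tester could run on a message before it is sent to a model, or on logs and findings before sharing them; it is illustration written for this README, not SILENTCHAIN's code. The header list, the secret-looking parameter names, the JWT shape and the sample request are assumptions.

```python
import re

# Headers whose values are credentials or session material (assumed list; extend for your target).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}

# Parameter / JSON key names that usually carry secrets (assumed list; matched case-insensitively).
SENSITIVE_NAMES = re.compile(r"pass(word)?|pwd|secret|token|api[_-]?key|session|auth", re.I)

# Anything shaped like a JWT (three base64url segments), wherever it appears in a body.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

FORM_PAIR = re.compile(r"([^&=?\s]+)=([^&\s]*)")          # key=value in query strings / form bodies
JSON_PAIR = re.compile(r'"([^"]+)"\s*:\s*"([^"]*)"')     # "key": "value" in JSON bodies


def redact_params(text):
    """Blank the value of any form or JSON pair whose name looks secret; the names are
    kept so the model can still reason about which parameters exist."""
    def form(m):
        value = "[REDACTED]" if SENSITIVE_NAMES.search(m.group(1)) else m.group(2)
        return "%s=%s" % (m.group(1), value)

    def json_pair(m):
        value = "[REDACTED]" if SENSITIVE_NAMES.search(m.group(1)) else m.group(2)
        return '"%s": "%s"' % (m.group(1), value)

    return JSON_PAIR.sub(json_pair, FORM_PAIR.sub(form, text))


def redact_message(raw):
    """raw is a full HTTP request or response (start line, headers, blank line, body).
    Returns the same message with credential values replaced; method, path, status,
    parameter names and content type survive, which is what a passive analysis needs."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [redact_params(lines[0])]                    # query string in the request line
    for line in lines[1:]:
        name, _, _ = line.partition(":")
        if name.strip().lower() in SENSITIVE_HEADERS:
            out.append(name + ": [REDACTED]")          # whole value: cookies mix session and prefs
        else:
            out.append(line)
    body = JWT_RE.sub("[REDACTED_JWT]", redact_params(body))
    return "\r\n".join(out) + sep + body


# Constructed sample request (not captured from a real system).
SAMPLE_REQUEST = (
    "POST /api/login?redirect=/home HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"username": "bob", "password": "hunter2", "remember": true, '
    '"cache": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.YWJj"}'
)

if __name__ == "__main__":
    print(redact_message(SAMPLE_REQUEST))
```

The pass is deliberately conservative: a whole Cookie or Authorization header is blanked rather than parsed, and any name containing `auth` or `token` is treated as secret, because over-redacting costs the model a little context while under-redacting hands a live session to a third party. It also only runs under Python 2/3-compatible syntax, since Burp's Python extensions execute under Jython 2.7.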
- Documentation: Documentation
- Issues: GitHub Issues
- Email: support@silentchain.ai
- Star this repository
- Watch for updates
- Twitter: @SilentChainAI
Built by:
- @xer0dayz at @Sn1perSecurity LLC
Built with:
- Burp Suite by PortSwigger
- Ollama for local AI
- OpenAI for GPT models
- Anthropic for Claude
- Google for Gemini
Inspired by the security community's dedication to making the web safer.
"SILENTCHAIN AI™", "SILENTCHAIN™", and the SILENTCHAIN AI logo are trademarks of SN1PERSECURITY LLC. Unauthorized use is prohibited.
SILENTCHAIN AI™ - Intelligent Security Testing for the Modern Web
Website β’ Documentation β’ Professional Edition
Copyright Β© 2026 SN1PERSECURITY LLC. All rights reserved.
