security-burpsuite-project-parser
Burp Suite Project Parser
When to Use
- Parsing Burp Suite XML export files for findings
- Analyzing HTTP request/response history from Burp
- Extracting and deduplicating vulnerability findings
- Correlating Burp scan results with source code locations
- Converting Burp output to other formats (CSV, JSON, SARIF)
When NOT to Use
- Running active Burp scans (use Burp Suite directly)
- Configuring Burp extensions
- General web application testing without Burp data
Burp XML Export Format
Burp Suite's "Save items" export (Proxy history, Target site map, Repeater items) is XML with these key elements. `<request>` and `<response>` hold the raw HTTP message, base64-encoded when the `base64` attribute is `true`:
```xml
<items>
  <item>
    <time>...</time>
    <url>https://example.com/api/user</url>
    <host ip="1.2.3.4">example.com</host>
    <port>443</port>
    <protocol>https</protocol>
    <method>POST</method>
    <path>/api/user</path>
    <request base64="true">...</request>
    <response base64="true">...</response>
    <status>200</status>
    <responselength>1234</responselength>
    <mimetype>JSON</mimetype>
  </item>
</items>
```
Scanner findings are exported separately from the issue list as `<issues>` with one `<issue>` per finding, carrying `<name>`, `<severity>`, `<confidence>` and the evidence under `<requestresponse>`. The commands below target the `<items>` format; adapt the element names when parsing an issue export.
Parsing Commands
Exports you generated yourself are trusted input. If you parse exports received from third parties, use `defusedxml.ElementTree` as a drop-in replacement for `xml.etree.ElementTree` in the snippets below; the calls are identical.

Note that `xmllint --xpath '//item/url/text()'` prints the matched text nodes concatenated with no separator, so piping it to `sort -u` yields a single line. `xmlstarlet` prints one value per line:
```bash
# Extract all unique URLs from Burp export
xmlstarlet sel -t -v '//item/url' -n burp_export.xml | sort -u
```
```bash
# Extract URLs with method and response status
python3 -c "
import xml.etree.ElementTree as ET
tree = ET.parse('burp_export.xml')
for item in tree.findall('.//item'):
    url = item.findtext('url', '')
    status = item.findtext('status', '')
    method = item.findtext('method', '')
    print(f'{method} {status} {url}')
"
```
```bash
# Decode base64 request/response bodies; errors='replace' keeps binary
# responses from aborting the loop, and base64="false" items are printed as-is
python3 -c "
import xml.etree.ElementTree as ET, base64
tree = ET.parse('burp_export.xml')
for item in tree.findall('.//item'):
    for tag in ('request', 'response'):
        el = item.find(tag)
        if el is None or not el.text:
            continue
        raw = base64.b64decode(el.text) if el.get('base64') == 'true' else el.text.encode()
        print(f'== {tag} ==')
        print(raw.decode('utf-8', errors='replace'))
    print('---')
"
```
Analysis Workflow
- Export Burp project data as XML (HTTP history or scan results)
- Parse XML to extract requests, responses, and findings
- Deduplicate findings by URL pattern and vulnerability type
- Correlate with source code (map endpoints to handlers)
- Prioritize by severity, exploitability, and business impact
- Report findings with request/response evidence
Common Findings to Extract
| Finding Type | Indicator in Burp Data |
|---|---|
| SQL Injection | Database error strings in responses (timing-based delays are not recoverable from the export, whose `<time>` is a request timestamp, not a duration) |
| XSS | Reflected input in response body |
| Auth bypass | 200 status on restricted endpoints without auth |
| Information disclosure | Stack traces, debug info in responses |
| CSRF | Missing tokens on state-changing requests |
| Open redirect | 3xx with user-controlled Location header |
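The workflow steps and the indicator table above, carried through as one added example in Python (not the skill's or Burp's own code): it parses the `<items>` format, decodes the base64 bodies, applies the table's indicators as heuristics, deduplicates by (finding type, method, URL pattern) and emits a SARIF 2.1.0 log. The sample export is constructed, `RESTRICTED_PREFIXES` and the regexes are assumptions to tune per target, and `burp-xml-parser` is a placeholder tool name.

```python
import base64
import html
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

RESTRICTED_PREFIXES = ("/admin", "/api/admin")  # assumption: paths that must require auth
SQL_ERROR_RE = re.compile(r"SQL syntax|SQLSTATE\[|ORA-\d{5}|unclosed quotation mark", re.I)
TRACE_RE = re.compile(r"Traceback \(most recent call last\)|\tat [\w.$]+\(|Stack trace:", re.I)
ID_SEG_RE = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f]{8}-[0-9a-f-]{27})$", re.I)
LEVEL = {"SQL Injection": "error", "XSS": "error", "Auth bypass": "error",
         "Open redirect": "warning", "Information disclosure": "warning", "CSRF": "warning"}

def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")

def decode_part(el):
    """Burp base64-encodes bodies when base64="true"; otherwise the text is the raw message."""
    if el is None or not el.text:
        return b""
    return base64.b64decode(el.text) if el.get("base64") == "true" else el.text.encode()

def parse_items(xml_text):
    """Yield one dict per <item> (swap in defusedxml.ElementTree for untrusted exports)."""
    for item in ET.fromstring(xml_text).iter("item"):
        yield {"url": item.findtext("url", ""), "method": item.findtext("method", ""),
               "status": item.findtext("status", ""),
               "request": decode_part(item.find("request")),
               "response": decode_part(item.find("response"))}

def normalise(url):
    """URL pattern for dedup: id-like path segments become {id}, the query is dropped."""
    parts = urlsplit(url)
    segs = ["{id}" if ID_SEG_RE.match(s) else s for s in parts.path.split("/")]
    return f"{parts.scheme}://{parts.netloc}{'/'.join(segs)}"

def analyse(item):
    """Return [(finding_type, evidence)] for one item, following the indicator table."""
    _, req_hdrs, req_body = parse_http(item["request"])
    _, resp_hdrs, resp_body = parse_http(item["response"])
    parts, status, found = urlsplit(item["url"]), item["status"], []
    params = dict(parse_qsl(parts.query))
    if req_hdrs.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(req_body))
    for name, value in params.items():  # reflected input / echoed Location
        if len(value) >= 4 and re.search(r"[<>\"']", value) and value in resp_body:
            found.append(("XSS", f"parameter {name!r} reflected unencoded in body"))
        if status.startswith("3") and resp_hdrs.get("location") == value:
            found.append(("Open redirect", f"Location header echoes parameter {name!r}"))
    if m := SQL_ERROR_RE.search(resp_body):
        found.append(("SQL Injection", f"database error in response: {m.group(0)!r}"))
    if m := TRACE_RE.search(resp_body):
        found.append(("Information disclosure", f"stack trace in response: {m.group(0)!r}"))
    if status == "200" and parts.path.startswith(RESTRICTED_PREFIXES) \
            and not (req_hdrs.get("authorization") or req_hdrs.get("cookie")):
        found.append(("Auth bypass", "200 on restricted path with no Authorization/Cookie"))
    if item["method"] in ("POST", "PUT", "PATCH", "DELETE") \
            and not any(re.search(r"csrf|xsrf|token", k, re.I) for k in [*params, *req_hdrs]):
        found.append(("CSRF", "state-changing request carries no anti-CSRF token"))
    return found

def dedupe(items):
    """Merge findings sharing (type, method, URL pattern); keep every example URL as evidence."""
    merged = {}
    for it in items:
        for ftype, evidence in analyse(it):
            key = (ftype, it["method"], normalise(it["url"]))
            entry = merged.setdefault(key, {"type": ftype, "method": it["method"], "pattern": key[2],
                                            "evidence": evidence, "examples": []})
            entry["examples"].append(it["url"])
    return list(merged.values())

def to_sarif(findings):
    """Minimal SARIF 2.1.0 log: one rule per finding type, one result per deduped finding."""
    results = [{"ruleId": f["type"], "level": LEVEL[f["type"]],
                "message": {"text": f"{f['evidence']} ({len(f['examples'])} request(s))"},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["pattern"]}}}]}
               for f in findings]
    rules = [{"id": r} for r in sorted({f["type"] for f in findings})]
    return {"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": "burp-xml-parser", "rules": rules}}, "results": results}]}

def _item(url, method, status, request, response):
    """Build one <item> the way Burp writes it (request/response base64-encoded)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return (f"<item><url>{html.escape(url)}</url><method>{method}</method><status>{status}</status>"
            f'<request base64="true">{b64(request)}</request><response base64="true">{b64(response)}</response></item>')

# Constructed sample export (not a real capture): the same reflected XSS on two ids of one
# endpoint, an admin page served without auth, an open redirect, and a SQL error on a token-less POST.
SAMPLE_XML = "<items>" + "".join([
    _item("https://example.com/api/user/42?q=%3Cscript%3E", "GET", "200",
          "GET /api/user/42?q=%3Cscript%3E HTTP/1.1\r\nHost: example.com\r\n\r\n",
          "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Results for <script></p>"),
    _item("https://example.com/api/user/7?q=%3Cscript%3E", "GET", "200",
          "GET /api/user/7?q=%3Cscript%3E HTTP/1.1\r\nHost: example.com\r\n\r\n",
          "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Results for <script></p>"),
    _item("https://example.com/admin/users", "GET", "200",
          "GET /admin/users HTTP/1.1\r\nHost: example.com\r\n\r\n",
          "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Users</h1>"),
    _item("https://example.com/login?next=https://evil.example/", "GET", "302",
          "GET /login?next=https://evil.example/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
          "HTTP/1.1 302 Found\r\nLocation: https://evil.example/\r\n\r\n"),
    _item("https://example.com/api/user/42", "POST", "500",
          "POST /api/user/42 HTTP/1.1\r\nHost: example.com\r\nCookie: session=abc\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\nname=x%27",
          "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
          "You have an error in your SQL syntax near ''' at line 1"),
]) + "</items>"

def run_sample():
    return dedupe(parse_items(SAMPLE_XML))

if __name__ == "__main__":
    print(json.dumps(to_sarif(run_sample()), indent=2))
```

Running it prints the SARIF log; `run_sample()` returns five deduplicated findings, with the two XSS hits on `/api/user/{id}` collapsed into one entry that keeps both URLs as evidence. The regexes are triage hints only: confirm each finding by replaying the request in Burp before it goes into a report.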