Back to Details

burpsuite-project-parser

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Burp Project Parser

Burp项目解析工具

Search and extract data from Burp Suite project files using the burpsuite-project-file-parser extension.
使用burpsuite-project-file-parser扩展从Burp Suite项目文件中搜索和提取数据。

When to Use

适用场景

  • Searching response headers or bodies with regex patterns
  • Extracting security audit findings from Burp projects
  • Dumping proxy history or site map data
  • Analyzing HTTP traffic captured in a Burp project file
  • 使用正则表达式搜索响应头或响应体
  • 从Burp项目中提取安全审计结果
  • 导出代理历史或站点地图数据
  • 分析Burp项目文件中捕获的HTTP流量

Prerequisites

前提条件

This skill delegates parsing to Burp Suite Professional - it does not parse .burp files directly.
Required:
  1. Burp Suite Professional - Must be installed (portswigger.net)
  2. burpsuite-project-file-parser extension - Provides CLI functionality
Install the extension:
  1. Download from github.com/BuffaloWill/burpsuite-project-file-parser
  2. In Burp Suite: Extender → Extensions → Add
  3. Select the downloaded JAR file
本工具将解析工作委托给Burp Suite Professional——它不会直接解析.burp文件。
必需组件:
  1. Burp Suite Professional - 必须已安装(portswigger.net
  2. burpsuite-project-file-parser扩展 - 提供CLI功能
安装扩展:
  1. github.com/BuffaloWill/burpsuite-project-file-parser下载
  2. 在Burp Suite中:扩展程序 → 扩展 → 添加
  3. 选择下载的JAR文件

Quick Reference

快速参考

Use the wrapper script:
bash
{baseDir}/scripts/burp-search.sh /path/to/project.burp [FLAGS]
The script uses environment variables for platform compatibility:
  • BURP_JAVA
    : Path to Java executable
  • BURP_JAR
    : Path to burpsuite_pro.jar
See Platform Configuration for setup instructions.
使用包装脚本:
bash
{baseDir}/scripts/burp-search.sh /path/to/project.burp [FLAGS]
该脚本使用环境变量实现平台兼容性:
  • BURP_JAVA
    : Java可执行文件路径
  • BURP_JAR
    : burpsuite_pro.jar文件路径
查看平台配置了解设置说明。

Sub-Component Filters (USE THESE)

子组件过滤器(推荐使用)

ALWAYS use sub-component filters instead of full dumps. Full 
proxyHistory
or 
siteMap
can return gigabytes of data. Sub-component filters return only what you need.
**始终使用子组件过滤器而非完整导出。**完整的
proxyHistory
siteMap
可能返回数GB的数据。子组件过滤器仅返回你需要的内容。

Available Filters

可用过滤器

FilterReturnsTypical Size
proxyHistory.request.headers
Request line + headers onlySmall (< 1KB/record)
proxyHistory.request.body
Request body onlyVariable
proxyHistory.response.headers
Status + headers onlySmall (< 1KB/record)
proxyHistory.response.body
Response body onlyLARGE - avoid
siteMap.request.headers
Same as above for site mapSmall
siteMap.request.body
Variable
siteMap.response.headers
Small
siteMap.response.body
LARGE - avoid
过滤器返回内容典型大小
proxyHistory.request.headers
仅请求行 + 请求头小(每条记录<1KB)
proxyHistory.request.body
仅请求体大小可变
proxyHistory.response.headers
仅状态行 + 响应头小(每条记录<1KB)
proxyHistory.response.body
仅响应体大 - 避免使用
siteMap.request.headers
站点地图的上述相同内容
siteMap.request.body
大小可变
siteMap.response.headers
siteMap.response.body
大 - 避免使用

Default Approach

默认使用方式

Start with headers, not bodies:
bash
undefined
先查看头信息,不要直接获取体内容:
bash
undefined

GOOD - headers only, safe to retrieve

推荐 - 仅获取头信息,安全可靠

{baseDir}/scripts/burp-search.sh project.burp proxyHistory.request.headers | head -c 50000 {baseDir}/scripts/burp-search.sh project.burp proxyHistory.response.headers | head -c 50000
{baseDir}/scripts/burp-search.sh project.burp proxyHistory.request.headers | head -c 50000 {baseDir}/scripts/burp-search.sh project.burp proxyHistory.response.headers | head -c 50000

BAD - full records include bodies, can be gigabytes

不推荐 - 完整记录包含体内容,可能达数GB

{baseDir}/scripts/burp-search.sh project.burp proxyHistory # NEVER DO THIS

**Only fetch bodies for specific URLs after reviewing headers, and ALWAYS truncate:**

```bash
{baseDir}/scripts/burp-search.sh project.burp proxyHistory # 切勿这样做

**仅在查看头信息后,针对特定URL获取体内容,并且必须截断:**

```bash

1. First, find interesting URLs from headers

1. 首先,从头信息中查找感兴趣的URL

{baseDir}/scripts/burp-search.sh project.burp proxyHistory.response.headers |
jq -r 'select(.headers | test("text/html")) | .url' | head -n 20
{baseDir}/scripts/burp-search.sh project.burp proxyHistory.response.headers |
jq -r 'select(.headers | test("text/html")) | .url' | head -n 20

2. Then search bodies with targeted regex - MUST truncate body to 1000 chars

2. 然后使用目标正则表达式搜索体内容 - 必须将体内容截断为1000字符

{baseDir}/scripts/burp-search.sh project.burp "responseBody='.specific-pattern.'" |
head -n 10 | jq -c '.body = (.body[:1000] + "...[TRUNCATED]")'

**HARD RULE: Body content > 1000 chars must NEVER enter context.** If the user needs full body content, they must view it in Burp Suite's UI.
{baseDir}/scripts/burp-search.sh project.burp "responseBody='.specific-pattern.'" |
head -n 10 | jq -c '.body = (.body[:1000] + "...[TRUNCATED]")'

**硬性规则:超过1000字符的体内容绝不能进入上下文。**如果用户需要完整的体内容,必须在Burp Suite的UI中查看。

Regex Search Operations

正则表达式搜索操作

Search Response Headers

搜索响应头

bash
responseHeader='.*regex.*'
Searches all response headers. Output: 
{"url":"...", "header":"..."}
Example - find server signatures:
bash
responseHeader='.*(nginx|Apache|Servlet).*' | head -c 50000
bash
responseHeader='.*regex.*'
搜索所有响应头。输出格式:
{"url":"...", "header":"..."}
示例 - 查找服务器标识:
bash
responseHeader='.*(nginx|Apache|Servlet).*' | head -c 50000

Search Response Bodies

搜索响应体

bash
responseBody='.*regex.*'
MANDATORY: Always truncate body content to 1000 chars max. Response bodies can be megabytes each.
bash
undefined
bash
responseBody='.*regex.*'
**强制要求:始终将体内容截断至最多1000字符。**响应体可能达数MB。
bash
undefined

REQUIRED format - always truncate .body field

必需格式 - 始终截断.body字段

{baseDir}/scripts/burp-search.sh project.burp "responseBody='.*<form.action.'" |
head -n 10 | jq -c '.body = (.body[:1000] + "...[TRUNCATED]")'

**Never retrieve full body content.** If you need to see more of a specific response, ask the user to open it in Burp Suite's UI.
{baseDir}/scripts/burp-search.sh project.burp "responseBody='.*<form.action.'" |
head -n 10 | jq -c '.body = (.body[:1000] + "...[TRUNCATED]")'

**绝不要获取完整的体内容。**如果需要查看特定响应的更多内容,请让用户在Burp Suite的UI中打开它。

Other Operations

其他操作

Extract Audit Items

提取审计项

bash
auditItems
Returns all security findings. Output includes: name, severity, confidence, host, port, protocol, url.
Note: Audit items are small (no bodies) - safe to retrieve with 
head -n 100
.
bash
auditItems
返回所有安全检测结果。输出内容包括:名称、严重程度、可信度、主机、端口、协议、URL。
**注意:**审计项体积小(不包含体内容)- 使用
head -n 100
获取是安全的。

Dump Proxy History (AVOID)

导出代理历史(避免使用)

bash
proxyHistory
NEVER use this directly. Use sub-component filters instead:
  • proxyHistory.request.headers
  • proxyHistory.response.headers
bash
proxyHistory
**切勿直接使用此命令。**请改用子组件过滤器:
  • proxyHistory.request.headers
  • proxyHistory.response.headers

Dump Site Map (AVOID)

导出站点地图(避免使用)

bash
siteMap
NEVER use this directly. Use sub-component filters instead.
bash
siteMap
**切勿直接使用此命令。**请改用子组件过滤器。

Output Limits (REQUIRED)

输出限制(强制要求)

CRITICAL: Always check result size BEFORE retrieving data. A broad search can return thousands of records, each potentially megabytes. This will overflow the context window.
**关键:在获取数据前始终检查结果大小。**范围宽泛的搜索可能返回数千条记录,每条记录可能达数MB,这会超出上下文窗口。

Step 1: Always Check Size First

步骤1:始终先检查大小

Before any search, check BOTH record count AND byte size:
bash
undefined
在执行任何搜索前,同时检查记录数量字节大小
bash
undefined

Check record count AND total bytes - never skip this step

检查记录数量和总字节数 - 切勿跳过此步骤

{baseDir}/scripts/burp-search.sh project.burp proxyHistory | wc -cl {baseDir}/scripts/burp-search.sh project.burp "responseHeader='.Server.'" | wc -cl {baseDir}/scripts/burp-search.sh project.burp auditItems | wc -cl

The `wc -cl` output shows: `<bytes> <lines>` (e.g., `524288 42` means 512KB across 42 records).

**Interpret the results - BOTH must pass:**

| Metric | Safe | Narrow search | Too broad | STOP |
|--------|------|---------------|-----------|------|
| **Lines** | < 50 | 50-200 | 200+ | 1000+ |
| **Bytes** | < 50KB | 50-200KB | 200KB+ | 1MB+ |

**A single 10MB response on one line will show high byte count but only 1 line - the byte check catches this.**
{baseDir}/scripts/burp-search.sh project.burp proxyHistory | wc -cl {baseDir}/scripts/burp-search.sh project.burp "responseHeader='.Server.'" | wc -cl {baseDir}/scripts/burp-search.sh project.burp auditItems | wc -cl

`wc -cl`的输出格式为:`<字节数> <行数>`(例如,`524288 42`表示42条记录共512KB)。

**结果解读 - 必须同时满足安全条件:**

| 指标 | 安全范围 | 需要缩小搜索范围 | 范围过宽 | 停止操作 |
|--------|------|---------------|-----------|------|
| **行数** | < 50 | 50-200 | 200+ | 1000+ |
| **字节数** | < 50KB | 50-200KB | 200KB+ | 1MB+ |

**单行10MB的响应会显示高字节数但仅1行 - 字节检查会捕获这种情况。**

Step 2: Refine Broad Searches

步骤2:缩小过宽的搜索范围

If count/size is too high:
  1. Use sub-component filters (see table above):
    bash
    # Instead of: proxyHistory (gigabytes)
# Use: proxyHistory.request.headers (kilobytes)
  2. Narrow regex patterns:
    bash
    # Too broad (matches everything):
responseHeader='.*'

# Better - target specific headers:
responseHeader='.*X-Frame-Options.*'
responseHeader='.*Content-Security-Policy.*'
  3. Filter with jq before retrieving:
    bash
    # Get only specific content types
{baseDir}/scripts/burp-search.sh project.burp proxyHistory.response.headers | \
  jq -c 'select(.url | test("/api/"))' | head -n 50
如果数量/大小超出安全范围:
  1. 使用子组件过滤器(见上方表格):
    bash
    # 不要使用:proxyHistory(数GB)
# 改用:proxyHistory.request.headers(数KB)
  2. 缩小正则表达式范围:
    bash
    # 范围过宽(匹配所有内容):
responseHeader='.*'

# 更好的方式 - 针对特定头信息:
responseHeader='.*X-Frame-Options.*'
responseHeader='.*Content-Security-Policy.*'
  3. 在获取前使用jq过滤:
    bash
    # 仅获取特定内容类型
{baseDir}/scripts/burp-search.sh project.burp proxyHistory.response.headers | \
  jq -c 'select(.url | test("/api/"))' | head -n 50

Step 3: Always Truncate Output

步骤3:始终截断输出

Even after narrowing, always pipe through truncation:
bash
undefined
即使缩小了范围,也要始终通过管道进行截断:
bash
undefined

ALWAYS use head -c to limit total bytes (max 50KB)

始终使用head -c限制总字节数(最大50KB)

{baseDir}/scripts/burp-search.sh project.burp proxyHistory.request.headers | head -c 50000
{baseDir}/scripts/burp-search.sh project.burp proxyHistory.request.headers | head -c 50000

For body searches, truncate each JSON object's body field:

对于体内容搜索,截断每个JSON对象的body字段:

{baseDir}/scripts/burp-search.sh project.burp "responseBody='pattern'" |
head -n 20 | jq -c '.body = (.body | if length > 1000 then .[:1000] + "...[TRUNCATED]" else . end)'
{baseDir}/scripts/burp-search.sh project.burp "responseBody='pattern'" |
head -n 20 | jq -c '.body = (.body | if length > 1000 then .[:1000] + "...[TRUNCATED]" else . end)'

Limit both record count AND byte size:

同时限制记录数量和字节大小:

{baseDir}/scripts/burp-search.sh project.burp auditItems | head -n 50 | head -c 50000

**Hard limits to enforce:**
- `head -c 50000` (50KB max) on ALL output
- **Truncate `.body` fields to 1000 chars - MANDATORY, no exceptions**
  ```bash
  jq -c '.body = (.body[:1000] + "...[TRUNCATED]")'
Never run these without counting first AND truncating:
  • proxyHistory
    / 
    siteMap
    (full dumps - always use sub-component filters)
  • responseBody='...'
    searches (bodies can be megabytes each)
  • Any broad regex like 
    .*
    or 
    .+
{baseDir}/scripts/burp-search.sh project.burp auditItems | head -n 50 | head -c 50000

**强制执行的硬性限制:**
- 所有输出使用`head -c 50000`(最大50KB)
- **必须将.body字段截断至1000字符 - 强制要求,无例外**
  ```bash
  jq -c '.body = (.body[:1000] + "...[TRUNCATED]")'
绝不要在未先计数和截断的情况下运行以下命令:
  • proxyHistory
    / 
    siteMap
    (完整导出 - 始终使用子组件过滤器)
  • responseBody='...'
    搜索(体内容可能达数MB)
  • 任何宽泛的正则表达式如
    .*
    .+

Investigation Workflow

调查工作流

  1. Identify scope - What are you looking for? (specific vuln type, endpoint, header pattern)
  2. Search audit items first - Start with Burp's findings:
    bash
    {baseDir}/scripts/burp-search.sh project.burp auditItems | jq 'select(.severity == "High")'
  3. Check confidence scores - Filter for actionable findings:
    bash
    ... | jq 'select(.confidence == "Certain" or .confidence == "Firm")'
  4. Extract affected URLs - Get the attack surface:
    bash
    ... | jq -r '.url' | sort -u
  5. Search raw traffic for context - Examine actual requests/responses:
    bash
    {baseDir}/scripts/burp-search.sh project.burp "responseBody='pattern'"
  6. Validate manually - Burp findings are indicators, not proof. Verify each one.
  1. 确定范围 - 你要查找什么?(特定漏洞类型、端点、头信息模式)
  2. 先搜索审计项 - 从Burp的检测结果开始:
    bash
    {baseDir}/scripts/burp-search.sh project.burp auditItems | jq 'select(.severity == "High")'
  3. 检查可信度评分 - 过滤出可操作的检测结果:
    bash
    ... | jq 'select(.confidence == "Certain" or .confidence == "Firm")'
  4. 提取受影响的URL - 获取攻击面:
    bash
    ... | jq -r '.url' | sort -u
  5. 搜索原始流量获取上下文 - 检查实际的请求/响应:
    bash
    {baseDir}/scripts/burp-search.sh project.burp "responseBody='pattern'"
  6. 手动验证 - Burp的检测结果是指示性的,而非确凿证据。请逐一验证每个结果。

Understanding Results

结果解读

Severity vs Confidence

严重程度 vs 可信度

Burp reports both severity (High/Medium/Low) and confidence (Certain/Firm/Tentative). Use both when triaging:
CombinationMeaning
High + CertainLikely real vulnerability, prioritize investigation
High + TentativeOften a false positive, verify before reporting
Medium + FirmWorth investigating, may need manual validation
A "High severity, Tentative confidence" finding is frequently a false positive. Don't report findings based on severity alone.
Burp会同时报告严重程度(高/中/低)和可信度(确定/可靠/暂定)。分类时请同时使用这两个指标:
组合含义
高 + 确定很可能是真实漏洞,优先调查
高 + 暂定通常是误报,报告前请验证
中 + 可靠值得调查,可能需要手动验证
“高严重程度、暂定可信度”的检测结果通常是误报。不要仅根据严重程度报告结果。

When Proxy History is Incomplete

代理历史不完整的情况

Proxy history only contains what Burp captured. It may be missing traffic due to:
  • Scope filters excluding domains
  • Intercept settings dropping requests
  • Browser traffic not routed through Burp proxy
If you don't find expected traffic, check Burp's scope and proxy settings in the original project.
代理历史仅包含Burp捕获的内容。可能由于以下原因缺失流量:
  • 范围过滤器排除了某些域名
  • 拦截设置丢弃了请求
  • 浏览器流量未通过Burp代理路由
如果未找到预期的流量,请检查原始项目中的Burp范围和代理设置。

HTTP Body Encoding

HTTP体内容编码

Response bodies may be gzip compressed, chunked, or use non-UTF8 encoding. Regex patterns that work on plaintext may silently fail on encoded responses. If searches return fewer results than expected:
  • Check if responses are compressed
  • Try broader patterns or search headers first
  • Use Burp's UI to inspect raw vs rendered response
响应体可能经过gzip压缩、分块编码或使用非UTF8编码。在明文上有效的正则表达式可能在编码后的响应上无声失败。如果搜索结果少于预期:
  • 检查响应是否被压缩
  • 尝试更宽泛的模式或先搜索头信息
  • 使用Burp的UI检查原始响应与渲染后的响应

Rationalizations to Reject

需要避免的不当操作

Common shortcuts that lead to missed vulnerabilities or false reports:
ShortcutWhy It's Wrong
"This regex looks good"Verify on sample data first—encoding and escaping cause silent failures
"High severity = must fix"Check confidence score too; Burp has false positives
"All audit items are relevant"Filter by actual threat model; not every finding matters for every app
"Proxy history is complete"May be filtered by Burp scope/intercept settings; you see only what Burp captured
"Burp found it, so it's a vuln"Burp findings require manual verification—they indicate potential issues, not proof
常见的捷径会导致遗漏漏洞或误报:
不当操作原因
“这个正则表达式看起来没问题”先在样本数据上验证——编码和转义会导致无声失败
“高严重程度 = 必须修复”同时检查可信度评分;Burp会产生误报
“所有审计项都相关”根据实际威胁模型过滤;并非每个检测结果都与所有应用相关
“代理历史是完整的”可能被Burp的范围/拦截设置过滤;你只能看到Burp捕获的内容
“Burp检测到了,所以这是漏洞”Burp的检测结果需要手动验证——它们只是潜在问题的指示,而非确凿证据

Output Format

输出格式

All output is JSON, one object per line. Pipe to 
jq
for formatting:
bash
{baseDir}/scripts/burp-search.sh project.burp auditItems | jq .
Filter with grep:
bash
{baseDir}/scripts/burp-search.sh project.burp auditItems | grep -i "sql injection"
所有输出均为JSON格式,每行一个对象。可通过管道传递给
jq
进行格式化:
bash
{baseDir}/scripts/burp-search.sh project.burp auditItems | jq .
使用grep过滤:
bash
{baseDir}/scripts/burp-search.sh project.burp auditItems | grep -i "sql injection"

Examples

示例

Search for CORS headers (with byte limit):
bash
{baseDir}/scripts/burp-search.sh project.burp "responseHeader='.*Access-Control.*'" | head -c 50000
Get all high-severity findings (audit items are small, but still limit):
bash
{baseDir}/scripts/burp-search.sh project.burp auditItems | jq -c 'select(.severity == "High")' | head -n 100
Extract just request URLs from proxy history:
bash
{baseDir}/scripts/burp-search.sh project.burp proxyHistory.request.headers | jq -r '.request.url' | head -n 200
Search response bodies (MUST truncate body to 1000 chars):
bash
{baseDir}/scripts/burp-search.sh project.burp "responseBody='.*password.*'" | \
  head -n 10 | jq -c '.body = (.body[:1000] + "...[TRUNCATED]")'
搜索CORS头信息(带字节限制):
bash
{baseDir}/scripts/burp-search.sh project.burp "responseHeader='.*Access-Control.*'" | head -c 50000
获取所有高严重程度的检测结果(审计项体积小,但仍需限制):
bash
{baseDir}/scripts/burp-search.sh project.burp auditItems | jq -c 'select(.severity == "High")' | head -n 100
从代理历史中提取请求URL:
bash
{baseDir}/scripts/burp-search.sh project.burp proxyHistory.request.headers | jq -r '.request.url' | head -n 200
搜索响应体(必须将体内容截断为1000字符):
bash
{baseDir}/scripts/burp-search.sh project.burp "responseBody='.*password.*'" | \
  head -n 10 | jq -c '.body = (.body[:1000] + "...[TRUNCATED]")'

Platform Configuration

平台配置

The wrapper script requires two environment variables to locate Burp Suite's bundled Java and JAR file.
包装脚本需要两个环境变量来定位Burp Suite附带的Java和JAR文件。

macOS

macOS

bash
export BURP_JAVA="/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/java"
export BURP_JAR="/Applications/Burp Suite Professional.app/Contents/Resources/app/burpsuite_pro.jar"
bash
export BURP_JAVA="/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/java"
export BURP_JAR="/Applications/Burp Suite Professional.app/Contents/Resources/app/burpsuite_pro.jar"

Windows

Windows

powershell
$env:BURP_JAVA = "C:\Program Files\BurpSuiteProfessional\jre\bin\java.exe"
$env:BURP_JAR = "C:\Program Files\BurpSuiteProfessional\burpsuite_pro.jar"
powershell
$env:BURP_JAVA = "C:\Program Files\BurpSuiteProfessional\jre\bin\java.exe"
$env:BURP_JAR = "C:\Program Files\BurpSuiteProfessional\burpsuite_pro.jar"

Linux

Linux

bash
export BURP_JAVA="/opt/BurpSuiteProfessional/jre/bin/java"
export BURP_JAR="/opt/BurpSuiteProfessional/burpsuite_pro.jar"
Add these exports to your shell profile (
.bashrc
, 
.zshrc
, etc.) for persistence.
bash
export BURP_JAVA="/opt/BurpSuiteProfessional/jre/bin/java"
export BURP_JAR="/opt/BurpSuiteProfessional/burpsuite_pro.jar"
将这些导出命令添加到你的shell配置文件(
.bashrc
, 
.zshrc
等)中以持久化设置。

Manual Invocation

手动调用

If not using the wrapper script, invoke directly:
bash
"$BURP_JAVA" -jar -Djava.awt.headless=true "$BURP_JAR" \
  --project-file=/path/to/project.burp [FLAGS]
如果不使用包装脚本,可直接调用:
bash
"$BURP_JAVA" -jar -Djava.awt.headless=true "$BURP_JAR" \
  --project-file=/path/to/project.burp [FLAGS]