Changeable AI provider (with OpenAI-compatible alternative) #8


Open: wants to merge 3 commits into base: main
Conversation

@pasiorovuo pasiorovuo commented May 30, 2025

This PR introduces the possibility to switch to an OpenAI compatible AI provider instead of Burp AI. This is needed because:

  • Burp AI data is processed in the US. Often, European companies have DPAs which categorically prevent data transfers to the US. This prevents EU companies from using Shadow Repeater with Burp AI.
  • Burp AI logs all requests (content + metadata) but does not define a specific retention. A properly defined (and often configurable) retention is required by DPAs for companies to enable customers to exercise their GDPR-defined rights.

OpenAI compatibility enables use of e.g. managed Azure OpenAI services, which leaves control of the AI model in the hands of the tester and enables them to solve the above issues.

The implementation is somewhat simple. The UI is a bit silly in a few areas:

  • OpenAI configuration is visible in the settings even though Burp AI is selected. This is difficult to fix due to the dynamic nature of building the settings dialog.
  • Burp AI must be enabled even though it's not used (by the extension).

Otherwise it seems to work decently.

This commit introduces the possibility to switch to an OpenAI compatible AI provider instead of Burp AI.
This is needed because:

- Burp AI data is processed in the US. Often, European companies have DPAs which categorically prevent data transfers to the US. This prevents EU companies from using Burp AI.
- Burp AI logs all requests (content + metadata) but does not define a specific retention. A properly defined (and often configurable) retention is required by DPAs for companies to enable customers to exercise their GDPR-defined rights.

OpenAI compatibility enables use of e.g. managed Azure OpenAI services, which leaves control of the AI model in the hands of the tester and enables them to solve the above issues.

The implementation is somewhat simple. The UI is a bit silly in a few areas:

- OpenAI configuration is visible in the settings even though Burp AI is selected. This is difficult to fix due to the dynamic nature of building the settings dialog.
- Burp AI must be enabled even though it's not used (by the extension).
@hackvertor
Owner

Thanks for the PR! We are having a discussion around these issues and I'll get back to you with what the conclusion is, thanks.

@pasiorovuo
Author

Thanks for the update! I'll be updating the PR to accommodate the latest changes in the main branch during the next few days or so.

2 participants