APICollector is a comprehensive Burp Suite extension designed to streamline the entire API security testing lifecycle. It bridges the gap between development artifacts (like OpenAPI specs or Postman collections) and professional security auditing.
- Background processing for large imports and request execution keeps Burp responsive.
- Project persistence fix restores row-indexed
bodies,responses, andendpoint_findingscorrectly after save/load. - Thread-safe results storage with lock protection for generated tests and cached responses.
- Clean unload support via Burp
IExtensionStateListenerto stop running workers safely. - Improved editor integration with
IMessageEditorControllerbacking the embedded message editors. - Context-aware menu only adds Send to APICollector where it belongs.
- Executive Mission Control: A new visual dashboard featuring high-level metrics for your assessment.
- Risk Distribution: Color-coded cards showing the count of Critical, High, Medium, Low, and Info findings.
- Remediation Health: Real-time tracking of finding statuses (Open, Remediated, Verified, Re-Open).
- Visual Progress: A dynamic progress bar showing the percentage of findings successfully verified as fixed.
- Inventory Statistics: Summary of total endpoints vs. vulnerable endpoints to assess the overall risk surface.
- Ingestion: Import from OpenAPI (YAML/JSON), Postman, Insomnia, or cURL.
- Context: Right-click any traffic in Burp Proxy/Repeater and select "Send to APICollector".
- Analysis: Use the Endpoints and Parameters tabs to map the attack surface and data dictionary.
- Testing: Use the Internal Executor for rapid iteration or push to Burp Repeater.
- Audit: Document findings in the Endpoints tab to automatically populate the Vulnerabilities dashboard.
- Verify: Re-test findings using the Revalidation Panel and capture proof-of-fix snapshots.
- Dashboard: Monitor high-level assessment health and risk distribution in the Dashboard tab.
- Report: Generate professional Markdown, CSV, or JSON reports.
- File-Based Project Management: Save/Load entire workspaces into
.apicfiles for assessment isolation. - Vulnerability Revalidation: Stateful tracking with side-by-side PoC vs. Retest evidence.
- Universal Parameter Decoding: Automatic URL-decoding for human-readable parameter documentation.
- Native Burp Integration: Full use of
IMessageEditorfor syntax highlighting and context menus. - Responsive Workflow: Background import and request execution prevents Burp UI freezes during large operations.
- Download
APICollector.py. - In Burp Suite, go to the Extensions tab -> Installed -> Add.
- Select Python as the extension type and point to
APICollector.py. - (Prerequisite: Ensure Jython 2.7.x is configured in Burp Suite settings).
- Added Assessment Analytics Dashboard with risk distribution & remediation metrics.
- Added Visual Progress Tracking for verified fixes.
- Enhanced dashboard UI with professional CSS metric cards.
- Added Project Management (.apic file system).
- Added Vulnerability Revalidation with dual-evidence tracking.
- Implemented Universal URL Decoding for parameters.
- Added Global Status Bar for operational feedback.
- Added context menu integration ("Send to APICollector").
- Integrated Burp native message editors.
- Added YAML support for OpenAPI.
- Initial release with Support for OpenAPI, Postman, and Insomnia.
Developed by Kamran Saifullah for professional security researchers.