I’ve been looking into Burp’s new AI features, and was keen to see whether any sensitive parameters are stripped before a request is sent to ai.portswigger.net. They are not.
PortSwigger has a blog post on the privacy of its AI features, but I wanted to verify this behavior firsthand.
I evaluated only the Burp Suite Explorer and Explainer AI features and the accompanying data privacy policy (AI security, privacy and data handling – PortSwigger), and found that data is sent to the PortSwigger AI infrastructure only when we use these features explicitly. However, there are also AI-powered extensions in the BApp Store, and for those it depends entirely on the extension’s implementation whether the data is masked before being sent to ai.portswigger.net.
As per Burp’s AI security, privacy, and data handling policy:
- AI features are disabled by default.
- No data is used for AI training; data processed through Burp’s AI infrastructure is not used to train AI models.
- PortSwigger stores AI data: AI request data is processed securely and stored in an encrypted audit trail, accessible only by authorized PortSwigger personnel.
- We, as security testers or customers, cannot review or delete our data stored in the PortSwigger AI infrastructure.
Additionally, I did a deep dive on the Explorer and Explainer AI features to see exactly what data is sent to PortSwigger’s servers (checked via Wireshark). Below is what I got:
While browsing http://testphp.vulnweb.com/, Burp’s default scanner reported an SQLi issue. I enabled Burp AI and used the Explorer feature [image(a)] on that specific issue. This initiated a couple of requests [image(b)] to the https://ai.portswigger.net endpoint, and the first request [image(c)] includes the issue’s HTTP request/response data, containing session cookies, bearer tokens, etc., which the Burp scanner originally sent to identify the issue. That’s a big concern when working with client applications that handle sensitive data.

The Burp AI Explainer feature, by contrast, only sends the data we selected for explanation [image(e)], as shown in the screenshot [image(f)].

So, to summarize: the Burp AI Explorer feature sends the full HTTP data for the issue, including cookies and tokens, directly to PortSwigger’s server. The Burp AI Explainer only sends the data we have selected for explanation. As for the AI-powered recorded login and BAC false positive reduction, I was not able to check, but it’s highly likely that data will be sent to the PortSwigger server as well.
📌 If you’re considering using Burp Suite AI features, make sure to get prior approval and review your organization’s data privacy policies. It’s important to be cautious, especially when working with sensitive environments.
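As an added example, not code from this post or from PortSwigger, here is the kind of redaction step an AI-powered extension (or a tester reviewing what a feature is about to send) would want before issue data leaves the machine: it lists which sensitive headers a raw HTTP request still carries, returns a copy with those values and any bearer tokens masked, and gates forwarding on the result. The sample request, its cookie and token values, and the header list are constructed for illustration.

```python
import re

# Constructed sample request, of the kind Burp's scanner attaches to an issue.
# The cookie and bearer values are made up for illustration.
SAMPLE_REQUEST = (
    "GET /example.php?id=1' HTTP/1.1\r\n"
    "Host: testphp.vulnweb.com\r\n"
    "Cookie: PHPSESSID=abc123sessionvalue; login=test%2Ftest\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.token\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Header names (lower-case) whose values should never leave the tester's machine.
# Extend this set to match your own environment's conventions (assumed list).
SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key",
}

# Bearer tokens can also turn up in bodies or custom headers; mask them everywhere.
BEARER_RE = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9\-._~+/]+=*")

PLACEHOLDER = "[REDACTED]"


def _split(raw: str):
    """Split a raw HTTP message into (request line, header lines, separator, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], sep, body


def find_sensitive(raw: str, placeholder: str = PLACEHOLDER) -> list:
    """Return names of sensitive headers whose value is still unmasked, in order."""
    _, headers, _, _ = _split(raw)
    found = []
    for line in headers:
        name, colon, value = line.partition(":")
        if (colon and name.strip().lower() in SENSITIVE_HEADERS
                and value.strip() != placeholder):
            found.append(name.strip())
    return found


def redact_request(raw: str, placeholder: str = PLACEHOLDER) -> str:
    """Return a copy of the request with sensitive header values and bearer tokens masked.

    The request line, header names and message structure are preserved, so the
    redacted copy still gives an AI explanation the context it needs.
    """
    request_line, headers, sep, body = _split(raw)
    out = [request_line]
    for line in headers:
        name, colon, _ = line.partition(":")
        if colon and name.strip().lower() in SENSITIVE_HEADERS:
            out.append(f"{name.strip()}: {placeholder}")
        else:
            out.append(BEARER_RE.sub(f"Bearer {placeholder}", line))
    return "\r\n".join(out) + sep + BEARER_RE.sub(f"Bearer {placeholder}", body)


def safe_to_forward(raw: str) -> bool:
    """Gate an outbound AI request: True only if nothing sensitive remains."""
    return not find_sensitive(raw) and BEARER_RE.search(raw) is None


if __name__ == "__main__":
    print("Unmasked sensitive headers:", find_sensitive(SAMPLE_REQUEST))
    print("Safe to forward as-is:", safe_to_forward(SAMPLE_REQUEST))
    redacted = redact_request(SAMPLE_REQUEST)
    print(redacted)
    print("Safe to forward after redaction:", safe_to_forward(redacted))
```

The gate is deliberately fail-closed: a request is only forwarded once both the header check and the token pattern come back clean, which is the property you would want to verify (for example with the same Wireshark capture approach used above) rather than assume of any feature or extension that talks to an external AI endpoint.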
Post by Mayank Mehra (Mayank Mehra | LinkedIn)