Turn your Burp Suite findings into clean, professional cards, ready for reports, bug bounty submissions, and social sharing.
Every pentester knows the moment: you've just confirmed a SQL injection, an XSS payload, or a path traversal returned /etc/passwd. Now you need to document it.
The usual workflow looks like this:
- Open Flameshot or a screenshot tool
- Take a screenshot of the request
- Take another screenshot of the response
- Draw red boxes around the relevant parts manually
- Open your report template
- Copy/paste the vulnerability name, write the business impact from scratch
- Repeat for every single finding
When you're running a pentest or a bug bounty session with 10, 15, or 20 findings - this process kills your momentum. You spend more time documenting than hacking.
RepShot was built to fix that.
RepShot is a Burp Suite extension that adds a "Send to RepShot" option to your Repeater context menu. From there, you get a dedicated panel where you can:
- Scroll to the exact part of the request or response you want to show
- Capture that exact viewport — what you see is what gets exported
- Draw red annotation boxes directly on the capture before exporting
- Search inside request/response with `Cmd+F`/`Ctrl+F`
- Auto-fill the business impact based on the vulnerability type selected
- Export a professional HD PNG card ready to paste into any report or post on LinkedIn/X
No more context switching. No more Flameshot. No more writing "An attacker could..." from scratch for the tenth time today.
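The "Send to RepShot" entry described above is a Burp Montoya API context-menu provider plus a registered suite tab. The following is an added example, not RepShot's source: a hypothetical extension (class and tab names are assumptions) that offers the entry only when the right-click came from a Repeater message editor, and copies the request/response pair into its own tab. It compiles against the `net.portswigger.burp.extensions:montoya-api` artifact (pick a current version) and is loaded into Burp the same way as any Java extension.

```java
package example; // hypothetical package, not RepShot's

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.core.ToolType;
import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.ui.contextmenu.ContextMenuEvent;
import burp.api.montoya.ui.contextmenu.ContextMenuItemsProvider;
import burp.api.montoya.ui.contextmenu.MessageEditorHttpRequestResponse;

import javax.swing.JMenuItem;
import javax.swing.JPanel;
import javax.swing.JScrollPane;
import javax.swing.JSplitPane;
import javax.swing.JTextArea;
import javax.swing.SwingUtilities;
import java.awt.BorderLayout;
import java.awt.Component;
import java.util.Collections;
import java.util.List;
import java.util.Optional;

/** Hypothetical extension: a Repeater-only context-menu entry that loads the message pair into its own tab. */
public class SendToExampleExtension implements BurpExtension, ContextMenuItemsProvider {

    private final JTextArea requestView = new JTextArea();
    private final JTextArea responseView = new JTextArea();

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("SendToExample");

        // The dedicated panel: request on the left, response on the right.
        requestView.setEditable(false);
        responseView.setEditable(false);
        JPanel panel = new JPanel(new BorderLayout());
        panel.add(new JSplitPane(JSplitPane.HORIZONTAL_SPLIT,
                new JScrollPane(requestView), new JScrollPane(responseView)), BorderLayout.CENTER);
        api.userInterface().registerSuiteTab("SendToExample", panel);

        // Hook the right-click menu; Burp calls provideMenuItems every time a menu opens.
        api.userInterface().registerContextMenuItemsProvider(this);
        api.logging().logToOutput("SendToExample loaded");
    }

    @Override
    public List<Component> provideMenuItems(ContextMenuEvent event) {
        // Only offer the entry when the menu was opened from Repeater.
        if (!event.isFromTool(ToolType.REPEATER)) {
            return Collections.emptyList();
        }
        // Only when the right-click happened inside a message editor (request or response pane).
        Optional<MessageEditorHttpRequestResponse> editor = event.messageEditorRequestResponse();
        if (editor.isEmpty()) {
            return Collections.emptyList();
        }
        HttpRequestResponse rr = editor.get().requestResponse();
        JMenuItem item = new JMenuItem("Send to SendToExample");
        item.addActionListener(e -> load(rr));
        return List.<Component>of(item);
    }

    private void load(HttpRequestResponse rr) {
        String request = rr.request().toString();
        // A request may sit in Repeater without having been fired, so the response can be absent.
        String response = rr.hasResponse() ? rr.response().toString() : "(no response yet)";
        SwingUtilities.invokeLater(() -> {   // all Swing updates on the EDT
            requestView.setText(request);
            responseView.setText(response);
            requestView.setCaretPosition(0);
            responseView.setCaretPosition(0);
        });
    }
}
```

Restricting the provider to `ToolType.REPEATER` and to `messageEditorRequestResponse()` is what keeps the entry out of menus where it makes no sense (Proxy history rows, Target tree, and so on); a provider that ignores these checks would appear everywhere Burp shows a context menu.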
Example finding card exported by RepShot
- Download `repshot-1.0.0.jar` from the Releases page
- Open Burp Suite
- Go to Extensions → Add
- Extension type: Java
- Select the downloaded JAR
- Click Next - you should see `RepShot loaded` in the Output tab
Requirements: Burp Suite 2023.x or later · Java 17+ on your system
```bash
git clone https://github.com/JFOZ1010/repshot.git
cd repshot
mvn clean package
# JAR will be at target/repshot-1.0.0.jar
```
Requirements: Java 17+, Maven 3.8+
- Send a request to Repeater and fire it
- Right-click anywhere in the request/response → 📸 Send to RepShot
- The RepShot panel opens with your request and response loaded
- Fill in the finding details - title, vulnerability type, severity, your handle
- Scroll to the relevant part of the request or response
- Click `[ 📷 Capture ]` - this captures exactly what's visible in the panel at that moment (What You See Is What You Get)
- Annotate with red boxes (optional):
  - Click `[ ✏ Draw Box ]` to enter drawing mode
  - Click and drag to draw annotation rectangles over the payload or evidence
  - Click `[ Clear Boxes ]` to remove all boxes
  - Re-capture after drawing to include the boxes in the export
  - Click `[ ✏ Draw Box ]` again to leave drawing mode so the response scrolls normally again
- Search with `Cmd+F` (macOS) or `Ctrl+F` (Windows/Linux)
- Click `Preview Card` to see the result before saving
- Click `Export PNG` to save the HD card (2400px wide, print-quality)
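The capture → annotate → export steps above boil down to three Java 2D operations: paint a `JViewport` (which clips to the scroll position, so the output is exactly what is visible), draw red rectangles over the resulting image, and stack a header band on top before writing a PNG. The following is an added example in plain Swing/Java 2D, not RepShot's code; the constructed 800-line response, the header layout, the line-height arithmetic used to position the box, and the output filename are all assumptions. It runs headless and writes `finding-card.png` in the working directory.

```java
import javax.imageio.ImageIO;
import javax.swing.JScrollPane;
import javax.swing.JTextArea;
import javax.swing.JViewport;
import java.awt.BasicStroke;
import java.awt.Color;
import java.awt.Font;
import java.awt.FontMetrics;
import java.awt.Graphics2D;
import java.awt.Point;
import java.awt.Rectangle;
import java.awt.RenderingHints;
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.IOException;
import java.util.List;

/** Illustrative WYSIWYG capture -> red-box annotation -> card export (not RepShot's code). */
public class FindingCardExample {

    /** Paint only the viewport's visible rectangle, scaled up for an HD export. */
    static BufferedImage captureViewport(JScrollPane pane, double scale) {
        JViewport vp = pane.getViewport();
        BufferedImage img = new BufferedImage((int) (vp.getWidth() * scale),
                (int) (vp.getHeight() * scale), BufferedImage.TYPE_INT_RGB);
        Graphics2D g = img.createGraphics();
        g.setRenderingHint(RenderingHints.KEY_TEXT_ANTIALIASING, RenderingHints.VALUE_TEXT_ANTIALIAS_ON);
        g.scale(scale, scale);
        vp.paint(g); // JViewport clips and translates by the current scroll offset: what you see is what you get
        g.dispose();
        return img;
    }

    /** Draw annotation rectangles given in viewport (unscaled) coordinates. */
    static void drawBoxes(BufferedImage img, List<Rectangle> boxes, double scale) {
        Graphics2D g = img.createGraphics();
        g.setColor(Color.RED);
        g.setStroke(new BasicStroke((float) (2 * scale)));
        for (Rectangle r : boxes) {
            g.drawRect((int) (r.x * scale), (int) (r.y * scale), (int) (r.width * scale), (int) (r.height * scale));
        }
        g.dispose();
    }

    /** Stack a header band (title, severity, impact sentence) above the capture. */
    static BufferedImage composeCard(BufferedImage capture, String title, String severity, String impact) {
        int header = 140;
        BufferedImage card = new BufferedImage(capture.getWidth(), capture.getHeight() + header, BufferedImage.TYPE_INT_RGB);
        Graphics2D g = card.createGraphics();
        g.setRenderingHint(RenderingHints.KEY_TEXT_ANTIALIASING, RenderingHints.VALUE_TEXT_ANTIALIAS_ON);
        g.setColor(Color.WHITE);
        g.fillRect(0, 0, card.getWidth(), header);
        g.setColor(Color.BLACK);
        g.setFont(new Font(Font.SANS_SERIF, Font.BOLD, 40));
        g.drawString(title + "  [" + severity + "]", 30, 55);
        g.setFont(new Font(Font.SANS_SERIF, Font.PLAIN, 24));
        g.drawString(impact, 30, 105);
        g.drawImage(capture, 0, header, null);
        g.dispose();
        return card;
    }

    public static void main(String[] args) throws IOException {
        System.setProperty("java.awt.headless", "true");
        // Constructed sample: an 800-line response whose evidence sits on line 697 (lines 1-3 are the status line, a header, and the blank line).
        String evidence = "<div>EVIDENCE: reflected marker here</div>";
        StringBuilder body = new StringBuilder("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n");
        for (int i = 4; i <= 800; i++) {
            body.append(i == 697 ? evidence : "<div>line " + i + "</div>").append('\n');
        }

        JTextArea area = new JTextArea(body.toString());
        area.setFont(new Font(Font.MONOSPACED, Font.PLAIN, 14));
        JScrollPane pane = new JScrollPane(area);
        pane.setSize(1200, 600);
        pane.doLayout();                // sizes the viewport and scrollbars; no window needed
        pane.getViewport().doLayout();  // sizes the text area to its preferred (full document) size

        // Scroll so line 697 sits mid-viewport, as a user would before clicking Capture.
        FontMetrics fm = area.getFontMetrics(area.getFont());
        int lineH = fm.getHeight();
        int lineTop = area.getInsets().top + (697 - 1) * lineH;
        JViewport vp = pane.getViewport();
        int viewY = Math.max(0, lineTop - vp.getHeight() / 2);
        vp.setViewPosition(new Point(0, viewY));

        double scale = 2400.0 / vp.getWidth();  // export at 2400 px wide
        BufferedImage shot = captureViewport(pane, scale);
        // Red box around the evidence line, expressed in viewport coordinates.
        drawBoxes(shot, List.of(new Rectangle(0, lineTop - viewY, fm.stringWidth(evidence) + 8, lineH)), scale);

        BufferedImage card = composeCard(shot, "Reflected XSS in search parameter", "High",
                "An attacker could run script in a victim's browser session.");
        ImageIO.write(card, "png", new File("finding-card.png"));
        System.out.println("wrote finding-card.png (" + card.getWidth() + "x" + card.getHeight() + ")");
    }
}
```

Two details matter for a faithful export: the scale is applied to the `Graphics2D` before painting, so the text is re-rendered at HD resolution rather than upscaled from a screen bitmap, and boxes are stored in viewport coordinates and scaled at draw time, which is why re-capturing after scrolling would move them off the evidence.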
RepShot includes pre-written business impact templates for 30 vulnerability types:
| Category | Types |
|---|---|
| Injection | SQL Injection (Error-Based, Blind/Boolean, Out-of-Band), Command Injection, SSTI, XXE, GraphQL Injection |
| XSS | Reflected, Stored, DOM-Based |
| Access Control | IDOR, Broken Access Control, Authentication Bypass, Broken Auth / Session Management |
| Server-Side | SSRF, RCE, Path Traversal / LFI, RFI |
| Web Misc | CORS Misconfiguration, HTTP Request Smuggling, Cache Poisoning, Open Redirect, Clickjacking, Subdomain Takeover |
| Client-Side | Prototype Pollution, JWT Vulnerabilities |
| Other | Insecure File Upload, Mass Assignment, Insecure Deserialization, Business Logic Flaw, Other... |
Each template is written in plain business language, no jargon, so the impact makes sense to a non-technical audience.
"800 lines of HTML. The evidence is on line 697."
I was spending too much time on the same repetitive documentation work on every engagement. The worst part wasn't writing the report, it was this:
RepShot captures exactly what you're looking at in Burp, lets you annotate inline, and exports a card that works for both technical reports and non-technical stakeholders.
The same PNG that goes into a pentest report can go on LinkedIn without looking like a raw terminal dump.
It also auto-fills the business impact. Because "An attacker can exploit this SQL injection to extract the entire database..." is something I've typed some variation of a hundred times.
RepShot is open source and community-driven. If you:
- Found a bug → open an issue
- Want a new vulnerability template → open a PR editing `ImpactTemplates.java`
- Want a new feature → open an issue first to discuss
All contributions welcome.
- Burp Suite Montoya API: extension framework
- Java Swing: UI and viewport capture
- Graphics2D: HD PNG rendering
- Maven: build system
MIT - use it, fork it, improve it.
Juan Felipe Oz - Application Security Engineer & Security Researcher based in Colombia.
Software Developer · AppSec Engineer · Security Researcher
Built with frustration and too many Flameshot screenshots.


