Proof-of-testing coverage tracker for Burp Suite.
ScopeProof gives pentesters a real-time view of which endpoints have been tested, how deeply, and what gaps remain. It captures traffic from every Burp tool automatically and aggregates it into a single coverage dashboard — no manual bookkeeping required.
- Real-time traffic capture — Automatically tracks requests from Proxy, Repeater, Intruder, Scanner, and all other Burp tools.
- Endpoint aggregation — Groups requests by normalized endpoint (e.g. `/users/123` and `/users/456` become `/users/{id}`), with smart grouping for Intruder/Scanner payloads.
- Testing depth classification — Automatically classifies each endpoint as Thoroughly Tested, Fuzz Tested, Manually Tested, Observed, or Untested based on which tools have interacted with it.
- Priority scoring — Ranks untested or under-tested endpoints by risk (write methods, parameters, auth state, status codes).
- Attack payload detection — Tracks payload categories (XSS, SQLi, Path Traversal, CMDi, SSTI, SSRF, XXE) by matching user-defined signatures in request content. Add your own payloads per category and ScopeProof flags which endpoints have been hit.
- Intruder payload generator — Registered payload generators let you fire your custom payloads directly from Intruder.
- Scope filtering — Filter by host (supports wildcards like `*.example.com`), import from Burp's target scope, or load from file.
- Persistent storage — All captured data, notes, and tags survive Burp restarts. Auto-saves every 30 seconds.
- Export — JSON and CSV export for reports. CSV output is sanitized against formula injection.
- Context menu integration — Right-click to mark requests as tested, flag decoder usage, or tag selected text as a payload.
- ScopeProof Pro upload — Optionally upload coverage reports to ScopeProof Pro for team dashboards and historical tracking.
- Open Burp Suite.
- Go to Extensions > BApp Store.
- Search for ScopeProof.
- Click Install.
- Clone and build:

  ```sh
  git clone https://github.com/MockedLabs/ScopeProof.git
  cd ScopeProof
  ./gradlew jar
  ```

- In Burp Suite, go to Extensions > Installed > Add.
- Set Extension type to Java.
- Select `build/libs/ScopeProof-1.0.0.jar`.
- Burp Suite Professional or Community Edition
- Java 17 or later (bundled with modern Burp releases)
Once installed, a ScopeProof tab appears in Burp Suite.
- Browse your target through Burp Proxy as usual. ScopeProof captures traffic automatically.
- Click Refresh to also import existing proxy history and site map entries.
- Use Settings > Filters to set your scope hosts and exclude static resources or noise domains.
The main table shows one row per unique endpoint with:

| Column | Description |
|---|---|
| Host | Target hostname |
| Endpoint | Normalized path (dynamic segments replaced with {id}, {uuid}, etc.) |
| Methods | HTTP methods observed (GET, POST, etc.) |
| Reqs | Total request count |
| Priority | Risk-based priority: Critical, High, Medium, Low |
| Depth | Testing depth: Thoroughly Tested through Untested |
| Tested By | Which tools hit this endpoint and how many times |
| Status Codes | Response status code distribution |
| Tests | Detected payload categories |
| Tag | User-assigned tag |
| Notes | Free-text notes (editable inline) |

| Depth | Criteria |
|---|---|
| Thoroughly Tested | Fuzz tested + manually tested + 10 or more requests |
| Fuzz Tested | Hit by Intruder or Scanner |
| Manually Tested | Hit by Repeater, Extensions, or edited in Proxy |
| Observed | 3 or more passive requests |
| Untested | Fewer than 3 passive requests, no active testing |
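The normalization and depth rules above, as an added Python illustration (not ScopeProof's own Java/Montoya code): the segment regexes, the tool-name strings and the reading of "passive" as unedited Proxy traffic are assumptions made for this example.

```python
import re
from collections import Counter

# Added illustration, not ScopeProof's own code: the regexes, tool names and
# the "passive = unedited Proxy traffic" reading are assumptions.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
FUZZ_TOOLS = {"Intruder", "Scanner"}                          # "Fuzz Tested"
MANUAL_TOOLS = {"Repeater", "Extensions", "Proxy (edited)"}  # "Manually Tested"

def normalize_path(path: str) -> str:
    """Collapse dynamic segments: /users/123 and /users/456 -> /users/{id}."""
    segs = []
    for seg in path.split("?", 1)[0].split("/"):
        if UUID_RE.match(seg):
            segs.append("{uuid}")
        elif seg.isdigit():
            segs.append("{id}")
        else:
            segs.append(seg)
    return "/".join(segs)

def classify_depth(hits) -> str:
    """Apply the depth table to a {tool: hit count} mapping for one endpoint."""
    fuzz = any(t in FUZZ_TOOLS for t in hits)
    manual = any(t in MANUAL_TOOLS for t in hits)
    if fuzz and manual and sum(hits.values()) >= 10:
        return "Thoroughly Tested"
    if fuzz:
        return "Fuzz Tested"
    if manual:
        return "Manually Tested"
    return "Observed" if hits.get("Proxy", 0) >= 3 else "Untested"

def coverage(records):
    """records: (tool, path) pairs -> {normalized endpoint: depth label}."""
    per_endpoint = {}
    for tool, path in records:
        per_endpoint.setdefault(normalize_path(path), Counter())[tool] += 1
    return {ep: classify_depth(c) for ep, c in per_endpoint.items()}

# Constructed sample traffic, as ScopeProof would see it from each Burp tool.
SAMPLE = [
    ("Proxy", "/users/123"), ("Proxy", "/users/456"), ("Proxy", "/users/789"),
    ("Repeater", "/users/123"),
    ("Intruder", "/orders/0c1d7a9e-1111-4222-8333-444455556666"),
    ("Proxy", "/health"),
]
if __name__ == "__main__":
    for endpoint, depth in coverage(SAMPLE).items():
        print(f"{endpoint:20} {depth}")
```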
Open Settings > Payloads to manage payload signatures per category. You can:
- Add individual payloads or paste/load lists.
- Use the built-in Intruder payload generator (ScopeProof - All Payloads or per-category).
- Right-click selected text in the request editor and choose Tag Payload (ScopeProof) to add new signatures on the fly.
- JSON — Full coverage report including summary statistics and engagement metadata.
- CSV — Flat table export for spreadsheets and reporting tools.
ScopeProof stores data in `~/.scopeproof/`:

| File | Contents |
|---|---|
| scopeproof_records.json | Captured traffic records |
| scopeproof_annotations.json | Notes and tags |
| payloads.json | Custom payload signatures |
To build from source, run:

```sh
./gradlew jar
```

The output jar is at `build/libs/ScopeProof-1.0.0.jar`.
- Montoya API 2025.3 (compile-only)
- Gson 2.11.0 (bundled in jar)
Apache License 2.0. See LICENSE.
