⚠️ Development Phase Source code will be published upon project completion. This repository currently hosts release notes, issue tracking, and roadmap only.
MacroFlow is a visual, node-based macro workflow engine for Burp Suite. It replaces Burp's built-in Macro system with a drag-and-drop canvas where you build multi-step HTTP flows, automatically inject session tokens, and validate reflected payloads (NOT INCLUDED) across multiple targets - all without writing a single script.
| Node | Purpose |
|---|---|
| Trigger | Intercepts live Burp traffic by host / path / method |
| Request | Sends an HTTP request; captures tokens from the response |
| Custom | Rules engine - headers, body transform, live crawl |
| Ignite | Calls another workflow as a sub-routine |
- Drag-and-drop node builder with zoom, pan, freeze / group-move
- Connect nodes by dragging from output port → input port
- Export / import workflows as JSON
- Import from Postman Collections, Insomnia, and OpenAPI / Swagger
- Dark / Light / Hacking Mode themes
$placeholder$tokens substituted live in every request- Captures: cookies, CSRF tokens, hidden inputs, JSON keys, redirect URLs
- Multi-value expansion - one request per captured value set
- Passive - every proxy response in scope auto-creates a Request node, extracts captures, and wires it into the chain. Canvas updates live. Start Auto Crawl follows links, submits forms, and parses fetch / XHR / axios calls up to a configurable depth.
- Active - seeds Burp's built-in spider with configured scope URLs.
- Workflow ON/OFF toggle immediately force-stops any running crawl.
- Visual execution graph matching the workspace canvas appearance (colored header bars, type badges, bezier wires)
- Live per-node status: ▶ running / ✓ ok / ✗ error
- Adjustable split between execution log and flow graph
- Right-click any node → View Request / View Response
- Download
MacroWorkflow.jar - In Burp Suite: Extender → Extensions → Add
- Extension type: Java
- Select the downloaded
.jar - MacroFlow tab appears in the Burp toolbar
To be announced upon public release.
Tag: v0.1-beta Title: v0.1-beta - Initial Limited Release
- Visual canvas: Trigger, Request, Custom, Ignite nodes
$placeholder$session injection and multi-value capture expansion- Live Crawl on Custom node (passive + active modes)
- Workflow Player with graphical execution log
- Postman / Insomnia / OpenAPI collection import
- Export / import workflows as JSON
- Dark / Light Mode themes
- User Preferences: button style, theme persistence
Download MacroWorkflow.jar, load it in Burp Extender → Java extension.
Connect an AI model directly into your workflow chain for automated analysis, triage, and payload assistance.
Capabilities
- Reads the response from any upstream Request node and passes it to an AI model
- Returns a structured result that downstream nodes can consume via captures
- Useful for: automated vulnerability triage, payload suggestion, response diffing, and custom prompt-driven validation
Supported providers
- OpenAI: GPT-4o, GPT-4o-mini, and any GPT-4 variant (Yet to decide whether to include or not)
- Anthropic: Claude (via OpenAI-compatible endpoint) (Yet to decide whether to include or not)
- Any OpenAI-compatible API (set a custom base URL) (Yet to decide whether to include or not)
Download MacroWorkflow.jar below, load it in Burp Extender → Java extension.
Remove any v0.1-beta installation first.
Screenshots:
