A passive and active secret-detection extension for Burp Suite (Montoya API). Detects exposed API keys, credentials, PII, JWTs, and connection strings in HTTP traffic.
Community Edition note: Passive scan check registration requires Burp Suite Professional. All other features (Bulk Scan, right-click rescan, sitemap sweep, proxy handler) work in Community Edition. Findings will appear in the Bulk Scan panel and via the context menu rather than in Dashboard → Issue Activity.
Screenshots: Dashboard — Issue Activity; Bulk Scan tab with live results; HTML Report; Settings Tab; Right-click Rescan.
| Feature | Detail |
|---|---|
| Passive scanning | Fires on every proxied response automatically; also sweeps existing sitemap on load |
| 100+ anchored token rules | GitHub, GitLab, AWS, Stripe, OpenAI, Slack, Shopify, Azure, GCP, Docker Hub, Clerk, and more |
| 40+ context-gated rules | Algolia, Cloudflare, Zendesk, Heroku, Datadog, Salesforce, Mistral, Cohere, Auth0, Supabase, and more |
| Request header scanning | Detects credentials in custom headers (e.g. App_key, Resource, Ocp-Apim-Subscription-Key) |
| Generic KV & high-entropy scanner | Catches unlisted keys using keyword + entropy heuristics |
| PII detection | SSN, credit card numbers (Luhn-validated), credential-bearing URLs |
| Bulk Scan tab | Paste/import URL lists; follows `<script src>`, webpack chunks; 1–50 concurrent threads |
| HAR import | Scan responses from a `.har` file directly — no live fetch needed (useful for auth-walled or offline targets) |
| Headless Browse | Optionally launch Chrome/Chromium headless through Burp proxy to capture dynamic XHR/Fetch calls |
| Scope Monitor | Capture passive proxy findings for watched hosts and route them into the Bulk Scan results table |
| HTML reports | Per-scan all-in-one HTML report; per-domain ZIP (one file per hostname); CSV export |
| Scan tiers | FAST / LIGHT / FULL — trade speed vs. coverage |
| Key name blocklist / allowlist | Suppress FP-prone key patterns or force-report specific key names regardless of entropy |
| FP mitigations | CDN blocklist, 60+ noise key filter, Angular/Vue directive filter, JWT suppression, UUID rejection |
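The difference between the two rule families in the table above, as an added example that is not the extension's own code: an anchored rule matches a self-identifying vendor prefix (the GitHub `ghp_` classic-token and AWS `AKIA` access-key-ID prefixes used here are publicly documented formats, simplified), while a context-gated rule only reports an ambiguous value shape when a vendor keyword appears shortly before it. The 32-hex-character shape for Algolia, the 120-character context window and every token in the sample bundle are constructed for illustration.

```python
import re

# Anchored rules: the token carries a vendor-specific prefix, so a match is
# self-evident without surrounding context. Simplified from public formats.
ANCHORED_RULES = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Context-gated rules: the value shape alone is ambiguous (a 32-char hex
# string is just as likely a build hash), so it is reported only when one of
# the keywords appears within CONTEXT_WINDOW characters before the match.
# Assumption for this example: Algolia keys are 32 lowercase hex characters.
CONTEXT_WINDOW = 120
CONTEXT_RULES = {
    "algolia_api_key": (
        re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{32}(?![0-9a-fA-F])"),
        ("algolia",),
    ),
}

# Constructed JS bundle fragment; none of these values are real credentials.
SAMPLE_BUNDLE = """
const cfg = {
  buildHash: "fedcba9876543210fedcba9876543210",
  githubToken: "ghp_Q7m2Xk9Lp4Rt8Vw1Yb5Nc3Hd6Jf0Gs2Zu4Tq",
  awsKeyId: "AKIAEXAMPLEKEY123456",
  algoliaAppId: "APP12345",
  algoliaAdminKey: "0123456789abcdef0123456789abcdef"
};
"""


def scan(text, window=CONTEXT_WINDOW):
    """Return (rule_name, matched_value, rule_kind) for every finding."""
    findings = []
    for name, pattern in ANCHORED_RULES.items():
        for m in pattern.finditer(text):
            findings.append((name, m.group(0), "anchored"))
    for name, (pattern, keywords) in CONTEXT_RULES.items():
        for m in pattern.finditer(text):
            # Only the text *before* the value is inspected for the keyword.
            context = text[max(0, m.start() - window):m.start()].lower()
            if any(k in context for k in keywords):
                findings.append((name, m.group(0), "context-gated"))
    return findings


if __name__ == "__main__":
    for rule, value, kind in scan(SAMPLE_BUNDLE):
        print(f"{kind:14s} {rule:18s} {value}")
```

In the sample, `buildHash` has the same 32-hex shape as the Algolia key but no vendor keyword in front of it, so the gate suppresses it; the two anchored tokens are reported unconditionally.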
| Component | Version |
|---|---|
| Burp Suite Professional | 2024.7+ (Montoya API) |
| Burp Suite Community | 2024.7+ (Bulk Scan, rescan, and proxy handler work; passive scan check skipped) |
| Java | 17+ (bundled with Burp) |
| OS | macOS (Intel / Apple Silicon), Windows (x64), or Linux |
Download secretsifter-1.0.0.jar from the Releases page, or build it yourself (see below).
- Open Burp Suite → Extensions tab → Installed → Add
- Set Extension type: Java
- Browse to `secretsifter-1.0.0.jar`
- Click Next — the extension loads and a Secret Sifter tab appears in the main tab bar
Once loaded, the extension scans every response passing through the Burp proxy. Findings appear in:
- Dashboard → Issue Activity (as Burp AuditIssues — Pro only)
- The Secret Sifter → Bulk Scan results table (all editions)
On load, the extension also sweeps all responses already recorded in Target → Site map so that findings appear immediately — even for traffic captured before the extension was installed.
No configuration required.
In Proxy → HTTP History or Repeater, right-click any request → Rescan for Secrets. Expands to all site-map entries for the selected host(s). Optionally save an HTML report after the scan.
- Navigate to Secret Sifter → Bulk Scan
- Paste one URL per line into the URL box (or import a `.txt`/`.csv` file, or import a `.har` file)
- Choose scan tier and thread count
- Click ▶ Start Scan
- Results populate the table in real time
- Export as CSV, HTML Report, or HTML Report (per domain)
Bulk Scan options:
| Option | Description |
|---|---|
| Tier | FAST (anchored tokens only) / LIGHT (+ entropy) / FULL (+ PII, KV, SSR blobs) |
| Threads | 1–50 concurrent URL workers (default 25) |
| Follow script-src | Fetch and scan `<script src>` URLs found in HTML responses |
| Follow webpack chunks | Follow chunk references inside JS bundles (depth 1) |
| Scope Monitor | Capture passive-scan findings from Burp proxy traffic for watched hosts |
| Cross-origin APIs | Capture XHR/Fetch calls fired from a watched host to other domains |
| Headless Browse | Launch Chrome/Chromium headless through Burp proxy to capture dynamic JS API calls |
| Scan Site Map | Scan all JS/HTML responses already captured in Burp's site map |
| Setting | Description |
|---|---|
| Scan Tier | FAST / LIGHT / FULL |
| Entropy Threshold | Minimum Shannon entropy for high-entropy scanner (default: 3.5 bits/char) |
| PII Detection | Enable/disable SSN and credit card scanning |
| Scan request headers | Scan custom request headers (e.g. App_key, Resource) for credentials |
| CDN Blocklist | Hostnames to skip (one per line; pre-populated with common CDN/analytics domains) |
| Key Name Blocklist | Substring patterns — matching key names are suppressed (e.g. STATE_KEY_, NEXT_PUBLIC_) |
| Key Name Allowlist | Substring patterns — matching key names are always reported regardless of entropy |
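How the Entropy Threshold, Key Name Blocklist and Key Name Allowlist settings from the table above fit together, as an added illustration rather than the extension's rule set: a generic key/value matcher finds credential-looking assignments, then the settings decide whether each one is reported. The key regex, the `ADMIN_PASSWORD` allowlist entry, the choice that the allowlist takes precedence over the blocklist, and the sample JavaScript are assumptions made for this example; the 3.5 bits/char default and the `STATE_KEY_`/`NEXT_PUBLIC_` blocklist entries come from the table.

```python
import math
import re

# Defaults from the Settings table. The allowlist entry is constructed.
ENTROPY_THRESHOLD = 3.5
KEY_NAME_BLOCKLIST = ("STATE_KEY_", "NEXT_PUBLIC_")
KEY_NAME_ALLOWLIST = ("ADMIN_PASSWORD",)

# Illustrative generic KV rule: identifier containing a credential keyword,
# then '=' or ':', then a value of 12+ token-ish characters.
KV_RE = re.compile(
    r"(?P<key>[A-Za-z_][A-Za-z0-9_]*(?:key|secret|token|password)[A-Za-z0-9_]*)"
    r"\s*[=:]\s*[\"']?(?P<value>[A-Za-z0-9_\-+/=.]{12,})",
    re.IGNORECASE,
)
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Constructed sample; none of these values are real credentials.
SAMPLE_JS = """
window.__APP_STATE__ = {
  NEXT_PUBLIC_API_KEY: "Kx7pQm2Lr9Tw4Vz8Yb1Nc5Hd3Jf6Gs0",
  STATE_KEY_cart: "q1w2e3r4t5y6u7i8o9p0",
  internal_api_key: "3f8c9a1e-2b4d-4c6e-8f0a-1b2c3d4e5f60",
  build_token: "aaaaaaaaaaaaaaaaaaaaaaaa",
  service_secret: "Zx9Qm2Lp7Rt4Vw8Yb1Nc5Hd3Kf6Js0Gu",
  admin_password: "letmein-letmein"
};
"""


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_kv(key, value, threshold=ENTROPY_THRESHOLD,
                blocklist=KEY_NAME_BLOCKLIST, allowlist=KEY_NAME_ALLOWLIST):
    """Decide whether a matched key/value pair is reported or why it is not."""
    name = key.upper()
    # Assumption: allowlist wins, since allowlisted names are "always reported".
    if any(p.upper() in name for p in allowlist):
        return "report"
    if any(p.upper() in name for p in blocklist):
        return "suppress:blocklist"
    if UUID_RE.match(value):          # UUID rejection: identifiers, not secrets
        return "suppress:uuid"
    if shannon_entropy(value) < threshold:
        return "suppress:low-entropy"
    return "report"


def scan_text(text, **settings):
    """Run the generic KV rule over text and attach a verdict to each match."""
    findings = []
    for m in KV_RE.finditer(text):
        key, value = m.group("key"), m.group("value")
        findings.append({
            "key": key,
            "value": value,
            "entropy": round(shannon_entropy(value), 2),
            "verdict": classify_kv(key, value, **settings),
        })
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_JS):
        print(f"{f['verdict']:22s} {f['key']:22s} entropy={f['entropy']}")
```

Only `service_secret` (high entropy, no list hit) and `admin_password` (low entropy, but allowlisted) are reported; the other four show the three suppression paths the Settings tab exposes.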
| Tier | Rules Active | Use When |
|---|---|---|
| FAST | 100+ anchored vendor tokens | Quick recon, large site maps |
| LIGHT | + High-entropy scanner + 40+ context-gated rules + DB strings | Standard pentest |
| FULL | + PII (SSN, CC) + Generic KV + SSR state blobs + JSON walker + getter functions | Deep audit, bug bounty |
- Java 17+
- Gradle 8+ (or use `./gradlew`)

```bash
git clone https://github.com/secretsifter/burp-secret-scanner
cd burp-secret-scanner
./gradlew shadowJar
```

Output: `build/libs/secretsifter-1.0.0.jar` (~430 KB)

```bash
./gradlew test
```

Test report: `build/reports/tests/test/index.html`
| Level | Meaning |
|---|---|
| HIGH | Confirmed active credentials — rotate immediately |
| MEDIUM | Tokens that confirm a live service integration |
| LOW | Identifiers or keys with limited standalone risk |
| INFORMATION | Structural or schema-level findings |
The extension includes built-in noise filtering, entropy thresholds, CDN domain skipping, and structural validation (Luhn, SSN format checks) to keep results actionable. User-configurable key name blocklist and allowlist are available in the Settings tab.
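The structural validation mentioned above, written out as an added example rather than the extension's code: a Luhn mod-10 check on digit runs that look like card numbers, and the SSA's published plausibility rules for SSNs (area 000, 666 and 900 to 999, group 00 and serial 0000 are never issued). The candidate regexes and the JSON sample body are constructed; the card number used is the standard `4111 1111 1111 1111` test value.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or hyphens.
CC_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN shape AAA-GG-SSSS; plausibility is checked separately.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Constructed response body: one real-shaped test card, one Luhn-failing
# typo, one order id that merely looks numeric, and three SSN-shaped values.
SAMPLE_BODY = """{"order_id": "1234567890123456",
 "card": "4111 1111 1111 1111",
 "card_typo": "4111-1111-1111-1112",
 "ssn": "123-45-6789",
 "not_ssn_area": "000-12-3456",
 "not_ssn_666": "666-11-2222"}"""


def luhn_valid(digits):
    """Luhn mod-10 checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """SSA rules: area never 000/666/900-999, group never 00, serial never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask_pan(digits):
    """Keep BIN and last four so a report is useful without re-exposing the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text):
    """Luhn-validated card-number candidates, with a masked form for reporting."""
    findings = []
    for m in CC_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({"raw": m.group(0), "digits": digits,
                             "masked": mask_pan(digits)})
    return findings


def find_ssns(text):
    """SSN-shaped values that also pass the structural plausibility rules."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]


if __name__ == "__main__":
    for c in find_card_numbers(SAMPLE_BODY):
        print("card:", c["masked"])
    for s in find_ssns(SAMPLE_BODY):
        print("ssn: ", s)
```

Of the three 16-digit runs in the sample only the test card passes Luhn, and of the three SSN-shaped values only `123-45-6789` survives the area/group/serial checks; the order id and the two impossible SSNs are exactly the noise the validation is there to drop.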
- Verify Burp Suite version is 2024.7 or later
- Check the Extensions → Output tab for error messages
- Confirm you are loading the shadow JAR (`secretsifter-1.0.0.jar`), not the plain compile output
- Check Settings → Scan Tier — switch to FULL for maximum coverage
- Verify the response is flowing through Burp's proxy (not directly)
- For JS-heavy SPAs: use Bulk Scan with Follow script-src and Follow webpack chunks enabled, or browse the target through Burp Browser first then use Scan Site Map
- For secrets in request headers (e.g. `App_key`): confirm Scan request headers is enabled in Settings
- Switch Scan Tier to FAST in Settings
- Expand the CDN blocklist to skip high-volume analytics traffic
- Disable PII scanning if not needed (Settings → PII Detection → Off)
- Ensure Google Chrome or Chromium is installed and on `PATH`
- On macOS: `/Applications/Google Chrome.app` is detected automatically
- Check the Extensions → Output tab for `[Headless] Chrome/Chromium not found` messages
- The feature routes all traffic through Burp proxy — ensure Burp is listening on the configured port
Security note: Headless Browse is opt-in and requires explicit user consent on first use. All traffic is routed exclusively through Burp's local proxy — no data leaves your machine. Each scan uses an isolated Chrome profile (`--user-data-dir` in system temp) that is discarded after the scan.
- Dashboard → Issue Activity requires Burp Suite Professional
- In Community Edition, all findings are available in the Bulk Scan table and HTML/CSV export
Vendor token format specifications are publicly documented by their respective service providers. See NOTICE for details.
MIT License — free to use, modify, and distribute. See LICENSE for full terms.