Transform API specs into ready-to-test requests in seconds. Start pentesting directly from specs. Import OpenAPI, Swagger, MCP, or AWS JSON API specs directly into Burp. Send all APIs to Repeater, Intruder, Sitemap, and more with a single click.
- 🎯 Reduce manual request crafting – Import your spec and skip straight to security testing
- 🔄 Multi-format support – OpenAPI, Swagger, AWS JSON, MCP models all in one tool
- ⚡ Instant integration – One-click send to Repeater, Intruder, Organizer, Sitemap
🚀 Import → Click → Test
- Download the latest JAR
- Load into Burp Suite Extensions
- Import your spec file
- Start testing! 🎉
💡 Note: For AWS JSON models, you'll need the Python server running – see AWS JSON Setup
| Format | Status | Notes |
|---|---|---|
| OpenAPI 3.0 / 3.1 | ✅ Supported | JSON & YAML • Generates requests per content type |
| Swagger 2.0 | ✅ Supported | JSON & YAML • Generates requests per content type |
| AWS JSON (Botocore) | ✅ Supported | Requires Python server • Generate HTTP or awscli requests 📦 Source models |
| MCP Servers Config JSON | ✅ Supported | sse & http types • Calls tools/list on each server and stores the tool schemas in memory • Generates requests for each tool and server capability |
| AWS Smithy | ❌ Not currently supported | |
- Download the JAR from releases
- Open Burp Suite → Extensions tab → Add
- Select the downloaded JAR file
- Find the API Parser tab in Burp
No additional setup needed! Just load your spec file and start testing.
API Parser parses the type, url, and headers fields of the JSON config. It uses these values to connect to the servers and call tools/list.
AWS JSON models (e.g. service-2.json files) require setting up the Python server for serialization.
Choose your preferred method:
Requirements: Docker Desktop
```bash
# Clone the repository
git clone <repo-url>
cd burp-api-spec-parser

# Build the image
docker build -t apiparserservice .

# Run on default port (50055)
docker run -p 50055:50055 apiparserservice 50055

# Or customize the port
docker run -p 8080:8080 apiparserservice 8080
```
Requirements: Python ≥3.8, pip
```bash
# Install dependencies
python -m pip install -r requirements.txt

# Or install individually
python -m pip install grpcio-tools~=1.75.1
python -m pip install botocore~=1.40.40

# Start the server
python src/main/python/request_serializer_service.py -p 50055

# Optional: Test the connection
python src/main/python/test_request_serializer_client.py
```
- Default port: 50055
- Custom port: Update in Settings tab → Port Number
- Health check: Use the Health Check button to verify connectivity
🔐 AWS Signing: To sign requests, use alongside AWS Signer or SigV4 extensions from the BApp store
1. Load spec file
↓
2. Browse operations
↓
3. Select operation(s) (SHIFT+CLICK for multiple)
↓
4. Send to Repeater/Intruder/Sitemap/Organizer
View Selection – Choose your request format:
| API Type | Available Views |
|---|---|
| AWS JSON | • HTTP request format • awscli command format |
| OpenAPI | • Each defined content type (JSON, XML, etc.) • Auto-generated examples • Spec-defined examples |
Host Configuration – Set your target:
| API Type | Available Hosts |
|---|---|
| AWS JSON | Manual input required (see limitations) |
| OpenAPI | • Each host defined in the spec • Manual input (Accepts both URL or FQDN) |
| MCP | Uses the URL in the JSON for connection, then the message endpoint for tools requests |
Authentication Configuration – Select an authentication method:
| API Type | Available Authentication Methods |
|---|---|
| AWS JSON | None (use the AWS Signer or SigV4 extension) |
| OpenAPI | Auto-generates each security scheme defined in the spec |
| MCP | None (use the headers field or add additional headers in the Additional Parameters section) |
Include Optional Parameters – Include/Omit optional parameters:
| API Type | Behavior |
|---|---|
| AWS JSON | Includes parameters based on the value "required": true |
| OpenAPI | None (not currently used) |
| MCP | Includes parameters based on the required field in the tool schema |
The swagger-parser library expects OAS compliance. If you encounter parsing errors:
- Validate your spec at swagger.io/validator
- Fix any schema violations
- Re-import the corrected file
Extremely large OpenAPI specs may fail to load. If you have a large spec, consider splitting it into smaller individual files.
Manual host configuration required. Find the correct host by either:
- Intercepting requests from awscli or AWS Console
- Checking the `endpoint-rule-set-*.json` for the model in the botocore data folder
Currently only the type, url, and headers fields are parsed from the servers config JSON. Servers with type: "stdio" are not supported since these do not have a URL to connect to.
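As an added illustration (not the extension's own code) of what the MCP import does with a servers config: it reads the type, url and headers fields, skips stdio entries, prepares a JSON-RPC tools/list request per reachable server, and builds a tools/call request from a tool schema using only the required properties unless optional parameters are included. It assumes the config nests servers under a top-level "mcpServers" object and that tool schemas use JSON-Schema style inputSchema, both assumptions about the file layout; the config and tool below are constructed samples.

```python
import json

# Constructed sample config (assumes the "mcpServers" layout); the stdio
# entry is there to show that it is skipped because it has no URL.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "docs": {"type": "http", "url": "https://mcp.example.test/mcp",
                 "headers": {"Authorization": "Bearer PLACEHOLDER"}},
        "events": {"type": "sse", "url": "https://mcp.example.test/sse"},
        "local": {"type": "stdio", "command": "node", "args": ["server.js"]},
    }
})

SUPPORTED_TYPES = {"sse", "http"}


def parse_servers(config_text):
    """Return {name: {type, url, headers}} for servers that can be connected to."""
    servers = json.loads(config_text).get("mcpServers", {})
    result = {}
    for name, entry in servers.items():
        if entry.get("type") not in SUPPORTED_TYPES or "url" not in entry:
            continue  # stdio (or unknown) servers have no URL to connect to
        result[name] = {"type": entry["type"], "url": entry["url"],
                        "headers": dict(entry.get("headers", {}))}
    return result


def tools_list_request(request_id=1):
    """JSON-RPC 2.0 body that asks an MCP server to enumerate its tools."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/list"}


def tools_call_request(tool, include_optional=False, request_id=2):
    """Build a tools/call body from a stored tool schema.
    Only properties listed under "required" get a placeholder value unless
    include_optional is set, mirroring the Include Optional Parameters toggle."""
    schema = tool.get("inputSchema", {})
    required = set(schema.get("required", []))
    placeholders = {"string": "string", "integer": 0, "number": 0.0,
                    "boolean": False, "array": [], "object": {}}
    args = {}
    for prop, spec in schema.get("properties", {}).items():
        if include_optional or prop in required:
            args[prop] = placeholders.get(spec.get("type"))
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": tool["name"], "arguments": args}}
```

Each request body is sent as an HTTP POST to the server's message endpoint with the configured headers attached; only the request construction is shown here.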
We welcome contributions! See CONTRIBUTING.md for guidelines.
Built with swagger-parser and botocore
