API & Workflow Manager - Burp Suite Extension
API & Workflow Manager is a Burp Suite extension that provides centralized management and organization for API endpoints during security testing. It allows security professionals to collect, categorize, and export HTTP requests with workflow labels, enabling structured testing methodologies and comprehensive documentation through CSV and cURL exports.
Key capabilities:
- Collect and organize APIs from Proxy/Repeater
- Add workflow markers to structure testing phases
- Filter and manage endpoints by HTTP method
- Export to manual testing sheets or cURL commands
- Control duplicate entries for clean inventories
Perfect for API security testing where organized workflow management and documentation are essential.
- Centralized API Management: Collect and organize HTTP requests in a dedicated tab
- Smart Filtering: Filter APIs by HTTP methods (GET, POST, PUT, DELETE, etc.)
- Duplicate Control: Configurable duplicate detection to maintain clean API inventories
- Visual Workflow Creation: Add workflow markers to structure testing processes
- Context Menu Integration: Direct access from Proxy/Repeater
- Drag & Drop Reordering: Intuitive UI for organizing API sequences
- Bulk Operations: Multi-select support for efficient management
- CSV Manual Sheets: Generate documentation for manual testing
- cURL Commands: Convert requests to cURL format for external testing
- Flexible Formats: Multiple export options with duplicate handling
Manage your captured APIs efficiently:
- View all collected APIs.
- Filter by HTTP method.
- Reorder or remove entries.
- Add new APIs or workflows manually.
Right-click any request in Proxy, Repeater, or HTTP history, and choose:
- Send APIs to Management Tab
- Export API's as Manual Sheet
- Export cURL to File
The exported CSV file includes structured columns for:
- API & parameters
- Attack steps & observations
- Manual test tracking (Found/Not found)
- Burp Suite Professional
- Jython 2.7+ configured in Burp Suite
```bash
# 1. Clone the repository
git clone https://github.com/yourusername/burp-api-workflow-manager.git
```

- Go to Extender → Options
- Set Python environment to your Jython standalone JAR
- Ensure Jython 2.7+ is properly configured
- Open Burp Suite → Extender → Extensions
- Click Add → Python as extension type
- Browse and select the extension file
- Click Next to load
- Check for the "API Management" tab
- Confirm context menu options in Proxy/Repeater
Adding APIs to Management
Right-click request → Extensions → Send APIs to Management Tab
- Use the Add API button in the management tab
- Enter Method, URL, and Parameters manually
| Feature | Description | Shortcut |
|---|---|---|
| Filtering | Filter by HTTP method | Dropdown |
| Reordering | Move APIs up/down | Move Up/Down buttons |
| Workflows | Add workflow markers for testing phases | Add Workflow button |
| Duplicate Control | Toggle duplicate prevention | Checkbox (top panel) |
```
SR.NO.,API,Parameters,Attack tried,Steps/procedure,Observation,Status
1,GET /api/users,"id,name",,,,####
```

```bash
curl -i -s -k -X 'GET' -H 'Authorization: Bearer token' 'https://api.example.com/users'
####
```

API Security Testing
- Comprehensive documentation to track testing progress
- Structured workflows for repeatable test phases
- Team collaboration via organized inventories

Manual Testing Support
- Collect all endpoints via Proxy
- Organize by functionality in management tab
- Export to CSV for manual testing documentation
- Use cURL exports for automated tool integration
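For the tool-integration step, an added example (not part of the extension) that turns a cURL export into argument lists for `subprocess.run()` instead of passing each line to a shell. It assumes one curl command per line with `####` marker lines, as in this README's sample; `parse_export`, the sample data and the in-scope host set are hypothetical.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample in the export layout this README shows.
SAMPLE_EXPORT = """\
curl -i -s -k -X 'GET' -H 'Authorization: Bearer token' 'https://api.example.com/users'
####
curl -i -s -k -X 'GET' -H "X-Note: $(hostname)" 'https://api.example.com/items'
####
echo 'not a curl line'
####
curl -i -s -k -X 'POST' 'https://other.example.net/login'
"""

def parse_export(text, allowed_hosts, keep_insecure=False):
    """Split an export into argv lists suitable for subprocess.run(argv).

    Returns (accepted, rejected); rejected holds (line_number, reason) pairs.
    """
    accepted, rejected = [], []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line == "####":      # blank line or marker line
            continue
        try:
            argv = shlex.split(line)        # tokenise only; nothing is run or expanded
        except ValueError as exc:           # e.g. unbalanced quotes
            rejected.append((no, "unparseable: %s" % exc))
            continue
        if argv[0] != "curl":
            rejected.append((no, "not a curl command"))
            continue
        urls = [a for a in argv[1:] if a.startswith(("http://", "https://"))]
        if len(urls) != 1:
            rejected.append((no, "expected exactly one URL"))
            continue
        host = urlsplit(urls[0]).hostname
        if host not in allowed_hosts:
            rejected.append((no, "host out of scope: %s" % host))
            continue
        if not keep_insecure:
            # -k disables TLS certificate checks; assumes no option value is literally "-k"
            argv = [a for a in argv if a not in ("-k", "--insecure")]
        accepted.append(argv)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = parse_export(SAMPLE_EXPORT, {"api.example.com"})
    for argv in ok:
        print("would run:", argv)           # e.g. subprocess.run(argv, check=False)
    for no, reason in bad:
        print("line %d rejected: %s" % (no, reason))
```

Because the lines are tokenised rather than evaluated, the `$(hostname)` text in the second sample command reaches curl as a literal header value.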
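```bash
# Export cURL commands and pipe to external tools
# "####" lines are markers, not commands. eval runs every other line as
# shell code, so review the export file before running this loop.
while IFS= read -r cmd; do
  [ "$cmd" != "####" ] && eval "$cmd"
done < burp_export_curl.txt
```

Supported HTTP Methods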
Standard: GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS
Custom: Any HTTP method supported by Burp Suite
| Format | Encoding | Use Case |
|---|---|---|
| CSV | UTF-8 | Manual testing documentation |
| TXT | System default | cURL command export |
| Issue | Solution |
|---|---|
| Extension not loading | Verify Jython configuration in Burp |
| Missing context menu | Restart Burp or reload extension |
| Export failures | Check file permissions and disk space |
| Performance issues | Reduce number of APIs in management tab |
This project is licensed under the MIT License - see the LICENSE