Burp Bounty Pro v3.1.0 is out.
New: AI Scanner. Sends each request to an LLM with structured context extracted from the response. The AI decides which profiles to launch automatically.
A new option alongside Active Scan and Smart Scan, not a replacement.
Some of the techniques emerging to improve the performance of LLMs are based on ideas borrowed from how the human brain works.
In our latest post we sum up 5 of the most recent ones: https://t.co/bYHUEZhOBm
Low limit on one route + high on another → which endpoint hits the expensive model. Map the architecture by following the money.
Denial of Wallet: exhaust the budget, not the compute. Exact limits tell you how
Profile 6, the last of the AI/LLM set in Burp Bounty Pro: RateLimit header disclosure.
⏱️ Detects RateLimit-* and X-RateLimit-* headers.
🎁 15 days free → https://t.co/OGiPM1UtFG
It confirms a raw LLM API is reachable, not just a wrapped chat UI. Raw endpoints (self-hosted vLLM, Ollama) often have far fewer guardrails. The usage object even hints at how big the hidden system prompt is.
Profile 5 of the AI/LLM set in Burp Bounty Pro: OpenAI-compatible API fingerprinting.
🤖 Detects:
chatcmpl-* completion IDs
choices + model + usage objects in the body
The OpenAI schema became the de facto standard. Detecting it = found an LLM endpoint.
Each field is part of the attack plan:
rag_enabled → PoisonedRAG on the table
mcp_enabled → tool poisoning on the table
embedding_model → inversion attempts viable
vector_db → know the retrieval backend
Profile 4 of the new AI/LLM set in Burp Bounty Pro: AI metadata leakage in JSON bodies.
📦 Detects in any response body:
rag_enabled
mcp_enabled
embedding_model
vector_db
*_tokens
model_provider
service_version
Nearly every SOC we talk to is automating something with LLMs.
L1 phishing triage, ticket classifiers, alert enrichment.
And nearly all of them make the same two mistakes: secrets in the system prompt + LLM output with no validation.
The gateway is the map of the architecture. Kong → likely rate limiting and auth plugins. Envoy → service mesh + microservices. Latency headers → where the LLM provider lives.
Passive recon that changes the whole engagement
Profile 2 of the new AI/LLM set in Burp Bounty Pro: API gateway fingerprints.
🌐 Detects:
x-kong-upstream-latency
x-kong-proxy-latency
x-kong-request-id
x-envoy-upstream-service-time
x-envoy-attempt-count
x-envoy-original-path
Sharp take from my @kaptorsecurity co-founder @joserabal.
Technical people used to be the most aware of the risks. Now we're one of attackers' favourite targets. Malicious extensions, agent Skills repos, indirect prompt injection.
Full take 👇
https://t.co/hoZCvH8QZ6
AI pentests are growing fast. The first step on any of them: figure out the model, the provider, the architecture.
Profile #1 of 6 in the new AI/LLM set detects:
🔍 x-ai-backend
🔍 x-llm-provider
🔍 x-openai-model
🔍 x-anthropic-model
🔍 x-mcp-enabled
🔍 x-model
Validate them on Burp Bounty Lab. Load Burp Bounty Pro with the new profiles, point at https://t.co/oejZ4v3yxC, all 6 fire.
Start of an AI-focused profile set. Disclosure patterns you keep seeing in AI pentests? Drop them.
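A passive checker for the disclosure indicators the profile posts above describe (response headers from profiles 1, 2 and 6; JSON fields and the OpenAI-style schema from profiles 4 and 5), useful for auditing your own responses before an assessment finds them. This is an added example, not Burp Bounty's own code: the profile labels, the sample headers and body, and the exact chatcmpl ID format used for matching are assumptions.

```python
import fnmatch
import json
import re
# Indicators listed in the Burp Bounty Pro AI/LLM profile posts (profiles 1, 2, 4, 5, 6).
HEADER_PATTERNS = {
    "ai-backend-header": ["x-ai-backend", "x-llm-provider", "x-openai-model",
                          "x-anthropic-model", "x-mcp-enabled", "x-model"],
    "api-gateway": ["x-kong-upstream-latency", "x-kong-proxy-latency", "x-kong-request-id",
                    "x-envoy-upstream-service-time", "x-envoy-attempt-count", "x-envoy-original-path"],
    "ratelimit-disclosure": ["ratelimit-*", "x-ratelimit-*"],
}
JSON_KEY_PATTERNS = ["rag_enabled", "mcp_enabled", "embedding_model", "vector_db",
                     "*_tokens", "model_provider", "service_version"]

def _walk(node, path=""):
    # Yield (dotted_path, key, value) for every key in nested JSON, descending into lists too.
    if isinstance(node, dict):
        for k, v in node.items():
            p = f"{path}.{k}" if path else k
            yield p, k, v
            yield from _walk(v, p)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")

def fingerprint_response(headers, body):
    # headers: dict name -> value (matched case-insensitively); body: response text.
    # Returns sorted (profile, evidence) pairs; a non-JSON body still yields header findings.
    findings = set()
    for lname in (name.lower() for name in headers):
        for profile, patterns in HEADER_PATTERNS.items():
            if any(fnmatch.fnmatchcase(lname, p) for p in patterns):
                findings.add((profile, lname))
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return sorted(findings)
    for path, key, value in _walk(data):
        if any(fnmatch.fnmatchcase(key, p) for p in JSON_KEY_PATTERNS):
            findings.add(("ai-metadata-leak", path))
        if key == "id" and isinstance(value, str) and re.fullmatch(r"chatcmpl-[A-Za-z0-9]+", value):
            findings.add(("openai-compatible-api", path))
    if isinstance(data, dict) and {"choices", "model", "usage"} <= set(data):
        findings.add(("openai-compatible-api", "choices+model+usage"))
    return sorted(findings)

# Constructed sample response, not captured from any real system.
SAMPLE_HEADERS = {"X-RateLimit-Remaining": "99", "x-kong-request-id": "r1", "X-LLM-Provider": "openai"}
SAMPLE_BODY = json.dumps({"id": "chatcmpl-abc123", "model": "gpt-x", "choices": [], "usage":
                          {"prompt_tokens": 900}, "meta": {"rag_enabled": True, "vector_db": "pgvector"}})
```

Running fingerprint_response(SAMPLE_HEADERS, SAMPLE_BODY) reports all five profile families on the constructed sample, including the nested usage.prompt_tokens and meta.rag_enabled fields that a flat key check would miss.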
Have you tried "definitive solutions" for AI-driven pentesting and only ended up wasting time on false positives?
In our latest blog post: six approaches, what pays off and what doesn’t, and how to integrate AI at a sensible cost-benefit ratio.
https://t.co/quLRye6jf2
Have you tried AI-driven pentesting and felt it falls short of what you expected?
Loss of focus, false positives, low-impact findings, token costs that don’t pay off...
This Thursday on the Kaptor blog: approaches, architectures, and tips to make AI genuinely useful.
5 features the data says most users miss:
🏷️ Tags Manager
🧠 Custom Smart Scan rules
🔗 Multi-step profiles
✨ AI Scanner prompt customization
🪙 Per-host scan deduplication
Deep dive each day. Some old, some new in v3.1.0. All worth knowing.
https://t.co/TAvUZKZFrK
Sent a survey to Burp Bounty Pro users. Half didn't know Tags Manager existed.
We spent months building it. It powers Smart Scan rules, filters the Profiles tab, organizes scans by tech stack. Half the people using BBP daily weren't touching it.
This week: a roundup.
The math: scan 500 endpoints across 3 hosts. Without dedup, 62 profiles fire 500 times each. With dedup, 3 times each. ~30,000 fewer requests, same coverage ✨
Automatic. No config needed.
https://t.co/MkBw00NIkZ
Quiet v3.1.0 feature in Burp Bounty Pro: per-host scan deduplication.
62 of 256 default profiles run once per host, not once per request:
📂 Exposed .git
🔑 Admin panel discovery
📦 Backup files at root
⚙️ Actuator/management endpoints
🖥 Server-wide tech detection