A transparent intercepting proxy + execution sandbox + agent interface for AI-driven web pentesting.
burpwn is to an AI agent what Burp Suite is to a human pentester. It runs every command an agent executes inside a rootless Linux sandbox whose entire network (HTTP/HTTPS/DNS/TCP) is forced through a built-in intercepting proxy. The agent can then go back through history, search and filter the decrypted request/response flows, replay and edit them (Repeater), apply match/replace rules, block and rewrite traffic in flight, and organize flows into workspaces — all from a scriptable CLI or over MCP. It is at once a Burp and a tshark, but driven by an agent.
Status:early development. See the milestones below.
Existing intercepting proxies are built for a human clicking in a GUI. An autonomous agent needs a programmatic surface: create a session, run tooling, and query the captured traffic — without the agent's own LLM traffic ever being captured. burpwn delivers exactly that: the agent process stays outside the sandbox; only the commands it executes (its children) enter the captured network namespace, so LLM traffic is excluded by construction.
Rootless transparent sandbox. Each executed command runs in its own Linux user + network namespace. An nftablesREDIRECT
ruleset inside that namespace forces all TCP (and UDP/53) to the burpwn proxy. bubblewrap isolates the filesystem and processes. No root, no setuid, no CAP_NET_ADMIN on the host — the kernel grants the needed capabilityinsidethe child namespace.TLS-MITM. A per-install root CA is generated once; leaf certs are minted on the fly per SNI and the CA is injected into the sandbox trust store so HTTPS is decrypted. Cert-pinned targets fall back cleanly to TLS pass-through with metadata-only logging.Capture & query. Flows are stored in a per-session SQLite database (WAL, content-addressed body dedup, FTS5 full-text search) written by a single-writer task off the proxy hot path.Agent integration (rtk-style).burpwn init
installs the right command-rewrite hook for the detected agent (Claude Code / Copilot, Cursor, Gemini CLI, Cline/Roo), plus a generic global shell hook so even a custom agent is covered.
burpwn doctor # check the rootless prerequisites
burpwn ca init && burpwn ca export # generate / print the MITM CA
burpwn session new --name engagement-1
burpwn exec -- curl -s https://target.example/ # runs sandboxed; traffic captured + decrypted
burpwn req list # browse captured flows
burpwn req show 42 --raw # decrypted request + response
burpwn req replay 42 --set-header 'X: 1' # Repeater
burpwn intercept enable # blocking intercept (also via MCP await_intercept)
Linux-only (relies on user/network namespaces, nftables, bubblewrap). Install the prerequisites
first — Fedora/RHEL: sudo dnf install bubblewrap nftables iproute
; Debian/Ubuntu:
sudo apt install bubblewrap nftables iproute2
.
curl -fsSL https://raw.githubusercontent.com/own2pwn-fr/burpwn/main/install.sh | sh
./install.sh # ./install.sh --hooks also installs the global shell hook
./install.sh --from-source # force a source build
cargo install --git https://github.com/own2pwn-fr/burpwn burpwn
make install # PREFIX=/usr/local make install (may need sudo); `make help` lists tasks
The curl | sh
path downloads the release binary for your architecture (x86_64 / aarch64 Linux) and
verifies its checksum; if none matches it falls back to a cargo
source build.
cargo build --release # produces a single `burpwn` binary at target/release/burpwn
cargo test # the privileged rootless-sandbox test is #[ignore]d
burpwn init
installs an rtk-style command-rewrite hook so every shell command your agent runs is
transparently routed through burpwn exec
(captured + decrypted), while the agent's own LLM traffic is never touched. There is also an MCP server and a ready-made agent skill:
burpwn init --agent claude # Claude Code / Copilot PreToolUse hook (also: cursor, gemini, cline)
burpwn init --global # generic shell hook — works for any agent
burpwn mcp # MCP server over stdio (session/exec/req/intercept tools)
The bundled agent skill lives in skills/burpwn/ — copy it into
~/.claude/skills/
(or your agent's skills dir) to teach an agent the workflow.