A comprehensive Burp Suite extension for managing security testing notes with professional features, structured documentation, multi-format export capabilities, and optimized dark/light theme support.
Created by: @ronydasx
- Custom Main Tab: Dedicated "Notes Binder" tab in Burp Suite for centralized note management
- Context Menu Integration: Right-click "Bind Note" option in Proxy History and Repeater tabs
- Structured Note-Taking: Organized fields for Title, Severity, Description, and Proof of Concept
- Automatic PoC Population: HTTP requests and responses are automatically captured
- Note Management: View, organize, and manage all notes in a user-friendly interface
- Multi-Format Export: Generate professional reports in Markdown, JSON, and CSV formats
- Dark/Light Theme Support: Optimized UI with proper text visibility in both Burp Suite themes
- CRUD Operations: Complete Create, Read, Update, Delete functionality for notes
- Import/Export: Save and restore note collections for persistence
- Burp Suite Professional or Community Edition
- Java Development Kit (JDK) 11 or higher
- Montoya API JAR file (place in project root as
montoya-api-2025.8.jar)
Automated Build with PowerShell:
- Clone/Download the project
- Place Montoya API JAR in the project root directory
- Run the PowerShell build script:
.\build.ps1
PowerShell Build Script Features:
- Automatically detects and validates Java installation
- Provides helpful error messages if Java/JDK is not properly installed
- Handles Java tools not in PATH (uses JAVA_HOME)
- UTF-8 encoding support for Unicode characters
- Clean build options
PowerShell Build Options:
.\build.ps1 # Standard build
.\build.ps1 -Clean # Clean build (removes old class files)
.\build.ps1 -Verbose # Verbose output for debugging
.\build.ps1 -NoJar # Compile only, don't create JAR
.\build.ps1 -Help # Show all available optionsAutomated Build with Bash:
- Clone/Download the project
- Place Montoya API JAR in the project root directory
- Run the build script:
./build.sh
Bash Build Options:
./build.sh # Standard build
./build.sh --clean # Clean build (removes old class files)
./build.sh --help # Show help and options
./build.sh --no-jar # Compile only, don't create JARIf you prefer manual compilation:
Windows:
mkdir build dist
javac -cp montoya-api-2025.8.jar -d build -encoding UTF-8 src/AuditPad.java
cd build && jar cf ../dist/AuditPad.jar *.class && cd ..Linux/macOS:
mkdir -p build dist
javac -cp montoya-api-2025.8.jar -d build -encoding UTF-8 src/AuditPad.java
cd build && jar cf ../dist/AuditPad.jar *.class && cd ..- Open Burp Suite
- Go to Extensions → Installed → Add
- Select "Java" as extension type
- Choose
dist/AuditPad.jar - Click "Next" to load
- Navigate to Proxy History or Repeater
- Right-click on any HTTP request
- Select "Bind Note" from the context menu
- Fill in the note details:
- Title: Short, descriptive name for the finding
- Severity: Select from Critical, High, Medium, Low, or Informational
- Description: Detailed explanation of the vulnerability or finding
- Proof of Concept: Automatically populated with the selected request/response
- Click "Save" to store the note
- Switch to the "Notes Binder" tab
- View all notes in the table on the left
- Click on any note to view full details on the right
- Edit notes by double-clicking or using the context menu
- Delete notes using the context menu
- Notes are sorted by timestamp for easy organization
The extension supports multiple export formats:
Markdown Export:
- Go to the "Notes Binder" tab
- Click "Export Notes (Markdown)"
- Choose a location to save your report
- Generated file includes professional formatting with timestamps and findings count
JSON Export:
- Click "Export as JSON" for structured data export
- Perfect for integration with other tools or custom processing
CSV Export:
- Click "Export as CSV" for spreadsheet-compatible format
- Easy import into Excel, Google Sheets, or other analysis tools
Export Notes Collection:
- Use "Export as JSON" to save all notes for later use
- Maintains all note data including timestamps and metadata
Import Notes Collection:
- Use "Import Notes" to restore previously saved note collections
- Merges with existing notes without duplicates
- AuditPad: Main extension class implementing BurpExtension
- Note: Data class for storing note information with full CRUD support
- NotesContextMenuProvider: Handles context menu integration
- ThemeColors: Advanced theme detection and color management for dark/light modes
- Export Listeners: Multiple format export handlers (Markdown, JSON, CSV)
- Memory-based Storage: Notes persist during the Burp session
- Advanced Theme Support: Automatic detection and optimization for Burp Suite's dark/light themes
- Swing UI Components: Professional interface using Java Swing with theme-aware styling
- Montoya API Integration: Full compatibility with modern Burp Suite versions
- Thread-safe Operations: Proper handling of UI updates and data management
- UTF-8 Support: Full Unicode character support for international content
The extension automatically detects Burp Suite's theme and adjusts:
- Text Colors: White text for dark theme, black text for light theme
- Background Colors: Theme-appropriate backgrounds for optimal readability
- Border Colors: Subtle borders that work in both themes
- Severity Colors: Color-coded severity levels optimized for each theme
PentestNoteBinder/
├── src/
│ └── AuditPad.java # Main extension source code (1577+ lines)
├── build/ # Compiled class files (auto-generated)
│ ├── AuditPad.class
│ ├── AuditPad$Note.class
│ ├── AuditPad$ThemeColors.class
│ └── ... # Other inner class files
├── dist/
│ └── AuditPad.jar # Final JAR file (auto-generated)
├── build.sh # Linux/macOS build script
├── build.ps1 # Windows PowerShell build script
├── montoya-api-2025.8.jar # Montoya API (place here)
├── LICENSE # License file
└── README.md # This documentation
Java Not Found:
- Windows: The PowerShell script will guide you to download JDK from Oracle or Adoptium
- All Platforms: Ensure JDK 11+ is installed and JAVA_HOME is set correctly
- Verify with:
java -versionandjavac -version
javac/jar Not Found:
- Windows: PowerShell script automatically finds tools in JAVA_HOME
- All Platforms: Ensure JDK (not just JRE) is installed
- Add
$JAVA_HOME/binto your PATH
-
Extension fails to load:
- Verify Java version compatibility (JDK 11+)
- Check that Montoya API was in classpath during compilation
- Ensure Burp Suite version supports Montoya API
- Try rebuilding with
-Cleanoption
-
Compilation errors with Unicode characters:
- Use the provided build scripts (they include
-encoding UTF-8) - For manual builds, always include
-encoding UTF-8parameter
- Use the provided build scripts (they include
-
Text not visible in dark/light theme:
- Current version automatically handles theme detection
- Rebuild the extension if you experience issues
- Report theme-specific issues with your Burp Suite version
-
Context menu not appearing:
- Verify you're right-clicking in Proxy History or Repeater tabs
- Check that the extension loaded successfully in Extensions tab
- Look for error messages in Burp Suite's output
-
Export functionality not working:
- Ensure you have write permissions to the selected directory
- Check that there are notes to export
- Try different export formats (Markdown, JSON, CSV)
-
Import not working:
- Ensure JSON file is properly formatted
- Check file permissions
- Verify JSON structure matches exported format
The extension logs important events to Burp Suite's output:
- Extension loading/unloading messages
- Theme detection information
- Error information for troubleshooting
- Export/import operation status
- API: Burp Suite Montoya API
- Language: Java 11+
- UI Framework: Java Swing with custom theme support
- Storage: In-memory (session-based) with export/import for persistence
- Export Formats: Markdown, JSON, CSV
- Supported Tools: Proxy History, Repeater
- Theme Support: Automatic dark/light theme detection and optimization
- Character Encoding: UTF-8 with full Unicode support
- Build Systems: PowerShell (Windows), Bash (Linux/macOS), Manual
-
v2.0: Major update with enhanced features
- Multi-format export (Markdown, JSON, CSV)
- Import/export functionality for persistence
- Advanced dark/light theme support with automatic detection
- CRUD operations for notes (Create, Read, Update, Delete)
- Windows PowerShell build script with Java validation
- UTF-8 encoding support for Unicode characters
- Improved UI with theme-aware styling
- Enhanced error handling and user feedback
-
v1.0: Initial release with core functionality
- Custom main tab
- Context menu integration
- Note-taking dialog
- Basic Markdown export
- Complete Montoya API implementation
- Java Development Kit (JDK) 11 or higher
- Burp Suite Community or Professional Edition
- Windows 10+ (for PowerShell script) or Linux/macOS (for Bash script)
- Java Development Kit (JDK) 17 or higher
- Burp Suite Professional Edition (latest version)
- 4GB+ RAM for handling large note collections
This extension is provided as-is for educational and professional penetration testing purposes. See LICENSE file for details.
For issues, questions, or contributions:
- Check the troubleshooting section above
- Review the source code comments for implementation details
- Refer to Burp Suite extension development documentation
- Test with the latest Burp Suite version
- Built using the Burp Suite Montoya API
- Designed for professional penetration testing workflows
- Optimized for both individual testers and team environments