Redaction Pipeline

The redaction pipeline transforms raw Burp context into privacy-safe payloads before data is sent to AI backends or external MCP clients.

Pipeline Overview

Design Goals

Prevent sensitive values from leaving Burp unexpectedly.
Preserve enough structure for useful security analysis.
Support deterministic outputs when reproducibility is required.

Privacy Modes

Mode

Auth Tokens

Hostnames

STRICT

Stripped

Redacted

Anonymized

BALANCED

Stripped

Redacted

Preserved

OFF

Preserved

Redaction Steps

Removes Cookie: and Set-Cookie: values.

Applies to: STRICT, BALANCED
Skipped in: OFF

2. Auth Token Redaction

Redacts values from authentication headers (Authorization, Proxy-Authorization, X-API-Key, API-Key) and JWT-like tokens.

Applies to: STRICT, BALANCED
Skipped in: OFF

3. Host Anonymization

In STRICT, hostnames are pseudonymized using a salt-based hash.

pseudonym = "host-" + SHA256(salt + ":" + hostname)[0:6] + ".local"

The mapping is stable for the same salt and can be rotated per engagement.

Important Notes

Redaction applies to prompt/tool output data, not to active scanner network traffic.
MCP tool results are also filtered by the active privacy policy.
Rotate salt between engagements to reduce cross-project correlation.

Testing

RedactionTest.kt covers cookie stripping, token redaction patterns, hostname anonymization stability, and malformed input edge cases.

PreviousData Flow NextSupervisor & Backends

Last updated 15 days ago

Good afternoon

hashtagPipeline Overview

hashtagDesign Goals

hashtagPrivacy Modes

hashtagRedaction Steps

hashtag1. Cookie Stripping

hashtag2. Auth Token Redaction

hashtag3. Host Anonymization

hashtagImportant Notes

hashtagTesting