Proof-of-testing coverage tracker for Burp Suite.
ScopeProof gives pentesters a real-time view of which endpoints have been tested, how deeply, and what gaps remain. It captures traffic from every Burp tool automatically and aggregates it into a single coverage dashboard — no manual bookkeeping required.
- Engagements — Workspace-style isolation. Each engagement gets its own traffic, annotations, scope, and baseline. Create, switch, rename, and delete engagements from the toolbar pill or the Manage dialog. Existing data auto-migrates to a "Default" engagement on first run.
- Three views — Switch between Table, Triage, and Workflow layouts from the header.
- Table — The original coverage table with request list and request/response viewers.
- Triage — Faceted sidebar (Priority, Depth, Method, Auth, Tag) + endpoint table + detail panel showing coverage, attributes, and notes for the selected endpoint.
- Workflow — Hero cards (coverage donut, priority breakdown, activity sparkline) + a ranked "Next Up" queue of what to test next.
- Redesigned UI — Teal accent color, KPI strip with donut chart and progress bar, restyled filter pills, and updated typography.
- FlatLaf — Bundled for modern Swing component styling.
- Real-time traffic capture — Automatically tracks requests from Proxy, Repeater, Intruder, Scanner, and all other Burp tools. Auto-imports proxy history on first load.
- Engagements (workspaces) — Isolated workspaces per engagement, each with its own traffic records, annotations, scope, and Swagger baseline. Switch instantly from the toolbar.
- Endpoint aggregation — Groups requests by normalized endpoint (e.g. `/users/123` and `/users/456` become `/users/{id}`), with smart grouping for Intruder/Scanner payloads.
- Testing depth classification — Automatically classifies each endpoint as Thoroughly Tested, Fuzz Tested, Manually Tested, Observed, Untested, or Missing based on which tools have interacted with it.
- Smart priority scoring — Scores endpoints 0–100 based on factual signals: write methods, path parameters, sensitive parameters, auth state, status codes, testing depth, and payload coverage. Hover over any Priority cell to see the score breakdown.
- Three views — Table (classic coverage table), Triage (faceted filtering + detail panel), and Workflow (hero KPIs + Next Up queue).
- Filter chips — One-click filters: All, Next Up, Untested, Missing, High Priority, Has Exploits, Auth Only, and Tested.
- Faceted filtering — In Triage view, filter endpoints by Priority, Depth, Method, Auth, and Tag with checkbox facets and live counts.
- Next Up queue — Prioritized testing queue sorted by score. Flag any endpoint for review via right-click context menu and it appears in Next Up instantly.
- Auth state tracking — Dedicated Auth column shows whether each endpoint has been tested with authenticated, unauthenticated, or both types of requests.
- Swagger/OpenAPI baseline — Import an API spec to see which endpoints are missing from your traffic. Missing endpoints appear in the table with a distinct visual style.
- Attack payload detection — Tracks payload categories (XSS, SQLi, Path Traversal, CMDi, SSTI, SSRF, XXE) by matching user-defined signatures in request content. Add your own payloads per category and ScopeProof flags which endpoints have been hit.
- Confirmed exploit tracking — Right-click to mark an endpoint as exploited for a specific vulnerability category. Exploited endpoints are highlighted in the Tests column.
- Intruder payload generator — Registered payload generators let you fire your custom payloads directly from Intruder.
- Scope filtering — Filter by host (supports wildcards like `*.example.com`), import from Burp's target scope, or load from file.
- Persistent storage — All captured data, notes, tags, and flags survive Burp restarts. Auto-saves every 30 seconds. Per-engagement storage under `~/.scopeproof/engagements/`.
- Export — JSON and CSV export for reports. CSV output is sanitized against formula injection.
- Context menu integration — Right-click to mark requests as tested, flag for review, mark decoder usage, mark exploits, report findings, or tag selected text as a payload.
- ScopeProof Pro upload — Optionally upload coverage reports to ScopeProof Pro for team dashboards and historical tracking.
- Open Burp Suite.
- Go to Extensions > BApp Store.
- Search for ScopeProof.
- Click Install.
- Clone and build:

  ```bash
  git clone https://github.com/ScopeProof/ScopeProof-BurpExtension.git
  cd ScopeProof-BurpExtension
  ./gradlew jar
  ```

- In Burp Suite, go to Extensions > Installed > Add.
- Set Extension type to Java.
- Select `build/libs/ScopeProof-1.2.0.jar`.
- Burp Suite Professional or Community Edition
- Java 17 or later (bundled with modern Burp releases)
Once installed, a ScopeProof tab appears in Burp Suite.
- Browse your target through Burp Proxy as usual. ScopeProof captures traffic automatically.
- Click Refresh to also import existing proxy history and site map entries.
- Use the Edit link next to Scope or Settings > Filters to set your scope hosts and exclude static resources or noise domains.
Engagements are isolated workspaces — each one has its own traffic, annotations, scope, and baseline.
- Click the engagement pill in the toolbar to switch, create, rename, or delete engagements.
- Click Manage Engagements for the full management dialog.
- Each engagement persists independently under `~/.scopeproof/engagements/{id}/`.
- Existing users' data auto-migrates to a "Default" engagement on first run.
Switch between views using the Table | Triage | Workflow toggle in the header.
| View | Best for |
|---|---|
| Table | Detailed endpoint inspection — coverage table + request list + request/response viewers |
| Triage | Filtering and review — faceted sidebar + table + detail panel with coverage, attributes, and notes |
| Workflow | Planning — hero KPI cards (coverage, priority, activity) + ranked "Next Up" queue |
The main table shows one row per unique endpoint with:
| Column | Description |
|---|---|
| Host | Target hostname |
| Endpoint | Normalized path (dynamic segments replaced with {id}, {uuid}, etc.) |
| Methods | HTTP methods observed (GET, POST, etc.) |
| Reqs | Total request count |
| Priority | Smart priority score: Critical (70+), High (45+), Medium (25+), Low. Hover for breakdown. |
| Depth | Testing depth: Thoroughly Tested, Fuzz Tested, Manually Tested, Observed, Untested, or Missing |
| Tested By | Which tools hit this endpoint and how many times |
| Auth | Auth state: Both, Auth Only, or Unauth Only |
| Status Codes | Response status code distribution |
| Tests | Detected payload categories and confirmed exploits |
| Tag | User-assigned tag (double-click to edit) |
| Notes | Free-text notes (double-click to edit) |
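The normalization behind the Endpoint column, as an added illustration (this is not the extension's own code): dynamic segments are rewritten to `{id}` or `{uuid}` so that requests to different records collapse into one row. The segment patterns and the `aggregate` helper are assumptions chosen to match the documented outcome.

```python
import re
from collections import defaultdict

# Assumed segment patterns (hypothetical); the extension's own rules may differ.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
NUM_RE = re.compile(r"^\d+$")
HEX_RE = re.compile(r"^[0-9a-f]{16,}$", re.I)

def normalize_path(path: str) -> str:
    """Map /users/123 and /users/456 to /users/{id}; UUID segments become {uuid}."""
    path = path.split("?", 1)[0]  # the query string is not part of the endpoint key
    out = []
    for seg in path.split("/"):
        if UUID_RE.match(seg):
            out.append("{uuid}")
        elif NUM_RE.match(seg) or HEX_RE.match(seg):
            out.append("{id}")
        else:
            out.append(seg)
    return "/".join(out)

def aggregate(requests):
    """Group (host, method, path, tool) tuples into one row per normalized endpoint."""
    rows = defaultdict(lambda: {"methods": set(), "reqs": 0, "tools": set()})
    for host, method, path, tool in requests:
        row = rows[(host, normalize_path(path))]
        row["methods"].add(method)
        row["reqs"] += 1
        row["tools"].add(tool)
    return dict(rows)

# Constructed sample traffic, not captured from a real target.
SAMPLE = [
    ("api.example.com", "GET", "/users/123", "Proxy"),
    ("api.example.com", "GET", "/users/456?expand=1", "Proxy"),
    ("api.example.com", "DELETE", "/users/456", "Repeater"),
    ("api.example.com", "GET", "/orders/550e8400-e29b-41d4-a716-446655440000/items", "Proxy"),
    ("api.example.com", "POST", "/login", "Proxy"),
]

if __name__ == "__main__":
    for (host, endpoint), row in sorted(aggregate(SAMPLE).items()):
        print(host, endpoint, sorted(row["methods"]), row["reqs"], sorted(row["tools"]))
```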
| Depth | Criteria |
|---|---|
| Thoroughly Tested | Fuzz tested + manually tested + 10 or more requests |
| Fuzz Tested | Hit by Intruder or Scanner |
| Manually Tested | Hit by Repeater, Extensions, or edited in Proxy |
| Observed | 3 or more passive requests |
| Untested | Fewer than 3 passive requests, no active testing |
| Missing | Expected from Swagger/OpenAPI baseline but not yet observed in traffic |
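The depth criteria above, worked through as an added example (not the extension's code) so the precedence between rows is explicit: a baseline-only endpoint is Missing, thorough testing requires both fuzz and manual activity plus 10 requests, and passive Proxy traffic alone can only reach Observed. The input shape (a Counter of requests per Burp tool, plus a flag for edited Proxy requests) is an assumption.

```python
from collections import Counter

FUZZ_TOOLS = {"Intruder", "Scanner"}
MANUAL_TOOLS = {"Repeater", "Extensions"}

def classify_depth(tool_counts, in_baseline=False, proxy_edited=False):
    """Apply the depth criteria to one endpoint.

    tool_counts: Counter of Burp tool name -> requests seen from that tool.
    Assumption: unedited Proxy traffic is the 'passive' count, and an edited
    Proxy request counts as manual testing.
    """
    total = sum(tool_counts.values())
    if total == 0:
        return "Missing" if in_baseline else "Untested"
    fuzz = any(tool_counts[t] > 0 for t in FUZZ_TOOLS)
    manual = proxy_edited or any(tool_counts[t] > 0 for t in MANUAL_TOOLS)
    if fuzz and manual and total >= 10:
        return "Thoroughly Tested"
    if fuzz:
        return "Fuzz Tested"
    if manual:
        return "Manually Tested"
    return "Observed" if tool_counts["Proxy"] >= 3 else "Untested"

def coverage_summary(observed, baseline):
    """observed: {endpoint: (Counter, proxy_edited)}; baseline: endpoints from the spec."""
    depth = {ep: classify_depth(counts, ep in baseline, edited)
             for ep, (counts, edited) in observed.items()}
    for ep in baseline - observed.keys():  # in the spec, never seen in traffic
        depth[ep] = "Missing"
    return depth

# Constructed per-endpoint activity, not real engagement data.
OBSERVED = {
    "GET /users/{id}": (Counter({"Proxy": 5, "Repeater": 2, "Intruder": 40}), False),
    "POST /login": (Counter({"Proxy": 2, "Scanner": 3}), False),
    "PUT /users/{id}": (Counter({"Proxy": 1}), True),
    "GET /health": (Counter({"Proxy": 4}), False),
    "GET /about": (Counter({"Proxy": 1}), False),
}
BASELINE = {"GET /users/{id}", "POST /login", "DELETE /users/{id}"}

if __name__ == "__main__":
    for ep, depth in sorted(coverage_summary(OBSERVED, BASELINE).items()):
        print(f"{depth:18} {ep}")
```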
Open Settings > Payloads to manage payload signatures per category. You can:
- Add individual payloads or paste/load lists.
- Use the built-in Intruder payload generator (ScopeProof - All Payloads or per-category).
- Right-click selected text in the request editor and choose Tag Payload (ScopeProof) to add new signatures on the fly.
- JSON — Full coverage report including summary statistics and engagement metadata.
- CSV — Flat table export for spreadsheets and reporting tools.
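The CSV formula-injection sanitization mentioned under Export, shown as an added example rather than the extension's own implementation: cells that a spreadsheet would evaluate as a formula (leading `=`, `+`, `-`, `@`, or a leading tab/CR) are prefixed with a single quote and every field is quoted. The column set and sample notes are constructed.

```python
import csv
import io

FORMULA_CHARS = ("=", "+", "-", "@")
CONTROL_PREFIX = ("\t", "\r")

def sanitize_cell(value) -> str:
    """Neutralize a cell so spreadsheet apps treat it as text, not a formula."""
    s = "" if value is None else str(value)
    # Leading whitespace is stripped by some apps before formula detection,
    # so check the trimmed value as well as raw tab/CR prefixes.
    if s.startswith(CONTROL_PREFIX) or s.lstrip().startswith(FORMULA_CHARS):
        return "'" + s
    return s

def rows_to_csv(header, rows) -> str:
    """Render a coverage table as CSV with every cell sanitized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()

# Constructed rows; the Notes column is free text a tester typed.
HEADER = ["Host", "Endpoint", "Notes"]
ROWS = [
    ("api.example.com", "/users/{id}", "=2+5"),
    ("api.example.com", "/login", "plain note"),
    ("api.example.com", "/health", "  @SUM(A1)"),
]

if __name__ == "__main__":
    print(rows_to_csv(HEADER, ROWS), end="")
```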
ScopeProof stores data in `~/.scopeproof/`:
| Path | Contents |
|---|---|
| `engagements.json` | Engagement manifest (list, active ID) |
| `engagements/{id}/scopeproof_records.json` | Captured traffic records |
| `engagements/{id}/scopeproof_annotations.json` | Notes, tags, and exploits |
| `engagements/{id}/scopeproof_baseline.json` | Swagger/OpenAPI baseline |
| `payloads.json` | Custom payload signatures |
```bash
./gradlew jar
```

The output jar is at `build/libs/ScopeProof-1.2.0.jar`.
- Montoya API 2025.3 (compile-only)
- Gson 2.11.0 (bundled in jar)
- FlatLaf 3.5.4 (bundled in jar)
Apache License 2.0. See LICENSE.
