Professional

TruffleHog Integration

Scan Burp Suite traffic for 800+ different types of secrets (API keys, passwords, SSH keys, etc) using TruffleHog!

How it works

Every 10 seconds the extension runs TruffleHog to check for secrets in Burp Suite traffic.

  1. The extension writes all HTTP traffic (from the configured Burp Suite tools - proxy, repeater, intruder, etc.) to disk in a temp directory.
  2. Every 10 seconds, the extension invokes TruffleHog to scan the files in that temp directory and then immediately deletes them.
  3. If secrets are found, they're reported in the "TruffleHog" tab. When you click into a detected secret, the "Location URLs" table lists every endpoint containing that exact secret. When you click on a specific URL, you'll see the secret details, as well as the actual request or response containing that secret.

Note: If we can't automatically find the TruffleHog binary in your PATH, you'll need to specify the path to TruffleHog in the TruffleHog Burp Suite tab.

Secrets results

If "Verify Secrets" is enabled (default), the TruffleHog tab will only show secrets that are currently live.

Scanning interval

Because we're scanning in 10-second intervals, there may be a lag of up to 15 seconds between loading a page containing a secret and seeing it displayed in the TruffleHog tab.

Keyword Preflighting

We separate the request/response headers from the request/response body content for analysis. We do this to add additional keyword context to the headers, which helps maximize the amount of secrets the extension can find.
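The write-scan-delete cycle from "How it works" and the header/body split above, as an added Python example that is not the extension's own code: messages are written to a temp directory as separate header and body files, a scanner runs over the directory, the files are deleted, and each finding is mapped back to its Location URLs through a manifest. `fake_scanner`, the sample messages and the assumed shape of TruffleHog's JSON output are constructed here so the example runs offline without the trufflehog binary.

```python
import os
import re
import shutil
import tempfile
# Constructed sample of captured Burp messages: (tool, url, headers, body).
SAMPLE_MESSAGES = [
    ("proxy", "https://api.example.test/v1/login",
     "POST /v1/login HTTP/1.1\r\nAuthorization: Bearer AKIAIOSFODNN7EXAMPLE\r\n",
     '{"user": "alice"}'),
    ("repeater", "https://api.example.test/v1/profile",
     "GET /v1/profile HTTP/1.1\r\nHost: api.example.test\r\n",
     '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE"}'),
    ("proxy", "https://cdn.example.test/app.js", "GET /app.js HTTP/1.1\r\n", "ok"),
]

def write_batch(messages, batch_dir):
    """Write headers and body of each message as separate files; return file name -> (tool, url)."""
    manifest = {}
    for i, (tool, url, headers, body) in enumerate(messages):
        for kind, text in (("headers", headers), ("body", body)):
            name = f"msg{i:04d}.{kind}.txt"
            with open(os.path.join(batch_dir, name), "w") as fh:
                fh.write(text)
            manifest[name] = (tool, url)  # lets a finding be mapped back to its URL
    return manifest

def fake_scanner(batch_dir):
    """Offline stand-in for TruffleHog: flags AWS-style key IDs using the assumed JSON field layout."""
    findings = []
    for name in sorted(os.listdir(batch_dir)):
        path = os.path.join(batch_dir, name)
        with open(path) as fh:
            for m in re.finditer(r"AKIA[0-9A-Z]{16}", fh.read()):
                findings.append({"DetectorName": "AWS", "Raw": m.group(0),
                    "SourceMetadata": {"Data": {"Filesystem": {"file": path}}}})
    return findings

def scan_interval(messages, scanner=fake_scanner):
    """One tick: write batch to a temp dir, scan, delete, map each secret to its Location URLs."""
    batch_dir = tempfile.mkdtemp(prefix="th_burp_")
    try:
        manifest = write_batch(messages, batch_dir)
        findings = scanner(batch_dir)
    finally:
        shutil.rmtree(batch_dir)  # scanned files are deleted right away
    locations = {}
    for f in findings:
        name = os.path.basename(f["SourceMetadata"]["Data"]["Filesystem"]["file"])
        locations.setdefault((f["DetectorName"], f["Raw"]), set()).add(manifest[name][1])
    return {k: sorted(v) for k, v in locations.items()}
```

Because the same secret is seen once in a header and once in a body, the result groups both URLs under a single finding, which is the behaviour the "Location URLs" table describes.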

Additional configuration

Click on the TruffleHog tab to see the available configuration options. Configuration changes take effect immediately.

Burp Suite

By default, only "Proxy" traffic will be scanned. Configure analyzed traffic in the TruffleHog tab.

TruffleHog

Secret Verification is Enabled by default. This means that the extension will attempt to verify each secret that it finds via an HTTP request. You can turn this off by de-selecting the "Verify Secrets" checkbox.

Overlapping Secret Verification is Disabled by default. This means that the extension will not allow overlapping secret checks. You can turn this on by selecting the "Allow Overlapping Verification" checkbox.

Author

Truffle Security

Version

1.0.0

Last updated

11 March 2025

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
