PortSwigger Launches Repeater Strike: AI-Powered Burp Extension Automates IDOR Discovery
PortSwigger Research has released Repeater Strike, an AI-driven Burp Suite extension that automates the detection of Insecure Direct Object Reference vulnerabilities by analyzing manual testing traffic and scanning proxy history.

PortSwigger Research has released Repeater Strike, a new AI-powered Burp Suite extension designed to automate the detection of Insecure Direct Object Reference (IDOR) and similar access control vulnerabilities during manual web application testing. The tool, introduced on July 15, 2025, leverages artificial intelligence to analyze requests sent through Burp's Repeater tool, generate smart regular expressions, and scan the tester's proxy history to uncover related issues across the target application.
Repeater Strike builds on earlier experimental work by PortSwigger researcher Gareth Heyes, who previously developed Shadow Repeater. The new extension takes the concept further by not only generating variations of a known vulnerability but also automatically hunting for similar flaws throughout the entire proxy history. Heyes explained that the tool uses AI to identify the vulnerability from a tester's manual probe, produce a structured JSON description of the parameter and response markers, and then mutate both the probe values and the response regexes to create a reusable "Strike Rule."
The technical workflow begins when a tester sends a request through Burp Repeater. The AI analyzes the request and response to identify the vulnerable parameter and unique response characteristics, such as reflected usernames or API key patterns. It then generates a set of mutated probes—like "admin," "testuser," or "anonymous"—along with corresponding response regexes that capture the expected patterns for each probe. Once the rule is created, Repeater Strike scans the proxy history for any requests that match the pattern, effectively amplifying a single manual finding into a broader set of actionable results.
One of the key advantages of Repeater Strike is its efficiency. According to Heyes, generating a single Strike Rule consumed only 61 tokens, and once the rule is created, no further AI tokens are needed for scanning. The extension also includes a Strike Rule editor that lets testers manually adjust generated regexes when the AI's output is imperfect, so a corrected rule can be rescanned without additional token cost. This makes the tool practical for continuous use during penetration testing engagements.
During development, Heyes encountered several challenges. Large responses from sites like Facebook overwhelmed the AI's ability to interpret context, and truncating data led to lost information. Inconsistent AI output, such as improperly escaped metacharacters in regexes, required programmatic workarounds. Generalizing the approach across different websites also proved difficult, as regex patterns that worked for one site often failed on another. Heyes experimented with response diffing to filter out noise but acknowledged that time constraints prevented a complete solution.
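To make the Strike Rule workflow and the regex-escaping caveat concrete, here is an added illustration (not code from Repeater Strike or PortSwigger): a rule in the shape the article describes (parameter, probe values, one response regex per probe) applied offline to a constructed proxy-history sample. The field names, URLs and response bodies are assumptions; nothing is sent to any server, the function only matches captured traffic.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed rule in the shape the article describes: the vulnerable parameter,
# the mutated probe values, and the response regex expected for each probe.
# Field names are assumptions, not the extension's real schema.
STRIKE_RULE = {
    "parameter": "user",
    "probes": {
        "admin": r"Welcome,\s*admin",
        "testuser": r"Welcome,\s*testuser",
        "anonymous": r"Welcome,\s*anonymous",
    },
}

# Constructed proxy-history sample: request URL with query string plus the
# captured response body. Only the first entry should satisfy the rule.
PROXY_HISTORY = [
    {"url": "https://app.example/profile?user=admin",
     "response": "<h1>Welcome, admin</h1><p>API key: ak_live_0001</p>"},
    {"url": "https://app.example/profile?user=carol",
     "response": "<h1>Welcome, carol</h1>"},
    {"url": "https://app.example/profile?user=testuser",
     "response": "403 Forbidden"},
    {"url": "https://app.example/search?q=admin",
     "response": "Results for admin"},
]


def compile_probe_regex(pattern: str) -> re.Pattern:
    """Compile a model-generated regex; on a bad escape or other syntax error,
    fall back to a literal match so one malformed pattern does not abort the
    whole scan (the inconsistent escaping the article mentions)."""
    try:
        return re.compile(pattern)
    except re.error:
        return re.compile(re.escape(pattern))


def scan_history(rule: dict, history: list) -> list:
    """Apply a Strike Rule to captured traffic. An entry is a hit when the
    request carries the rule's parameter set to a probe value and the captured
    response matches that probe's regex. No requests are sent."""
    compiled = {p: compile_probe_regex(rx) for p, rx in rule["probes"].items()}
    hits = []
    for entry in history:
        query = parse_qs(urlparse(entry["url"]).query)
        for value in query.get(rule["parameter"], []):
            regex = compiled.get(value)
            if regex and regex.search(entry["response"]):
                hits.append({"url": entry["url"], "probe": value})
    return hits
```

Running `scan_history(STRIKE_RULE, PROXY_HISTORY)` flags only the `user=admin` entry; the `testuser` request is skipped because its 403 body does not match, and `carol` is not a probe value at all.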
Repeater Strike represents a significant step in applying AI to offensive security workflows, particularly for automating the tedious process of hunting IDOR vulnerabilities—a class of bug that remains pervasive in web applications. By turning a single manual test into a broader automated scan, the tool promises to save penetration testers hours of repetitive work while increasing the likelihood of discovering hidden access control flaws. The extension is available now for Burp Suite users, and PortSwigger has open-sourced the code to encourage community contributions and further development.