SwordfishSuite: A Beginner‑Friendly Burp Alternative with Extensible Plugins
SwordfishSuite is a lightweight, open‑source web security testing platform inspired by Burp, offering an intuitive GUI, smart HTTPS proxy, a Python‑based plugin ecosystem, experimental app traffic analysis, and easy installation via GitHub releases, making it ideal for newcomers and seasoned testers alike.
1. What is SwordfishSuite?
SwordfishSuite is a modern web security testing platform designed for security researchers and penetration‑testing engineers. Its core positioning is to be lightweight and stable, provide a user‑friendly graphical interface, support a plugin‑based extension model, and handle both web and app traffic analysis.
Lightweight and efficient – no crashes or lag.
GUI‑driven, quick to learn.
Plugin architecture allows users to write their own extensions.
Supports both web and mobile traffic analysis.
In one sentence: daily capture, replay, scanning, and plugin extension are all handled in a single tool.
2. Core Features
1. Smart Proxy + HTTPS Interception
Seamlessly intercept, view, and modify HTTP/HTTPS traffic with multi‑client support. The first run installs a CA certificate, enabling HTTPS decryption without complex configuration.
2. Graphical GUI, Intuitive Operation
No need to memorize commands; a few clicks let you enable/disable the proxy, view request/response details, resend packets, launch payload scans, etc., making it very friendly for beginners.
3. Powerful Plugin System, Python One‑Click Extensions
The platform uses a Python‑based plugin ecosystem and ships with useful plugins such as:
JS Sensitive Information Extraction – automatically pulls cloud provider keys (AK/SK) from JavaScript.
Custom Rules – users can define their own dictionary rules in extract-string-list.json and add scanners or analysis scripts on top of them, which keeps the tool highly customizable.
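The following is an added example, not SwordfishSuite's own plugin code, of how a rule‑driven JavaScript secret extractor like the one described above works. The page does not show the schema of extract-string-list.json, so the "rule name → regex" layout, the rule names, and the sample JavaScript bundle are all assumptions constructed for this illustration; the planted key values are non‑functional placeholders (the AKIA value is the one used in AWS documentation). The point of the example is the defensive one: finding hard‑coded cloud credentials in shipped front‑end code before anyone else does, and reporting them redacted so the scan output does not leak the secret a second time.

```python
import json
import re
from typing import Dict, List

# Constructed rule file. The real extract-string-list.json schema is not shown on
# the page, so "rule name -> regex" is an assumed layout for this illustration.
# A regex with a capture group reports group 1; otherwise the whole match.
RULES_JSON = r'''
{
  "aliyun_access_key_id": "LTAI[A-Za-z0-9]{12,22}",
  "aws_access_key_id": "AKIA[0-9A-Z]{16}",
  "generic_secret_assignment": "(?i)(?:secret[_-]?key|accesskeysecret)\\s*[:=]\\s*['\"]([A-Za-z0-9/+=]{16,})['\"]"
}
'''

# Constructed JavaScript bundle with planted, non-functional sample values
# (the AKIA value is the placeholder key used in AWS documentation).
SAMPLE_JS = r'''
var cfg = { region: "cn-hangzhou", accessKeyId: "LTAI4FzExampleKey1234", accessKeySecret: "ExampleSecretValue0123456789abcd" };
const awsKey = "AKIAIOSFODNN7EXAMPLE";
function f() { return cfg.region; }
'''


def load_rules(rules_json: str) -> Dict[str, re.Pattern]:
    """Parse the rule file and compile each regex once; fail loudly on a bad pattern."""
    compiled = {}
    for name, pattern in json.loads(rules_json).items():
        try:
            compiled[name] = re.compile(pattern)
        except re.error as exc:
            raise ValueError(f"rule {name!r} has an invalid regex: {exc}") from exc
    return compiled


def extract_secrets(js_source: str, rules: Dict[str, re.Pattern]) -> List[dict]:
    """Run every rule over the source and return findings with a 1-based line number."""
    findings = []
    for name, pattern in rules.items():
        for match in pattern.finditer(js_source):
            value = match.group(1) if match.groups() else match.group(0)
            line_no = js_source.count("\n", 0, match.start()) + 1
            findings.append({"rule": name, "value": value, "line": line_no})
    return findings


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix for triage and mask the rest so the report does not re-leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_sample() -> List[dict]:
    """Scan the constructed bundle with the constructed rules."""
    return extract_secrets(SAMPLE_JS, load_rules(RULES_JSON))


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"line {finding['line']:>3}  {finding['rule']:<28} {redact(finding['value'])}")
```

Rules are compiled once up front so a malformed regex fails at load time rather than silently skipping a file mid‑scan, and line numbers are kept in the finding so a reviewer can jump straight to the offending assignment in the bundle.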
4. App Traffic Analysis (Beta)
Supports integration with cloud phones so that app traffic can be viewed and analyzed directly within the tool. Although this feature is not yet fully available, it shows the author’s intention to cover mobile security testing.
5. Traffic Forwarding and Data Export
Captured traffic can be forwarded as raw data or exported in HAR format, which makes it easy to hand off to other tools, feed automation workflows, and reproduce test scenarios.
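A HAR export is a complete record of the session, including cookies, bearer tokens and login bodies, so the first thing a practitioner usually wants before handing a capture to another tool or colleague is to sanitize it. The following is an added example, not SwordfishSuite code, that reads a HAR 1.2 document, produces a one‑line‑per‑request summary for diffing captures, and returns a copy with credential‑bearing headers, query parameters and request bodies masked. The HAR document, the host example.test and the header/parameter name lists are constructed for this illustration.

```python
import json
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Header names and query parameters that routinely carry credentials in a capture
# (assumed lists for this example; extend them for the application under test).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-api-key", "proxy-authorization"}
SENSITIVE_PARAMS = {"token", "access_token", "api_key", "apikey", "key", "session", "sig"}

# Constructed HAR 1.2 document standing in for a SwordfishSuite export.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [
            {
                "startedDateTime": "2024-01-01T00:00:00.000Z", "time": 12,
                "request": {
                    "method": "GET", "url": "https://example.test/api/me?token=abc123&page=1",
                    "httpVersion": "HTTP/1.1",
                    "headers": [{"name": "Cookie", "value": "session=s3cr3t"},
                                {"name": "Accept", "value": "application/json"}],
                    "queryString": [{"name": "token", "value": "abc123"}, {"name": "page", "value": "1"}],
                    "headersSize": -1, "bodySize": 0,
                },
                "response": {
                    "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1",
                    "headers": [{"name": "Set-Cookie", "value": "session=s3cr3t; HttpOnly"}],
                    "content": {"size": 2, "mimeType": "application/json", "text": "{}"},
                    "headersSize": -1, "bodySize": 2,
                },
            },
            {
                "startedDateTime": "2024-01-01T00:00:01.000Z", "time": 30,
                "request": {
                    "method": "POST", "url": "https://example.test/api/login", "httpVersion": "HTTP/1.1",
                    "headers": [{"name": "Authorization", "value": "Bearer not-a-real-token"}],
                    "queryString": [],
                    "postData": {"mimeType": "application/json", "text": "{\"user\":\"alice\",\"pass\":\"hunter2\"}"},
                    "headersSize": -1, "bodySize": 34,
                },
                "response": {
                    "status": 401, "statusText": "Unauthorized", "httpVersion": "HTTP/1.1",
                    "headers": [], "content": {"size": 0, "mimeType": "application/json"},
                    "headersSize": -1, "bodySize": 0,
                },
            },
        ],
    }
})


def summarize(har_text: str) -> List[Tuple[str, str, int]]:
    """One (method, url, status) tuple per entry, handy for diffing two captures."""
    entries = json.loads(har_text)["log"]["entries"]
    return [(e["request"]["method"], e["request"]["url"], e["response"]["status"]) for e in entries]


def _redact_url(url: str) -> str:
    """Mask sensitive query values while keeping the rest of the URL intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def sanitize(har_text: str) -> dict:
    """Return a copy of the HAR with credential-bearing headers, query values and bodies masked."""
    har = json.loads(har_text)
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        for section in (req, resp):
            for header in section.get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
        for param in req.get("queryString", []):
            if param["name"].lower() in SENSITIVE_PARAMS:
                param["value"] = REDACTED
        req["url"] = _redact_url(req["url"])  # the URL repeats the query string
        if "postData" in req:  # request bodies often hold passwords or tokens
            req["postData"]["text"] = REDACTED
    return har


if __name__ == "__main__":
    for method, url, status in summarize(SAMPLE_HAR):
        print(f"{status} {method} {url}")
    print(json.dumps(sanitize(SAMPLE_HAR), indent=2))
```

Note that the query string appears twice in a HAR entry, once inside `url` and once in `queryString`, so both have to be masked; redacting only the structured list and leaving the URL is a common mistake when sharing captures.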
3. Quick Start (5‑Minute Setup)
Prerequisites
Python 3.10 or newer (for plugin development).
Dependencies:
pip install grpcio grpcio-tools protobuf numpy
Installation & Launch
Download the release package from GitHub Releases.
Extract the archive and enter the directory.
Double‑click or run Swordfish.exe to open the GUI.
On first use, click “Install Certificate” and follow the prompts to import the trusted root certificate.
Click “Start” to begin intercepting, replaying, and scanning traffic.
4. Who Is It Suitable For?
Penetration‑testing engineers – daily capture, modification, replay, and batch scanning.
Security researchers – analysis of JavaScript keys, app interfaces, and protocol behavior.
Developers / Ops – self‑testing API security and detecting sensitive data leaks.
Students / Beginners – friendly GUI lowers the learning curve.
5. Summary
SwordfishSuite follows a lightweight, easy‑to‑use, and extensible roadmap, focusing on the most common web‑security testing functions—proxy, replay, scanning, and plugins—while optimizing resource consumption so it remains responsive during long sessions.
For anyone tired of heavyweight tools and looking for a smooth, domestically‑developed security testing platform, SwordfishSuite is well worth a try.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path