API Model Importer is a Burp Suite extension I put together to solve a specific pain point: getting API definitions into Burp fast without manually crafting every request. If you have an OpenAPI spec, a Postman collection, a HAR file, or about eight other formats, this extension parses it and turns every endpoint into a ready-to-test request you can fire straight to Repeater or Intruder.
Supported Formats
The extension handles 11 formats through auto-detection. You load a file and it figures out what it is:
- OpenAPI 3.x and Swagger 2.x (JSON or YAML)
- Postman Collection v2.x
- Insomnia workspace exports
- RAML 0.8 and 1.0
- HAR files from browser DevTools
- WSDL/SOAP definitions
- gRPC/Protobuf
- AWS Smithy, C2J, and SDF model files
That last set is the one I actually built this for. AWS SDK service models describe every API operation in a structured format, and being able to load those directly into Burp saves a significant amount of setup time when you are testing a new AWS service and want to cover every endpoint systematically.
Authentication
The credentials tab handles the auth types you actually encounter:
- AWS SigV4 with access key, secret, and session token. Supports pasting directly from Fish or Bash export format.
- Bearer token
- Basic auth
- API key with custom header name
- OAuth2 client credentials flow with automatic token fetch
How I Use It
The most common use case for me is loading an OpenAPI spec or an AWS service model at the start of an engagement, getting all the endpoints into Repeater in bulk, then working through them systematically. It beats building requests by hand from documentation.
HAR file support is also useful when you want to capture what a client application is actually sending and pull those requests into Burp for further testing without going through the proxy flow. The extension deduplicates similar requests and extracts unique endpoints, so you get a clean list rather than a flood of duplicates.
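The following is an added example of that kind of HAR deduplication, not the extension's own code. It assumes "similar" means same method, host, query parameter names, and path once ID-like segments (integers, UUIDs, long hex strings) are templated; `endpoint_key`, `unique_endpoints` and the sample HAR are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Assumed heuristic: path segments that look like identifiers are templated.
_ID_SEGMENT = re.compile(
    r"^(\d+"                                              # plain integers
    r"|[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"  # UUIDs
    r"|[0-9a-fA-F]{16,})$"                                # long hex tokens
)

def endpoint_key(method, url):
    """Reduce a request to (METHOD, host, templated path, sorted query names)."""
    parts = urlsplit(url)
    segments = ["{id}" if _ID_SEGMENT.match(s) else s for s in parts.path.split("/")]
    names = sorted({p.split("=", 1)[0] for p in parts.query.split("&") if p})
    return (method.upper(), parts.netloc.lower(), "/".join(segments) or "/", tuple(names))

def unique_endpoints(har_text):
    """Return one representative HAR request per endpoint key, first seen wins."""
    entries = json.loads(har_text).get("log", {}).get("entries", [])
    seen = {}
    for entry in entries:
        req = entry.get("request", {})
        if "method" not in req or "url" not in req:
            continue  # skip malformed entries instead of failing the whole import
        seen.setdefault(endpoint_key(req["method"], req["url"]), req)
    return seen

# Constructed sample HAR (not captured traffic).
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://api.example.test/v1/users/101?fields=name"}},
    {"request": {"method": "GET", "url": "https://api.example.test/v1/users/202?fields=email"}},
    {"request": {"method": "get", "url": "https://API.example.test/v1/users/303?fields=name"}},
    {"request": {"method": "DELETE", "url": "https://api.example.test/v1/users/101"}},
    {"request": {"method": "GET",
                 "url": "https://api.example.test/v1/orders/3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b/items"}},
    {"request": {"url": "https://api.example.test/broken"}},
]}})

if __name__ == "__main__":
    for method, host, path, params in unique_endpoints(SAMPLE_HAR):
        print(method, host, path, ",".join(params))
```

Keying on parameter names rather than values keeps requests that differ only in data together, while a request that adds or drops a parameter still surfaces as its own entry.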
You can also add custom headers in the Settings tab that get included in every generated request, which is useful for setting a consistent User-Agent or audit identifier across all requests on an engagement.