Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Bug Reports

Report a bug

  • Certs invalid on Chrome 58 due to CN Deprecation

    TL;DR: Chrome 58 only looks at the SAN in a cert for validating hostnames and not the CN. Please add a SAN for the hostname when generating the cert. In 2000, RFC 2818 (https://tools.ietf.org/html/rfc2818) "deprecated" checking CN in favor of using SAN. 17 years later, browsers are actually doing so, with Chrome 58 and Firefox 48: https://www.chromestatus.com/features/49810251804835...

    1 Agent Answer    0 Community Answer
    Mar 22, 2017 04:23PM UTC
  • cookie without secure flag - different issues

    Can you explain the difference in these two issue which have both been flagged on the same site? Issue:  SSL cookie without secure flag set Severity:  Medium Confidence:  Firm Host:  https://abc Path:  / Set-Cookie: ASP.NET_SessionId=054nklywi05mesavwtc3g4ck; path=/; HttpOnly Issue:  SSL cookie without secure flag set Severity:  Information Confidence:  Certain Host:  https://ab...

    1 Agent Answer    0 Community Answer
    Mar 20, 2017 10:26AM UTC
  • No API stack nor full parameter value when using Infiltrator with a private Collaborator server

    [Tested with Burp Suite Pro 1.7.19] I instrument Jenkins 1.580.2 like that: java -jar ${JENKINS_HOME}/infiltrator.jar --non-interactive --report-parameter-values=true --report-call-stacks=true --target-paths=/path/to/war/ If I use the public Collaborator server, everything is fine. But when I use my own Collaborator server (using a dedicated domain), I _never_ have the call stack or full pa...

    1 Community Answer
    Mar 18, 2017 06:28PM UTC
  • Illegal Unicode Payload seems to be not working

    I have burp professional and I'm trying to use Illegal Unicode payload on Intruder but it seems that is not working. As an example I tried the request below selecting xpto from URL as a payload position and Snipper as an attack type. From Payloads tab I've selected Illegal Unicode and under Items I've selected a-z list and click on Start attack. Payload count is showing me 52 apr...

    1 Agent Answer    0 Community Answer
    Mar 10, 2017 09:06PM UTC
  • Repeater - 307 Redirects broken

    It looks like the 307 Redirect is not implemented per spec in the Repeater. In Repeater, setting the "Follow Redirect", results in a 307 Redirect for a POST request gets converted to a GET request (and loses the POST body). Thanks

    1 Agent Answer    0 Community Answer
    Mar 09, 2017 08:12PM UTC
  • Burp Collaborator : Documentation typo

    In the tutorial for Burp Collaborator, the command to convert certificate from PEM to PKCS8 has a typo. https://portswigger.net/burp/help/collaborator_deploying.html#ssl ``` openssl pkcs8 -topk8 -inform PEM -in keys/burpcollaborator.example.com.key -outform PEM -out keys/burpcollaborator.example.com.key.pkcs8 -nocrypt ``` It should contain: -outform PKCS8

    1 Community Answer
    Mar 07, 2017 12:09AM UTC
  • Extension with JRuby (bug?)

    Hi, I downloaded the new release 1.7.19 that fixes a bug that was introduced in 1.7.18 that prevented Python and Ruby extensions from loading in Windows. But, I think there is still a problem, for example I take an error message when I want to install/reinstall/update the extension that requires 'JRuby' (for ex: dradis, faraday) and the tool shut down. Best regards.

    1 Agent Answer    0 Community Answer
    Mar 02, 2017 07:49AM UTC
  • Possible Path encoding error leading to loading failure of extentions

    When loading a stock extension (In this case, autorize), I encountered this error after updating this morning to the latest version. Version: 1.7.18 OS: Win10 Error: Traceback (most recent call last): File "<string>", line 1, in <module> OSError: (22, 'Invalid argument', 'C:\\Users\\[MYWINDOWSUSERNAME]\\AppData\\Roaming\\BurpSuite\x08apps\x0c9bb...

    1 Agent Answer    1 Community Answer
    Feb 28, 2017 10:09PM UTC
  • CONNECT request for plaintext resource fails

    Hi, While testing Metasploit modules during module development, I will often try to pass the HTTP requests Metasploit is making through burp. However, when Metasploit is interacting with a plaintext resource (no SSL), then proxying through burp doesn't work. Only proxying data through burpsuite to an SSL-enable port will allow me to successfully proxy the data. I have determined that th...

    1 Agent Answer    1 Community Answer
    Feb 28, 2017 04:41PM UTC
  • Burp Scanner doesn't use cookie from session handling rule (makro)

    So because I need some testcases for my new burp plugin I tried scanning the Hackerone bug bounty program of lyst.com https://hackerone.com/lyst . I found a potential bug in Burp's Makro/Session handling. The Makro is not always using the latest cookie that came back in a Set-Cookie header response. My setup: - Burp pro burpsuite_pro_v1.7.17.jar - Disable all scanner checks in "Ac...

    2 Agent Answers    4 Community Answers
    Feb 24, 2017 10:19AM UTC