How to install an Extension in Burp Suite

Burp Extender lets you use Burp extensions to extend Burp's functionality in various ways. For example:

  • Adding custom checks to the Scanner
  • Adding custom content renderers to the HTTP message viewer
  • Integrating with third-party tools
  • Adding completely new tools within the Burp user interface

This article describes how to install ready-made extensions from the BApp Store. For help on creating your own Burp extensions, see the main extensibility documentation.

The BApp Store

Go to the Extender tab and select the BApp Store sub-tab.

The table shows a list of all available BApps. You can read the explanation of each extension, and decide which ones you might need to install.

Note: It is generally not recommended to install and run a large number of extensions at the same time, as this may impair performance. Ideally, you should select extensions for particular purposes, and use them when needed.

Extension Environments

Burp extensions can be written in Java, Python or Ruby. Java extensions can be run directly within Burp without any additional configuration.

Before installing extensions written in Python or Ruby, you will need to download Jython or JRuby, which are interpreters for those languages, implemented in Java.

If you are installing a Python extension, you must download the standalone version of Jython.

To download Jython or JRuby, click the "Download Jython/JRuby" button to the right of the extensions table.

After downloading the relevant software, you need to configure Burp with its location. Go to the Options tab and select the file in the relevant environment section.

You are then ready to install extensions written in Python or Ruby.

Installing BApps

To install an extension from the BApp Store, return to the "BApp Store" tab, select the extension you wish to install and click "Install".

The extensions you have installed are shown in the Extensions tab.

You can add, remove and reorder extensions using the buttons by the extensions table.

The order in which extensions are shown in the table is the order in which any registered listeners and other extension resources will be invoked.

Extensions can be unloaded but retained in the table to enable easy reloading at a later time. To toggle an extension's loaded state without removing it from the list, click on the checkbox in the "Loaded" column or in the extension details panel.

Note: Because of the way in which Jython and JRuby dynamically generate Java classes, you may encounter memory problems if you load several different Python/Ruby extensions, or if you unload and reload a Python/Ruby extension multiple times. If this happens, you will see an error like:

java.lang.OutOfMemoryError: PermGen space

You can avoid this problem by configuring Java to allocate more PermGen storage, by adding a -XX:MaxPermSize option to the command line when starting Burp. For example:

java -XX:MaxPermSize=1G -jar burp.jar
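
The launcher helper below is an added example, not part of the original article or of Burp itself. It passes the -XX:MaxPermSize option shown above only when the JVM still has a PermGen space (Java 7 and earlier; PermGen was removed in Java 8), which goes slightly beyond the single command in the text. The function names and the 1G default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose the PermGen option for Burp from the Java version.
# Assumption: PermGen exists only in Java 7 and earlier, so the flag is
# emitted there and omitted on Java 8 and later.

# java_major "1.7.0_80" -> 7, "1.8.0_292" -> 8, "11.0.2" -> 11, "17" -> 17
java_major() {
    v=$1
    case "$v" in
        1.*) v=${v#1.} ;;      # legacy "1.x" scheme: major is the second field
    esac
    v=${v%%[!0-9]*}            # keep only the leading digits
    printf '%s\n' "$v"
}

# burp_jvm_opts VERSION [SIZE] prints the JVM options to pass for that version.
burp_jvm_opts() {
    major=$(java_major "$1")
    size=${2:-1G}
    case "$major" in
        ''|*[!0-9]*)
            echo "unrecognised Java version: $1" >&2
            return 1 ;;
    esac
    if [ "$major" -le 7 ]; then
        printf '%s\n' "-XX:MaxPermSize=$size"
    else
        printf '\n'            # no PermGen on this JVM, so no option
    fi
}

# Reads the version string from the java found on PATH.
detect_java_version() {
    java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# launch_burp [JAR] starts Burp with the options chosen above.
launch_burp() {
    opts=$(burp_jvm_opts "$(detect_java_version)") || return 1
    # $opts is left unquoted on purpose so an empty value adds no argument.
    java $opts -jar "${1:-burp.jar}"
}
```

Source the file and call launch_burp with the path to your Burp JAR; nothing is started until that function is called.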