
Using Burp to Find SQL Injection Flaws

Almost every web application employs a database to store the various kinds of information it needs to operate. The means of accessing information within the database is Structured Query Language (SQL). SQL can be used to read, update, add, and delete information held within the database.

SQL is an interpreted language, and web applications commonly construct SQL statements that incorporate user-supplied data. If this is done in an unsafe way, the application may be vulnerable to SQL injection (SQLi). This flaw is one of the most notorious vulnerabilities to have afflicted web applications. In the most serious cases, SQL injection can enable an anonymous attacker to read and modify all data stored within the database, and even take full control of the server on which the database is running.

Using Burp to Test for SQLi

The articles below describe how to use Burp Suite to detect, investigate and exploit SQL injection flaws:

Using Burp to Test for Blind SQLi

The articles below describe how to use Burp Suite to detect and exploit Blind SQL injection flaws:

Using Burp to Test for SQLi in Different Statement Types and the Query Structure

The articles below demonstrate various techniques when performing SQLi in different statement types and in the query structure:

SQLi Filters

This article provides examples of how to beat SQLi filters: