Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

How Do I?

Make a new post

  • How do I manage JSON Web Token auth in Burp?

    So, while doing active scanning and such, what's the best way to handle JSON Web Tokens that expire quickly? Basically when burp receives an auth failure, to run a post request and retrieve the new JWT to place in the header.

    2 Agent Answers    5 Community Answers
    Jul 08, 2015 05:33PM UTC
  • Client certificate using Internet Explorer cert store?

    Greetings, Is it possible for Burp to use the Windows (IE) certificate store? I've got a client whose process requires client certificates, but the IE+applet procedure stores it directly. Trying to export the result for Burp's use does not appear to work. That would indeed be ideal however.

    1 Agent Answer    1 Community Answer
    Jul 07, 2015 04:44PM UTC
  • Clarification on Webservices scanning

    I have some clarifications on web service testing. Question 1: Is burp suite capable of performing testing webservices against all known vulnerabilities associated with web services ? All scanning options present under Active Scanning areas are applicable for web service testing ? or it is limited to subset of those ? Question 2: I browsed a website and it captured a webservice URL (and m...

    3 Agent Answers    2 Community Answers
    Jul 07, 2015 03:07PM UTC
  • Query Parameter in SSL Request, where is this?

    I am validating issues which were previously found. In the URL, the following information is available: GET /cleaned/servlet/ControllerServlet?commandLink=AppPriceReportList.jsp HTTP/1.1 Since the connection is via SSL, I would have expected that Burp would have flagged this as an issue. What happened?

    2 Agent Answers    1 Community Answer
    Jul 06, 2015 05:29PM UTC
  • Spidering - avoid getting all the products from store

    Hi there, I've been trying to spider a site and adding the results to the scope. The problem I'm facing is if we want to spider a store with a catalog of, for example, 10k items, it will try to crawl all those items (the URLs are different and no params are specified). Is there any configuration I am missing to avoid getting all the items crawled? If Burp does not have it yet, is ...

    1 Agent Answer    0 Community Answer
    Jul 06, 2015 03:26PM UTC
  • Transfer license from one user to another

    I have purchased Burp Suite for multiple users. Can you please tell me the steps to activate the second user using the license key that I have purchased ?

    2 Agent Answers    1 Community Answer
    Jul 06, 2015 09:03AM UTC
  • Intercept server request/client response

    Im running a game server and the masterserver request bunch of informations so it can show my server in a server list/browser this is the request from the server (wireshark) GET / HTTP/1.1 host: XX.XX.XX.XX:4545 (my game server ip) Connection: close and thats what my web server send back HTTP/1.1 200 OK Content-Type: application/json Access-Control-Allow-Origin: * Server: GameServer54...

    2 Agent Answers    1 Community Answer
    Jul 05, 2015 06:27AM UTC
  • Writing an extension to add a signature on requests

    Hello, I am testing a web service that expects one of the request parameters to contain a hash of the remaining parameters and a shared secret. If I do a scan of it with Burp Scanner the majority of the requests will be treated as invalid by the service, because of the signature mismatch. What I'd like to do is capture the request the scanner is making just before it is sent, calculate the...

    1 Agent Answer    0 Community Answer
    Jul 01, 2015 09:14AM UTC
  • Importing CA certificate into cert

    I have read the howto and i am trying to do the following in order to create new cert and import it into burp. 1. openssl req -x509 -days 730 -nodes -newkey rsa:2048 -outform der -keyout server.key -out ca.der 2. openssl rsa -in server.key -inform pem -out server.key.der -outform der 3. openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt ...

    1 Agent Answer    0 Community Answer
    Jun 29, 2015 03:01PM UTC
  • Set font via command line OR restore state via command line

    Is there a way to set the font size via a command line option, or restore a saved state via a command line option? For example: java -jar burp.jar --font-size=12 or java -jar burp.jar --restore-state settings.dat I am looking for a way to create two shortcuts to Burp that would automatically start with different font sizes (if possible!), for starting the GUI with the correct font size based...

    2 Agent Answers    2 Community Answers
    Jun 26, 2015 03:35AM UTC