Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

How Do I?

Make a new post

  • Finding all forms on a site

    Once a site is fully spidered, are there any ways to quickly the total number of the forms or login prompts on that site?

    2 Agent Answers    1 Community Answer
    Nov 26, 2015 08:49PM UTC
  • How to re-enable AMF support

    Since AMF support is disabled by default since 1.6.29, how is it re-enabled when needed? Or is AMF testing now limited to the Blazer extension?

    1 Agent Answer    0 Community Answer
    Nov 24, 2015 08:43PM UTC
  • Define Location Component

    Is there any way for Extensions to use the "Define custom location" component that is part of the Sequencer and Intruder Grep - Extract functions? This component: This would be much easier than making Extension users enter their own regexes.

    1 Agent Answer    0 Community Answer
    Nov 24, 2015 06:16PM UTC
  • Proxy Listeners does not support for the specific address other than predefined proxy.

    My proxy is "". I am unable to edit under Proxy > Options > Proxy Listeners > Edit.

    2 Agent Answers    2 Community Answers
    Nov 24, 2015 07:20AM UTC
  • Can Burp suite be used for slow post http attack testing?

    Hello, I want to know either using burp suite (free or paid edition) is it possible to use it for testing "SLOW POST http attack". Please let me know what option exists and how can they be used. thanks. regards asad

    1 Agent Answer    1 Community Answer
    Nov 21, 2015 05:20PM UTC
  • how to list the cipher suite supported by the server

    I would like to validate the cipher suites that a web application supports. How could we do it?

    1 Agent Answer    1 Community Answer
    Nov 20, 2015 12:38AM UTC
  • Changing scan areas during scan

    If I change Active scanning areas during scan will it reflect in the current scan ? Scenario: 1. I have selected SQL injection checks and started scan 2. I pause the scan and select XSS Checks 3. I resume the scan Question 1: Will the current scan include the XSS as well or it will be applicable from the new scan only ? Question 2: If this change will be reflected in the current scan, ...

    1 Agent Answer    1 Community Answer
    Nov 19, 2015 07:44AM UTC
  • How do I manually reproduce ruby code injection in cookie parameters?

    One of the apps I'm testing is coming up with Ruby Code Injection alert. The confidence is listed as Firm. Issue Details: The payload '+sleep(20.to_i)+' was submitted in the foo parameter within the bar cookie. The application took 22015 milliseconds to respond to the request, compared with 15 milliseconds for the original request, indicating that the injected Ruby code caused a ...

    1 Agent Answer    0 Community Answer
    Nov 17, 2015 03:45PM UTC
  • how to detect the errors in webapplication

    How to login in burp suite tool in free version and how to detect the errors in webpage.

    1 Agent Answer    0 Community Answer
    Nov 17, 2015 12:04PM UTC
  • Content-location ip versus hostname

    Curious behavior difference between nikto output and burp output. From nikto a request like this: GET / HTTP/1.1 User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:headers: IIS internal IP) Connection: Keep-Alive Host: Has a response including this header: content-location: But in burp when this same request is made the re...

    1 Agent Answer    0 Community Answer
    Nov 16, 2015 10:37PM UTC