Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

How Do I?

Make a new post

  • How do I send multiple requests at one time?

    I want to take a single request, let's say a POST request to google.com. I want to send, let's say, five requests almost parallel with each other.

    2 Agent Answers    1 Community Answer
    Apr 28, 2015 04:47AM UTC
  • Command line commands

    We installed Carbonator and want to execute commands in "headless" mode. What are the commands to set a target, set a proxy, scan (active and passive), spider, etc.? Thanks!

    2 Agent Answers    1 Community Answer
    Apr 27, 2015 11:20PM UTC
  • Interception of Citrix Netscaler traffic

    I am testing an application that tunnels traffic through a Citrix NetScaler connection and so far have had no success in defeating certificate validation. Evidently, Citrix requires a certificate with the "serverAuth" extendedKeyUsage field enabled. Providing this requires generation of a new CA certificate with this attribute. According to Citrix, the following configuration works when ...

    0 Community Answer
    Apr 27, 2015 04:57PM UTC
  • Manually reproduce Cross-site scripting (DOM-based) vulnerability using info from Burp report

    Hi, Ran test to look for “Cross-site request forgery” & Burp came back with issue. How can we use the info in the report to reproduce this manually so as to confirm that it's not a false positive? Thx.

    1 Agent Answer    0 Community Answer
    Apr 23, 2015 06:21PM UTC
  • no details for proxy history

    In my case, the proxy history are logged correctly for each internet request. But when I click on the request, there is no Request Raw(or Hex) showing in the bottom panel. The filter is "showing all items". Can someone help?

    2 Agent Answers    2 Community Answers
    Apr 23, 2015 03:05PM UTC
  • Collaborator Server issues "expected record not found"

    I've got a private collaborator server up and running. It has it's own domain, it's resolving fine, wildcard certs are installed and confirmed working on both interaction and collaboration ports. When I run a health check in the app everything comes out green (Success) except for: Verify DNS Interaction Verify HTTP Interaction Verify HTTPS Interaction The summary text is: &quo...

    2 Agent Answers    2 Community Answers
    Apr 23, 2015 02:25PM UTC
  • In consistency while reproducing XSS vulnerability

    Burp has reported some XSS vulnerability for a website. For the below discussion let us use this URL entry www.example.com/nagiosxi/reports/execsummary.php/19537"-alert(1)-"28ffd?hostgroup=&host=&startdate=&servicegroup=&reporttimesubmitbutton=reporttimesubmitbutton%253dGo&enddate=&reportperiod=today Case 1: Right click on a XSS Vulnerability result e...

    3 Agent Answers    2 Community Answers
    Apr 22, 2015 07:22AM UTC
  • Add Proxy Listener to listen to Terminal (Linux)

    How would I add a proxy listener so that if I were running a tool in my terminal I could have burp scan all websites that are run through it?

    1 Agent Answer    0 Community Answer
    Apr 22, 2015 02:41AM UTC
  • Scanning a "POST" causes a "GET" with no parameters

    I'm doing an active scan of a POST that has parameters for session ID, which is also stored in the cookie jar. However the attacks created by that scan produce "GET"s that have no parameters (no session ID) which causes my website to regenerate the session ID and thus subsequent attacks are all failing. So, how to I stop Burp Suite from generate a "GET" or alternativel...

    1 Agent Answer    0 Community Answer
    Apr 17, 2015 06:56PM UTC
  • Collaborator Server with private address

    My collaborative server has a private address. My configuration is "dns": { "interfaces" : [{ "name":"ns1", "localAddress":"172.31.10.5", "publicAddress":"50.0.1.4" }], } Anyhow if I use dig dig burp.domain.com @burp.domain.com I get an answer like ;; ANSWER ...

    1 Agent Answer    0 Community Answer
    Apr 17, 2015 05:31PM UTC