Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

How Do I?

Make a new post

  • Test thick client which is hard coded with server IP address?

    I understand that the Invisible Proxy mode can be used to proxy thick client's HTTP request. However, is this approach feasible for thick client that is hard-coded with server's IP address? The reference below is only applicable for situation where the thick client is coded to a hostname.

    1 Agent Answer    0 Community Answer
    Aug 28, 2017 09:21AM UTC
  • not comparing username and password at the time of performing attack

    Hey, When I perform brute force attack with DVWA and burp suit, some times HTTP request can not be shown. and another problem is after performing final step and click in "start attack" user name and password is not match all result shold be same no checkboxes are checked all are unchecked when it comparing from the file. what shoud i do? please guide me who has solution.

    1 Agent Answer    0 Community Answer
    Aug 27, 2017 07:11PM UTC
  • Scanning large of threads

    Hello needing help with the best way to scan a website that has over 1000 items to scan. Recently, I have been given a task to scan a internal only website. This website has over 1000 items to scan from the scanning wizard. This is not a fast scan, I have increase the amount of threads will scan to help get this scan done faster. After talking the person that maintains this website, it is goin...

    3 Agent Answers    3 Community Answers
    Aug 24, 2017 09:08PM UTC
  • The Inferred Items in Site Map

    Hi, As you know, in the Site Map View, the inferred items are displayed in gray, as they are not actually requested, but Burp discovered links to them in the content requested. My question is: for a specific inferred item, how can I know from which content it is inferred? Thanks a lot. Regards, Keqin Li

    1 Agent Answer    0 Community Answer
    Aug 22, 2017 02:32PM UTC
  • How do I make Burp follow redirects (302)

    Hi all, I currently try to scan an application with the scanner, but for some reasong Burp Scanner is not following the sent redirects. The response looks e.g., like this: HTTP/1.1 302 Found Date: Mon, 21 Aug 2017 14:24:36 GMT Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Length: 0 Location:

    1 Agent Answer    0 Community Answer
    Aug 21, 2017 02:39PM UTC
  • Expected a value for option project-file

    I am getting the above error whenever I try to load a project from command line in burp. Please let me know how do I get rid of this error or is there any other way of doing this through command line. I am using the following command: java -jar burp.jar --project-file "path_to_project_file" --config-file "path_to_config_file"

    1 Agent Answer    0 Community Answer
    Aug 21, 2017 07:38AM UTC
  • How to change the Authorization header in scanner rule?

    I'm attempting to perform an active scan on a few requests that don't have the current authorization header. Every response in the logger++ output shows a 401 unauthorized because each scanner request is using an invalid auth header. I've looked at the rules creation wizard in the project options -> sessions tab, but it only allows you to modify cookies or parameters, not header ...

    1 Agent Answer    0 Community Answer
    Aug 17, 2017 06:17PM UTC
  • Configure Burp to recoginze traffic from a Visual Studio debug (Start)

    When I start up my application from Visual Studio and I hit "Intercept is on" in Burp, it doesn't seem to see what is happening in the web application. Any help on how to do this?

    1 Agent Answer    0 Community Answer
    Aug 16, 2017 08:48PM UTC
  • Include Intruder in project/state file?

    Is there a way to include the Intruder tool in the auto-saved project files, or in a state file? I know I can export each Intruder attack separately, but I'd love to not have to remember to do that manually at the end of the day...

    1 Agent Answer    1 Community Answer
    Aug 11, 2017 01:55PM UTC
  • More info on "Identify Backend Parameters"

    During a scan I have found an endpoint with the issue "Interesting input handling: Backend Parameter Injection". In the advisory there is the suggestion to click on the "Identify Backend Parameters" entry of the context menu. I did that, but I got no feedback: where should I look for any result and or progress? Do I have to leave some window open? Can you please give me more ...

    1 Agent Answer    1 Community Answer
    Aug 11, 2017 08:10AM UTC