Support Center

Burp Community

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.


Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.


Bug Reports


  • Issues not visible if related to 404 resources

    Hello, the scanner found an XSS in the referer header, and the answer is a custom 404 page with the XSS in the answer. However, in the Target tab, the XSS is not visible if "Hide not-found items" is not disabled. Maybe vulnerabilities in the issues tab/window should always be visible... what do you think? Thank you

    2 Agent Answers    2 Community Answers
    Sep 11, 2015 10:31AM UTC
  • Failure to open a Macro Recorder dialog

    Hi, sometimes Burp fails to open a Macro Recorder dialog (Options / Sessions / Macros > Add > Record macro). I confirmed that it happens when Burp Proxy receives requests frequently (1req/5sec or more, I'm testing a web application with Ajax). When it occurs I can't close a Macro Editor dialog (frozen or there is an invisible modal dialog?). So I have to kill the Burp instance ...

    2 Agent Answers    0 Community Answer
    Sep 09, 2015 07:19AM UTC
  • Cmd Key on mac not working within Burp v1.6.26 (Java 1.8.0_60)

    The Cmd key on Mac OS 10.10.5 does not seem to be working within Burp (attempted on multiple Burp versions <=1.6.26), thus hampering the use of copy / paste / select all functions. Below are env details: java version "1.8.0_60" Java(TM) SE Runtime Environment (build 1.8.0_60-b27) Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode) Any suggestions or workarounds...

    1 Agent Answer    2 Community Answers
    Sep 08, 2015 10:22PM UTC
  • Hydra (http-get-form) + Burp = Missing GET parameters

    ## Issue * When using `http-get-form` with `HYDRA_PROXY_HTTP` set and using Burp as the proxy, the GET parameters are not being passed on. * Using other proxies (such as ZAP), or not using a proxy at all, the GET requests are correct. The issue only happens when you use burp. **Summary** ``` export HYDRA_PROXY_HTTP= hydra -l admin -p password -e ns -F -t 1 -w 5 -v ...

    2 Agent Answers    1 Community Answer
    Sep 08, 2015 04:39PM UTC
  • Burp proxy doesn't show responses with 1xx codes in HTTP history

    On a recent engagement, we encountered an application that uses websockets. The application upgrades the connection post-login. For example, (borrowed from Wikipedia) GET /test HTTP/1.1 Host: Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw== Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 Origin: ...

    1 Agent Answer    1 Community Answer
    Sep 04, 2015 02:37PM UTC
  • Burp does not process cookies when initializing Intruder

    I am using a site which has multiple redirects after submitting a form. After the initial POST request, Burp does not use cookies on subsequent requests. Behavior from the browser: POST request sent with cookies => 302 Redirect GET request from 302 with cookies => Another 302 GET request from second 302 with cookies => Return to page with information reflected in page Behavior u...

    2 Agent Answers    1 Community Answer
    Sep 02, 2015 11:20PM UTC
  • XSS detection is inconsistent

    Hi, I did an Active scan for one request on form submission using Burp Pro v1.6.17. It didn't list any XSS for one hidden parameter which is not encoded. If I do the same thing using Intercept proxy, XSS is listed. Later we encoded the parameter and tested the same hidden parameter using a manual scan. XSS is not listed. Just to ensure how Automated scan is working again we removed...

    1 Agent Answer    0 Community Answer
    Aug 30, 2015 10:17AM UTC
  • Error while running Burp

    # # A fatal error has been detected by the Java Runtime Environment: # # EXCEPTION_UNCAUGHT_CXX_EXCEPTION (0xe06d7363) at pc=0x000007fefd97b3dd, pid=1172, tid=5828 # # JRE version: Java(TM) SE Runtime Environment (7.0_76-b13) (build 1.7.0_76-b13) # Java VM: Java HotSpot(TM) 64-Bit Server VM (24.76-b04 mixed mode windows-amd64 compressed oops) # Problematic frame: # C [KERNELBASE.dll+0xb3...

    1 Agent Answer    0 Community Answer
    Aug 27, 2015 09:20AM UTC
  • "Open redirection" issues share duplicate information with "Cross-domain Referer leak...

    After running Burp Active scan, I observed few Open redirection issues. However, when I check Cross-domain Referer leakage issues, there are many reported which I don't think should be there as they were caused by an Open redirection during active scan, for example: https://a40656bd271/a? https://a70b9fe5e59/a? https://a9662d67c39/a? https://aa0a4afcf8c/a? I'm not sure if it was...

    1 Agent Answer    0 Community Answer
    Aug 21, 2015 08:42AM UTC
  • off by one when saving intruder responses

    When you save server responses from the Intruder the files are labelled from 1 but looking at the requests in the Intruder panel they start at 0 with the baseline request. I think the file naming should match the request numbering.

    1 Agent Answer    0 Community Answer
    Aug 19, 2015 08:32AM UTC