Support Center

Bug Reports

  • "Compare response" button causes Java errors, and sometimes doesn't render window

    Using Java 1.8.0_66 on Mac OS X (fully patched and up to date for OS) I see a Java exception when I click "Compare Response" on issues detected that have two requests. Sometimes the window renders as expected, sometimes it fails. I assumed it was just out of memory, but it seems to be consistent(ish). Anyone else seeing the same? java.lang.NullPointerException at javax.swing.text.FlowV...

    2 Agent Answers    1 Community Answer
    Dec 28, 2015 09:58PM UTC
  • Remove duplicates from output of "Copy URLs in this host" (Site map)

    The output of this menu option contains exact duplicates, including matching (or blank) query strings. Please deduplicate the list of URLs before output.

    2 Agent Answers    1 Community Answer
    Dec 17, 2015 04:22PM UTC
  • Small Bug - onload instead of onerror

    Burp is generating the following attack string: GET /asdf/cf941%3cimg%20src%3da%20onload%3dalert(1)%3e HTTP/1.1 URL decoded: <img src=a onload=alert(1)> When it should be using the following attack string: GET /asdf/cf941%3cimg%20src%3da%20onerror%3dalert(1)%3e HTTP/1.1 URL Decoded: <img src=a onerror=alert(1)> Even though this site is returning a 200 (the content for /a ...

    2 Agent Answers    0 Community Answer
    Dec 15, 2015 04:30PM UTC
  • Filtering of long extension doesn't seem to work

    Burp doesn't seem to be hiding the extension as expected when the extension is long, like a ".woff2" file. (Tested with 1.6.31)

    1 Agent Answer    0 Community Answer
    Dec 14, 2015 10:39AM UTC
  • Correctly sort Issue Definitions

    When sorting by Name, the list is incorrectly being sorted. Capital letters are sorted before lower case letters. For example: PHP code injection comes before Password field with autocomplete enabled.

    1 Community Answer
    Dec 13, 2015 08:47PM UTC
  • making repeater request with session handling rule changes request body

    I've set up a session handling rule to fetch a CSRF token and place a valid value in the request I wish to test. I've placed XSS code into one of the POST params. Unfortunately, after the request was issued and the response received, the entire XSS code was removed from the request, and only the original request param value remained. It didn't happen when the rule was disabled. Why did it happen? Cheer...

    1 Agent Answer    0 Community Answer
    Dec 11, 2015 10:57AM UTC
  • Missing legal value in "Frameable response (potential Clickjacking)"

    The "Remediation detail" claims: "The X-Frame-Options header should only have one of the expected values: DENY or SAMEORIGIN." That used to be the case, but today "ALLOW-FROM <url>" is also allowed, as described in the Mozilla page under References. According to OWASP, ALLOW-FROM has been around since 2012:

    1 Agent Answer    0 Community Answer
    Dec 10, 2015 03:36PM UTC
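Added example for the X-Frame-Options report above (not Burp's scanner code, and not the poster's): the strict DENY/SAMEORIGIN-only rule the post quotes, beside a check that also accepts the ALLOW-FROM form defined in RFC 7034. The header names and dict layout are assumptions for illustration. One caveat a practitioner should attach to the lenient result: ALLOW-FROM was only ever honoured by Internet Explorer and Firefox (Chrome and Safari ignore the header entirely when it carries that value), and the portable replacement is the CSP frame-ancestors directive.

```python
# Added example: X-Frame-Options validation, strict (post's quoted rule)
# beside lenient (also accepts ALLOW-FROM <absolute-uri>). Not PortSwigger code.
from urllib.parse import urlparse

STRICT_VALUES = {"DENY", "SAMEORIGIN"}


def xfo_strict(header_value):
    """Rule quoted in the post: only DENY or SAMEORIGIN count as protection."""
    return header_value.strip().upper() in STRICT_VALUES


def xfo_lenient(header_value):
    """Accept DENY, SAMEORIGIN, or ALLOW-FROM <absolute uri> (RFC 7034 form).

    Returns (protected, note). The note carries the browser-support caveat,
    because ALLOW-FROM is silently ignored by Chrome and Safari.
    """
    value = " ".join(header_value.split())  # collapse stray whitespace
    upper = value.upper()
    if upper in STRICT_VALUES:
        return True, upper
    if upper.startswith("ALLOW-FROM "):
        uri = value[len("ALLOW-FROM "):]
        parsed = urlparse(uri)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return True, ("ALLOW-FROM honoured by IE and Firefox only; "
                          "prefer CSP frame-ancestors")
        return False, "ALLOW-FROM with malformed origin: " + uri
    return False, "unrecognised value: " + value


def frameable_issue(headers):
    """Return None when the response is protected, else a reason string.

    `headers` is a constructed dict of response header name -> value;
    header names are matched case-insensitively, as HTTP requires.
    """
    xfo = None
    for name, val in headers.items():
        if name.lower() == "x-frame-options":
            xfo = val
    if xfo is None:
        return "no X-Frame-Options header"
    ok, note = xfo_lenient(xfo)
    return None if ok else note
```

A scanner check built on xfo_strict reports a false positive for a response carrying ALLOW-FROM https://example.com; xfo_lenient accepts it but keeps the caveat in the note so the report can still recommend frame-ancestors.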
  • Content type incorrectly stated

    Somewhere in the last couple of updates the scanner has started flagging responses as "Content type incorrectly stated", when they appear correct. Something to do with the response being encoded with gzip? GET /fastcgitest/js/jquery.min.js HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 Accept: */* Accept-Lang...

    1 Agent Answer    1 Community Answer
    Dec 10, 2015 12:20PM UTC
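Added example for the "Content type incorrectly stated" report above (not Burp's code; the poster only guesses that gzip is involved): a content-type consistency check that forgets to undo Content-Encoding will sniff the gzip magic bytes and flag every compressed script as mismatched, while the same check run after decompression passes. The sniffer and the sample script are constructed for this example and are much cruder than a real one.

```python
# Added example: naive content-type check (flags gzip bodies) beside one that
# decodes Content-Encoding first. Sniffer and sample are constructed inputs.
import gzip
import re

JS_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}

# Constructed sample: a small script served with gzip, as the post's server did.
SAMPLE_JS = b"/* constructed sample script */\n!function(w){w.ready=true}(window);\n"
SAMPLE_HEADERS = {"Content-Type": "application/javascript", "Content-Encoding": "gzip"}
SAMPLE_BODY = gzip.compress(SAMPLE_JS)


def decode_body(headers, body):
    """Undo Content-Encoding before any inspection of the body."""
    enc = headers.get("Content-Encoding", "").strip().lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc in ("", "identity"):
        return body
    raise ValueError("unsupported Content-Encoding: " + enc)


def sniff(body):
    """Tiny content sniffer, constructed for the example."""
    if body[:2] == b"\x1f\x8b":          # gzip magic number
        return "application/gzip"
    head = body[:512].lstrip()
    if head.startswith(b"<"):             # crude HTML/XML test
        return "text/html"
    if re.match(rb'(?:/\*|//|!function|\(function|var |function |"use strict")', head):
        return "application/javascript"
    return "application/octet-stream"


def content_type_mismatch(headers, body, decode_first=True):
    """Return None if declared and observed types agree, else (declared, observed).

    decode_first=False reproduces the failure mode the post describes:
    the compressed bytes are sniffed and always disagree with the header.
    """
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    payload = decode_body(headers, body) if decode_first else body
    observed = sniff(payload)
    if declared in JS_TYPES and observed == "application/javascript":
        return None
    if declared == observed:
        return None
    return (declared, observed)
```

The same ordering matters for any body-inspecting check (reflected parameters, script sniffing, secret detection): decode transfer and content encodings first, then inspect.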
  • request in browser feature missing proxy port

    Since the port is missing, a copy and paste will not work without the user modifying the link. Perhaps this is intentional (I realize there could be more than one proxy listener on different ports). If there are multiple proxy listeners it would suffice to simply list all links with different ports; otherwise, if there is only one listener, default to including the port?

    1 Agent Answer    0 Community Answer
    Dec 09, 2015 11:47PM UTC
  • Decoder hash buttons broken?

    Are the decoder Hash buttons working? The text output of the MD5 hash of 'Foobar' shows as '‰Õs›ª»¾e¾5Ëæˆàm' instead of '89D5739BAABBBE65BE35CBE61C88E06D'. I'm on Burp v1.6.31

    1 Agent Answer    0 Community Answer
    Dec 09, 2015 11:05PM UTC
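Added example for the Decoder hash report above (not Burp's code): the garbled string in the post is exactly what you get when the 16 raw MD5 digest bytes are pushed through a Windows-1252 text decoder instead of being hex-encoded (0x89 is ‰, 0xD5 is Õ, 0x9B is ›, and so on; byte 0x1C is a control character that the widget swallows). The helpers below reproduce both renderings and show that the text form is lossy, not just ugly. The cp1252 charset is an assumption about the user's display encoding.

```python
# Added example: hex rendering of a digest beside the misrendering of its raw
# bytes as Windows-1252 text. Not Burp's code; cp1252 is an assumed charset.
import hashlib


def digest_hex(text, algorithm="md5", encoding="utf-8"):
    """The 32 (for MD5) hex characters a Decoder user expects to see."""
    return hashlib.new(algorithm, text.encode(encoding)).hexdigest().upper()


def digest_as_text(text, algorithm="md5", charset="cp1252"):
    """What a UI shows if it treats raw digest bytes as characters in a
    single-byte Windows code page. Unprintable bytes (0x1C for 'Foobar')
    are dropped, as a text widget would swallow them."""
    raw = hashlib.new(algorithm, text.encode("utf-8")).digest()
    shown = raw.decode(charset, errors="replace")
    return "".join(ch for ch in shown if ch.isprintable())


def recoverable_bytes(shown, charset="cp1252"):
    """Turn the displayed text back into bytes. The result is shorter than
    the 16-byte digest whenever a control byte was dropped, so the value the
    post shows cannot be converted back into the correct hash."""
    return shown.encode(charset, errors="replace")
```

Run against 'Foobar', digest_hex returns the value the poster expected and digest_as_text returns the 15 visible characters the poster saw; recoverable_bytes of that text is 15 bytes, one short of a real MD5 digest.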