Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Bug Reports

Report a bug

  • Scanner issue 0x00000000

    Hello, Since v1.6.30 an issue with 0x00000000 index has been added which contains OS command injection description. I guess that's a mistake. Davy

    1 Agent Answer    0 Community Answer
    Nov 12, 2015 01:08PM UTC
  • Self-signed certificate with CN=PortSwigger in invisible mode

    Hi, When I'm using an proxy listener with "invisible proxying support" in "Per-host" certificate mode. I get a wrong self-certificate with CN=PortSwigger. It works as expected if I use a browser like firefox or curl: curl --insecure --verbose www.google.com: ... * Server certificate: * subject: C=PortSwigger; O=PortSwigger; OU=PortSwigger CA; CN=www.google.com...

    2 Agent Answers    1 Community Answer
    Nov 09, 2015 06:09PM UTC
  • External service interaction finding masks XXE finding

    Hey folks, Not sure if this would be considered a bug, but I'm running 1.6.30 and have a finding where an XXE payload is being used to tickle the collaborator, but only the latter is reported (External service interaction DNS|HTTP, type id 3146240 and 3146256). There's no finding for the XXE. Thanks Bob

    1 Agent Answer    2 Community Answers
    Nov 08, 2015 02:07PM UTC
  • Repeater and content-encoding

    I think I have two issues: The first is that the settings in proxy for encoding/decoding compression don't seem to apply to repeater. The second is that if I send a HEAD method request via repeater, it tries to uncompress an empty body, removes the content-encoding header, then sets the content-length to zero. It should probably ignore a response to a HEAD request... #loveyoulongtime

    1 Agent Answer    1 Community Answer
    Nov 06, 2015 06:37PM UTC
  • burpsuite free crashes in kali linux

    With the recent update in java, when i try to run burpsuite in kali linux 2.0, as soon as i try to use the application, burpsuite crashes. and the system crashes and logs me out. I have the following version of java in my machine: java version "1.7.0_85" OpenJDK Runtime Environment (IcedTea 2.6.1) (7u85-2.6.1-6+deb8u1) OpenJDK Client VM (build 24.85-b03, mixed mode, sharing) B...

    7 Agent Answers    11 Community Answers
    Nov 06, 2015 03:13PM UTC
  • Strange behaviour with XSS payloads in Active Scanner.

    I am having a strange behaviour on doing an active scan on this particular request: https://cld.pt/dl/download/5b8963fe-6f9f-4e4a-970d-a788e776258e/http_request.JPG Burp only does 10 requests and does not identify the XSS. I also have tried to define the insert point as the 11 value itself. Burp Scanner Options: Scan speed: Thorough; Scan accuracy: Minimize false negatives; Us...

    3 Agent Answers    3 Community Answers
    Nov 05, 2015 04:26PM UTC
  • Intruder silently changes content type of request from application/json to text/plain

    When using intruder to masticate a RESTful interface, it will silently change the content-type from the original request's application/json to text/plain. For RESTful interfaces that enforce type, this means that all the requests that are changed thus will fail.

    1 Community Answer
    Oct 31, 2015 07:23PM UTC
  • Problem with multihost angularjs site

    We have an angularjs/REST web app (IE11) at a client that works fine (no proxy) but is broken when burp is in the middle. The web page normally pulls in several js and css files from a second domain, also owned by the client. When we look at the target page, the foreign domain host is listed along with the paths to the included files, but they are in gray, indicating they were never fetched (and...

    1 Agent Answer    1 Community Answer
    Oct 28, 2015 06:03PM UTC
  • content-type: application/json

    An application/json response is by definition unicode (utf-8 by preference, but any multibyte unicode is acceptable). However, if the content-type header does not also include a charset=utf-8 attribute (which is actually not as per standard, but is expected by some web services) then burp seems to decode the response in the viewer incorrectly as ASCII or latin-1. Screen shots available if re...

    1 Agent Answer    0 Community Answer
    Oct 28, 2015 07:06AM UTC
  • v 1.6.30 spider

    I just downloaded/ran version 1.6.30. The when right clicking and selecting "Spider this host" the host above the selected item is spidered and the item that was actually selected is not spidered. I've restarted that app from scratch and experienced the same behavior. In addition the first time selecting to stop the spider and clear the queue did not function. I had to actually clos...

    2 Agent Answers    2 Community Answers
    Oct 26, 2015 04:37PM UTC