Support Center

Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.


Bug Reports


  • Scheme-relative URLs are treated as root-relative ones

    Tested on v1.6.26 / Linux / Oracle 1.8.0_45-b14. In Repeater (at least), a header like "Location: //nicob.net" is treated as a redirection to "//nicob.net" on the same host. However, browsers will redirect to http(s)://nicob.net/, depending on the scheme used by the redirect page (cf. http://tools.ietf.org/html/rfc3986#section-4.2). This can lead to Open Redirect false-negativ...

    1 Agent Answer    1 Community Answer
    Sep 15, 2015 11:54AM UTC
  • Burp Closes Randomly.

    Hi There! I'm a user of Burp Pro, I have recently switched to a Virtualized Environment (VirtualBox) running Kali Linux. Every so often Burp will randomly close. It can happen from using the Intruder or just capturing HTTP requests. As you can imagine it's quite an annoyance, especially when testing. A colleague of mine also has this issue, however it's less frequent on his Kali ...

    2 Agent Answers    1 Community Answer
    Sep 14, 2015 01:41PM UTC
  • Issue Definitions

    Not properly sorted by name. Capital letters should not make a difference. Findings should be mapped to OWASP Top 10 and WASC.

    1 Agent Answer    0 Community Answer
    Sep 13, 2015 10:55PM UTC
  • Issues not visible if related to 404 resources

    Hello, the scanner found an XSS in the referer header, and the answer is a custom 404 page with the XSS in the answer. However, in the Target tab, the XSS is not visible if "Hide not-found items" is not disabled. Maybe vulnerabilities in the issues tab/window should always be visible... what do you think? Thank you

    2 Agent Answers    2 Community Answers
    Sep 11, 2015 10:31AM UTC
  • Failure to open a Macro Recorder dialog

    Hi, sometimes Burp fails to open a Macro Recorder dialog (Options / Sessions / Macros > Add > Record macro). I confirmed that it happens when Burp Proxy receives requests frequently (1req/5sec or more, I'm testing a web application with Ajax). When it occurs I can't close a Macro Editor dialog (frozen or there is an invisible modal dialog?). So I have to kill the burp instance ...

    2 Agent Answers    0 Community Answer
    Sep 09, 2015 07:19AM UTC
  • Cmd Key on Mac not working within Burp v1.6.26 (Java 1.8.0_60)

    The Cmd key on Mac OS 10.10.5 does not seem to be working within Burp (attempted on multiple Burp versions <=1.6.26), thus hampering the use of copy / paste / select all functions. Below are env details: java version "1.8.0_60" Java(TM) SE Runtime Environment (build 1.8.0_60-b27) Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode) Any suggestions or workarounds...

    1 Agent Answer    2 Community Answers
    Sep 08, 2015 10:22PM UTC
  • Hydra (http-get-form) + Burp = Missing GET parameters

    ## Issue * When using `http-get-form` with `HYDRA_PROXY_HTTP` set and using Burp as the proxy, the GET parameters are not being passed on. * Using other proxies (such as ZAP), or not using a proxy at all, the GET requests are correct. The issue only happens when you use burp. **Summary** ``` export HYDRA_PROXY_HTTP=http://127.0.0.1:8080 hydra -l admin -p password -e ns -F -t 1 -w 5 -v ...

    2 Agent Answers    1 Community Answer
    Sep 08, 2015 04:39PM UTC
  • Burp proxy doesn't show responses with 1xx codes in HTTP history

    On a recent engagement, we encountered an application that uses websockets. The application upgrades the connection post-login. For example, (borrowed from Wikipedia) GET /test HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw== Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 Origin: http://example.com ...

    1 Agent Answer    1 Community Answer
    Sep 04, 2015 02:37PM UTC
  • Burp does not process cookies when initializing Intruder

    I am using a site which has multiple redirects after submitting a form. After the initial POST request, Burp does not use cookies on subsequent requests. Behavior from the browser: POST request sent with cookies => 302 Redirect GET request from 302 with cookies => Another 302 GET request from second 302 with cookies => Return to page with information reflected in page Behavior u...

    2 Agent Answers    1 Community Answer
    Sep 02, 2015 11:20PM UTC
  • XSS detection is inconsistent

    Hi, I did an Active scan for one request on form submission using Burp Pro v1.6.17. It didn't list any XSS for one hidden parameter which is not encoded. If I do the same thing using Intercept proxy, XSS is listed. Later we encoded the parameter and tested for the same hidden parameter using manual scan. XSS is not listed. Just to ensure how Automated scan is working again we removed...

    1 Agent Answer    0 Community Answer
    Aug 30, 2015 10:17AM UTC