Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Bug Reports

Report a bug

  • Opening and saving an Intruder attack saves nothing

    Steps to reproduce: 1. Open a previously saved Intruder attack using the "Intruder | Open saved attack" menu item in the main window. 2. Save the attack using the "Save | Attack" menu item. Expected results: Attack state is saved to disk. Actual results: File is created on disk, but with no content (valid ZIP file with an empty Intruder file within). Burp holds a lock...

    2 Agent Answers    0 Community Answer
    Jan 12, 2017 04:15PM UTC
  • ECB Block Shuffler Payload type behaviour

    Not sure if this is bug or im doing it wrong but i tried using the ECB Payload of Burpsuite with base request of: GET /payment/callback?data=5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c80cf1fc4796100e1128df361f896eb3c3706cda0474915040 HTTP/1.1 As you can see the "data" is a sequence of 96 characters. And what i expected when i run intruder w/ "ECB Block Shuffler" would...

    2 Agent Answers    2 Community Answers
    Jan 02, 2017 02:23AM UTC
  • Version burpsuite_pro_v1.7.15 (OSX) is crashing when trying to start

    While trying to start, the burp window opens but closes just after the screen refresh. It is strange because the JVM don't crash. The worst part is, I can not use the older version to reopen the project as now burps understand it was created for a newer version. Thanks

    1 Agent Answer    0 Community Answer
    Dec 21, 2016 06:33PM UTC
  • Viewing aspx extensions

    Hi, When using Burp Suite Pro I've come across a problem where the response tabs are unable to display the raw response from aspx file extensions. When copying the raw response into both classic Notepad and Notepad++ the raw response displays fine as HTML. Sending the response to the decoder also displays HTML - without using any of the encode or decode options. The proxy, intercept, i...

    1 Agent Answer    0 Community Answer
    Dec 20, 2016 04:49PM UTC
  • Cancelling a repeater request looses history

    In the repeater, if a request is timing out and it is cancelled then the history is lost, i.e. the arrows stop working and you can't see other requests. Done it for me a few times on current test so very repeatable.

    1 Agent Answer    1 Community Answer
    Dec 15, 2016 10:51AM UTC
  • Mouse events ignored in filter text boxes

    In some text inputs like the filters (by search term, by file extension: show/hide) in both the Target and Proxy tab seem to update the internals only when there's a keystroke event fired in them (the user either deletes or types some characters using the keyboard). This ignores mouse events, which in case of Burp means that people on Unix-like systems (tested on Linux/X11) can paste into the...

    1 Agent Answer    0 Community Answer
    Dec 15, 2016 09:26AM UTC
  • Java crypto policy files overwritten on upgrade

    I'm testing a site which requires the alternative Java crypto policy files, I put them in place but after a Burp upgrade they were put back to the original ones. Left me confused as to why I could no longer access the site. It would be nice to be able to place them somewhere and reference them rather than having them overwritten.

    1 Agent Answer    1 Community Answer
    Dec 14, 2016 09:48AM UTC
  • Cacheable responses

    HTTP, not just HTTPS responses obey the cache control headers, yes? So, shouldn't the finding for '' be more generic. I noted in a recent test the burp does NOT catch these cache issues when HTTP is the protocol in use. I guess I'll research the standards more, but thought to ask for yo...

    1 Agent Answer    1 Community Answer
    Dec 13, 2016 10:54PM UTC
  • Burp not working correctly if WAF uses connection reset

    Hi, I am currently expecting a strange issue with Burp, which affects the active scanner. I have used the active scanner against a web application which is protected by some kind of WAF. The WAF works like this: if the request contains "alert(" (without quotes), then reset connection I have analysed the requests with the "Flow" extension and it looks like that a few XSS pa...

    1 Agent Answer    0 Community Answer
    Dec 13, 2016 10:25AM UTC
  • Missing Directory Listing vulnerability

    Hello, In a recent engagement I found page that indeed there is directory listing but burp cannot identify it in any way. The source page also contains the string "Directory Listing For /....". I have run active and passive scan on the affected URL. Thank you

    1 Agent Answer    0 Community Answer
    Dec 02, 2016 06:34PM UTC