Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?


Feature Requests


Burp Extensions


Bug Reports

Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

  • Full Documentation Contents
  • Burp Projects
  • Suite Functions
  • Burp Tools
  • Options
  • Using Burp Suite

Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

  • API documentation
  • Writing your first Burp Suite extension
  • Sample extensions
  • View community discussions about Extensibility

Bug Reports

Report a bug

  • Hard-to-read HTML pages such as Extender and Documentation

    I just noticed that most of the internally-accessible BurpSuite documentation isn't being shown correctly on my installation, as well as the Extender tool is difficult to read since the HTML source code is shown instead. Does anyone else see this behavior? I'm also attaching two screenshots to better explain what I mean. The Extender tool: http://imgur.com/nwW46yu The internal do...

    1 Agent Answer    4 Community Answers
    Nov 11, 2016 07:23PM UTC
  • XSS False positive

    I have some reflected XSS reported as high+certain when actually there's no vulnerability. There is a specific header (anti-CSRF) which is added by some JS on the page. Since a request from another domain won't be able to add this header, it is not possible to have the reflected work. I believe Burp should be able to identify this as a non-XSS. Tx for the great tool, Best regards, ...

    1 Agent Answer    1 Community Answer
    Nov 03, 2016 11:27AM UTC
  • negotiate authentication trouble

    I'm using the latest version of Burp Suite Professional. I try to log in to a website with Negotiate authentication, but Burp Suite doesn't accept Negotiate authentication. How can I fix that?

    1 Agent Answer    0 Community Answer
    Nov 03, 2016 10:30AM UTC
  • Target of CONNECT Sends Data First, Data not seen by Client; Expected?

    Four scenarios: 1) Client -> Target 2) Client -> Squid -> Target 3) Client -> Burp Proxy (CONNECT) -> Target 4) Client -> Burp -> Squid -> Target * The underlying communications between the client and target is not HTTP; it's some custom protocol * Burp 1.7, Java 6 :sad_face:, Windows 32-bit :sadder_face: Scenarios 1 and 2 work no issue. Scenario 2 plays o...

    1 Agent Answer    1 Community Answer
    Nov 01, 2016 02:41PM UTC
  • Burp Suite 1.7.08 Infected/Backdoored?

    burpsuite_pro_v1.7.08.jar MD5: eb98fc4432cff3e288afd2bd2b6b3661 SHA256: 5b20bc2f1b236af3049a155fa8f122f5d91097041ebf17964bd640aa439ecaaf infected/backdoored? https://www.virustotal.com/ru/file/5b20bc2f1b236af3049a155fa8f122f5d91097041ebf17964bd640aa439ecaaf/analysis/1477760598/

    1 Agent Answer    0 Community Answer
    Oct 29, 2016 05:10PM UTC
  • Fatal alert: handshake_failure for TLS1.2 enabled site

    Hey forum, I've got a problem where Burp is not able to proxy traffic to a certain domain due to SSL/TLS handshake failure. The site is configured to use TLS1.2 with a strong key exchange and key. This is from Chrome's Dev Tools: "The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher...

    2 Agent Answers    9 Community Answers
    Oct 18, 2016 05:12PM UTC
  • Cert validity too long

    Hi, The error described in the following link still happens with the latest version of Burp (1.7.07), despite being resolved as fixed in the September 8 release (1.7.06): https://support.portswigger.net/customer/portal/questions/16671002-tls-certificate-validity-period-that-is-too-long

    2 Agent Answers    5 Community Answers
    Oct 14, 2016 03:41AM UTC
  • IMessageEditor.isMessageModified() does not detect modification

    I have an extension that uses IMessageEditor.isMessageModified() to determine when a user has modified a request. This works when a user explicitly types a change, however, it does not return true after a user has right-clicked the request and selected either "Change request method" or "Change body encoding" with no keyboard interaction.

    0 Community Answer
    Oct 07, 2016 01:21AM UTC
  • Send to Decoder character limit

    Hi there Any reason Send to Decoder only transfers the first 10,000 characters? When I copy and paste, the whole lot comes over - granted, that's a different buffer, but given that Send to Repeater handles larger blocks, this seems like a bug. If it *is* necessary, a warning would be useful. Thanks Jerome

    1 Agent Answer    0 Community Answer
    Sep 27, 2016 09:25AM UTC
  • processProxyMessage doesn't take changes from processHttpMessage into account

    Hey guys, I am not sure if this is a bug or intended behavior but I wanted to let you know anyway. At work I recently made a small plugin that simply adds a custom header to outgoing requests by overriding processHttpMessage of IHttpListener. Obviously this doesn't show in the HTTP History tab but usually plugins like Logger++ log the request exactly as it hits the wire. In my partic...

    3 Agent Answers    2 Community Answers
    Sep 26, 2016 08:43PM UTC