Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Bug Reports

Report a bug

  • SSL SNI not used with upstream proxy

    Hello, SSL SNI works properly on regular connections but not on connections through upstream http proxy. After getting Handshake_Failure alerts when using an upstream http proxy I've confirmed that the "Server_Name" extension is missing for SSL handshakes when an upstream proxy is enabled. Could you please confirm if it is a bug or should I check anything else? Det...

    0 Community Answer
    Sep 21, 2016 07:08PM UTC
  • Burp Active Scanner in Normal mode misses trivial Postgresql SQL Injection

    Hi, Burp Active Scanner in 'normal' mode misses trivial Postgresql SQL Injection such as the following: https://www.example.com/x?a=10;SELECT+PG_SLEEP(5)+-- Changing the 'scan speed' option to 'thorough' and the 'scan accuracy' to 'minimize false negatives' does detect the issue, however, it detects it as 'tentative'; by using a ...

    0 Community Answer
    Sep 21, 2016 02:40PM UTC
  • Burp Active Scanner Issue

    Hi, We have recently come across an issue with the active scanner. As soon as the scanner is launched with default settings , the load of the java process on the CPU increases exponentially and reaches 400% at which point burp scanner stops sending out requests (this is with less than 10 threads in the queue). I have also tried to reduce the number of concurrent threads to 1, the load on ...

    7 Agent Answers    16 Community Answers
    Sep 15, 2016 09:42AM UTC
  • Incorrect statement regarding HTML5 cross-origin resource sharing

    Hello, In burp, the issue regarding "Access-Control-Allow-Origin: *" is described as follows: Issue detail The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request which allows access from any domain. Allowing access from all domains means that any domain can perform two-way interaction with the application via this request. Unless the resp...

    2 Agent Answers    1 Community Answer
    Sep 14, 2016 12:32PM UTC
  • buggy double click auto selection in response

    bellow is response: HTTP/1.1 200 OK Server: openresty Date: Wed, 14 Sep 2016 04:28:37 GMT Content-Type: text/html Connection: keep-alive Vary: Accept-Encoding X-Powered-By: PHP/5.4.11 Content-Length: 3600 4c34f891fdb738cacf2f58e7f05d78c20a38cf70d9f55d888c2c1e2ebb580020b81cdfd7651b613f5f2378af5d1e46ddcfec66790623bba7544b66412bd00555c59734e344ef736e04e22d84dfffed7b4d5163367e291606e685f8...

    2 Agent Answers    0 Community Answer
    Sep 14, 2016 05:06AM UTC
  • Intruder: Make it easier to retrieve long payloads from attack results

    If a payload is quite long (when using, for example, the Bit Flipper payload on a long session token), it's truncated in the displayed results grid when the column is expanded. This isn't great, but it's livable if the whole original value could be retrieved by another method. Unfortunately there doesn't appear to be a way to do that. The Save Results Table function also tru...

    1 Agent Answer    0 Community Answer
    Sep 13, 2016 04:53PM UTC
  • Unable to Repeat a Saved Attack

    I am using Burp Suite Pro 1.7.06 with Java version 1.8.0_102 on Windows 10. I am able to open saved attacks via the "Intruder" > "Open Saved Attack" menu, but when I then select "Attack" > "Repeat" in the resulting pop-up nothing happens. I have checked the "Alerts" tab and there are no messages generated.

    1 Agent Answer    0 Community Answer
    Sep 08, 2016 04:07PM UTC
  • Burp Scanner does not recognize Open Redirect

    Burp Scanner does not recognize Open Redirect: When checking the raw scanner requests/responses with Logger++ I spotted the following Open Redirect situation that was not recognized/reported by the scanner: POST-parameter xxx can be used to set redirect target Website replies with "HTTP/1.1 302 Found" with user-controlled Location header with value of parameter xxx The followin...

    2 Agent Answers    2 Community Answers
    Sep 08, 2016 11:33AM UTC
  • Burp fails loading CSS, responds extremely sluggish, CPU up to 100%

    Hi, I am using Burp on a Mac Book Pro (End 2013, 16 GB Ram) latest version (1.7.05). Burp has come to a point, that I can hardly use it for my day to day work: When doing an application test with Burp and Firefox (most recent, 48.0.2 at this time), the connection via burp is quite slow (and gets slower over time), and the browser fails to display CSS scripts. Also, every now and then, the CPU of ...

    1 Agent Answer    1 Community Answer
    Sep 07, 2016 09:47AM UTC
  • Match-Replace Doesn't Work With External js Files

    Hi, I'm not sure that this phenomenon is a bug or is an intentional "feature" and I've searched support and the community, but... I set up a series of rather heavy-handed filters, using "Match and Replace" - 4 to be exact - matching a string literal ("facebook" :) ). Items: Request header, Request body, Response header, Response body. Everything wo...

    1 Agent Answer    0 Community Answer
    Sep 04, 2016 01:43AM UTC