Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?


Feature Requests


Burp Extensions


Bug Reports

Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.


Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.


Bug Reports


  • Mouse events ignored in filter text boxes

    Some text inputs, like the filters (by search term, by file extension: show/hide) in both the Target and Proxy tabs, seem to update the internals only when there's a keystroke event fired in them (the user either deletes or types some characters using the keyboard). This ignores mouse events, which in case of Burp means that people on Unix-like systems (tested on Linux/X11) can paste into the...

    1 Agent Answer    0 Community Answer
    Dec 15, 2016 09:26AM UTC
  • Java crypto policy files overwritten on upgrade

    I'm testing a site which requires the alternative Java crypto policy files, I put them in place but after a Burp upgrade they were put back to the original ones. Left me confused as to why I could no longer access the site. It would be nice to be able to place them somewhere and reference them rather than having them overwritten.

    1 Agent Answer    1 Community Answer
    Dec 14, 2016 09:48AM UTC
  • Cacheable responses

    HTTP, not just HTTPS responses obey the cache control headers, yes? So, shouldn't the finding for 'https://portswigger.net/KnowledgeBase/issues/Details/00700100_CacheableHTTPSresponse' be more generic? I noted in a recent test that Burp does NOT catch these cache issues when HTTP is the protocol in use. I guess I'll research the standards more, but thought to ask for yo...

    1 Agent Answer    1 Community Answer
    Dec 13, 2016 10:54PM UTC
  • Burp not working correctly if WAF uses connection reset

    Hi, I am currently experiencing a strange issue with Burp, which affects the active scanner. I have used the active scanner against a web application which is protected by some kind of WAF. The WAF works like this: if the request contains "alert(" (without quotes), then reset connection. I have analysed the requests with the "Flow" extension and it looks like a few XSS pa...

    1 Agent Answer    0 Community Answer
    Dec 13, 2016 10:25AM UTC
  • Missing Directory Listing vulnerability

    Hello, In a recent engagement I found a page where there is indeed a directory listing, but Burp cannot identify it in any way. The source page also contains the string "Directory Listing For /....". I have run active and passive scans on the affected URL. Thank you

    1 Agent Answer    0 Community Answer
    Dec 02, 2016 06:34PM UTC
  • Repeater Content-Length is not recalculated when json content is modified

    Hi, Quite often in the repeater when you deal with a POST with a Content-Type: application/json;charset=utf-8, when you modify the json body the repeater doesn't recalculate the content-length header. If you add some characters after the json structure the repeater recalculates the content length, but if you modify the json structure the content-length is not recalculated. This is very ann...

    3 Agent Answers    3 Community Answers
    Dec 01, 2016 09:21AM UTC
  • Let's Encrypts certificates

    Burp appears to mark certs issued by Let's Encrypt as untrusted. Because of this, some plugins, like the relatively recent Dradis Framework plugin will fail.

    1 Agent Answer    3 Community Answers
    Nov 29, 2016 11:16AM UTC
  • Burp Suite SSL Certificate Error (peer not authenticated)

    Hi, We have encountered a weird error while intercepting an application with SSL. 1480321180146 Repeater Auto-selected SSL parameters for domainstagxyz.domainxyz.com: default protocols, TLS_DH_anon_WITH_AES_256_GCM_SHA384 1480321180146 Repeater javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated 1480321252531 Proxy javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated ...

    3 Agent Answers    2 Community Answers
    Nov 28, 2016 09:40AM UTC
  • handshake failure using strong cipher suites

    Description: Clients requesting (exclusively) strong cipher suites are unable to connect to Burp proxy. Burp always causes handshake failure. Software used: oracle jdk1.8.0_122, burp suite 1.7.06. How to reproduce: remove restrictions for strong cipher suites in java; setup burp proxy to listen transparently on e.g. 127.0.0.1:9999; run openssl s_client -cipher 'ECDHE-RSA-AES256-SHA384...

    6 Agent Answers    9 Community Answers
    Nov 21, 2016 10:19AM UTC
  • In the active scan, sqli and judgment has a problem

    My English is not good. In the active scan, for (and 1=1) and (and 1=2) the returned result is different, but the scan did not detect it. There is a problem.

    1 Agent Answer    0 Community Answer
    Nov 20, 2016 01:59AM UTC