Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Bug Reports

Report a bug

  • Fatal alert: handshake_failure for TLS1.2 enabled site

    Hey forum, I've got a problem where Burp is not able to proxy traffic to a certain domain due to SSL/TLS handshake failure. The site is configured to use TLS1.2 with a strong key exchange and key. This is from Chrome's Dev Tools: "The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher...

    5 Agent Answers    14 Community Answers
    Oct 18, 2016 05:12PM UTC
  • Cert validity too long

    Hi, The error described in the following link still happens with the latest version of Burp (1.7.07), despite being resolved as fixed in the September 8 release (1.7.06):

    2 Agent Answers    5 Community Answers
    Oct 14, 2016 03:41AM UTC
  • IMessageEditor.isMessageModified() does not detect modification

    I have an extension that uses IMessageEditor.isMessageModified() to determine when a user has modified a request. This works when a user explicitly types a change, however, it does not return true after a user has right-clicked the request and selected either "Change request method" or "Change body encoding" with no keyboard interaction.

    3 Agent Answers    3 Community Answers
    Oct 07, 2016 01:21AM UTC
  • Send to Decoder character limit

    Hi there Any reason Send to Decoder only transfers the first 10,000 characters? When I copy and paste, the whole lot comes over - granted, that's a different buffer, but given that Send to Repeater handles larger blocks, this seems like a bug. If it *is* necessary, a warning would be useful. Thanks Jerome

    1 Agent Answer    0 Community Answer
    Sep 27, 2016 09:25AM UTC
  • processProxyMessage doesn't take changes from processHttpMessage into account

    Hey guys, I am not sure if this is a bug or intended behavior but I wanted to let you know anyway. At work I recently made a small plugin that simply adds a custom header to outgoing requests by overriding processHttpMessage of IHttpListener. Obviously this doesn't show in the HTTP History tab but usually plugins like Logger++ log the request exactly as it hits the wire. In my partic...

    3 Agent Answers    2 Community Answers
    Sep 26, 2016 08:43PM UTC
  • SSL SNI not used with upstream proxy

    Hello, SSL SNI works properly on regular connections but not on connections through upstream http proxy. After getting Handshake_Failure alerts when using an upstream http proxy I've confirmed that the "Server_Name" extension is missing for SSL handshakes when an upstream proxy is enabled. Could you please confirm if it is a bug or should I check anything else? Det...

    1 Agent Answer    3 Community Answers
    Sep 21, 2016 07:08PM UTC
  • Burp Active Scanner in Normal mode misses trivial Postgresql SQL Injection

    Hi, Burp Active Scanner in 'normal' mode misses trivial Postgresql SQL Injection such as the following:;SELECT+PG_SLEEP(5)+-- Changing the 'scan speed' option to 'thorough' and the 'scan accuracy' to 'minimize false negatives' does detect the issue, however, it detects it as 'tentative'; by using a ...

    0 Community Answer
    Sep 21, 2016 02:40PM UTC
  • Burp Active Scanner Issue

    Hi, We have recently come across an issue with the active scanner. As soon as the scanner is launched with default settings , the load of the java process on the CPU increases exponentially and reaches 400% at which point burp scanner stops sending out requests (this is with less than 10 threads in the queue). I have also tried to reduce the number of concurrent threads to 1, the load on ...

    8 Agent Answers    17 Community Answers
    Sep 15, 2016 09:42AM UTC
  • Incorrect statement regarding HTML5 cross-origin resource sharing

    Hello, In burp, the issue regarding "Access-Control-Allow-Origin: *" is described as follows: Issue detail The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request which allows access from any domain. Allowing access from all domains means that any domain can perform two-way interaction with the application via this request. Unless the resp...

    2 Agent Answers    1 Community Answer
    Sep 14, 2016 12:32PM UTC
  • buggy double click auto selection in response

    bellow is response: HTTP/1.1 200 OK Server: openresty Date: Wed, 14 Sep 2016 04:28:37 GMT Content-Type: text/html Connection: keep-alive Vary: Accept-Encoding X-Powered-By: PHP/5.4.11 Content-Length: 3600 4c34f891fdb738cacf2f58e7f05d78c20a38cf70d9f55d888c2c1e2ebb580020b81cdfd7651b613f5f2378af5d1e46ddcfec66790623bba7544b66412bd00555c59734e344ef736e04e22d84dfffed7b4d5163367e291606e685f8...

    2 Agent Answers    0 Community Answer
    Sep 14, 2016 05:06AM UTC