Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

Feature Requests

Burp Extensions

Bug Reports

Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.


Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.


Feature Requests

  • UI change

    Dark theme/something that colours your history based on certain values, be it regex, host or whether the request is get or post.

    1 Agent Answer    0 Community Answer
    Jun 22, 2017 04:00PM UTC
  • UI Changes on Repeater Tab

    The top tab list in Burp Repeater (the multiple web requests) is terrible for when you have tens of tabs open. Please consider replacing the top tab with a left side list of requests that could be reordered (sort of like the Target tab, but without the tree-like structure). One other idea is to automatically name the requests based on the URI, so it is easier to identify. Instead of the actu...

    1 Agent Answer    0 Community Answer
    Jun 08, 2017 10:14AM UTC
  • Macro - Clear Cookie Jar

    Hello, I would like a feature in Macro; the ability to clear the cookie jar. I have tested a WAF that sets several cookies (with a name that is NOT constant) and being able to clear the cookie jar would be very helpful. (In another case, I tested a web app that added a new cookie in every 10 requests, with the format cookie_name_{12 alphanum char}. This meant that, after 100ish requests, the...

    1 Agent Answer    0 Community Answer
    Jun 07, 2017 09:50AM UTC
  • Burp misses open redirect

    Hey, I was testing an application which is listening on HTTP and does a redirect to HTTP/S, without a trailing /. Example HTTP Request: http://[victim]/XYZ Example HTTP Response: HTTP 301 Location: https://[victim]XYZ As the / is missing from the document request, we control the domain name string. There are likely ample ways to do this, but the most simple would be: http...

    1 Agent Answer    0 Community Answer
    May 18, 2017 06:39PM UTC
  • Burp Infiltrator JCR injection

    Hi Burp team, I tried Burp Infiltrator for the first time, nice tool! I noticed that it is missing out on Java JCR injections, which often have much lower impact than SQL injection but not always (and probably a lot of pentesters think it is a SQLi). Nevertheless it should be flagged. The APIs of the implementation I looked at: javax.jcr.query.InvalidQueryException: Query: select * fr...

    1 Agent Answer    0 Community Answer
    May 18, 2017 09:37AM UTC
  • Strict transport security not enforced -- misstatement of facts/lack of proof

    I'm using Pro 1.7.22, and testing a fairly normal web application, I get an issue report 'Strict transport security not enforced', which from a general perspective is correct: the application does not provide a Strict-Transport-Security header. That far, I have no complaint. However, the issue text states: 'The application fails to prevent users from connecting to it over une...

    1 Agent Answer    0 Community Answer
    May 18, 2017 06:32AM UTC
  • external service interaction -- https

    I noticed Burp supports external service interaction -- DNS, HTTP and SMTP. Do you have any plan to support external service interaction -- HTTPS? Recently we found our application is vulnerable (and exploitable) to external service interaction -- HTTPS. Thanks

    2 Agent Answers    1 Community Answer
    May 12, 2017 11:58AM UTC
  • Clean up extender tabs

    Good Morning, I just want to prefix by saying Burp is fantastic, but I find all the tabs at the top really messy when I have like 10+ extensions loaded up at once. Would it be possible to add a feature/tickbox in the settings so that if enabled all the extra tabs that come up at the top alongside target, proxy, spider, scanner etc instead come up in the next menu down only when the Extende...

    2 Agent Answers    1 Community Answer
    May 09, 2017 01:55AM UTC
  • Grouping Threads for active scan

    Hi, would be great if you could allow threads "per group". You don't want to burn one target down, but you might want to test other bits in parallel. An idea would be to allow an identifier set for a group per target in scope and then set a maximum of groups to test in parallel and how much can be tested within each group. Mark

    1 Agent Answer    0 Community Answer
    May 05, 2017 09:10AM UTC
  • content discovery API access?

    Hello, I'm working on a project where I'd like programmatic access to the Content Discovery tool. On another thread I read this agent's response: "There isn’t currently any way to use Burp’s own Content Discovery feature via the API, sorry." However, since that was in June 2016, I was wondering whether this has changed at all?

    1 Agent Answer    0 Community Answer
    May 04, 2017 02:50PM UTC