Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

Feature Requests

Burp Extensions

Bug Reports

Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.


Feature Requests


  • Individual Enable/Disable Tickboxes for Platform Authentication Tickboxes

    At the moment (and in the future) it would help during my testing that each set of credentials would have a tickbox next to them to enable or disable them. E.g. I use my basic authentication to log in as admin, then log in as a normal user, and then as admin again. Currently I would have to insert the credentials each time; with a tickbox, I would only have to select/deselect the credentials I ...

    1 Agent Answer    0 Community Answer
    Jan 08, 2016 11:15AM UTC
  • Update Header in Session Handling/Macros

    Hello, I'm working on an application that uses a CSRF token for the login forms. The token is a hidden value in the webpage, e.g. <input name="CSRFToken" type="hidden" value="ZIlN2m8eqXX4mWOJr3wkNLGeobE2oUqGBaeKpYWaJe1yK7oQKRx8H2A-8X6rqiMIM7nQNwGPI1uryEA-3wWh5iii_kbq-Pkfp-z9uR5eGnxRCOkE0" /> The token is then applied to the subsequent login as an HTM...

    2 Agent Answers    1 Community Answer
    Jan 05, 2016 06:51PM UTC
  • Intruder Dates payload: extend functionality to include times

    The helpfulness of this payload when fuzzing a date/time parameter is automatic handling of the wrapping of values back to 1 when appropriate (i.e., avoid March 32nd). Extending the Dates payload with time components (down to 1-second resolution) would be logical and helpful to handle the wrapping of hours, minutes, and seconds.

    1 Agent Answer    1 Community Answer
    Dec 17, 2015 07:21PM UTC
  • Numbers Intruder payload: add an option to request all in a range randomly instead of sequentially

    .

    0 Community Answer
    Dec 17, 2015 07:02PM UTC
  • Improve flexibility of Proxy Match and Replace

    There are already a couple of requests to handle specific use cases of conditional Match and Replace that were declined -- and I have my own use case as well -- but I'd like to suggest a couple of generic options that could be implemented in the existing interface to avoid the need to write extensions for less complicated cases. - Add a checkbox to apply the rule to only the in-scope doma...

    1 Agent Answer    0 Community Answer
    Dec 17, 2015 05:57PM UTC
  • Remember setting for "Request in Browser: current/original session" In future just copy an...

    It would be nice if there was a permanent setting for "in future just copy and skip dialog." Bonus points for hotkeys for original/current session. Thanks for BSP...

    0 Community Answer
    Dec 16, 2015 05:51AM UTC
  • Map findings to OWASP and WASC Threat Classification v2.0

    Every finding should be mapped to OWASP at a minimum. Every effort should be made to also map to WASC Threat Classification v2.0: http://projects.webappsec.org/w/page/13246978/Threat%20Classification

    0 Community Answer
    Dec 13, 2015 08:51PM UTC
  • New and updated findings

    Scanner > Issue definition: Delete: Type index Add: Creation date Add: Modification date

    0 Community Answer
    Dec 13, 2015 08:45PM UTC
  • Burp Suite would be more useful if the software provided a server running version

    Potentially a web interface, so that it could sit on a test server as a stub, with the ability to inspect and reject packet history. The ability to only inspect the UI locally makes it limited in usefulness for sitting in the integration/soak test stack etc. Aside from that, it's a good product if it meets your use case.

    1 Agent Answer    0 Community Answer
    Nov 30, 2015 02:30PM UTC
  • How do I avoid referer header

    I am using Burp to check the security level of our web application. But my application usually checks the referer header. If this header is changed, the session will time out. So, how do I test my web application except for the referer header? I have already tried removing some check boxes, e.g. "HTTP header" from Attack Insertion Point and "Header manipulation" from Active scanning ...

    2 Agent Answers    1 Community Answer
    Nov 25, 2015 02:34AM UTC