Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

Feature Requests

Burp Extensions

Bug Reports

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

Feature Requests

  • "Parameter values extractor"

    Basically this is an advanced search feature which gives a list of all values assigned to a parameter. The parameter can appear either in GET, POST, etc. requests or responses, or JSON, XML, etc. messages. The parameter name should be flexible using regex, because some apps might use dynamic parameter names. This feature could help enumerate all valid and/or used values for a parameter, wh...

    1 Agent Answer    1 Community Answer
    Dec 06, 2016 03:01PM UTC
  • Session Handling Rule - On Failure - Switch Proxy

    I sometimes find in performing tests that there are devices in place that lock out web activities for 5-10 mins if too many perceived attacks are seen. I think it would be great to have a session handling rule that would check if it's valid, and if not it would switch to a different forward proxy, reauth, and continue.

    1 Agent Answer    0 Community Answer
    Nov 30, 2016 05:38PM UTC
  • Add HTTP Method as a value to the filter scope

    The current scope dialog uses protocol, host/ip, port and file as a filter, however, there are times when it would be useful to filter on HTTP method too. For example when working with a RESTful interface that uses the same URI to read (GET) and delete (DELETE) resources, it would be handy to exclude DELETE from the scope.

    1 Agent Answer    0 Community Answer
    Nov 28, 2016 11:28PM UTC
  • Monospaced font in the decoder tool

    It would be really great if the decoder tool could be made to use the font specified in the HTTP Message Display setting instead of the one used for the general UI, this would also improve the hex representation, thanks!

    1 Agent Answer    0 Community Answer
    Nov 23, 2016 07:22PM UTC
  • IResponseVariations - set attribute

    Hi, I saw the new IResponseVariations API... They are great! To increase the power of these new APIs, it would be great to be able to add custom attributes. In this way a user can add an attribute and write his own code to evaluate the variance of the attribute. Thank you for your great job! Federico

    2 Agent Answers    1 Community Answer
    Nov 23, 2016 11:10AM UTC
  • Add "Invoke Extension" to "Session Handling Action Editor"

    The "Session handling action editor" has a dropdown menu with two options to "Define behavior dependent on session validity":
    - Prompt for in-browser session recovery
    - Run a macro
    I would like to see "Invoke a Burp Extension" added as an option. Currently you can run a macro /and then/ invoke an extension, so why can't I just invoke the extension directl...

    1 Agent Answer    1 Community Answer
    Nov 14, 2016 09:59PM UTC
  • Preview insertion points in upcoming scans in scan queue

    It would be nice to see the insertion point count on upcoming scans in the queue to get a good idea of what kind of time it's going to take to scan the upcoming items. If you see you have 40 links all with 200+ insertion points you could immediately know it would take a great deal more time than the same amount of links ranging in 1-10 insertion points. I think this would be pretty handy for gi...

    1 Agent Answer    0 Community Answer
    Nov 10, 2016 10:34AM UTC
  • Scan for ONLY burp suite plugin (custom insertion point)

    I'd like to be able to launch only my plugin during a scan. I think the scanner tab should perhaps have the option of enabling/disabling a plugin in addition to the other [x] enable/disable buttons. Let's say I only want to do some custom injection test based on something I've seen in an app - I'd want to blast that string all over the place but don't care about anything else. ...

    1 Agent Answer    0 Community Answer
    Nov 10, 2016 10:24AM UTC
  • Collaborator Client

    Hi, it would be nice if the Collaborator Client also showed the Response, i.e. bt0fqqbb5tbzo2v7jim1cvzjigz, when it's copied to the Clipboard. I suspect there would be cases where I would want a different response for each Payload generated when using more than one. I'd also like to be able to save the entire set of requests and responses in one file. Thanks

    2 Agent Answers    98 Community Answers
    Nov 02, 2016 03:46PM UTC
  • A way to update previous requests from your site map with your current authentication tokens

    Hi there, I was wondering whether there was a feature, and if not, it would be useful if you could update requests from the HTTP history with current authentication cookies without the need for copying and pasting them. Just like active session management as opposed to manual. It would make retests easier and make my workflow faster. Just a thought anyway, keep up the good work.

    1 Agent Answer    0 Community Answer
    Nov 01, 2016 04:17PM UTC