Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Feature Requests

Post a feature request

  • Use long/verbose parameters for curl command

    At the moment the tool generates the following curl command: curl -i -s -k -X $'GET' $'https://10.10.10.10/' If using the long version of the parameters it will be presented as: curl --include --silent --insecure --request $'GET' $'https://10.10.10.10/' Using the long version of the commands improve readability and makes more clear which options...

    1 Agent Answer    1 Community Answer
    Jul 07, 2017 01:22PM UTC
  • Proxy: "Match and replace" target IP address/port of request (not just Host header)

    A new dropdown would be necessary. Would be handy to have a tick box to automatically do the host header also Thanks!

    1 Agent Answer    0 Community Answer
    Jun 29, 2017 11:45AM UTC
  • search results value extraction

    I couldn't find a way to do this in the current gui. Would it be possible to add a grep value extractor, similar to what we have in intruder, to the overall search window? eg. I may search for all requests with a certain value, but want to be able to see that, or another value in columns of the search window. Thanks

    2 Agent Answers    2 Community Answers
    Jun 27, 2017 03:04PM UTC
  • CSRF Token Bypass

    I really need to bypass CSRF token. in my case every time i request, the CSRF will generate new token in the header. so the next request in repeater i need to put the new csrf. i tried to use macro but support said its for token in the body only. so i cant use it for my case. please make a feature to able repeat with the new csrf token

    1 Agent Answer    0 Community Answer
    Jun 26, 2017 12:43AM UTC
  • After injecting the payload via POST/GET request, check if a specific string is present

    Hello, I'm trying to figure out if it's present an extension or a native Burp function to check if a string (or the payload by itself) is present on multiple (or individual) specified webpages after the payload gets processed via POST/GET request -- it would be very useful for Repeater and Intruder (and maybe others). Example: I do a GET request to http://example.org/jsonget.php?add=ยง...

    3 Agent Answers    4 Community Answers
    Jun 25, 2017 06:31PM UTC
  • UI change

    Dark theme/something that colours your history based on certain values, be it regex, host or whether the request is get or post.

    2 Agent Answers    1 Community Answer
    Jun 22, 2017 04:00PM UTC
  • UI Changes on Repeater Tab

    the top tab list in Burp Repeater (the multiple web requests) is terrible for when you have tens of tabs open. Please consider replacing the top tab with a left side list of requests that could be reordered (sort of like the Target tab, but without the tree-like structure). One other idea is to automatically name the requests based on the URI, so it is easier to identify. Instead of the actu...

    1 Agent Answer    0 Community Answer
    Jun 08, 2017 10:14AM UTC
  • Macro - Clear Cookie Jar

    Hello, I would like a feature in Macro; the ability to clear the cookie jar. I have tested a WAF that sets several cookies (with a name that is NOT constant) and being able to clear the cookie jar would be very helpful. (In another case, I tested a web app that added a new cookie in every 10 requests, with the format cookie_name_{12 alphanum char}. This meant that, after 100ish requests, the...

    1 Agent Answer    0 Community Answer
    Jun 07, 2017 09:50AM UTC
  • Burp misses open redirect

    Hey, I was testing an application which is listening on HTTP and does a redirect to HTTP/S, without a trailing /. Example HTTP Request: http://[victim]/XYZ Example HTTP Response: HTTP 301 Location: https://[victim]XYZ As the / is missing from the document request, we control the domain name string. There are likely ample of ways to do this, but the most simple would be: http...

    1 Agent Answer    0 Community Answer
    May 18, 2017 06:39PM UTC
  • Burp Infiltrator JCR injection

    Hi Burp team, I tried Burp Infiltrator for the first time, nice tool! I noticed that it is missing out on Java JCR injections, which often have much lower impact than SQL injection but not always (and probably a lot of pentesters think it is a SQLi). Nevertheless it should be flagged. The API's of the implementation I looked at: javax.jcr.query.InvalidQueryException: Query: select * fr...

    1 Agent Answer    0 Community Answer
    May 18, 2017 09:37AM UTC