Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

Feature Requests

Burp Extensions

Bug Reports

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Feature Requests

  • Allow Match and Replace to change destination hostname

    Please allow the Match and Replace function to change the destination address as well. It would make it easier to test certain scenarios where requests have to be redirected to different hosts.

    3 Agent Answers    3 Community Answers
    Jul 20, 2017 01:23PM UTC
  • Burp Suite Enquiry about settings

    In proxy options, there is a bind address option in which there is a specific address option. In the free edition, I cannot give a specific address manually; there is a list of addresses, and we cannot give any specific address. So I wanted to know whether this functionality is supported in Burp Suite Professional edition.

    1 Agent Answer    0 Community Answer
    Jul 20, 2017 06:33AM UTC
  • match and replace for the websocket

    Possible to add a match and replace for the websockets? Someone made a plugin for it in the past, but it isn't working anymore.

    1 Agent Answer    0 Community Answer
    Jul 19, 2017 02:16PM UTC
  • Add a "Response Received" column in Proxy History

    As discussed ~ 1 year ago:

    0 Community Answer
    Jul 18, 2017 10:53PM UTC
  • Add "Extension provided checks" to "Active / Passive Scanning Areas"

    Currently, active and passive checks initiated by extensions are run for every scan (i.e. even if no "Scanning Areas" are selected). Having new Scanning Areas (one for passive, one for active) dedicated to extension-provided checks would be nice. I consider that disabling every check but one (like "External interactions" for Infiltrator-based testing) and having extensio...

    1 Agent Answer    0 Community Answer
    Jul 18, 2017 08:56PM UTC
  • Use long/verbose parameters for curl command

    At the moment the tool generates the following curl command: curl -i -s -k -X $'GET' $'' If using the long version of the parameters it will be presented as: curl --include --silent --insecure --request $'GET' $'' Using the long version of the commands improves readability and makes more clear which options...

    1 Agent Answer    1 Community Answer
    Jul 07, 2017 01:22PM UTC
  • Proxy: "Match and replace" target IP address/port of request (not just Host header)

    A new dropdown would be necessary. Would be handy to have a tick box to automatically do the host header also. Thanks!

    1 Agent Answer    0 Community Answer
    Jun 29, 2017 11:45AM UTC
  • search results value extraction

    I couldn't find a way to do this in the current GUI. Would it be possible to add a grep value extractor, similar to what we have in Intruder, to the overall search window? E.g. I may search for all requests with a certain value, but want to be able to see that, or another value, in columns of the search window. Thanks

    2 Agent Answers    2 Community Answers
    Jun 27, 2017 03:04PM UTC
  • CSRF Token Bypass

    I really need to bypass CSRF token. In my case every time I request, the CSRF will generate a new token in the header. So for the next request in Repeater I need to put the new CSRF. I tried to use a macro but support said it's for tokens in the body only, so I can't use it for my case. Please make a feature to be able to repeat with the new CSRF token.

    1 Agent Answer    0 Community Answer
    Jun 26, 2017 12:43AM UTC
  • After injecting the payload via POST/GET request, check if a specific string is present

    Hello, I'm trying to figure out if it's present an extension or a native Burp function to check if a string (or the payload by itself) is present on multiple (or individual) specified webpages after the payload gets processed via POST/GET request -- it would be very useful for Repeater and Intruder (and maybe others). Example: I do a GET request to§...

    3 Agent Answers    4 Community Answers
    Jun 25, 2017 06:31PM UTC