Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?


Feature Requests


Burp Extensions


Bug Reports

Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.


Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.


Burp Extensions


  • Building a Burp Intruder extension that generates multiple payloads for a single request.

    I'm working on a Burp Intruder extension for pen-testing our own custom API. As part of the protocol, a HMAC is generated by the client and added to the header, along with another custom header parameter. The body contains a number of JSON fields, the values of which are also used in the HMAC. I need to generate the HMAC from the JSON body and the custom header parameter for each request,...

    1 Agent Answer    0 Community Answer
    May 11, 2016 06:44AM UTC
  • Burp Extender socks5

    I want to develop an extender in Jython. The extender is a port scan. I want all the traffic to go through SOCKS5. How do I

    1 Agent Answer    0 Community Answer
    May 11, 2016 04:53AM UTC
  • Variable Persistence

    Is there a way to persist a variable between requests in an extension? For example I want to take a parameter from one response and then in a later request use this to calculate a different parameter? The value which needs to be sent in the later request is based on the first response, but I need to do some calculations on it first so I can't just save it using a macro and replay it later.

    1 Agent Answer    1 Community Answer
    May 09, 2016 09:27PM UTC
  • Burp Extension

    I am trying to create a Burp extension which scans for particular text in the response. Now I want this text to be dynamically defined by the user. How do I do that? As in, consider search functionality as an extension which monitors all your responses and searches for the keywords you want it to search. What's the best approach here?

    1 Agent Answer    0 Community Answer
    May 09, 2016 10:07AM UTC
  • Manual Scan Issues Extension exception with Burp 1.7

    java.lang.NullPointerException at burp.BurpExtender.createMenuItems(BurpExtender.java:76) at burp.nbd.a(Unknown Source) at burp.bmc.a(Unknown Source) at burp.ofc.a(Unknown Source) at burp.ofc.a(Unknown Source) at burp.v7.a(Unknown Source) at burp.v7.mouseReleased(Unknown Source) at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source) at java.awt.Component.processMouseEv...

    1 Agent Answer    0 Community Answer
    Apr 25, 2016 08:40PM UTC
  • Modify Response depending on request

    Hi, I need to write a Python extension to modify responses depending on what the actual request was. Responses coming from the server may be the same for different requests (like 400 Forbidden). I am using the IProxyListener interface, but I see that it handles requests and responses separately, i.e. (message is request OR message is not request). How can I adjust my response based on what the ...

    1 Agent Answer    0 Community Answer
    Apr 07, 2016 01:54PM UTC
  • extension - Burp-hash

    I've been using the Burp-hash extension but it's starting to be unreliable. Is anyone else getting a lot of false Issues reported with the Burp-hash extension? I get the following often and it's not even valid within itself. Issue detail The REQUEST contains a SHA-384 hashed value that matches an observed parameter. Observed hash: 933dc2a4011e4e919771d764300888ad70d70357000000004...

    1 Agent Answer    0 Community Answer
    Apr 06, 2016 10:46PM UTC
  • wsdler and Basic Authentication

    I am using WSDLER against a web service which uses basic authentication. Even with 'Platform Authentication' enabled (Options>Connections) and the correct host/type/username/password set, attempting to parse the WSDL results in a "Can't parse WSDL" error. If I download the verbose version of wsdler (see https://blog.netspi.com/hacking-web-services-with-burp/) the stack ...

    1 Agent Answer    0 Community Answer
    Apr 05, 2016 07:00PM UTC
  • Request/response timing

    Hi, I've been playing with the Java API to try and extract timing info for Intruder sessions. Using the custom logger as a base, I'm putting the request URL and current time into a map, then when a response is received, looking up the URL in the map, getting the time and subtracting it from the current time. Is this a reliable way of approaching it? It seems to produce reasonable results.

    1 Agent Answer    0 Community Answer
    Mar 22, 2016 04:37PM UTC
  • Highlighting in extension-generated IScanIssue instances

    Built-in scanner issues can apply highlight to both requests and responses, however I don't see any API to do so in IScanIssue instances generated by extensions. The method getHttpMessages() returns an array of IHttpRequestResponse instances, but that only has a get/setHighlight() used for color highlighting, not the positional highlights used by built-in scan issues. Am I missing something? ...

    1 Agent Answer    1 Community Answer
    Mar 18, 2016 01:05PM UTC