Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Burp Extensions

Make a new post

  • Burp scanner: how to add support for csrf tokens

    I'm having an issue with the Burp Scanner: when anti-csrf tokens are present, it seems the scanner cannot handle it and it faild to perform active/passive scans. Would it be possible through Burp Extension capabilities to add a feature so Burp checks each requests, extracts the CSRF token, and adds it to the submittion request? Thanks,

    3 Agent Answers    2 Community Answers
    Sep 23, 2016 12:23PM UTC
  • applyMarker in Ruby - java Class Cast Exception

    I am using Ruby to develop an extender, that do passive scan for a particular string in response. Everything is working fine apart from applyMarkers. When applyMarkers method is called I am receive the below error. Any Idea how to fix this ? How to Cast? what is [I in java ? Error: java.lang.RuntimeException: java.lang.ClassCastException: org.jruby.RubyArray cannot be cast to [I Thanks

    1 Agent Answer    1 Community Answer
    Sep 21, 2016 06:58PM UTC
  • makeHttpRequest (timeout)

    Hi, I am creating a Burp extension which is using the makeHttpRequest functionality in order to send some requests, but I would like to assign a maximum timeout to these request. Some of them could not have a response. How I could do this? Cheers, Daniel

    1 Agent Answer    0 Community Answer
    Sep 20, 2016 03:26PM UTC
  • Potentially misconfigured headers from extension "Header Analyzer"

    The "Header Analyzer" extension reports the following issue: Potentially misconfigured headers: Header name: x-xss-protection. Header value: 1; mode=block My response contains this header: X-XSS-Protection: 1; mode=block As far as I know, that is a correct header? Can anyone explain why this extension says it is "potentially misconfigured? Thanks

    1 Agent Answer    0 Community Answer
    Sep 13, 2016 09:31PM UTC
  • Why Burp asks to activate license when starting by cmd.exe

    Hi all, I met a problem with Burp. I developed a java extension to launch burp in cmd.exe. I wrote a .bat file and call it by Java Runtime. It asks me to activate the license again. If I open the .bat file directly, it won't ask for activation. But if I open the .bat file by Java Runtime object like this: Runtime runtime = Runtime.getRuntime(); runtime.exec("cmd /k start...

    2 Agent Answers    1 Community Answer
    Sep 08, 2016 02:04AM UTC
  • Forcing Burp to open w/ scanner unpaused?

    Is is possible to force Burp to open in a state which scans are forcibly unpaused? I'm working on a project where we call doActiveScans() to a single entry from getProxyHistory(), and upon clicking on the "Scanner" tab, the scans in queue are marked as "waiting".

    1 Agent Answer    0 Community Answer
    Sep 06, 2016 08:42PM UTC
  • Loading external jars from extensions

    Hello, I am building a Burp extension and I would like to incorporate external JARs, for example the gson library to store some settings in a file. For the life of me I can't figure out how to get this configured correctly in Eclipse, even though I see some extensions in the bapp store actually do this. I have created a folder called lib in my eclipse project folder and included the ext...

    2 Agent Answers    2 Community Answers
    Aug 29, 2016 06:48AM UTC
  • How to enable SQLiPy on Burp

    I have added SQLiPy on Burp and I can see the tab too however I am not sure what to be added in the proxy and port to start it. Even when I tried adding it with my PC's proxy nothing is happening when I click on Start scanning.

    1 Agent Answer    0 Community Answer
    Aug 24, 2016 08:17AM UTC
  • Stop scanning form API call

    Hi, Is there any API to stop scanning and start scanning. I want to stop scanning when session is invalidated and resume on proper sessions. How can I achieve this. Regards, Sid

    1 Agent Answer    0 Community Answer
    Aug 24, 2016 07:10AM UTC
  • Spider treating active scan URLs with injected parameter queries as new urls to spider.

    I built an extension that successfully spiders the application, but I have a problem where when active scanning starts in earnest, eventually it starts adding injected URLs into the scanning scope, thus duplicated the amount of work that needs to be done. I cannot find a configuration to shut off the behavior of identifying a URL with query params as a unique URL. I know that OWASP's ZA...

    1 Agent Answer    0 Community Answer
    Aug 16, 2016 04:08PM UTC