Support Center

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.


Burp Extensions


  • updateCookieJar: Domain cannot be null

    I have written an extension that submits a login, reads a cookie in the response, and adds it to the cookie jar. The cookie in the response does not include a domain attribute. Set-Cookie: token=znNMQ6l4WvwAQDdmu1rIMxWHiC84Hy4YJ4B1vgQ05oPPuKh-SxG3g_DjhfRbgaTDqMCmAFnUQ9_3M; Path=/; Expires=Wed, 16 Nov 2016 00:16:39 GMT; HttpOnly; Secure I get the cookie as an ICookie from the response: I...

    1 Agent Answer    1 Community Answer
    Nov 15, 2016 12:40AM UTC
  • Add a relative url to a scoped domain

    I'm trying to dynamically add relative URLs to a scoped domain using the addToSiteMap() method via the Python API and am having a lot of trouble. addToSiteMap(IHttpRequestResponse item) It requires an IHttpRequestResponse object which can be retrieved using... * getProxyHistory() * getSiteMap(java.lang.String urlPrefix) * makeHttpRequest(IHttpService httpService, byte[] request) ...

    1 Agent Answer    1 Community Answer
    Nov 03, 2016 08:36PM UTC
  • ISessionHandling - use toolflags to find out where the request comes from

    Hello, something really cool is that the IHttpListener interface provides a method: "processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo)" where you can use the toolFlag variable to find out where the request comes from (Proxy, Repeater etc.). I was wondering if I could use this (toolFlags) somehow in the performAction() method? Is it p...

    2 Agent Answers    1 Community Answer
    Nov 02, 2016 01:22PM UTC
  • Macro

    Hopefully this question isn't too stupid, but is it possible to run a macro from an extension? I'm trying to set up an automation process where Burp will run my extension, the extension will run a login macro and then analyze the results. Thanks

    2 Agent Answers    1 Community Answer
    Nov 01, 2016 12:25PM UTC
  • Pasting dynamically generated text into an intercepted HTTP request / response

    Hi everyone, I am attempting to add a new feature to my extension. Basically I would like to add dynamically generated text (for instance plain HTML) into an intercepted HTTP request or response. Currently I am not sure what is the best (or easiest) way to achieve this. It would be nice if I am able to implement it like the following: 1. The user enables the HTTP interceptor 2. The user sele...

    1 Agent Answer    1 Community Answer
    Oct 29, 2016 02:22PM UTC
  • ISessionHandling - detect if proxy is clicked in the tools scope (programmatically) - Java

    Hello, I would like to know if there is a solution for detecting (programmatically) whether the checkmark is clicked on "Proxy (use with caution)" in the session handling rule editor? I am using the ISessionHandling interface to manipulate some requests and I have one method which should only be called when the checkmark is clicked (something like isProxyActive...). I also would li...

    3 Agent Answers    3 Community Answers
    Oct 27, 2016 07:10AM UTC
  • Type is showing up as "Legacy Java" ??

    Hi, I am just starting to learn about writing extensions for Burp and am using Eclipse/Java. I have built and run my first "Hello World" extension and am wondering why Burp is showing it as "Legacy Java" on the Extender/Extensions tab. Is it because I have added the BurpSuite jar to my project by going to Project->Properties on the top toolbar, selecting "Java Build ...

    1 Agent Answer    0 Community Answer
    Oct 25, 2016 04:58PM UTC
  • decoding/encoding http request

    Hello, I want to use the following request to send it to the server! /**********************************************/ POST /vaadin_vulnerabilities/UIDL/?v-uiId=2 HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0....

    1 Agent Answer    0 Community Answer
    Oct 19, 2016 12:56PM UTC
  • Intruder/Payload pattern-matching algorithms

    Hello everyone, I have to "copy" some of the functionalities within Burp for writing my own extension. This includes the "Intruder" tab as well. To be honest the "Intruder" tab in Burp is really really amazing. It automatically preselects some variables which can be interesting for you. You are also able to add variables in a manual way. What I need to know is h...

    1 Agent Answer    0 Community Answer
    Oct 18, 2016 01:40PM UTC
  • IHttpRequestResponse - setRequest(byte[] message)

    I am currently working on writing my own extension for Burp Suite: I get an exception when using the "setRequest(byte[] message)" from the IHttpRequestResponse interface, which looks like: java.lang.UnsupportedOperationException: Data is read only at burp.wgf.setRequest(Unknown Source) at burp.BurpExtender.sendRequest( at burp.BurpExtender$1$1.actionPerform...

    2 Agent Answers    1 Community Answer
    Oct 13, 2016 12:50PM UTC