Burp Suite, the leading toolkit for web application security testing

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways. This page contains technical details to help you develop Burp extensions. For help on loading extensions into Burp and using the Extender tool, please see the Burp Extender help.

Extensions can be written in Java, Python or Ruby.

Use the links below to access full technical details of the APIs for extending Burp:

The extensibility API is extremely rich and powerful, and lets extensions carry out numerous useful tasks. You can:

  • Process and modify HTTP requests and responses for all Burp tools.
  • Access key runtime data, such as the Proxy history, target site map, and Scanner issues.
  • Initiate actions like scanning and spidering.
  • Implement custom scan checks and register scan issues.
  • Customize the placement of attack insertion points within scanned requests.
  • Provide custom Intruder payloads and payload processors.
  • Query and update the Suite-wide target scope.
  • Query and update the session handling cookie jar.
  • Implement custom session handling actions.
  • Add custom tabs and context menu items to Burp's user interface.
  • Use Burp's native HTTP message editor within your own user interface.
  • Customize Burp's HTTP message editor to handle data formats that Burp does not natively support.
  • Analyze HTTP requests and responses to obtain headers, parameters, cookies, etc.
  • Build, modify and issue HTTP requests and retrieve responses.
  • Read and modify Burp's configuration settings.
  • Save and restore Burp's state.
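To make several of the capabilities above concrete (processing responses from all Burp tools, reading headers, querying the target scope), here is an added example, not code from PortSwigger or from the original page: a Java extension that passively annotates in-scope responses lacking common security headers. The header list, extension name and highlight colour are assumptions chosen for this example; it compiles against the Extender API interfaces in the `burp` package.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Burp looks for a class named burp.BurpExtender in the extension JAR.
public class BurpExtender implements IBurpExtender, IHttpListener {
    // Assumed policy for this example: headers every in-scope response should carry.
    private static final List<String> EXPECTED = Arrays.asList(
            "strict-transport-security", "x-content-type-options", "x-frame-options");

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Missing security header flagger");
        callbacks.registerHttpListener(this);    // called for traffic from all Burp tools
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        if (messageIsRequest) {
            return;                               // only responses are inspected
        }
        URL url = helpers.analyzeRequest(messageInfo).getUrl();
        if (!callbacks.isInScope(url)) {
            return;                               // respect the Suite-wide target scope
        }
        List<String> missing = new ArrayList<String>(EXPECTED);
        if (!"https".equals(url.getProtocol())) {
            missing.remove("strict-transport-security");  // HSTS only applies over HTTPS
        }
        for (String header : helpers.analyzeResponse(messageInfo.getResponse()).getHeaders()) {
            int colon = header.indexOf(':');      // the status line has no header name
            if (colon > 0) {
                missing.remove(header.substring(0, colon).trim().toLowerCase(Locale.ROOT));
            }
        }
        if (!missing.isEmpty()) {
            // Read-only check: annotate the item, leave the message itself unchanged.
            messageInfo.setComment("Missing headers: " + missing);
            messageInfo.setHighlight("yellow");
        }
    }
}
```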

For help on getting started, you can refer to Writing your first Burp Suite extension, which includes some sample stub code that you can use to base your extension on.

Below are some examples of simple extensions, including examples using Java, Python and Ruby:

For more help and examples of Burp extensions, you can refer to the Burp Extensions User Forum.

Note: Because of the way in which Jython and JRuby dynamically generate Java classes, you may encounter memory problems if you load several different Python or Ruby extensions, or if you unload and reload an extension multiple times. If this happens, you will see an error like:

java.lang.OutOfMemoryError: PermGen space

You can avoid this problem by configuring Java to allocate more PermGen storage, by adding a -XX:MaxPermSize option to the command line when starting Burp. For example:

java -XX:MaxPermSize=1G -jar burp.jar

 

Tuesday, April 15, 2014

v1.6

Burp Suite Free Edition v1.6 contains significant new features added since v1.5, including support for WebSockets messages, PKCS#11 client SSL certificates contained in smart cards and physical tokens, a new Extender tool, allowing dynamic loading and unloading of multiple extensions, and the BApp Store, allowing quick and easy installation of extensions written by other Burp users.

Burp Suite Professional contains a number of bugfixes and tweaks, added since the last beta version.

Copyright © 2014 PortSwigger Ltd. All rights reserved.