login

Burp Suite, the leading toolkit for web application security testing

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways. This page contains technical details to help you develop Burp extensions. For help on loading extensions into Burp and using the Extender tool, please see the Burp Extender help.

Extensions can be written in Java, Python or Ruby.

Use the information below to access full technical details of the APIs for extending Burp:

  • View the online Javadoc for the latest Burp API.
  • To view or save a copy of the interface code files for your version of Burp, go to Extender / APIs.

Numerous extensions written by Burp users are available to install from the BApp Store.

The extensibility API is extremely rich and powerful, and lets extensions carry out numerous useful tasks. You can:

  • Process and modify HTTP requests and responses for all Burp tools.
  • Access key runtime data, such as the Proxy history, target site map, and Scanner issues.
  • Initiate actions like scanning and spidering.
  • Implement custom scan checks and register scan issues.
  • Customize the placement of attack insertion points within scanned requests.
  • Provide custom Intruder payloads and payload processors.
  • Query and update the Suite-wide target scope.
  • Query and update the session handling cookie jar.
  • Implement custom session handling actions.
  • Add custom tabs and context menu items to Burp's user interface.
  • Use Burp's native HTTP message editor within your own user interface.
  • Customize Burp's HTTP message editor to handle data formats that Burp does not natively support.
  • Analyze HTTP requests and responses to obtain headers, parameters, cookies, etc.
  • Build, modify and issue HTTP requests and retrieve responses.
  • Read and modify Burp's configuration settings.
  • Save and restore Burp's state.

For help on getting started, you can refer to Writing your first Burp Suite extension, which includes some sample stub code that you can use to base your extension on.

Below are some examples of simple extensions, including examples using Java, Python and Ruby:

For more help and examples of Burp extensions, you can refer to the Burp Extensions User Forum.

Note: Because of the way in which Jython and JRuby dynamically generate Java classes, you may encounter memory problems if you load several different Python or Ruby extensions, or if you unload and reload an extension multiple times. If this happens, you will see an error like:

java.lang.OutOfMemoryError: PermGen space

You can avoid this problem by configuring Java to allocate more PermGen storage, by adding a -XX:MaxPermSize option to the command line when starting Burp. For example:

java -XX:MaxPermSize=1G -jar burp.jar

 

User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Monday, October 20, 2014

v1.6.06

This release includes some major enhancements to the Scanner engine. Burp can now automatically report the following new types of issues: Perl code injection, PHP code injection, Ruby code injection, Server-side JavaScript code injection, File path manipulation, Serialized object in HTTP message, Client-side JSON injection, Client-side XPath injection, Document domain manipulation, Link manipulation, and DOM data manipulation.

See all release notes ›

Copyright © 2014 PortSwigger Ltd. All rights reserved.