Burp Extender lets you load Burp extensions, which extend Burp's functionality using your own or third-party code. From here you can load and manage extensions, view details about installed extensions, install extensions from the BApp Store, view the current Burp Extender APIs, and configure how extensions are handled. Note that an extension runs inside the Burp process with the same privileges as Burp itself and can read and modify all of the traffic Burp handles, so only load code you trust.
Burp extensions can customize Burp's behavior in numerous ways, such as modifying HTTP requests and responses, customizing the UI, adding custom Scanner checks, and accessing key runtime information, including the Proxy history, Target site map and Scanner results.
For help on creating your own Burp extensions, see the main extensibility documentation.
The table lists the installed extensions. You can add, remove and reorder extensions using the buttons beside the table. Please note:
Selecting an item in the extensions table shows information about that extension in the lower panel.
The Details tab shows the following information:
The Output tab shows the extension's standard output stream, and the Error tab shows its standard error stream. For each stream, you can configure whether the extension's output is directed to the system console, saved to a file, or displayed in the UI. Please note:
The BApp Store contains Burp extensions that have been written by users of Burp Suite, to extend Burp's capabilities.
You can view the list of available BApps, install specific BApps, and submit user ratings for those you have installed.
If you do not have Internet access from the machine that is running Burp, you can download BApp files from the BApp Store web site, and manually install them into Burp.
Some BApps are written in Python or Ruby, and require you to download Jython or JRuby, and configure Burp with the location of the relevant language interpreters. Some BApps may require a more recent version of Burp, or a different edition of Burp.
This tab contains details of the APIs that are available for creating Burp extensions. The listing shows the APIs that are available in the version of Burp that is running. Select the name of an interface from the list to show the interface code in full.
You can also use the "Save interface files" and "Save Javadoc files" buttons to save local copies of these files, for use when developing extensions.
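The following is an added example, not code from the Burp documentation or from PortSwigger, showing how the interfaces listed under the APIs tab fit together: a minimal extension that registers an HTTP listener, tags each request passing through the Proxy with an extra header, and writes its log lines to the streams that feed the Output and Error tabs. It uses the legacy burp.* Extender API (IBurpExtender, IBurpExtenderCallbacks, IHttpListener, IExtensionHelpers, IRequestInfo) exactly as those interfaces are published; the extension name and the X-Example-Extension header are illustrative choices, not anything Burp defines.

```java
package burp;

import java.io.PrintWriter;
import java.util.Arrays;
import java.util.List;

// Added example against the legacy Burp Extender API. Burp loads the class
// burp.BurpExtender from the JAR and calls registerExtenderCallbacks() once.
public class BurpExtender implements IBurpExtender, IHttpListener {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private PrintWriter stdout;
    private PrintWriter stderr;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        // Whatever is written to these streams appears in the extension's
        // Output and Error tabs (or the console / a file, per the settings).
        this.stdout = new PrintWriter(callbacks.getStdout(), true);
        this.stderr = new PrintWriter(callbacks.getStderr(), true);

        callbacks.setExtensionName("Header tagger (example)"); // illustrative name
        callbacks.registerHttpListener(this);
        stdout.println("Loaded; tagging requests that pass through the Proxy");
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        // Only rewrite requests, and only those originating from the Proxy tool;
        // Scanner, Repeater and Intruder traffic is left untouched.
        if (!messageIsRequest || toolFlag != IBurpExtenderCallbacks.TOOL_PROXY) {
            return;
        }
        try {
            byte[] request = messageInfo.getRequest();
            // analyzeRequest(IHttpRequestResponse) keeps the HTTP service, so
            // getUrl() below can build a full URL rather than throwing.
            IRequestInfo info = helpers.analyzeRequest(messageInfo);
            List<String> headers = info.getHeaders();
            // The body starts at getBodyOffset(); it is carried over unchanged.
            byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);

            // Hypothetical header name, used only for this illustration.
            headers.add("X-Example-Extension: 1");
            messageInfo.setRequest(helpers.buildHttpMessage(headers, body));

            stdout.println("Tagged " + info.getMethod() + " " + info.getUrl());
        } catch (Exception e) {
            // Report failures on the error stream so they show in the Error tab
            // instead of silently dropping the listener's work for this message.
            stderr.println("Failed to tag request: " + e);
        }
    }
}
```

Compile it against the interface files saved with "Save interface files" (for example, javac -d out burp/*.java followed by jar cf example.jar -C out .) and add the resulting JAR under Extender > Extensions with extension type Java. The "Tagged ..." lines then appear in the Output tab, and anything caught by the handler in the Error tab, which is a quick way to confirm the listener is actually seeing Proxy traffic.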
This setting controls how Burp handles extensions when starting up. When Burp starts up, it automatically restores the configured list of available extensions. If this option is selected, Burp will also automatically try to reload any extensions in the list that were loaded at the time when Burp was shut down.
Note: If Burp was shut down with this setting selected, and you nonetheless want to restart it without automatically reloading any extensions, start Burp with the --disable-extensions command line flag (for example, java -jar burp.jar --disable-extensions). This prevents Burp from automatically reloading any extensions; the configured list is still restored, so you can reload individual extensions by hand afterwards.
These settings let you configure the environment for executing extensions that are written in Java. If your extensions use any libraries, you can specify a folder from which libraries will be loaded. Burp will search this folder and any subfolders for JAR files, and will include these in the classpath of the classloader that is used to load Java extensions.
These settings let you configure the environment for executing extensions that are written in Python. To use Python extensions, you will need to download Jython, which is a Python interpreter implemented in Java. The following options are available:
Note: Because of the way in which Jython dynamically generates Java classes, you may encounter memory problems if you load several different Python extensions, or if you unload and reload a Python extension multiple times. On Java 7 and earlier, this shows up as an error like:
java.lang.OutOfMemoryError: PermGen space
You can avoid this problem by configuring Java to allocate more PermGen storage, by adding a -XX:MaxPermSize option to the command line when starting Burp. For example:
java -XX:MaxPermSize=1G -jar burp.jar
On Java 8 and later the permanent generation no longer exists (class metadata lives in Metaspace, which is not capped by default), so -XX:MaxPermSize is ignored with a warning; the equivalent error there is java.lang.OutOfMemoryError: Metaspace, and the corresponding option is -XX:MaxMetaspaceSize.
These settings let you configure the environment for executing extensions that are written in Ruby. To use Ruby extensions, you will need to download JRuby, which is a Ruby interpreter implemented in Java. Note that you can either configure the location of the JRuby JAR file here, or you can load the JAR file on startup via the Java classpath.
Note: If you load several Ruby extensions, the same PermGen issue described for the Python environment can arise, because JRuby also generates Java classes at runtime, and it is resolved in the same way.
Get help and join the community discussions at the Burp Suite Support Center.
This release adds a new Scanner check for path-relative style sheet import (PRSSI) vulnerabilities.
These issues are not widely understood by security testers or application developers, and real vulnerabilities are quite prevalent in the wild. A PRSSI vulnerability arises when a page imports a style sheet via a relative URL and the application tolerates extra path segments in the URL, so a crafted link makes the browser fetch the page itself as its style sheet; in quirks mode the browser then parses the HTML as CSS, which lets an attacker inject attacker-controlled styling and read page content. The impact is in many cases serious, and equivalent to cross-site scripting (XSS).