403 Bypasser
A Burp Suite extension made to automate the process of bypassing 403 pages. Heavily based on Orange Tsai's talk 'Breaking Parser Logic
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
27 September 2022
Active Scan++
Extends Burp's active and passive scanning capabilities.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
23 November 2023
Add & Track Custom Issues
Create custom issues in Burp Scanner results, using predefined issue templates.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 February 2022
Additional Scanner Checks
Provides some additional passive Scanner checks.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
21 December 2018
AES Payloads
Allows encryption and decryption of AES payloads in Burp Intruder and Scanner.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
04 February 2022
Anonymous Cloud, Configuration and Subdomain Takeover Scanner
Burp extension that performs a passive scan to identify cloud buckets and then test them for publicly accessible vulnerabilities.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
17 January 2023
Asset Discovery
Custom passive scan checks for asset discovery.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
12 September 2019
Autowasp
Integrates Burp issues logging, with OWASP Web Security Testing Guide (WSTG), to provide a streamlined web security testing flow for the modern-day penetration tester!
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
10 February 2022
AWS Cognito
Identify info from requests to AWS Cognito, provide passive scan checks and suggest request templates.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
13 December 2023
AWS Security Checks
Additional Scanner checks for AWS security issues.
Professional
Rating
Estimated system impact
Overall impact:
Medium
Popularity
Last updated
18 January 2018
Backslash Powered Scanner
Finds unknown classes of injection vulnerabilities.
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
10 October 2023
Batch Scan Report Generator
Generates multiple scan reports by host with just a few clicks.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
04 February 2022
BCheck Helper
This extension provides a quick way to view and download BChecks in any given GitHub repository.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
04 January 2024
BeanStack - Stack-trace Fingerprinter
Java Fingerprinting using Stack Traces.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
04 February 2022
Broken Link Hijacking
Discover broken links
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
23 July 2019
Buby
Adds Ruby scripting capabilities to Burp.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
14 February 2017
Burp Bounty, Scan Check Builder
Extend the Burp active and passive scanner by creating custom scan checks with an intuitive graphical interface.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
04 February 2022
Burp-hash
Identifies previously submitted inputs appearing in hashed form.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
28 August 2015
Carbonator
Provides a command-line interface to drive spidering and scanning.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
23 January 2017
Client-Site Path Traversal Exploitation
Find and exploit Client-Side Path Traversal.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
30 October 2024
Cloud Storage Tester
Test Amazon S3, Google Storage and Azure Storage for common misconfiguration issues.
Professional
Rating
Estimated system impact
Overall impact:
Medium
Popularity
Last updated
25 February 2022
CMS Scanner
Scan for common vulnerabilities in popular CMS.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
03 October 2017
Code Dx
Uploads scan reports directly to CodeDx, a software vulnerability correlation and management system.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
06 June 2018
Collabfiltrator
Exfiltrate blind remote code execution output over DNS via Burp Collaborator
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
21 February 2022
Collaborator Everywhere
Augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
09 January 2023
Cookie Decrypter
Decrypts/decodes various types of cookies.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
12 July 2019
Copy to BCheck
Converts requests into BCheck scripts.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
28 July 2023
CORS*, Additional CORS Checks
Test websites for CORS misconfigurations.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
08 June 2022
Cryptojacking Mine Sweeper
Detects script includes from over 14000+ known cryptojacking domains.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
24 October 2018
CSP-Bypass
Passively scans for CSP headers that contain known bypasses or other potential weaknesses.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
24 January 2017
CSRF Scanner
Passively scans for CSRF vulnerabilities.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
04 February 2022
Cypher Injection Scanner
A Burp Suite Extension that detects Cypher code injection
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
26 August 2021
Detect Dynamic JS
Passively checks for differing content in JavaScript files and aids in finding user/session data.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
17 December 2018
Discover Reverse Tabnabbing
Identify areas in your application that are vulnerable to Reverse Tabnabbing.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
06 December 2019
Distribute Damage
Evenly distributes scanner load across targets.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
06 January 2023
DNS Analyzer
Find DNS vulnerabilities in web applications.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
18 September 2023
DNS Exfilnspector
Automagically decode DNS Exfiltration queries to convert Blind RCE into proper RCE via Burp Collaborator.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
24 January 2024
Dradis Framework
Send Scanner issues to Dradis collaboration and reporting framework.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
23 February 2024
Encode IP
Encode an IP address focused to bypass application IP / domain blacklist.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 September 2023
Error Message Checks
Passively detects detailed server error messages.
Professional
Rating
Estimated system impact
Overall impact:
Medium
Popularity
Last updated
15 August 2023
Faction Integration
Integrates Burp with the Faction assessment collaboration framework.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
02 April 2024
File Upload Traverser
Checks whether file uploads are vulnerable to path traversal
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
03 August 2017
Freddy, Deserialization Bug Finder
Helps detect and exploit deserialization vulnerabilities in Java and .Net
Professional
Rating
Estimated system impact
Overall impact:
Medium
Popularity
Last updated
02 April 2020
GAT Security Platform Integration
Integrates with GAT Digital
Professional
Rating
Estimated system impact
Overall impact:
Medium
Popularity
Last updated
13 July 2023
GraphQL Raider
Test endpoints implementing GraphQL
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
12 August 2019
GWT Insertion Points
Automatically identifies insertion points for GWT (Google Web Toolkit) requests.
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 August 2021
Header Guardian
Identify missing, misconfigured, and unnecessary HTTP security headers
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
30 October 2024
Header Issue Reporter
Identifies and reports issues in headers
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
22 June 2023
Headers Analyzer
Reports security issues in HTTP headers.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
24 November 2014
History Explorer
Filter search results per host.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
28 February 2024
Host Header Inchecktion
Find host header injection vulnerabilities
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
10 February 2023
HTML5 Auditor
Scans for usage of risky HTML5 features.
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 August 2021
HTTPoxy Scanner
Scans for the HTTPoxy vulnerability.
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 August 2021
Identity Crisis
Checks if a particular URL responds differently to various User-Agent headers.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
22 January 2015
Image Location and Privacy Scanner
Passively scans jpeg / png / tiff for embedded GPS, IPTC, and camera-proprietary location & privacy exposures.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
26 February 2020
Image Size Issues
Detects potential denial of service attacks in image retrieval functions.
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 August 2021
iRule Detector
Detect a Remote Code or Command Execution (RCE) vulnerability in some implementations of F5 Networks’ popular BigIP load balancer
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
08 August 2019
Issue Poster
Posts discovered Scanner issues to an external web service.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
07 September 2015
J2EEScan
Adds scan checks focused on Java environments and technologies.
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
High
Popularity
Last updated
25 August 2021
JavaScript Security
Performs checks for cross-domain scripting against the DOM, subresource integrity checks, and evaluates JavaScript resources against threat intelligence data.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
10 September 2019
JS Link Finder
Burp Extension for passively scanning JavaScript files for endpoint links.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
05 September 2019
JS Miner
Tries to find interesting stuff inside static files; mainly JavaScript and JSON files.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
20 July 2023
Kollaborator Module Builder
Allows you to write your own Python script to handle collaborator interactions.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
09 January 2024
Lair
Sends Burp Scanner issues directly to a remote Lair project.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 January 2017
Log4Shell Everywhere
A Burp Suite extension which augments your proxy traffic by injecting log4shell payloads into headers.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
16 December 2021
Log4Shell Scanner
Enumerates hidden Log4Shell-affected hosts.
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
05 October 2023
Manual Scan Issues
Allows users to manually create custom issues within the Burp Scanner results.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
23 May 2017
NGINX Alias Traversal
Detects NGINX alias traversal due to misconfiguration.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
03 December 2021
Nmap Scanner
Integrate Nmap into Burp's interface.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
30 October 2024
NoSQLi Scanner
A scanner to detect NoSQL Injection vulnerabilities.
Professional
Rating
Estimated system impact
Overall impact:
Medium
Popularity
Last updated
01 February 2021
Nucleus Burp Extension
Allows Burp Suite scans to be pushed to the Nucleus platform
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
23 February 2021
OAUTH Scan
Provides some automatic security checks, which could be useful when testing applications implementing OAUTHv2 and OpenID standards.
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
01 December 2022
ParrotNG
Adds a custom Scanner check to identify Flex applications vulnerable to CVE-2011-2461 (APSB11-25).
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 August 2021
Passkey Scanner
Recognizes and scans Passkey (webauthn) protocols and detects security issues.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
16 January 2024
Pcap Importer
Imports and passively scans Pcap files.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
04 April 2017
PDF Metadata
Provides an additional passive Scanner check for metadata in PDF files.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
20 April 2017
Pentagrid Scan Controller
Improve automated and semi-automated active scanning
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
08 July 2022
PHP Object Injection Check
Finds PHP object injection vulnerabilities.
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
26 August 2021
Prototype Pollution Gadgets Finder
Detect and analyze server-side prototype pollution vulnerabilities in web applications.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
09 October 2024
Qualys WAS
Provides a way to easily push Burp scanner findings to the Qualys Web Application Scanning (WAS) module.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
22 October 2024
Quoted-Printable Parser
Parses Content-Transfer-Encoding
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 August 2020
Reflected Parameters
Monitors traffic and looks for parameter values that are reflected in the response.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
10 November 2014
Report To Elastic Search
Reports issues discovered by Burp to an ElasticSearch database.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
10 May 2017
Retire.js
Integrates with the Retire.js repository to find vulnerable JavaScript libraries.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
14 December 2021
RouteVulScan
This plug-in can recursively detect vulnerable paths. You can customize related paths, matching information and vulnerability names.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
08 March 2023
SameSite Reporter
Passively reports various SameSite flags
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
12 June 2020
Semgrepper
Use Semgrep inside Burp Suite
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
20 July 2023
Sentinel
Performs custom scanning for vulnerabilities in web applications.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
20 December 2022
Session Auth
Identifies authentication privilege escalation vulnerabilities.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
24 January 2017
Session Tracking Checks
Checks for the presence of known session tracking sites
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
05 January 2018
Software Version Reporter
Passively reports server software version numbers.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
22 April 2021
Software Vulnerability Scanner
Software vulnerability scanner based on Vulners.com audit API
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
09 April 2019
SQLMap DNS Collaborator
Helps you perform DNS exfiltration with Sqlmap with zero configuration needed.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
24 March 2021
SRI Check
Identifies missing Subresource Integrity attributes
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
12 July 2019
Swagger Parser
Parse Swagger documents - view in a table and send to other tools.
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
14 June 2024
Taborator
Improved Collaborator client in its own tab
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
20 December 2022
ThreadFix
Provides an interface to the ThreadFix vulnerability management platform.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 January 2017
Type Confusion Scanner
Compares HTTP response codes (200, 500, etc) when altering the
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
11 September 2023
Upload Scanner
Test file uploads with payloads embedded in meta data for various file formats.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
21 February 2022
URL Fuzzer - 401/403 Bypass
Fuzz URLs for HTTP parser inconsistencies
Professional
Rating
Estimated system impact
Overall impact:
Empty
Popularity
Last updated
09 January 2024
WAFDetect
Passively detects web application firewalls from HTTP responses.
Professional
Enterprise
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
25 August 2021
Web Cache Deception Scanner
Detect web cache misconfigurations with Burp.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
23 November 2017
WebInspect Connector
Integrates Burp with HP WebInspect.
Professional
Rating
Estimated system impact
Overall impact:
Low
Popularity
Last updated
10 August 2016
XSS Validator
Sends responses to a locally-running XSS-Detector server.
Professional
Rating
Estimated system impact
Overall impact:
High
Popularity
Last updated
10 February 2022