Burp Suite, the leading toolkit for web application security testing

BApp Store

The BApp Store contains Burp extensions that have been written by users of Burp Suite, to extend Burp's capabilities.

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

     Masks verbose parameter details in .NET requests.
     Extends Burp's active and passive scanning capabilities.
     Provides some additional passive Scanner checks.
     Allows encryption and decryption of AES payloads in Burp Intruder and Scanner.
     Provides a simple way to test authorization in web applications and web services.
     Helps test for authorization vulnerabilities.
     Automatically detects authorization enforcement.
     Generates and fuzzes custom AMF messages.
     Generates Intruder payloads using the Radamsa test case generator.
     Automatically renders Repeater responses in Firefox.
     Adds Ruby scripting capabilities to Burp.
     Enables collaborative usage of Burp using XMPP/Jabber.
     Integrates Crawljax, Selenium and JUnit into Burp.
     Identifies previously submitted inputs appearing in hashed form.
     Adds headers useful for bypassing some WAF devices.
     Provides a command-line interface to drive spidering and scanning.
     Adds various capabilities including SQL Mapper, User Generator and Prettier JS.
     Converts JSON To XML, XML to JSON, body parameters to JSON, and body parameters to XML.
     Copies selected request(s) as Python-Requests invocations.
     Passively scans for CSRF vulnerabilities.
     Hides and automatically handles anti-CSRF token defenses.
     Adds a new tab to log all requests and responses.
     View and modify compressed HTTP messages without changing the content-encoding.
     Passively checks for differing content in JavaScript files and aids in finding user/session data.
     Passively detects detailed server error messages.
     Processes and recognizes single sign-on protocols.
     Integrates Burp with the Faraday Integrated Penetration-Test Environment.
     Provides request history view for all Burp tools.
     Lets Burp users store Burp data and collaborate via git.
     Lets you run Google Hacking queries and add results to Burp's site map.
     Automatically identifies insertion points for GWT (Google Web Toolkit) requests.
     Converts data using a tag-based configuration to apply various encoding and escaping operations.
     Reports security issues in HTTP headers.
     Checks whether a server is vulnerable to the Heartbleed bug.
     Scans for usage of risky HTML5 features.
     Checks if a particular URL responds differently to various User-Agent headers.
     Passively scans images in responses for GPS location details.
     Extracts metadata from image files.
     Allows use of file contents and filenames as Intruder payloads.
     Posts discovered Scanner issues to an external web service.
     Adds scan checks focused on Java environments and technologies.
     Performs active and passive scans to detect Java deserialization vulnerabilities.
     Decompresses and beautifies compressed resources, to facilitate testing.
     Displays JSON messages in decoded form.
     Sends Burp Scanner issues directly to a remote Lair project.
     Logs requests and responses for all Burp tools in a sortable table.
     Allows users to manually create custom issues within the Burp Scanner results.
     Aids with documentation of OWASP Testing Guide V4 tests.
     Parses Nmap output files and adds common web ports to Burp's target scope.
     Lets you take notes and manage external documents from within Burp.
     Improves efficiency of manual parameter analysis for web penetration tests.
     Adds a custom Scanner check to identify Flex applications vulnerable to CVE-2011-2461 (APSB11-25).
     Generates payload lists based on a set of characters that are sanitized.
     Imports and passively scans Pcap files.
     Provides an additional passive Scanner check for metadata in PDF files.
     Allows viewing of PDF files directly within Burp.
     Decodes and beautifies protobuf responses.
     Allows execution of a custom Python script on each HTTP request and response.
     Automatically generates fake source IP address headers to evade WAF filters.
     Monitors traffic and looks for parameter values that are reflected in the response.
     This extension generates scripts to reissue selected requests.
     Reports issues discovered by Burp to an ElasticSearch database.
     Places a random value into a specified location within requests.
     Integrates with the Retire.js repository to find vulnerable JavaScript libraries.
     Adds a tab to Burp's message editor for decoding/encoding SAML messages.
     Adds a tab to Burp's main UI for decoding/encoding SAML messages.
     Provides a SAML message editor and a certificate management tool to help with testing SAML infrastructures.
     Performs custom scanning for vulnerabilities in web applications.
     Identifies authentication privilege escalation vulnerabilities.
     Determines server session timeout intervals.
     Fetches the responses of unrequested items in the site map.
     Passively reports server software version numbers.
     Initiates SQLMap scans directly from within Burp.
     Provides an interface to the ThreadFix vulnerability management platform.
     Allows Burp to view and modify binary SOAP objects.
     Integrates Burp with HP WebInspect.
     Displays information about IBM WebSphere Portlet state.
     Extends Intruder to aid in testing Web Application Firewalls.
     Scans a target server for WSDL files.
     Parses WSDL files and generates SOAP requests to the enumerated endpoints.
     Sends responses to a locally-running XSS-Detector server.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

If you have written, or are aware of, an extension that you would like to be included in the BApp Store, please submit your BApp to us.

Copyright © 2016 PortSwigger Ltd. All rights reserved.