BApp Store

The BApp Store contains Burp extensions that have been written by users of Burp Suite, to extend Burp's capabilities.

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Submit a BApp

If you have written, or are aware of, an extension that you would like to be included in the BApp Store, please submit your BApp to us .

Update a BApp

The process for updating a BApp is as follows:

  1. The author creates a pull request against PortSwigger's fork of their repository.
  2. The author emails support@portswigger.net to tell us that they've opened a pull request.
  3. We review the changes and merge them into the PortSwigger fork.
  4. We test the extension for loading errors.
  5. We publish the updated version to the BApp Store.

BApp Extensions

Sort by
Name Rating Popularity Last updated

Masks verbose parameter details in .NET requests.

Professional Community
Estimated system impact
Overall impact: Low
23 January 2017

A Burp Suite extension made to automate the process of bypassing 403 pages. Heavily based on Orange Tsai's talk 'Breaking Parser Logic

Professional
Estimated system impact
Overall impact: Low
27 September 2022

Allows you to assess 5G core network functions by parsing OpenAPI 3.0, and generate requests for intrusion testing purposes.

Professional Community
Estimated system impact
Overall impact: Low
23 September 2021

Extends Burp's active and passive scanning capabilities.

Professional
Estimated system impact
Overall impact: Low
23 November 2023

Create custom issues in Burp Scanner results, using predefined issue templates.

Professional
Estimated system impact
Overall impact: Low
25 February 2022

Add or update custom HTTP headers from session handling rules. Useful for JWT.

Professional Community
Estimated system impact
Overall impact: Low
08 July 2020

Read URLs from files or clipbaord and add the discovered information to the site map of the selected host(s)

Professional Community
Estimated system impact
Overall impact: Low
28 November 2022

Adds a context menu item to quickly add hosts to TLS pass through.

Professional Community
Estimated system impact
Overall impact: Empty
25 January 2024

Performs additional checks for CSRF vulnerabilities in a semi-automated manner.

Professional Community
Estimated system impact
Overall impact: Low
14 December 2018

Provides some additional passive Scanner checks.

Professional
Estimated system impact
Overall impact: Low
21 December 2018

Generate payload processors on the fly - without having to create individual extensions.

Professional Community
Estimated system impact
Overall impact: Low
31 January 2022

Decrypt AES traffic on the fly

Professional Community
Estimated system impact
Overall impact: Low
13 May 2021

Allows encryption and decryption of AES payloads in Burp Intruder and Scanner.

Professional
Estimated system impact
Overall impact: Low
04 February 2022

Helps identifying injection flaws (LFI, RCE, SQLi), authentication/authorization issues, and HTTP 403 access violations, while also converting HTTP requests to JavaScript for enhanced XSS exploitation.

Professional Community
Estimated system impact
Overall impact: Medium
30 August 2024

Burp extension that performs a passive scan to identify cloud buckets and then test them for publicly accessible vulnerabilities.

Professional
Estimated system impact
Overall impact: Low
17 January 2023

Automatically takes care of anti-CSRF tokens by fetching them from the referer and replacing them in requests.

Professional Community
Estimated system impact
Overall impact: Low
28 February 2020

Custom passive scan checks for asset discovery.

Professional
Estimated system impact
Overall impact: Low
12 September 2019

Save previosuly loaded assets.

Professional Community
Estimated system impact
Overall impact: Empty
23 May 2024

Use static analysis to identify web app endpoints by parsing routes and identying parameters.

Professional Community
Estimated system impact
Overall impact: Low
16 December 2021

This Burp Extension helps you to find authorization bugs by repeating Proxy requests with self defined headers and tokens.

Professional Community
Estimated system impact
Overall impact: Low
08 May 2024

Helps automated scanning accessing/refreshing tokens, replacing tokens in XML and JSON body,replacing tokens in cookies.

Professional Community
Estimated system impact
Overall impact: Low
09 April 2024

Provides a simple way to test authorization in web applications and web services.

Professional Community
Estimated system impact
Overall impact: Low
15 October 2021

Helps test for authorization vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

This extension allows you to automatically Drop requests that match a certain regex.

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

Automatically repeat requests, with replacement rules and response diffing.

Professional Community
Estimated system impact
Overall impact: Low
06 June 2023

Automatically detects authorization enforcement.

Professional Community
Estimated system impact
Overall impact: Low
29 November 2024

Integrates Burp issues logging, with OWASP Web Security Testing Guide (WSTG), to provide a streamlined web security testing flow for the modern-day penetration tester!

Professional
Estimated system impact
Overall impact: Low
10 February 2022

Identify info from requests to AWS Cognito, provide passive scan checks and suggest request templates.

Professional
Estimated system impact
Overall impact: Empty
13 December 2023

Additional Scanner checks for AWS security issues.

Professional
Estimated system impact
Overall impact: Medium
18 January 2018

Signs requests with AWS Signature Version 4

Professional Community
Estimated system impact
Overall impact: Low
08 June 2022

Used for signing AWS requests with SigV4.

Professional Community
Estimated system impact
Overall impact: Medium
03 August 2023

Finds unknown classes of injection vulnerabilities.

Professional Enterprise
Estimated system impact
Overall impact: Low
10 October 2023

Reviews backup, old, temporary and unreferenced files on web server for sensitive information

Professional Community
Estimated system impact
Overall impact: Low
04 August 2022

Generates multiple scan reports by host with just a few clicks.

Professional
Estimated system impact
Overall impact: Low
02 December 2024

This extension provides a quick way to view and download BChecks in any given GitHub repository.

Professional
Estimated system impact
Overall impact: Low
04 January 2024

Java Fingerprinting using Stack Traces.

Professional
Estimated system impact
Overall impact: Low
04 February 2022

Generates and fuzzes custom AMF messages.

Professional Community
Estimated system impact
Overall impact: Low
01 February 2017

Aids pentesting web applications that use Blazor Server/BlazorPack.

Professional Community
Estimated system impact
Overall impact: Empty
21 September 2023

Provides an easy way to save and revisit requests

Professional Community
Estimated system impact
Overall impact: Low
21 May 2020

Generates Intruder payloads using the Radamsa test case generator.

Professional Community
Estimated system impact
Overall impact: Empty
02 July 2014

A bridge between Burp Suite and Frida to help test Android applications.

Professional Community
Estimated system impact
Overall impact: Low
15 August 2023

Discover broken links

Professional
Estimated system impact
Overall impact: Low
23 July 2019

Automatically renders Repeater responses in Firefox.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Adds Ruby scripting capabilities to Burp.

Professional
Estimated system impact
Overall impact: Low
14 February 2017

Send raw HTTP requests to BugPoC.com

Professional Community
Estimated system impact
Overall impact: Low
22 June 2020

Allow Mass "Send to Repeater" Using Context Menu

Professional Community
Estimated system impact
Overall impact: Empty
29 July 2024

Extend the Burp active and passive scanner by creating custom scan checks with an intuitive graphical interface.

Professional
Estimated system impact
Overall impact: Low
04 February 2022

Enables collaborative usage of Burp using XMPP/Jabber.

Professional Community
Estimated system impact
Overall impact: Low
23 January 2017

Integrates Crawljax, Selenium and JUnit into Burp.

Professional Community
Estimated system impact
Overall impact: Low
23 March 2015

Enables the generation of shareable links to specific requests which other Burp Suite users can import.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Push notifications to Slack channel or to custom server based on BurpSuite response conditions.

Professional Community
Estimated system impact
Overall impact: High
27 November 2020

Push notifications to Telegram bot on BurpSuite response

Professional Community
Estimated system impact
Overall impact: Low
08 July 2022

A collection of burpsuite encryption plug-ins, support AES/RSA/DES/ExecJs(execute JS encryption code in burpsuite).

Professional Community
Estimated system impact
Overall impact: Low
25 November 2021

Adds Google Translate to Burp's context menu.

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

Identifies previously submitted inputs appearing in hashed form.

Professional
Estimated system impact
Overall impact: Low
28 August 2015

Looks for files, directories and file extensions based on current requests received by Burp Suite.

Professional Community
Estimated system impact
Overall impact: Low
22 January 2018

Pulls endpoint information from Teamserver and import it into Burp's sitemap.

Professional
Estimated system impact
Overall impact: Medium
26 November 2024

Adds headers useful for bypassing some WAF devices.

Professional Community
Estimated system impact
Overall impact: Low
29 March 2017

Convert Base64 data from a JSON response to an image.

Professional Community
Estimated system impact
Overall impact: Empty
12 November 2024

Provides a command-line interface to drive spidering and scanning.

Professional
Estimated system impact
Overall impact: Low
23 January 2017

Change the nesting level of extension-generated context menu items.

Professional Community
Estimated system impact
Overall impact: Empty
15 January 2024

Find and exploit Client-Side Path Traversal.

Professional
Estimated system impact
Overall impact: Empty
30 October 2024

Lets you share requests with just two clicks and a paste

Professional Community
Estimated system impact
Overall impact: Low
11 February 2021

Test Amazon S3, Google Storage and Azure Storage for common misconfiguration issues.

Professional
Estimated system impact
Overall impact: Medium
25 February 2022

Scan for common vulnerabilities in popular CMS.

Professional
Estimated system impact
Overall impact: Low
03 October 2017

Adds various capabilities including SQL Mapper, User Generator and Prettier JS.

Professional Community
Estimated system impact
Overall impact: Low
11 March 2024

Uploads scan reports directly to CodeDx, a software vulnerability correlation and management system.

Professional
Estimated system impact
Overall impact: Low
06 June 2018

Exfiltrate blind remote code execution output over DNS via Burp Collaborator

Professional
Estimated system impact
Overall impact: Low
21 February 2022

Augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator.

Professional
Estimated system impact
Overall impact: Low
09 January 2023

Customizable payload generator to detect and exploit command injection flaws during blind testing.

Professional Community
Estimated system impact
Overall impact: Medium
27 June 2018

Generates comments for selected requests based on regular expressions.

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

Allows users to create match and replace operations that execute only when a condition is matched (or not matched).

Professional Community
Estimated system impact
Overall impact: Low
12 September 2023

Converts JSON To XML, XML to JSON, body parameters to JSON, and body parameters to XML.

Professional Community
Estimated system impact
Overall impact: Low
23 January 2017

Decrypts/decodes various types of cookies.

Professional
Estimated system impact
Overall impact: Low
12 July 2019

Simplify the filtering of cookies in requests.

Professional Community
Estimated system impact
Overall impact: Empty
23 May 2024

Generate FFUF commands from requests.

Professional Community
Estimated system impact
Overall impact: Empty
12 June 2024

Burp Suite extension to copy requests as Go

Professional Community
Estimated system impact
Overall impact: Low
19 March 2024

Copies the selected requests as Node.JS request code.

Professional Community
Estimated system impact
Overall impact: Low
20 April 2021

Copies the selected request(s) as PowerShell invocation(s).

Professional Community
Estimated system impact
Overall impact: Low
25 November 2021

Generates async Python code from HTTP requests.

Professional Community
Estimated system impact
Overall impact: Empty
22 October 2024

Copies selected request(s) as Python-Requests invocations.

Professional Community
Estimated system impact
Overall impact: Low
24 September 2024

Copy methods in the context menu of selected messages and requests/responses.

Professional Community
Estimated system impact
Overall impact: Low
26 September 2024

Converts requests into BCheck scripts.

Professional
Estimated system impact
Overall impact: Empty
28 July 2023

Test websites for CORS misconfigurations.

Professional
Estimated system impact
Overall impact: Low
08 June 2022

Automatically modify parameters by using encoding/decoding, encrypting/decrypting or hashing algorithms set in configuration tabs.

Professional Community
Estimated system impact
Overall impact: High
14 December 2021

Detects script includes from over 14000+ known cryptojacking domains.

Professional
Estimated system impact
Overall impact: Low
24 October 2018

Displays CSP headers for responses, and passively reports CSP weaknesses.

Professional Community
Estimated system impact
Overall impact: Low
11 February 2022

Passively scans for CSP headers that contain known bypasses or other potential weaknesses.

Professional
Estimated system impact
Overall impact: Low
24 January 2017

Passively scans for CSRF vulnerabilities.

Professional
Estimated system impact
Overall impact: Low
04 February 2022

Provides a sync function for CSRF token parameters.

Professional Community
Estimated system impact
Overall impact: Low
14 February 2017

Allows request/response modification using a GUI analogous to CyberChef

Professional Community
Estimated system impact
Overall impact: Low
29 November 2024

Hides and automatically handles anti-CSRF token defenses.

Professional Community
Estimated system impact
Overall impact: Low
22 June 2023

Adds a new tab to log all requests and responses.

Professional Community
Estimated system impact
Overall impact: Medium
01 July 2014

Provides a simple way to automatically modify any part of an HTTP message.

Professional Community
Estimated system impact
Overall impact: Low
21 February 2022

Add a customizable "Send to..." menu to the context menu

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

Speeds up manual testing of web applications by performing custom deserialization.

Professional Community
Estimated system impact
Overall impact: Low
21 February 2022

Use different themes with Burp Suite.

Professional Community
Estimated system impact
Overall impact: Low
08 March 2021

Calculates CVSS v2 and v3 scores of vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Low
30 March 2017

A Burp Suite Extension that detects Cypher code injection

Professional Enterprise
Estimated system impact
Overall impact: Low
26 August 2021

A replacement for Burp decoder with tabs, an improved hex editor, and extensibiity.

Professional Community
Estimated system impact
Overall impact: Medium
19 February 2021

View and modify compressed HTTP messages without changing the content-encoding.

Professional Community
Estimated system impact
Overall impact: Medium
19 June 2018

Passively checks for differing content in JavaScript files and aids in finding user/session data.

Professional
Estimated system impact
Overall impact: Low
17 December 2018

Shows the differences between two Repeater responses

Professional Community
Estimated system impact
Overall impact: Low
27 September 2022

Import results from directory brute forcing tools including GoBuster and DirSearch

Professional Community
Estimated system impact
Overall impact: Low
13 June 2019

Identify areas in your application that are vulnerable to Reverse Tabnabbing.

Professional
Estimated system impact
Overall impact: Low
06 December 2019

Adds a new context menu item in Burp Suite to switch between defined Display Settings Profiles.

Professional Community
Estimated system impact
Overall impact: Empty
20 September 2024

Evenly distributes scanner load across targets.

Professional
Estimated system impact
Overall impact: Empty
06 January 2023

Find DNS vulnerabilities in web applications.

Professional
Estimated system impact
Overall impact: Empty
18 September 2023

Automagically decode DNS Exfiltration queries to convert Blind RCE into proper RCE via Burp Collaborator.

Professional
Estimated system impact
Overall impact: Empty
24 January 2024

Dynamically add or update the DPoP (Demonstrating Proof of Possession) HTTP header to outgoing HTTP requests based on configured criteria.

Professional Community
Estimated system impact
Overall impact: Empty
15 August 2024

Send Scanner issues to Dradis collaboration and reporting framework.

Professional
Estimated system impact
Overall impact: Low
23 February 2024

Stores requests/responses in an ElasticSearch index.

Professional Community
Estimated system impact
Overall impact: Empty
04 October 2018

Encode an IP address focused to bypass application IP / domain blacklist.

Professional
Estimated system impact
Overall impact: Low
25 September 2023

Passively detects detailed server error messages.

Professional
Estimated system impact
Overall impact: Medium
15 August 2023

Processes and recognizes single sign-on protocols.

Professional Community
Estimated system impact
Overall impact: Medium
24 June 2019

Reads metadata from various file types (JPEG, PNG, PDF, DOC, and much more) using ExifTool.

Professional Community
Estimated system impact
Overall impact: Low
20 May 2022

Provides a similar but extended version of the Burp Suite macro feature.

Professional Community
Estimated system impact
Overall impact: Low
27 June 2017

Integrates Burp with the Faction assessment collaboration framework.

Professional
Estimated system impact
Overall impact: Empty
02 April 2024

Integrates Burp with the Faraday Integrated Penetration-Test Environment.

Professional Community
Estimated system impact
Overall impact: Low
06 January 2023

Allows Burp to test applications that use Fast Infoset XML encoding

Professional Community
Estimated system impact
Overall impact: Low
02 October 2017

Checks whether file uploads are vulnerable to path traversal

Professional
Estimated system impact
Overall impact: Low
03 August 2017

Filters out OPTIONS requests from populating Burp's Proxy history.

Professional Community
Estimated system impact
Overall impact: Low
19 October 2023

Allows a tester to manually insert junk data and adds junk data to Active Scans by duplicating each scan check.

Professional
Estimated system impact
Overall impact: Empty
19 November 2024

Provides request history view for all Burp tools.

Professional Community
Estimated system impact
Overall impact: High
10 February 2022

Helps detect and exploit deserialization vulnerabilities in Java and .Net

Professional
Estimated system impact
Overall impact: Medium
02 April 2020

Augments Intruder to probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.

Professional Community
Estimated system impact
Overall impact: Low
27 February 2020

Find potential endpoints, parameters, and generate a custom target wordlist.

Professional Community
Estimated system impact
Overall impact: Empty
23 July 2024

Integrates with GAT Digital

Professional
Estimated system impact
Overall impact: Medium
13 July 2023

Lets Burp users store Burp data and collaborate via git.

Professional Community
Estimated system impact
Overall impact: Low
17 June 2015

Generate Google Authenticator OTPs in session handling rules.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Lets you run Google Hacking queries and add results to Burp's site map.

Professional Community
Estimated system impact
Overall impact: High
01 July 2014

Test endpoints implementing GraphQL

Professional
Estimated system impact
Overall impact: Low
12 August 2019

Automatically identifies insertion points for GWT (Google Web Toolkit) requests.

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

A burp suite extension to easily insert payloads into requests.

Professional Community
Estimated system impact
Overall impact: Low
15 April 2021

Converts data using a tag-based configuration to apply various encoding and escaping operations.

Professional Community
Estimated system impact
Overall impact: Low
29 November 2024

Assists with using Collaborator during manual testing.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Import HAR export files into Burp.

Professional Community
Estimated system impact
Overall impact: Low
14 September 2023

This extension integrates Burp Intruder with Hashcat Maskprocessor.

Professional Community
Estimated system impact
Overall impact: Empty
16 October 2020

Identify missing, misconfigured, and unnecessary HTTP security headers

Professional
Estimated system impact
Overall impact: Empty
30 October 2024

Identifies and reports issues in headers

Professional
Estimated system impact
Overall impact: Low
22 June 2023

Snip headers from requests.

Professional Community
Estimated system impact
Overall impact: Empty
04 January 2024

Reports security issues in HTTP headers.

Professional
Estimated system impact
Overall impact: Low
24 November 2014

Allows Burp Scanner to be automated, using Spider or an existing Site Map.

Professional Community
Estimated system impact
Overall impact: Low
09 July 2018

Checks whether a server is vulnerable to the Heartbleed bug.

Professional Community
Estimated system impact
Overall impact: Low
22 June 2023

Highlighter and Extractor (HaE) is used to highlight HTTP requests and extract information from HTTP response messages.

Professional Community
Estimated system impact
Overall impact: Medium
23 July 2024

Filter search results per host.

Professional
Estimated system impact
Overall impact: Empty
28 February 2024

Find host header injection vulnerabilities

Professional
Estimated system impact
Overall impact: Low
14 November 2024

Scans for usage of risky HTML5 features.

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

A Burp Suite extension to handle HTTP Digest Authentication, which is no more supported by Burp Suite since version 2020.7.

Professional Community
Estimated system impact
Overall impact: Low
12 January 2022

Makes an OPTIONS request and determines if other HTTP methods than the original request are available.

Professional Community
Estimated system impact
Overall impact: Low
06 May 2021

Provides mock responses that can be configured, based on real ones.

Professional Community
Estimated system impact
Overall impact: Low
28 June 2022

Helps you launch HTTP Request Smuggling attacks, supports scanning for Request Smuggling vulnerabilities and also aids exploitation by handling cumbersome offset-tweaking for you

Professional Community
Estimated system impact
Overall impact: Low
16 November 2023

Scans for the HTTPoxy vulnerability.

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Passively scan for potentially vulnerable parameters.

Professional Community
Estimated system impact
Overall impact: Low
29 July 2020

Checks if a particular URL responds differently to various User-Agent headers.

Professional
Estimated system impact
Overall impact: Low
22 January 2015

Enumerates all the shortnames in an IIS webserver by exploiting the IIS Tilde Enumeration vulnerability

Professional Community
Estimated system impact
Overall impact: Low
20 July 2023

Passively scans jpeg / png / tiff for embedded GPS, IPTC, and camera-proprietary location & privacy exposures.

Professional
Estimated system impact
Overall impact: Low
26 February 2020

Extracts metadata from image files.

Professional Community
Estimated system impact
Overall impact: Low
14 December 2021

Detects potential denial of service attacks in image retrieval functions.

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Import wstalker CSV file or ZAP export file into Burp Sitemap.

Professional Community
Estimated system impact
Overall impact: Low
17 January 2023

InQL - A Burp Extension for GraphQL Security Testing

Professional Community
Estimated system impact
Overall impact: High
10 October 2023

Allows use of file contents and filenames as Intruder payloads.

Professional Community
Estimated system impact
Overall impact: Low
02 September 2015

Lets you include the current epoch time in Intruder payloads.

Professional Community
Estimated system impact
Overall impact: Low
24 January 2017

Uses AWS API Gateway to change your IP on every request.

Professional Community
Estimated system impact
Overall impact: Low
21 February 2022

Detect a Remote Code or Command Execution (RCE) vulnerability in some implementations of F5 Networks’ popular BigIP load balancer

Professional
Estimated system impact
Overall impact: Empty
08 August 2019

Posts discovered Scanner issues to an external web service.

Professional
Estimated system impact
Overall impact: Empty
07 September 2015

Adds scan checks focused on Java environments and technologies.

Professional Enterprise
Estimated system impact
Overall impact: High
25 August 2021

Performs active and passive scans to detect Java deserialization vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Performs Java deserialization attacks using the ysoserial payload generator tool.

Professional Community
Estimated system impact
Overall impact: Low
30 January 2017

Generates Java serialized payloads to execute OS commands.

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

Performs checks for cross-domain scripting against the DOM, subresource integrity checks, and evaluates JavaScript resources against threat intelligence data.

Professional
Estimated system impact
Overall impact: Empty
10 September 2019

Analyze web applications that use JCryption

Professional Community
Estimated system impact
Overall impact: Low
14 July 2017

Apply jq queries to JSON content from the HTTP message viewer.

Professional Community
Estimated system impact
Overall impact: Low
11 January 2021

Burp Extension for passively scanning JavaScript files for endpoint links.

Professional
Estimated system impact
Overall impact: Low
05 September 2019

Tries to find interesting stuff inside static files; mainly JavaScript and JSON files.

Professional
Estimated system impact
Overall impact: Low
20 July 2023

Use JavaScript to run pre and post request scripts.

Professional Community
Estimated system impact
Overall impact: Empty
13 February 2024

Displays JSON messages in decoded form.

Professional Community
Estimated system impact
Overall impact: Low
24 January 2017

Easily escape JSON payloads

Professional Community
Estimated system impact
Overall impact: Low
24 September 2024

View and extract data from JSON responses.

Professional Community
Estimated system impact
Overall impact: Low
08 September 2020

JOSEPH - JavaScript Object Signing and Encryption Pentesting Helper

Professional Community
Estimated system impact
Overall impact: Medium
04 February 2022

Enables Burp to decode and manipulate JSON web tokens.

Professional Community
Estimated system impact
Overall impact: Low
29 August 2024

Parses JSWS responses and generates JSON requests for all supported methods.

Professional Community
Estimated system impact
Overall impact: Low
15 February 2017

Allows viewing and editing of JVM system properties.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Edit, sign, verify, encrypt and decrypt JSON Web Tokens (JWTs).

Professional Community
Estimated system impact
Overall impact: Low
11 September 2024

Adds support for performing Kerberos authentication.

Professional Community
Estimated system impact
Overall impact: Low
30 August 2017

Allow the use of Burp Suite with an upstream proxy that requires Kerberos authentication.

Professional Community
Estimated system impact
Overall impact: Empty
10 May 2024

Allows you to write your own Python script to handle collaborator interactions.

Professional
Estimated system impact
Overall impact: Empty
09 January 2024

Sends Burp Scanner issues directly to a remote Lair project.

Professional
Estimated system impact
Overall impact: Low
25 January 2017

Performs hash length extension attacks on weak signature mechanisms.

Professional Community
Estimated system impact
Overall impact: Low
25 January 2017

Build OpenApi specs from Burp's traffic using Levo.ai. Also detect and classify the PII and annotate specs with the PII details.

Professional Community
Estimated system impact
Overall impact: Low
30 April 2024

An open source python framework for auditing WAFs and Filters.

Professional Community
Estimated system impact
Overall impact: Low
21 February 2022

Log every request made by Burp to an SQLite database

Professional Community
Estimated system impact
Overall impact: Empty
22 September 2021

Lets you view log files generated by Burp in a graphical enviroment.

Professional Community
Estimated system impact
Overall impact: Low
28 January 2022

A Burp Suite extension which augments your proxy traffic by injecting log4shell payloads into headers.

Professional
Estimated system impact
Overall impact: Low
16 December 2021

Enumerates hidden Log4Shell-affected hosts.

Professional Enterprise
Estimated system impact
Overall impact: Empty
05 October 2023

Logs requests and responses for all Burp tools in a sortable table.

Professional Community
Estimated system impact
Overall impact: High
06 July 2023

Help Burp know where to look when scanning

Professional Community
Estimated system impact
Overall impact: Low
01 October 2024

Insert a magic byte into a request.

Professional Community
Estimated system impact
Overall impact: Low
22 September 2023

Allows users to manually create custom issues within the Burp Scanner results.

Professional
Estimated system impact
Overall impact: Low
23 May 2017

Provides a match and replace function as a Session Handling Rule.

Professional Community
Estimated system impact
Overall impact: Low
24 August 2017

Allows conversion of MessagePack messages to/from JSON format.

Professional Community
Estimated system impact
Overall impact: Empty
20 April 2017

Generates custom Intruder payloads based on the site map.

Professional Community
Estimated system impact
Overall impact: Low
24 January 2017

Aids with documentation of OWASP Testing Guide V4 tests.

Professional Community
Estimated system impact
Overall impact: Low
25 January 2017

Allows replay of requests in multiple sessions, to identify authorization vulnerabilities

Professional Community
Estimated system impact
Overall impact: Low
03 October 2017

Highlight the Proxy history to differentiate requests made by different browsers

Professional Community
Estimated system impact
Overall impact: Low
14 December 2018

Parse Nessus output to detect web servers and add to Site Map

Professional Community
Estimated system impact
Overall impact: Low
02 April 2019

Detects NGINX alias traversal due to misconfiguration.

Professional
Estimated system impact
Overall impact: Low
03 December 2021

Parses Nmap output files and adds common web ports to Burp's target scope.

Professional Community
Estimated system impact
Overall impact: Low
09 January 2017

Integrate Nmap into Burp's interface.

Professional
Estimated system impact
Overall impact: Empty
30 October 2024

This extension is for those times when Burp just says 'Nope, i'm not gonna deal with this.'. It adds a configurable DNS server and a Non-HTTP MiTM Intercepting proxy to Burp.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

A scanner to detect NoSQL Injection vulnerabilities.

Professional
Estimated system impact
Overall impact: Medium
01 February 2021

Lets you take notes and manage external documents from within Burp.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Decode NTLM SSP headers and extract domain/host information

Professional Community
Estimated system impact
Overall impact: Low
25 March 2021

Allows you to run Nuclei Scanner directly from Burp and transforms JSON results into the issues.

Professional Community
Estimated system impact
Overall impact: Low
22 June 2023

A plugin intended to help with nuclei template generation.

Professional Community
Estimated system impact
Overall impact: Low
29 November 2024

Allows Burp Suite scans to be pushed to the Nucleus platform

Professional
Estimated system impact
Overall impact: Low
23 February 2021

Provides some automatic security checks, which could be useful when testing applications implementing OAUTHv2 and OpenID standards.

Professional Enterprise
Estimated system impact
Overall impact: Low
03 December 2024

Grab OAuth2 access tokens and add them to requests as a custom header.

Professional Community
Estimated system impact
Overall impact: Low
08 September 2022

Provide additional authentication methods - currently this tool only supports OAuth v1

Professional Community
Estimated system impact
Overall impact: Low
05 January 2023

Lets you edit Office Open XML files directly in Burp; useful for exploiting XXE

Professional Community
Estimated system impact
Overall impact: Low
05 January 2018

OpenAPI parser fully compliant with OpenAPI 2.0/3.0 Specifications (OAS). Supports both JSON and YAML formats.

Professional Community
Estimated system impact
Overall impact: Low
22 February 2024

Helps penetration testers quickly identify and exploit the PKCS#7 and PKCS#1 v1.5 padding oracle vulnerability.

Professional Community
Estimated system impact
Overall impact: Low
10 September 2024

ParaForge is a handy tool that helps gather information from requests. It extracts parameters and the Request endpoint to create customized wordlists, which are saved in endpoint.txt and parameter.txt files.

Professional Community
Estimated system impact
Overall impact: Low
23 November 2023

This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Low
29 November 2024

Improves efficiency of manual parameter analysis for web penetration tests and helps find sensitive information leakage.

Professional Community
Estimated system impact
Overall impact: Low
25 October 2022

Adds a custom Scanner check to identify Flex applications vulnerable to CVE-2011-2461 (APSB11-25).

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Recognizes and scans Passkey (webauthn) protocols and detects security issues.

Professional
Estimated system impact
Overall impact: Empty
16 January 2024

Allow pasting cURL commands as raw HTTP requests in a new tab in Repeater.

Professional Community
Estimated system impact
Overall impact: Empty
13 May 2024

Generates payload lists based on a set of characters that are sanitized.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Imports and passively scans Pcap files.

Professional
Estimated system impact
Overall impact: Low
04 April 2017

Provides an additional passive Scanner check for metadata in PDF files.

Professional
Estimated system impact
Overall impact: Low
20 April 2017

Allows viewing of PDF files directly within Burp.

Professional Community
Estimated system impact
Overall impact: Medium
02 September 2015

Peach API Security integration, perform tests and view results from Burp.

Professional Community
Estimated system impact
Overall impact: Low
04 September 2019

Improve automated and semi-automated active scanning

Professional
Estimated system impact
Overall impact: Empty
08 July 2022

Integrates logging with a custom application testing checklist.

Professional Community
Estimated system impact
Overall impact: Low
23 November 2023

TODO

Professional Community
Estimated system impact
Overall impact: Low
11 January 2018

Finds PHP object injection vulnerabilities.

Professional Enterprise
Estimated system impact
Overall impact: Low
26 August 2021

Designed to help you find PHP Object Injection vulnerabilities on popular PHP Frameworks.

Professional Community
Estimated system impact
Overall impact: High
20 November 2019

Raw bytes manipulation utility, able to apply well known and less well known transformations.

Professional Community
Estimated system impact
Overall impact: Low
12 July 2019

Easily integrate external tools into Burp

Professional Community
Estimated system impact
Overall impact: Low
27 November 2020

Integrate with the Postman tool by generating a collection file.

Professional Community
Estimated system impact
Overall impact: Low
07 September 2022

Checks application requests and responses for indicators of vulnerability or targets for attack

Professional Community
Estimated system impact
Overall impact: Low
05 January 2023

Burp Suite extension to track vulnerability assessment progress.

Professional Community
Estimated system impact
Overall impact: Low
04 March 2020

Decodes and beautifies protobuf responses.

Professional Community
Estimated system impact
Overall impact: Low
04 August 2021

Detect and analyze server-side prototype pollution vulnerabilities in web applications.

Professional
Estimated system impact
Overall impact: Empty
09 October 2024

Automatically forward, intercept and drop requests based on rules.

Professional Community
Estimated system impact
Overall impact: Low
21 February 2022

Automatically configures Burp upstream proxies to match desktop proxy settings.

Professional Community
Estimated system impact
Overall impact: Low
24 October 2018

Converts Burp Suite's proxy traffic into interactive diagrams

Professional Community
Estimated system impact
Overall impact: Low
02 August 2023

A customizable payload generator suitable for detecting a variety of file path vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Medium
28 June 2018

Allows you to modify HTTP requests and responses passing through the Burp Suite proxy using Jython code or gRPC, especially when dealing with encrypted requests.

Professional Community
Estimated system impact
Overall impact: Empty
23 October 2024

Bypass client-side encryption using custom logic for manual and automation testing

Professional Community
Estimated system impact
Overall impact: Low
30 October 2024

Allows execution of custom Python scripts to be used with HTTP request and responses plus handling Macro messages.

Professional Community
Estimated system impact
Overall impact: Low
20 May 2022

Provides a way to easily push Burp scanner findings to the Qualys Web Application Scanning (WAS) module.

Professional
Estimated system impact
Overall impact: Low
22 October 2024

Quickly select context menu entries using a search dialog

Professional Community
Estimated system impact
Overall impact: Low
23 March 2020

Parses Content-Transfer-Encoding

Professional
Estimated system impact
Overall impact: Low
25 August 2020

Automatically generates fake source IP address headers to evade WAF filters.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Checks for reflected file downloads.

Professional Community
Estimated system impact
Overall impact: Low
24 January 2017

Monitors traffic and looks for parameter values that are reflected in the response.

Professional
Estimated system impact
Overall impact: Low
10 November 2014

This extension generates scripts to reissue selected requests.

Professional Community
Estimated system impact
Overall impact: Low
16 December 2021

Helps developers replicate findings discovered in pen tests.

Professional Community
Estimated system impact
Overall impact: Low
22 July 2024

Reports issues discovered by Burp to an ElasticSearch database.

Professional
Estimated system impact
Overall impact: Low
10 May 2017

Automatically highlights different HTTP requests based on headers content

Professional Community
Estimated system impact
Overall impact: Low
23 July 2018

Minimize requests by removing ad cookies, cachebusters, etc.

Professional Community
Estimated system impact
Overall impact: Low
20 December 2022

Places a random value into a specified location within requests.

Professional Community
Estimated system impact
Overall impact: Low
21 December 2018

Captures response times for requests made by all Burp tools.

Professional Community
Estimated system impact
Overall impact: Low
08 November 2017

Trigger actions and reshape HTTP request and response traffic using configurable rules

Professional Community
Estimated system impact
Overall impact: Low
29 November 2024

Auto-extract values from HTTP responses based on a Regular Expression.

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

Find exotic responses by grouping response bodies

Professional Community
Estimated system impact
Overall impact: Low
05 September 2022

Uses a list of payloads to pattern match on HTTP responses highlighting interesting and potentially vulnerable areas.

Professional Community
Estimated system impact
Overall impact: Low
15 August 2023

Integrates with the Retire.js repository to find vulnerable JavaScript libraries.

Professional
Estimated system impact
Overall impact: Low
14 December 2021

Detects reverse proxy servers.

Professional Community
Estimated system impact
Overall impact: Low
13 February 2017

This plug-in can recursively detect vulnerable paths. You can customize related paths, matching information and vulnerability names.

Professional
Estimated system impact
Overall impact: Low
08 March 2023

Detects same origin method execution vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Low
26 January 2017

Passively reports various SameSite flags

Professional
Estimated system impact
Overall impact: Low
12 June 2020

Adds a tab to Burp's message editor for decoding/encoding SAML messages.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Adds a tab to Burp's main UI for decoding/encoding SAML messages.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Provides a SAML message editor and a certificate management tool to help with testing SAML infrastructures.

Professional Community
Estimated system impact
Overall impact: Low
22 October 2024

Enables you to view, decode, and modify SAML requests and responses.

Professional Community
Estimated system impact
Overall impact: High
06 February 2017

Enumerating associated domains & services via the Subject Alt Names section of SSL certificates.

Professional Community Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Do an active scan of just the insertion point defined by a selection in the UI.

Professional Community
Estimated system impact
Overall impact: Low
24 May 2017

A Burp Suite Extension to monitor and keep track of tested endpoints.

Professional Community
Estimated system impact
Overall impact: Low
07 October 2019

Use Semgrep inside Burp Suite

Professional
Estimated system impact
Overall impact: Low
20 July 2023

Burp Suite extension to scan for sensitive strings in HTTP messages.

Professional Community
Estimated system impact
Overall impact: Low
15 November 2024

Performs custom scanning for vulnerabilities in web applications.

Professional
Estimated system impact
Overall impact: Low
20 December 2022

This extension finds server side prototype pollution vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Low
13 March 2023

Identifies authentication privilege escalation vulnerabilities.

Professional
Estimated system impact
Overall impact: Low
24 January 2017

Provides additional control for handling sessions.

Professional Community
Estimated system impact
Overall impact: Low
14 September 2023

Determines server session timeout intervals.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Checks for the presence of known session tracking sites

Professional
Estimated system impact
Overall impact: Low
05 January 2018

Adds a number of UI and functional features to Burp Suite.

Professional Community
Estimated system impact
Overall impact: Low
22 February 2024

Simplify the process of fuzzing for Excel file uploads.

Professional Community
Estimated system impact
Overall impact: Empty
30 April 2024

Extension for editing, signing, verifying various signed web tokens.

Professional Community
Estimated system impact
Overall impact: Empty
10 May 2024

Improves efficiency by automatically marking similar requests as 'out-of-scope'.

Professional Community
Estimated system impact
Overall impact: Low
20 June 2018

Extracts key data from the Site Map and allows export to CSV.

Professional Community
Estimated system impact
Overall impact: Low
29 January 2020

Fetches the responses of unrequested items in the site map.

Professional Community
Estimated system impact
Overall impact: Low
22 January 2015

Add additional functionality for pentesting websocket based applications.

Professional Community
Estimated system impact
Overall impact: Empty
19 October 2023

Passively reports server software version numbers.

Professional
Estimated system impact
Overall impact: Low
22 April 2021

Software vulnerability scanner based on Vulners.com audit API

Professional
Estimated system impact
Overall impact: Low
09 April 2019

Inject offline source maps for easier JavaScript debugging.

Professional Community
Estimated system impact
Overall impact: Low
26 February 2024

Enumerates application endpoints via a local source code repository.

Professional Community
Estimated system impact
Overall impact: Low
17 July 2018

Extends and adds custom Payload Generators/Processors in Burp Suite's Intruder.

Professional Community
Estimated system impact
Overall impact: Low
03 September 2020

Initiates SQLMap scans directly from within Burp.

Professional Community
Estimated system impact
Overall impact: Low
06 June 2023

Helps you perform DNS exfiltration with Sqlmap with zero configuration needed.

Professional
Estimated system impact
Overall impact: Low
24 March 2021

Identifies missing Subresource Integrity attributes

Professional
Estimated system impact
Overall impact: Low
12 July 2019

Scan for SSL vulnerabilities using techniques from testssl.sh and a2sv.

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

A Multi-Stage Repeater Replacement For Burp Suite

Professional Community
Estimated system impact
Overall impact: Medium
07 September 2023

A very simple, straightforward extension to export sub domains from Burp using a context menu option.

Professional Community
Estimated system impact
Overall impact: Low
02 December 2019

Parse Swagger documents - view in a table and send to other tools.

Professional
Estimated system impact
Overall impact: Empty
14 June 2024

Improved Collaborator client in its own tab

Professional
Estimated system impact
Overall impact: Low
20 December 2022

Redirect requests to a new target, to cope with moved apps.

Professional Community
Estimated system impact
Overall impact: Low
04 April 2018

Provides an interface to the ThreadFix vulnerability management platform.

Professional
Estimated system impact
Overall impact: Low
25 January 2017

Used to perform timing attacks over an unreliable network such as the internet.

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

Provides a popup menu to edit Unix timestamps in Burp message editors

Professional Community
Estimated system impact
Overall impact: Low
18 March 2021

Extract tokens from responses and use these in future requests

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

Increment a token in each request. Useful for parameters like username that must be unique.

Professional Community
Estimated system impact
Overall impact: Low
27 November 2020

Manages tokens and updates request parameters with current values.

Professional Community
Estimated system impact
Overall impact: Low
09 June 2022

Flexible and dynamic extraction, correlation, and structured presentation of information as well as on-the-fly modification of outgoing or incoming HTTP requests using Python scripts.

Professional Community
Estimated system impact
Overall impact: Low
20 April 2022

Send large numbers of HTTP requests and analyze the results

Professional Community
Estimated system impact
Overall impact: Medium
07 August 2024

Compares HTTP response codes (200, 500, etc) when altering the

Professional
Estimated system impact
Overall impact: Low
11 September 2023

Test file uploads with payloads embedded in meta data for various file formats.

Professional
Estimated system impact
Overall impact: Low
21 February 2022

This extension finds active UPnP services/devices and extracts the related SOAP requests (IPv4 and IPv6 are supported), it then analyzes them using various Burp tools

Professional Community
Estimated system impact
Overall impact: Low
06 December 2021

Fuzz URLs for HTTP parser inconsistencies

Professional
Estimated system impact
Overall impact: Empty
09 January 2024

Passively reports UUID/GUIDs observed within HTTP requests.

Professional Community
Estimated system impact
Overall impact: Low
23 February 2017

Displays the contents of, and allows the user to edit, V1.1 and V2.0 ASP view state data.

Professional Community
Estimated system impact
Overall impact: Low
10 March 2021

The extension intercepts POST requests to in-scope destinations, and prepends the request body with a configurable amount of padding. It

Professional Community
Estimated system impact
Overall impact: Low
07 September 2023

Fetches JavaScript cookies into the Burp cookie jar; useful to handle WAFs.

Professional Community
Estimated system impact
Overall impact: Low
16 January 2018

Passively detects web application firewalls from HTTP responses.

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Generate a sitemap using Wayback Machine.

Professional Community
Estimated system impact
Overall impact: Low
18 June 2018

Allows Burp to view and modify binary SOAP objects.

Professional Community
Estimated system impact
Overall impact: Low
15 June 2017

Detect web cache misconfigurations with Burp.

Professional
Estimated system impact
Overall impact: Low
23 November 2017

Decodes WebAuthn CBOR format

Professional Community
Estimated system impact
Overall impact: Low
09 December 2022

Integrates Burp with HP WebInspect.

Professional
Estimated system impact
Overall impact: Low
10 August 2016

Fuzz WebSockets messages with custom Python code

Professional Community
Estimated system impact
Overall impact: Empty
30 October 2024

Displays information about IBM WebSphere Portlet state.

Professional Community
Estimated system impact
Overall impact: Low
17 February 2015

Scrapes all unique words and numbers for use with password cracking

Professional Community
Estimated system impact
Overall impact: Low
20 April 2017

Find known vulnerabilities in WordPress plugins and themes using WPScan database.

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

Generate and replace for every request valid token for WS Security

Professional Community
Estimated system impact
Overall impact: Medium
10 February 2022

Scans a target server for WSDL files.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Parses WSDL files and generates SOAP requests to the enumerated endpoints.

Professional Community
Estimated system impact
Overall impact: Low
01 November 2016

Adds a new HTTP message editor tab to display X-ChromeLogger-Data in decoded form.

Professional Community
Estimated system impact
Overall impact: Low
15 December 2021

Incorporates PortSwigger's cross-site scripting cheat sheet into Burp.

Professional Community
Estimated system impact
Overall impact: Low
17 October 2023

Sends responses to a locally-running XSS-Detector server.

Professional
Estimated system impact
Overall impact: High
10 February 2022

Integrates Yara scanner into Burp Suite.

Professional Community
Estimated system impact
Overall impact: Low
25 January 2017

YesWeBurp is an extension for BurpSuite allowing you to access all your https

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022