BApp Store

The BApp Store contains Burp extensions that have been written by users of Burp Suite, to extend Burp's capabilities.

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Submit a BApp

If you have written, or are aware of, an extension that you would like to be included in the BApp Store, please submit your BApp to us.

Update a BApp

The process for updating a BApp is as follows:

  1. The author creates a pull request against PortSwigger's fork of their repository.
  2. The author emails support@portswigger.net to tell us that they've opened a pull request.
  3. We review the changes and merge them into the PortSwigger fork.
  4. We test the extension for loading errors.
  5. We publish the updated version to the BApp Store.

BApp Extensions


Generates and replaces a valid WS Security token for every request.

Professional Community
Estimated system impact
Overall impact: Medium
10 February 2022

Grab OAuth2 access tokens and add them to requests as a custom header.

Professional Community
Estimated system impact
Overall impact: Empty
17 June 2022

Posts discovered Scanner issues to an external web service.

Professional
Estimated system impact
Overall impact: Empty
07 September 2015

Adds Ruby scripting capabilities to Burp.

Professional
Estimated system impact
Overall impact: Low
14 February 2017

Send Scanner issues to Dradis collaboration and reporting framework.

Professional
Estimated system impact
Overall impact: Low
17 February 2017

Quickly select context menu entries using a search dialog

Professional Community
Estimated system impact
Overall impact: Low
23 March 2020

TODO

Professional Community
Estimated system impact
Overall impact: Low
11 January 2018

Integrates with GAT Digital

Professional
Estimated system impact
Overall impact: Low
21 January 2021

Performs checks for cross-domain scripting against the DOM, subresource integrity checks, and evaluates JavaScript resources against threat intelligence data.

Professional
Estimated system impact
Overall impact: Empty
10 September 2019

Lets Burp users store Burp data and collaborate via git.

Professional Community
Estimated system impact
Overall impact: Low
17 June 2015

Displays information about IBM WebSphere Portlet state.

Professional Community
Estimated system impact
Overall impact: Low
17 February 2015

Parses Content-Transfer-Encoding

Professional
Estimated system impact
Overall impact: Low
25 August 2020

Stores requests/responses in an ElasticSearch index.

Professional Community
Estimated system impact
Overall impact: Empty
04 October 2018

Generate payload processors on the fly - without having to create individual extensions.

Professional Community
Estimated system impact
Overall impact: Low
31 January 2022

Improves efficiency by automatically marking similar requests as 'out-of-scope'.

Professional Community
Estimated system impact
Overall impact: Low
20 June 2018

Automatically renders Repeater responses in Firefox.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Enables collaborative usage of Burp using XMPP/Jabber.

Professional Community
Estimated system impact
Overall impact: Low
23 January 2017

Allows conversion of MessagePack messages to/from JSON format.

Professional Community
Estimated system impact
Overall impact: Empty
20 April 2017

Integrates logging with a custom application testing checklist.

Professional Community
Estimated system impact
Overall impact: Empty
10 June 2022

Lets you share requests with just two clicks and a paste

Professional Community
Estimated system impact
Overall impact: Low
11 February 2021

Generates comments for selected requests based on regular expressions.

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

Integrates Yara scanner into Burp Suite.

Professional Community
Estimated system impact
Overall impact: Low
25 January 2017

Generates payload lists based on a set of characters that are sanitized.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

A Burp Suite extension to handle HTTP Digest Authentication, which has not been supported by Burp Suite since version 2020.7.

Professional Community
Estimated system impact
Overall impact: Low
12 January 2022

Provides an interface to the ThreadFix vulnerability management platform.

Professional
Estimated system impact
Overall impact: Low
25 January 2017

Sends Burp Scanner issues directly to a remote Lair project.

Professional
Estimated system impact
Overall impact: Low
25 January 2017

Reports issues discovered by Burp to an ElasticSearch database.

Professional
Estimated system impact
Overall impact: Low
10 May 2017

Peach API Security integration, perform tests and view results from Burp.

Professional Community
Estimated system impact
Overall impact: Low
04 September 2019

Raw bytes manipulation utility, able to apply well known and less well known transformations.

Professional Community
Estimated system impact
Overall impact: Low
12 July 2019

Adds a new tab to log all requests and responses.

Professional Community
Estimated system impact
Overall impact: Medium
01 July 2014

Adds a new HTTP message editor tab to display X-ChromeLogger-Data in decoded form.

Professional Community
Estimated system impact
Overall impact: Low
15 December 2021

Performs hash length extension attacks on weak signature mechanisms.

Professional Community
Estimated system impact
Overall impact: Low
25 January 2017

Allows viewing and editing of JVM system properties.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Automatically forward, intercept and drop requests based on rules.

Professional Community
Estimated system impact
Overall impact: Low
21 February 2022

This extension integrates Burp Intruder with Hashcat Maskprocessor.

Professional Community
Estimated system impact
Overall impact: Empty
16 October 2020

Pushes notifications to a Slack channel or to a custom server based on Burp Suite response conditions.

Professional Community
Estimated system impact
Overall impact: High
27 November 2020

Adds Google Translate to Burp's context menu.

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

Allows replay of requests in multiple sessions, to identify authorization vulnerabilities

Professional Community
Estimated system impact
Overall impact: Low
03 October 2017

Burp Suite extension to track vulnerability assessment progress.

Professional Community
Estimated system impact
Overall impact: Low
04 March 2020

This extension finds active UPnP services/devices and extracts the related SOAP requests (IPv4 and IPv6 are supported). It then analyzes them using various Burp tools.

Professional Community
Estimated system impact
Overall impact: Low
06 December 2021

YesWeBurp is an extension for BurpSuite allowing you to access all your https

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

Automatically modify parameters by using encoding/decoding, encrypting/decrypting or hashing algorithms set in configuration tabs.

Professional Community
Estimated system impact
Overall impact: High
14 December 2021

Hides and automatically handles anti-CSRF token defenses.

Professional Community
Estimated system impact
Overall impact: Low
10 November 2015

An open source Python framework for auditing WAFs and filters.

Professional Community
Estimated system impact
Overall impact: Low
21 February 2022

Import wstalker CSV file or ZAP export file into Burp Sitemap.

Professional Community
Estimated system impact
Overall impact: Low
29 June 2020

Provides a popup menu to edit Unix timestamps in Burp message editors

Professional Community
Estimated system impact
Overall impact: Low
18 March 2021

Helps developers replicate findings discovered in pen tests.

Professional Community
Estimated system impact
Overall impact: Low
28 April 2020

Filters out OPTIONS requests from populating Burp's Proxy history.

Professional Community
Estimated system impact
Overall impact: Low
08 January 2020

Aids with documentation of OWASP Testing Guide V4 tests.

Professional Community
Estimated system impact
Overall impact: Low
25 January 2017

Lets you include the current epoch time in Intruder payloads.

Professional Community
Estimated system impact
Overall impact: Low
24 January 2017

Allows Burp to test applications that use Fast Infoset XML encoding

Professional Community
Estimated system impact
Overall impact: Low
02 October 2017

Highlight the Proxy history to differentiate requests made by different browsers

Professional Community
Estimated system impact
Overall impact: Low
14 December 2018

Parses Nmap output files and adds common web ports to Burp's target scope.

Professional Community
Estimated system impact
Overall impact: Low
09 January 2017

Generates Intruder payloads using the Radamsa test case generator.

Professional Community
Estimated system impact
Overall impact: Empty
02 July 2014

Automatically configures Burp upstream proxies to match desktop proxy settings.

Professional Community
Estimated system impact
Overall impact: Low
24 October 2018

Inject offline source maps for easier JavaScript debugging.

Professional Community
Estimated system impact
Overall impact: Low
20 May 2022

Auto-extract values from HTTP responses based on a Regular Expression.

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

Uploads scan reports directly to CodeDx, a software vulnerability correlation and management system.

Professional
Estimated system impact
Overall impact: Low
06 June 2018

Uses a list of payloads to pattern match on HTTP responses highlighting interesting and potentially vulnerable areas.

Professional Community
Estimated system impact
Overall impact: Low
21 January 2021

Places a random value into a specified location within requests.

Professional Community
Estimated system impact
Overall impact: Low
21 December 2018

Allows you to assess 5G core network functions by parsing OpenAPI 3.0, and generate requests for intrusion testing purposes.

Professional Community
Estimated system impact
Overall impact: Low
23 September 2021

Burp Suite extension to copy requests as Go

Professional Community
Estimated system impact
Overall impact: Low
22 December 2021

A Burp Suite Extension to monitor and keep track of tested endpoints.

Professional Community
Estimated system impact
Overall impact: Low
07 October 2019

Easily integrate external tools into Burp

Professional Community
Estimated system impact
Overall impact: Low
27 November 2020

Trigger actions and reshape HTTP request and response traffic using configurable rules

Professional Community
Estimated system impact
Overall impact: Low
19 April 2022

Provides a match and replace function as a Session Handling Rule.

Professional Community
Estimated system impact
Overall impact: Low
24 August 2017

Enables the generation of shareable links to specific requests which other Burp Suite users can import.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Detects script includes from more than 14000 known cryptojacking domains.

Professional
Estimated system impact
Overall impact: Low
24 October 2018

Integrates Crawljax, Selenium and JUnit into Burp.

Professional Community
Estimated system impact
Overall impact: Low
23 March 2015

Integrates Burp with the Faraday Integrated Penetration-Test Environment.

Professional Community
Estimated system impact
Overall impact: Low
26 July 2021

Allows Burp Scanner to be automated, using Spider or an existing Site Map.

Professional Community
Estimated system impact
Overall impact: Low
09 July 2018

Fetches the responses of unrequested items in the site map.

Professional Community
Estimated system impact
Overall impact: Low
22 January 2015

Used to perform timing attacks over an unreliable network such as the internet.

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

Add a customizable "Send to..." menu to the context menu

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

Speeds up manual testing of web applications by performing custom deserialization.

Professional Community
Estimated system impact
Overall impact: Low
21 February 2022

Flexible and dynamic extraction, correlation, and structured presentation of information as well as on-the-fly modification of outgoing or incoming HTTP requests using Python scripts.

Professional Community
Estimated system impact
Overall impact: Low
20 April 2022

Allows request/response modification using a GUI analogous to CyberChef

Professional Community
Estimated system impact
Overall impact: Low
10 July 2020

Lets you edit Office Open XML files directly in Burp; useful for exploiting XXE

Professional Community
Estimated system impact
Overall impact: Low
05 January 2018

Lets you run Google Hacking queries and add results to Burp's site map.

Professional Community
Estimated system impact
Overall impact: High
01 July 2014

Imports and passively scans Pcap files.

Professional
Estimated system impact
Overall impact: Low
04 April 2017

Minimize requests by removing ad cookies, cachebusters, etc.

Professional Community
Estimated system impact
Overall impact: Low
13 January 2021

Helps penetration testers quickly identify and exploit the PKCS#7 and PKCS#1 v1.5 padding oracle vulnerability.

Professional Community
Estimated system impact
Overall impact: Low
23 March 2022

Provides a similar but extended version of the Burp Suite macro feature.

Professional Community
Estimated system impact
Overall impact: Low
27 June 2017

Checks if a particular URL responds differently to various User-Agent headers.

Professional
Estimated system impact
Overall impact: Low
22 January 2015

Generates and fuzzes custom AMF messages.

Professional Community
Estimated system impact
Overall impact: Low
01 February 2017

Checks for the presence of known session tracking sites

Professional
Estimated system impact
Overall impact: Low
05 January 2018

Analyze web applications that use JCryption

Professional Community
Estimated system impact
Overall impact: Low
14 July 2017

Adds a tab to Burp's main UI for decoding/encoding SAML messages.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Fetches JavaScript cookies into the Burp cookie jar; useful to handle WAFs.

Professional Community
Estimated system impact
Overall impact: Low
16 January 2018

Parse Nessus output to detect web servers and add to Site Map

Professional Community
Estimated system impact
Overall impact: Low
02 April 2019

Provides mock responses that can be configured, based on real ones.

Professional Community
Estimated system impact
Overall impact: Low
11 July 2019

Log every request made by Burp to an SQLite database

Professional Community
Estimated system impact
Overall impact: Empty
22 September 2021

Integrates Burp with HP WebInspect.

Professional
Estimated system impact
Overall impact: Low
10 August 2016

Provides a way to easily push Burp scanner findings to the Qualys Web Application Scanning (WAS) module.

Professional
Estimated system impact
Overall impact: Low
10 February 2022

Lets you view log files generated by Burp in a graphical environment.

Professional Community
Estimated system impact
Overall impact: Low
28 January 2022

Augments Intruder to probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.

Professional Community
Estimated system impact
Overall impact: Low
27 February 2020

This extension allows you to automatically Drop requests that match a certain regex.

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

Generate Google Authenticator OTPs in session handling rules.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Increment a token in each request. Useful for parameters like username that must be unique.

Professional Community
Estimated system impact
Overall impact: Low
27 November 2020

Adds a custom Scanner check to identify Flex applications vulnerable to CVE-2011-2461 (APSB11-25).

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Decodes and beautifies protobuf responses.

Professional Community
Estimated system impact
Overall impact: Low
04 August 2021

Detect a Remote Code or Command Execution (RCE) vulnerability in some implementations of F5 Networks’ popular BigIP load balancer

Professional
Estimated system impact
Overall impact: Empty
08 August 2019

Provides a command-line interface to drive spidering and scanning.

Professional
Estimated system impact
Overall impact: Low
23 January 2017

Find exotic responses by grouping response bodies

Professional Community
Estimated system impact
Overall impact: Low
12 January 2022

Lets you take notes and manage external documents from within Burp.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Checks whether file uploads are vulnerable to path traversal

Professional
Estimated system impact
Overall impact: Low
03 August 2017

Copies the selected requests as Node.JS request code.

Professional Community
Estimated system impact
Overall impact: Low
20 April 2021

Extracts key data from the Site Map and allows export to CSV.

Professional Community
Estimated system impact
Overall impact: Low
29 January 2020

Detects reverse proxy servers.

Professional Community
Estimated system impact
Overall impact: Low
13 February 2017

Adds support for performing Kerberos authentication.

Professional Community
Estimated system impact
Overall impact: Low
30 August 2017

Generates custom Intruder payloads based on the site map.

Professional Community
Estimated system impact
Overall impact: Low
24 January 2017

Evenly distributes scanner load across targets.

Professional
Estimated system impact
Overall impact: Empty
25 August 2020

Allows use of file contents and filenames as Intruder payloads.

Professional Community
Estimated system impact
Overall impact: Low
02 September 2015

Enables you to view, decode, and modify SAML requests and responses.

Professional Community
Estimated system impact
Overall impact: High
06 February 2017

Provides an easy way to save and revisit requests

Professional Community
Estimated system impact
Overall impact: Low
21 May 2020

Automatically takes care of anti-CSRF tokens by fetching them from the referer and replacing them in requests.

Professional Community
Estimated system impact
Overall impact: Low
28 February 2020

Manages tokens and updates request parameters with current values.

Professional Community
Estimated system impact
Overall impact: Low
09 June 2022

Adds a tab to Burp's message editor for decoding/encoding SAML messages.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Allows Burp to view and modify binary SOAP objects.

Professional Community
Estimated system impact
Overall impact: Low
15 June 2017

A Multi-Stage Repeater Replacement For Burp Suite

Professional Community
Estimated system impact
Overall impact: Low
16 July 2020

Create custom issues in Burp Scanner results, using predefined issue templates.

Professional
Estimated system impact
Overall impact: Low
25 February 2022

Identifies previously submitted inputs appearing in hashed form.

Professional
Estimated system impact
Overall impact: Low
28 August 2015

Copy methods in the context menu of selected messages and requests/responses.

Professional Community
Estimated system impact
Overall impact: Low
23 July 2021

Import results from directory brute forcing tools including GoBuster and DirSearch

Professional Community
Estimated system impact
Overall impact: Low
13 June 2019

Assists with using Collaborator during manual testing.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Allows Burp Suite scans to be pushed to the Nucleus platform

Professional
Estimated system impact
Overall impact: Low
23 February 2021

Redirect requests to a new target, to cope with moved apps.

Professional Community
Estimated system impact
Overall impact: Low
04 April 2018

Parses JSWS responses and generates JSON requests for all supported methods.

Professional Community
Estimated system impact
Overall impact: Low
15 February 2017

Looks for files, directories and file extensions based on current requests received by Burp Suite.

Professional Community
Estimated system impact
Overall impact: Low
22 January 2018

This extension generates scripts to reissue selected requests.

Professional Community
Estimated system impact
Overall impact: Low
16 December 2021

Adds a number of UI and functional features to Burp Suite.

Professional Community
Estimated system impact
Overall impact: Low
20 June 2022

Detects potential denial of service attacks in image retrieval functions.

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Allows execution of custom Python scripts to be used with HTTP requests and responses, plus handling of Macro messages.

Professional Community
Estimated system impact
Overall impact: Low
20 May 2022

Copies the selected request(s) as PowerShell invocation(s).

Professional Community
Estimated system impact
Overall impact: Low
25 November 2021

Scrapes all unique words and numbers for use with password cracking

Professional Community
Estimated system impact
Overall impact: Low
20 April 2017

Passively scans jpeg / png / tiff for embedded GPS, IPTC, and camera-proprietary location & privacy exposures.

Professional
Estimated system impact
Overall impact: Low
26 February 2020

Signs requests with AWS Signature Version 4

Professional Community
Estimated system impact
Overall impact: Low
08 June 2022

Detects same origin method execution vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Low
26 January 2017

Automatically highlights different HTTP requests based on headers content

Professional Community
Estimated system impact
Overall impact: Low
23 July 2018

Extracts metadata from image files.

Professional Community
Estimated system impact
Overall impact: Low
14 December 2021

Automatically identifies insertion points for GWT (Google Web Toolkit) requests.

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Identify areas in your application that are vulnerable to Reverse Tabnabbing.

Professional
Estimated system impact
Overall impact: Low
06 December 2019

Enumerates application endpoints via a local source code repository.

Professional Community
Estimated system impact
Overall impact: Low
17 July 2018

Use different themes with Burp Suite.

Professional Community
Estimated system impact
Overall impact: Low
08 March 2021

Generates multiple scan reports by host with just a few clicks.

Professional
Estimated system impact
Overall impact: Low
04 February 2022

Provides an additional passive Scanner check for metadata in PDF files.

Professional
Estimated system impact
Overall impact: Low
20 April 2017

Checks for reflected file downloads.

Professional Community
Estimated system impact
Overall impact: Low
24 January 2017

Apply jq queries to JSON content from the HTTP message viewer.

Professional Community
Estimated system impact
Overall impact: Low
11 January 2021

A collection of Burp Suite encryption plug-ins supporting AES/RSA/DES/ExecJs (execute JS encryption code in Burp Suite).

Professional Community
Estimated system impact
Overall impact: Low
25 November 2021

Java Fingerprinting using Stack Traces.

Professional
Estimated system impact
Overall impact: Low
04 February 2022

Identifies missing Subresource Integrity attributes

Professional
Estimated system impact
Overall impact: Low
12 July 2019

Send raw HTTP requests to BugPoC.com

Professional Community
Estimated system impact
Overall impact: Low
22 June 2020

A customizable payload generator suitable for detecting a variety of file path vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Medium
28 June 2018

Identifies authentication privilege escalation vulnerabilities.

Professional
Estimated system impact
Overall impact: Low
24 January 2017

Exfiltrate blind remote code execution output over DNS via Burp Collaborator

Professional
Estimated system impact
Overall impact: Low
21 February 2022

View and modify compressed HTTP messages without changing the content-encoding.

Professional Community
Estimated system impact
Overall impact: Medium
19 June 2018

Automatically generates fake source IP address headers to evade WAF filters.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Determines server session timeout intervals.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Passively reports various SameSite flags

Professional
Estimated system impact
Overall impact: Low
12 June 2020

Calculates CVSS v2 and v3 scores of vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Low
30 March 2017

A Burp extension that discovers sensitive information inside HTTP messages.

Professional
Estimated system impact
Overall impact: Low
12 November 2021

Used for signing AWS requests with SigV4.

Professional Community
Estimated system impact
Overall impact: Low
16 February 2022

Passively reports UUID/GUIDs observed within HTTP requests.

Professional Community
Estimated system impact
Overall impact: Low
23 February 2017

Decode NTLM SSP headers and extract domain/host information

Professional Community
Estimated system impact
Overall impact: Low
25 March 2021

This extension is for those times when Burp just says 'Nope, I'm not gonna deal with this.' It adds a configurable DNS server and a non-HTTP MiTM intercepting proxy to Burp.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Test Amazon S3, Google Storage and Azure Storage for common misconfiguration issues.

Professional
Estimated system impact
Overall impact: Medium
25 February 2022

A very simple, straightforward extension to export sub domains from Burp using a context menu option.

Professional Community
Estimated system impact
Overall impact: Low
02 December 2019

Enumerates associated domains & services via the Subject Alt Names section of SSL certificates.

Professional Community Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Checks whether a server is vulnerable to the Heartbleed bug.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Allows users to manually create custom issues within the Burp Scanner results.

Professional
Estimated system impact
Overall impact: Low
23 May 2017

Do an active scan of just the insertion point defined by a selection in the UI.

Professional Community
Estimated system impact
Overall impact: Low
24 May 2017

Highlighter and Extractor (HaE) is used to highlight HTTP requests and extract information from HTTP response messages.

Professional Community
Estimated system impact
Overall impact: Low
20 April 2022

Integrate with the Postman tool by generating a collection file.

Professional Community
Estimated system impact
Overall impact: Low
19 June 2019

Scans a target server for WSDL files.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Designed to help you find PHP Object Injection vulnerabilities on popular PHP Frameworks.

Professional Community
Estimated system impact
Overall impact: High
20 November 2019

Extract tokens from responses and use these in future requests

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

Makes an OPTIONS request and determines whether HTTP methods other than that of the original request are available.

Professional Community
Estimated system impact
Overall impact: Low
06 May 2021

Processes and recognizes single sign-on protocols.

Professional Community
Estimated system impact
Overall impact: Medium
24 June 2019

Decrypt AES traffic on the fly

Professional Community
Estimated system impact
Overall impact: Low
13 May 2021

A bridge between Burp Suite and Frida to help test Android applications.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Provides a simple way to automatically modify any part of an HTTP message.

Professional Community
Estimated system impact
Overall impact: Low
21 February 2022

Allows viewing of PDF files directly within Burp.

Professional Community
Estimated system impact
Overall impact: Medium
02 September 2015

Scans for the HTTPoxy vulnerability.

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Allows encryption and decryption of AES payloads in Burp Intruder and Scanner.

Professional
Estimated system impact
Overall impact: Low
04 February 2022

A Burp Suite Extension that detects Cypher code injection

Professional Enterprise
Estimated system impact
Overall impact: Low
26 August 2021

Extends and adds custom Payload Generators/Processors in Burp Suite's Intruder.

Professional Community
Estimated system impact
Overall impact: Low
03 September 2020

Captures response times for requests made by all Burp tools.

Professional Community
Estimated system impact
Overall impact: Low
08 November 2017

Enumerates all the shortnames in an IIS webserver by exploiting the IIS Tilde Enumeration vulnerability

Professional
Estimated system impact
Overall impact: Low
02 February 2022

Generates Java serialized payloads to execute OS commands.

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

Performs Java deserialization attacks using the ysoserial payload generator tool.

Professional Community
Estimated system impact
Overall impact: Low
30 January 2017

Generate a sitemap using Wayback Machine.

Professional Community
Estimated system impact
Overall impact: Low
18 June 2018

Helps automated scanning by accessing/refreshing tokens, replacing tokens in XML and JSON bodies, and replacing tokens in cookies.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Passively checks for differing content in JavaScript files and aids in finding user/session data.

Professional
Estimated system impact
Overall impact: Low
17 December 2018

Passively scans for CSP headers that contain known bypasses or other potential weaknesses.

Professional
Estimated system impact
Overall impact: Low
24 January 2017

Discover broken links

Professional
Estimated system impact
Overall impact: Low
23 July 2019

OpenAPI parser fully compliant with OpenAPI 2.0/3.0 Specifications (OAS). Supports both JSON and YAML formats.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

View and extract data from JSON responses.

Professional Community
Estimated system impact
Overall impact: Low
08 September 2020

Reads metadata from various file types (JPEG, PNG, PDF, DOC, and much more) using ExifTool.

Professional Community
Estimated system impact
Overall impact: Low
20 May 2022

Performs custom scanning for vulnerabilities in web applications.

Professional
Estimated system impact
Overall impact: Low
10 April 2017

Burp extension that performs a passive scan to identify cloud buckets and then test them for publicly accessible vulnerabilities.

Professional
Estimated system impact
Overall impact: Low
11 February 2021

Passively scan for potentially vulnerable parameters.

Professional Community
Estimated system impact
Overall impact: Low
29 July 2020

Checks application requests and responses for indicators of vulnerability or targets for attack

Professional Community
Estimated system impact
Overall impact: Low
11 February 2021

Improves efficiency of manual parameter analysis for web penetration tests.

Professional Community
Estimated system impact
Overall impact: Low
14 January 2019

Performs additional checks for CSRF vulnerabilities in a semi-automated manner.

Professional Community
Estimated system impact
Overall impact: Low
14 December 2018

Integrates Burp issue logging with the OWASP Web Security Testing Guide (WSTG) to provide a streamlined web security testing flow for the modern-day penetration tester!

Professional
Estimated system impact
Overall impact: Low
10 February 2022

Reports security issues in HTTP headers.

Professional
Estimated system impact
Overall impact: Low
24 November 2014

Uses AWS API Gateway to change your IP on every request.

Professional Community
Estimated system impact
Overall impact: Low
21 February 2022

Improved Collaborator client in its own tab

Professional
Estimated system impact
Overall impact: Low
07 October 2021

Use static analysis to identify web app endpoints by parsing routes and identifying parameters.

Professional Community
Estimated system impact
Overall impact: Low
16 December 2021

Displays CSP headers for responses, and passively reports CSP weaknesses.

Professional Community
Estimated system impact
Overall impact: Low
11 February 2022

Helps you perform DNS exfiltration with Sqlmap with zero configuration needed.

Professional
Estimated system impact
Overall impact: Low
24 March 2021

Provides some automatic security checks, which could be useful when testing applications implementing OAUTHv2 and OpenID standards.

Professional Enterprise
Estimated system impact
Overall impact: Medium
23 May 2022

Custom passive scan checks for asset discovery.

Professional
Estimated system impact
Overall impact: Low
12 September 2019

Find known vulnerabilities in WordPress plugins and themes using WPScan database.

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

Scans for usage of risky HTML5 features.

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Decrypts/decodes various types of cookies.

Professional
Estimated system impact
Overall impact: Low
12 July 2019

Provides a sync function for CSRF token parameters.

Professional Community
Estimated system impact
Overall impact: Low
14 February 2017

A replacement for Burp decoder with tabs, an improved hex editor, and extensibility.

Professional Community
Estimated system impact
Overall impact: Medium
19 February 2021

Edit, sign, verify, encrypt and decrypt JSON Web Tokens (JWTs).

Professional Community
Estimated system impact
Overall impact: Low
29 March 2022

Additional Scanner checks for AWS security issues.

Professional
Estimated system impact
Overall impact: Medium
18 January 2018

Detect web cache misconfigurations with Burp.

Professional
Estimated system impact
Overall impact: Low
23 November 2017

Detects NGINX alias traversal due to misconfiguration.

Professional
Estimated system impact
Overall impact: Low
03 December 2021

Displays JSON messages in decoded form.

Professional Community
Estimated system impact
Overall impact: Low
24 January 2017

Customizable payload generator to detect and exploit command injection flaws during blind testing.

Professional Community
Estimated system impact
Overall impact: Medium
27 June 2018

Provides a simple way to test authorization in web applications and web services.

Professional Community
Estimated system impact
Overall impact: Low
15 October 2021

This Burp Extension helps you to find authorization bugs by repeating Proxy requests with self-defined headers and tokens.

Professional Community
Estimated system impact
Overall impact: Low
27 April 2022

Provides a SAML message editor and a certificate management tool to help with testing SAML infrastructures.

Professional Community
Estimated system impact
Overall impact: Low
08 June 2022

Finds PHP object injection vulnerabilities.

Professional Enterprise
Estimated system impact
Overall impact: Low
26 August 2021

InQL - A Burp Extension for GraphQL Security Testing

Professional Community
Estimated system impact
Overall impact: Low
12 August 2021

Add or update custom HTTP headers from session handling rules. Useful for JWT.

Professional Community
Estimated system impact
Overall impact: Low
08 July 2020

Displays the contents of, and allows the user to edit, V1.1 and V2.0 ASP view state data.

Professional Community
Estimated system impact
Overall impact: Low
10 March 2021

Test websites for CORS misconfigurations.

Professional
Estimated system impact
Overall impact: Low
08 June 2022

Automatically repeat requests, with replacement rules and response diffing.

Professional Community
Estimated system impact
Overall impact: Low
10 February 2022

A scanner to detect NoSQL Injection vulnerabilities.

Professional
Estimated system impact
Overall impact: Medium
01 February 2021

Passively detects web application firewalls from HTTP responses.

Professional Enterprise
Estimated system impact
Overall impact: Low
25 August 2021

Converts data using a tag-based configuration to apply various encoding and escaping operations.

Professional Community
Estimated system impact
Overall impact: Low
07 September 2021

A Burp Suite extension to easily insert payloads into requests.

Professional Community
Estimated system impact
Overall impact: Low
15 April 2021

Helps test for authorization vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Low
01 July 2014

Extend the Burp active and passive scanner by creating custom scan checks with an intuitive graphical interface.

Professional
Estimated system impact
Overall impact: Low
04 February 2022

Helps detect and exploit deserialization vulnerabilities in Java and .NET.

Professional
Estimated system impact
Overall impact: Medium
02 April 2020

Scan for common vulnerabilities in popular CMS.

Professional
Estimated system impact
Overall impact: Low
03 October 2017

Tries to find interesting stuff inside static files; mainly JavaScript and JSON files.

Professional
Estimated system impact
Overall impact: Low
26 April 2022

Test endpoints implementing GraphQL

Professional
Estimated system impact
Overall impact: Low
12 August 2019

A Burp Suite extension which augments your proxy traffic by injecting Log4Shell payloads into headers.

Professional
Estimated system impact
Overall impact: Low
16 December 2021

Scan for SSL vulnerabilities using techniques from testssl.sh and a2sv.

Professional Community
Estimated system impact
Overall impact: Low
25 February 2022

Copies selected request(s) as Python-Requests invocations.

Professional Community
Estimated system impact
Overall impact: Low
18 June 2019

Initiates SQLMap scans directly from within Burp.

Professional Community
Estimated system impact
Overall impact: Low
04 March 2021

Passively reports server software version numbers.

Professional
Estimated system impact
Overall impact: Low
22 April 2021

Passively detects detailed server error messages.

Professional
Estimated system impact
Overall impact: Medium
22 April 2021

Provides request history view for all Burp tools.

Professional Community
Estimated system impact
Overall impact: High
10 February 2022

Parses WSDL files and generates SOAP requests to the enumerated endpoints.

Professional Community
Estimated system impact
Overall impact: Low
01 November 2016

Test file uploads with payloads embedded in metadata for various file formats.

Professional
Estimated system impact
Overall impact: Low
21 February 2022

Augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator.

Professional
Estimated system impact
Overall impact: Low
21 May 2018

A Burp Suite extension made to automate the process of bypassing 403 pages. Heavily based on Orange Tsai's talk 'Breaking Parser Logic

Professional
Estimated system impact
Overall impact: Low
26 January 2022

Monitors traffic and looks for parameter values that are reflected in the response.

Professional
Estimated system impact
Overall impact: Low
10 November 2014

Adds various capabilities including SQL Mapper, User Generator and Prettier JS.

Professional Community
Estimated system impact
Overall impact: Low
20 July 2017

Sends responses to a locally-running XSS-Detector server.

Professional
Estimated system impact
Overall impact: High
10 February 2022

Adds headers useful for bypassing some WAF devices.

Professional Community
Estimated system impact
Overall impact: Low
29 March 2017

Masks verbose parameter details in .NET requests.

Professional Community
Estimated system impact
Overall impact: Low
23 January 2017

Burp Extension for passively scanning JavaScript files for endpoint links.

Professional
Estimated system impact
Overall impact: Low
05 September 2019

Performs active and passive scans to detect Java deserialization vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Low
04 February 2022

Provides some additional passive Scanner checks.

Professional
Estimated system impact
Overall impact: Low
21 December 2018

JOSEPH - JavaScript Object Signing and Encryption Pentesting Helper

Professional Community
Estimated system impact
Overall impact: Medium
04 February 2022

Finds unknown classes of injection vulnerabilities.

Professional Enterprise
Estimated system impact
Overall impact: Low
18 October 2021

Converts JSON to XML, XML to JSON, body parameters to JSON, and body parameters to XML.

Professional Community
Estimated system impact
Overall impact: Low
23 January 2017

Passively scans for CSRF vulnerabilities.

Professional
Estimated system impact
Overall impact: Low
04 February 2022

Software vulnerability scanner based on Vulners.com audit API

Professional
Estimated system impact
Overall impact: Low
09 April 2019

Adds scan checks focused on Java environments and technologies.

Professional Enterprise
Estimated system impact
Overall impact: High
25 August 2021

Integrates with the Retire.js repository to find vulnerable JavaScript libraries.

Professional
Estimated system impact
Overall impact: Low
14 December 2021

Automatically detects authorization enforcement.

Professional Community
Estimated system impact
Overall impact: Low
01 October 2021

Enumerates hidden Log4Shell-affected hosts.

Professional Enterprise
Estimated system impact
Overall impact: Low
22 December 2021

Enables Burp to decode and manipulate JSON web tokens.

Professional Community
Estimated system impact
Overall impact: Low
14 June 2022

Logs requests and responses for all Burp tools in a sortable table.

Professional Community
Estimated system impact
Overall impact: High
03 February 2022

Helps you launch HTTP Request Smuggling attacks, supports scanning for Request Smuggling vulnerabilities and also aids exploitation by handling cumbersome offset-tweaking for you

Professional Community
Estimated system impact
Overall impact: Medium
24 May 2022

This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.

Professional Community
Estimated system impact
Overall impact: Medium
24 May 2022

Send large numbers of HTTP requests and analyze the results

Professional Community
Estimated system impact
Overall impact: Low
09 November 2021

Extends Burp's active and passive scanning capabilities.

Professional
Estimated system impact
Overall impact: Medium
25 March 2021