
Burp extensions added to Burp Suite Enterprise Edition

Emma Stocks | 26 August 2021 at 13:56 UTC

Brand new for the 2021.8 release, Burp Suite Enterprise Edition now supports Burp extensions, including your own custom extensions. If you've had much experience with Burp Suite Professional, it's likely that you're already familiar with our BApp Store. If you've only ever used Burp Suite Enterprise Edition though, you might not have come across it yet.

What are BApp extensions?

The PortSwigger BApp Store works much like any online app store - it contains multiple applications which act as add-ons or extensions to the tool or software you already have. In the case of the BApp Store, the files are software extensions that are designed to work seamlessly with the various editions of Burp Suite to extend their capabilities.

BApp extensions are mostly written by the Burp Suite user community, with some contributed by James Kettle and the fantastic team at PortSwigger Research - the whole BApp Store library is curated by PortSwigger's team of developers. Each extension has its own unique functionality - they're usually designed to do things like improve a workflow, accelerate a process, provide additional data, or add custom scan checks. Not all BApp extensions are compatible with Burp Suite Enterprise Edition, and the ones that are will usually enhance scanning functionality in some way.

How can we use extensions in Burp Suite Enterprise Edition?

To add a BApp extension to Burp Suite Enterprise Edition, you will need to visit the BApp Store and download the file for the extension you wish to install. Because many organizations choose to air-gap their deployment of Burp Suite Enterprise Edition, we have chosen not to integrate the BApp Store into the software in this initial release.

Once you have downloaded the file for the BApp extension you wish to install, follow the installation instructions within Burp Suite Enterprise Edition to upload the extension. Please note that you will need to assign your chosen extension to a site from the site tree. Once you've assigned extensions to a site, all future scans of that site will make use of the extension unless you remove it from the site.

We've made sure that permissions for installing and using BApp extensions are carefully controlled, to allow you to keep your systems as secure as possible when adding extensibility to Burp Suite Enterprise Edition. You can assign permission for extension usability with the built-in role-based access control (RBAC) feature. As with any role-based access permissions, this can be modified at any time. 

To access this new functionality, you will need to be running the latest versions of both Burp Suite Enterprise Edition and Burp Scanner. These can both be updated from the main dashboard of your Burp Suite Enterprise Edition interface.

How will the extensions help to improve our workflows?

General themes for Burp Suite Enterprise Edition extensions tend to include:

Additionally, Burp Suite Enterprise Edition's new extension functionality will also enable you to create your own custom extensions. Whether you want to integrate with a specific type of environment, deep-dive into an especially nuanced area of one of your sites, or pinpoint an issue that is unique to your setup, you can now build your own extension to cover it.

Especially suited to those enterprises working toward DevSecOps, custom extensions will support uniquely tailored scan checks. Such scan checks can be useful where an application has specific requirements - including:

This enables you to use Burp Suite Enterprise Edition to achieve compliance with your own enterprise security standards.

Custom extensions for Burp Suite Enterprise Edition are currently only supported if they are written in Java, so please bear this in mind when writing your extension's functionality. We've got a guide for writing Burp extensions, which includes language-specific instructions, as well as a selection of sample extensions to get you started.

You can customize every aspect of your own extension, including adding remediation advice specific to both your issue and your unique setup. This will enable targeted feedback to be given to developers, and should help to improve code security overall.
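An added example (not from the original post or PortSwigger's samples) of a tailored passive scan check that carries its own remediation advice, written against the Burp Extender API interfaces in the `burp` package. The HSTS rule, the extension name and the issue text are hypothetical stand-ins for an in-house security standard.

```java
package burp;

import java.net.URL;
import java.util.Collections;
import java.util.List;

// Hypothetical in-house rule: every HTTPS response must set Strict-Transport-Security.
public class BurpExtender implements IBurpExtender, IScannerCheck {
    private IExtensionHelpers helpers;

    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Example standard: HSTS required"); // hypothetical name
        callbacks.registerScannerCheck(this);
    }

    public List<IScanIssue> doPassiveScan(IHttpRequestResponse rr) {
        if (rr.getResponse() == null || !"https".equalsIgnoreCase(rr.getHttpService().getProtocol()))
            return null; // no response yet, or plain HTTP where HSTS does not apply
        for (String header : helpers.analyzeResponse(rr.getResponse()).getHeaders())
            if (header.toLowerCase().startsWith("strict-transport-security:"))
                return null; // compliant, nothing to report
        return Collections.<IScanIssue>singletonList(new HstsIssue(rr, helpers.analyzeRequest(rr).getUrl()));
    }

    public List<IScanIssue> doActiveScan(IHttpRequestResponse rr, IScannerInsertionPoint ip) {
        return null; // passive-only check: sends no extra requests
    }

    public int consolidateDuplicateIssues(IScanIssue existing, IScanIssue added) {
        // -1 keeps only the existing issue, 0 keeps both: report each URL once
        return existing.getUrl().toString().equals(added.getUrl().toString()) ? -1 : 0;
    }

    private static final class HstsIssue implements IScanIssue {
        private final IHttpRequestResponse rr; private final URL url;
        HstsIssue(IHttpRequestResponse rr, URL url) { this.rr = rr; this.url = url; }
        public URL getUrl() { return url; }
        public String getIssueName() { return "Example standard: HSTS header missing"; }
        public int getIssueType() { return 0x08000000; } // type for extension-generated issues
        public String getSeverity() { return "Low"; }
        public String getConfidence() { return "Certain"; }
        public String getIssueBackground() { return null; }
        public String getRemediationBackground() { return null; }
        public String getIssueDetail() { return "The HTTPS response did not include a Strict-Transport-Security header."; }
        public String getRemediationDetail() { return "Set Strict-Transport-Security at the TLS terminator, as required by the in-house standard (sample text)."; }
        public IHttpRequestResponse[] getHttpMessages() { return new IHttpRequestResponse[] { rr }; }
        public IHttpService getHttpService() { return rr.getHttpService(); }
    }
}
```

The string returned by `getRemediationDetail()` is where advice specific to your own setup reaches the developer reading the scan result.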

Compatible extensions for Burp Suite Enterprise Edition

In this initial feature release, 11 BApp extensions will be available for integration with Burp Suite Enterprise Edition. We've also applied role-based access control, so you can control which users in your team are able to use this functionality.

The following Java-based BApps are available for Burp Suite Enterprise Edition:

Burp Suite Enterprise Edition extensibility 

Want to try out the latest addition to Burp Suite Enterprise Edition? Update your installation to the latest version today, or take out a fully-featured trial.