Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more

Enterprise EditionProfessionalCommunity Edition

Burp Suite documentation - contents

  • Last updated: May 13, 2024

  • Read time: 31 Minutes

Documentation
Desktop editions
     Getting started
          System requirements
               CPU cores / memory
               Free disk space
               Operating system and architecture
                    Embedded browser
          Download and install
          Intercepting HTTP traffic with Burp Proxy
               Intercepting a request
          Modifying requests in Burp Proxy
               Step 1: Access the vulnerable website in Burp's browser
               Step 2: Log in to your shopping account
               Step 3: Find something to buy
               Step 4: Study the add to cart function
               Step 5: Modify the request
               Step 6: Exploit the vulnerability
          Setting the target scope
          Reissuing requests with Burp Repeater
               Sending a request to Burp Repeater
               Testing different input with Burp Repeater
          Running your first scan
               Scanning a website
          Generating a report
          What next?
               Continue your Burp Suite journey
          Activate license
               Manual activation
          Mac installer
     Extensions
          Creating
               Useful resources for extension developers
               Handling kettled HTTP/2 requests in extensions
               BApp Store acceptance criteria
               Submitting extensions to the BApp Store
                    Step 1 - Check the acceptance criteria
                    Step 2 - Submit your extension
                    Step 3 - We review your extension
                    Updating your BApp
               Extender API examples (Legacy)
          Viewing requests sent by Burp extensions using Logger
               Step 1: Send requests using an extension
               Step 2: Go to the Logger tab
               Step 3: Filter the log
               Step 4: View individual requests
               Summary
          Installing extensions
               Installing extensions from the BApp Store
                    Requirements
                    Installing Jython or JRuby
               Installing an extension from a file
          Managing extensions
          Monitoring system impact
               Cumulative impact of extensions
          Bambdas
               Creating Bambdas
               Saving Bambdas
               Loading Bambdas
               Troubleshooting Bambdas
                    Compilation errors
                    Runtime errors
               Submitting Bambdas to the community
                    Before you submit
                    Submitting Your Bambda
                    Review and merge
     Testing workflow
          Tutorials
          Setting a test scope
               Adding URLs to the scope
               Excluding URLs from the scope
          Mapping the website
               Mapping the visible surface
                    Before you start
                    Steps
               Discovering hidden content
                    Automated discovery
                         Before you start
                         Steps
                    Enumerating subdomains
                         Steps
          Analyzing the attack surface
               Scoping the effort to audit a website
                    Before you start
                    Steps
               Identifying high-risk functionality
                    Before you start
                    Steps
               Identifying supported HTTP methods
                    Before you start
                    Enumerating supported methods for a single endpoint
                    Enumerating supported methods for multiple endpoints
               Checking for hidden inputs
                    Before you start
                    Steps
               Evaluating inputs
                    Before you start
                    Steps
                         Manually evaluating individual inputs
                         Scanning inputs
                         Fuzzing inputs
               Analyzing opaque data
                    Decoding data
                         Investigate opaque data with the Inspector
                         Investigate opaque data with Burp Decoder
                    Identifying which parts of a token impact the response
                         Steps
          Testing authentication mechanisms
               Enumerating usernames
                    Steps
               Guessing usernames for known users
                    Steps
               Brute-forcing passwords
                    Before you start
                    Running a dictionary attack
                    Running an exhaustive brute-force attack
               Credential stuffing
                    Before you start
                    Steps
               Brute-forcing logins
                    Before you start
                    Steps
          Testing session management mechanisms
               Analyzing session token generation
                    Before you start
                    Steps
               Determining the session timeout
                    Steps
               Generating a CSRF proof-of-concept
                    Steps
               Working with JWTs
                    Before you start
                    Viewing JWTs
                    Editing JWTs
                    Adding a JWT signing key
               Maintaining an authenticated session
                    Identifying an invalid login expression
                    Configuring a session handling rule
                    Checking the session handling rule
          Testing access controls
               Testing for privilege escalation
                    Before you start
                    Testing a specific endpoint
                    Testing across the entire site
               Testing horizontal access controls
                    Before you start
                    Testing a specific endpoint
                    Testing across the entire site
               Testing for IDORs
                    Steps
               Testing for parameter-based access control
                    Before you start
                    Steps
               Using match and replace rules
                    Step 1: Open the lab
                    Step 2: Attempt to access the admin panel
                    Step 3: Add a custom match and replace rule
                    Step 4: Try to access the admin panel again
                    Summary and next steps
          Testing input validation
               Bypassing client-side controls
                    Steps
               SQL injection
                    Testing for SQL injection vulnerabilities
                         Steps
                              Scanning for SQL injection vulnerabilities
                              Manually fuzzing for SQL injection vulnerabilities
               Cross-site scripting
                    Identifying reflected input
                         Steps
                              Scanning for reflected inputs
                              Identifying reflected input manually
                         Next steps
                    Testing for DOM XSS with DOM Invader
                         Before you start
                         Steps
                         Related pages
                    Testing for web message DOM XSS with DOM Invader
                         Before you start
                         Steps
                         Related pages
                    Testing for reflected XSS manually
                         Before you start
                         Steps
                         Related pages
                    Testing for stored XSS
                         Steps
                    Bypassing XSS filters
                         Before you start
                         Steps
                    Testing for blind XSS
                         Steps
                         Related pages
               Testing for prototype pollution with DOM Invader
                    Before you start
                    Steps
               OS command injection
                    Testing for command injection vulnerabilities
                         Steps
                              Scanning for command injection vulnerabilities
                              Manually testing for command injection vulnerabilities
                    Testing for asynchronous OS command injection vulnerabilities
                         Steps
                    Exploiting OS command injection vulnerabilities to exfiltrate data
                         Before you start
                         Steps
               XXE injection
                    Testing for XXE injection vulnerabilities
                         Steps
                              Scanning for XXE vulnerabilities
                              Manually testing for XXE vulnerabilities
                    Testing for blind XXE injection vulnerabilities
                         Steps
                              Scanning for blind XXE injection vulnerabilities
                              Manually testing for blind XXE injection vulnerabilities
               Testing for directory traversal vulnerabilities
                    Steps
                         Scanning for directory traversal vulnerabilities
                         Fuzzing for directory traversal vulnerabilities
          Testing for clickjacking
               Steps
          Testing for SSRF vulnerabilities
               Testing for SSRF
                    Steps
               Testing for blind SSRF
                    Steps
          Testing for WebSocket vulnerabilities
               Manipulating WebSocket messages
                    Steps
               Manipulating WebSocket handshakes
                    Steps
          Working with GraphQL in Burp Suite
               Viewing and modifying GraphQL requests
               Accessing GraphQL API schemas using introspection
          Complementing manual testing with Burp Scanner
               Scanning specific requests
               Scanning user-defined insertion points
                    Scanning a single insertion point
                    Scanning multiple insertion points
               Scanning non-standard data structures
               Store HTTP traffic for review
     Tools
          Dashboard
               Task list
               Launching new tasks
               Pausing and resuming running tasks
               Disabling traffic capturing for live tasks
               Bottom dock
          Burp's browser
               Manual testing with Burp's browser
               Scanning websites with Burp's browser
               Health check for Burp's browser
          Burp Proxy
               Proxy intercept
                    Controls
                    Adding annotations
                    Message display
                    Protocol
               HTTP history
                    Changing the HTTP history layout
                    Viewing a request
                    Adding a custom column
                    Filter settings
                         Settings mode
                         Bambda mode
                         Adding annotations
                    Bambdas
                         Example Bambda
                         Converting HTTP history filter settings to Bambdas
               WebSockets history
                    Changing the WebSockets history layout
                    Viewing a request
                    Adding a custom column
                    Filter settings
                         Settings mode
                         Bambda mode
                         Adding annotations
                    Bambdas
                         Example Bambda
                         Converting filter settings to Bambdas
               Managing CA certificates
                    Exporting and importing the CA certificate
                    Creating a custom CA certificate
               Invisible proxying
          Repeater
               Working with HTTP messages
                    HTTP Repeater tab
                         Adding notes for HTTP Repeater tabs
               Sending grouped HTTP requests
                    Sending requests in sequence
                         Sending over a single connection
                         Sending over separate connections
                         Send in sequence prerequisites
                    Sending requests in parallel
                         Send in parallel prerequisites
               Working with WebSocket messages
                    WebSocket Repeater tab
               Managing tabs
                    Tab groups
               Managing tab groups
                    Creating a new tab group
                    Editing existing groups
                    Closing tab groups
               Configuring tab-specific settings
          Intruder
               Getting started
                    Tutorial
                         Step 1: Access the lab
                         Step 2: Try to log in
                         Step 3: Set the payload position
                         Step 4: Select an attack type
                         Step 5: Add the payloads
                         Step 6: Start the attack
                         Step 7: Look for any irregular responses
                         Step 8: Study the response
                         What next?
                    Learn more about Burp Intruder
               Configure attack
                    Positions
                         Payload positions field
                              Target field
                         Configuring payload positions
                    Attack types
                         Sniper
                         Battering ram
                         Pitchfork
                         Cluster bomb
                    Payload types
                         Payload settings
                         Simple list
                         Runtime file
                         Custom iterator
                         Character substitution
                         Case modification
                         Recursive grep
                         Illegal Unicode
                         Character blocks
                         Numbers
                         Dates
                         Brute forcer
                         Null payloads
                         Character frobber
                         Bit flipper
                         Username generator
                         ECB block shuffler
                         Extension-generated
                         Copy other payload
                         Collaborator payloads
                    Payload lists
                         Using predefined payload lists
                         Placeholders
                         Processing placeholders
                    Processing
                         Configuring processing rules
                         Types of processing rules
                         Configuring payload encoding
                    Resource pools
                         Creating resource pools
                         Resource pool settings
                         Moving tasks between resource pools
                    Settings
                         Save attack
                         Request headers
                         Error handling
                         Attack results
                         Grep - match
                         Grep - extract
                         Grep - payloads
                         Redirections
                         HTTP/1 connection reuse
                         HTTP version
                    Managing tabs
               Results
                    Editing attacks
                         Controlling an attack
                         Configuring an attack
                    Saving results
                         Closing attacks
                    Viewing results
                         Viewing a request
                    Analyzing results
                         Sorting results
                         Copying results
                         Filtering results
                         Adding annotations
                    Workflow
                         Scan
                         Send to...
                         Show response in browser
                         Request in browser
                         Generate CSRF PoC
                         Add to site map
                         Request item again
                         Define extract grep from response
                         Copy as curl command
                         Add comment
                         Highlight
                         Copy links
                         Save item
               Uses
                    Enumerating identifiers
                         Step 1: Find a request
                         Step 2: Set a payload position
                         Step 3: Set a payload type
                         Step 4: Analyze the results
                         Use cases
                    Fuzzing
                         Step 1: Set the payload positions
                         Step 2: Set the payload type
                         Step 3: Set the match grep
                         Step 4: Analyze the results
                    Harvesting data
                         Step 1: Find a request
                         Step 2: Set a payload position
                         Step 3: Set a payload type
                         Step 4: Set an extract grep
                         Step 5: Analyze the results
                         Use cases
          Target
               Site map
                    Accessing the site map
                    Tree view
                         Tree view icons
                    Contents pane
                    Requests and responses
                    Issues pane
                         Editing the Issues pane
                    Getting started
                         Tutorial
                              Step 1: Access the lab
                              Step 2: Go to the site map
                              Step 3: Update the site map
                              Step 4: Filter the displayed information
                              Step 5: Set the target scope using the site map
                    Workflow tools
                         Add to scope / Remove from scope
                         Send to
                         Scan
                         Show response in browser
                         Request in browser
                         Engagement tools
                         Compare site maps
                         Add notes / Highlight
                         Expand / collapse branch / requested items
                         Delete items
                         Copy URLs
                         Copy as curl command
                         Copy links
                         Save items
                         Show new site map window
                    Filtering the site map
                         Site map annotations
                    Comparing site maps
                         Site map sources
                         Request matching
                         Response comparison
                    Comparison results
                         Viewing comparison results
                         Interpreting comparison results
                    Site map layout
                         Contents and issues layout
                         Request and response layout
                         Adding a new site map window
               Scope
                    URL-matching rules
                         Normal scope control
                         Advanced scope control
               Crawl paths
                    Accessing the Crawl paths tab
                    Viewing crawl paths
                         Example crawl path
                    Viewing HTTP requests
                    Viewing issues
                    Viewing outlinks
               Issue definitions
               Manual Application mapping
               Reviewing unrequested items
               Analyzing the attack surface
          Inspector
               Configuring the Inspector layout
               Request attributes
               Viewing HTTP message data in the Inspector
                    Automatic decoding
               HTTP/2 headers and pseudo-headers
               Selecting a substring
               Getting started with the Inspector
                    Tutorial
                         Step 1: Access the lab
                         Step 2: Log in to a user account
                         Step 3: Use the Inspector to examine the request
                         Step 4: Use the Inspector to edit the cookie
                         Step 5: Using the selection widget
                    Learn more about the Inspector
               Modifying requests
                    Adding new items to a request
                    Removing items from a request
                    Reordering items in a request
                    Editing the name or value of an item
                    Injecting newlines
                    Injecting other non-printing characters
                    Copying items from the Inspector
          Message editor
               Message analysis toolbar
                    Raw tab
                    Pretty tab
                    Hex tab
                    Render tab
                    GraphQL tab
                    Additional tabs
                    Extension-specific tabs
                    Actions menu
               Other ways of using the message editor
               HTTP/2 messages in the message editor
               Context-specific actions
               Text editor
                    Syntax analysis
                    Pretty printing
                    Uninteresting headers
                    Line-wrapping
                    Non-printing characters
                    Text editor hotkeys
                    Quick search
          Collaborator
               Generating payloads
               Viewing results
               Getting started
                    Step 1: Access the lab
                    Step 2: Browse the target site
                    Step 3: Send an interesting request to Repeater
                    Step 4: Inject a Collaborator payload into the request
                    Step 5: Poll for interactions
                    Summary
                    What next?
          Logger
               Getting started with Logger
                    Step 1: Access the lab
                    Step 2: View requests on the Logger tab
                    Step 3: Audit a request with Burp Scanner
                    Step 4: Examine the requests made by Burp Scanner
                    Step 5: Filter the log
                    Step 6: Disable and clear the Logger history
                    Learn more about Logger
               Working with Logger entries
                    Viewing log entries
                    Adding a custom column
                         Example Bambda
                    Viewing requests and responses
                    Filtering Logger entries
                         Capture filter
                         View filter
                    Annotating log entries
                    Logger workflow tools
               Logger capture filter
                    Settings mode
                         Capture limit
                         Capture by request type
                         Capture by MIME type
                         Capture by status code
                         Capture by tool
                         Capture by search term
                         Session handling
                         Limit request/response size
                    Bambda mode
                         Converting filter settings to Bambdas
               Logger view filter
                    Settings mode
                         Filter by request type
                         Filter by MIME type
                         Filter by status code
                         Filter by tool
                         Filter by search term
                         Filter by file extension
                         Filter by annotation
                    Bambda mode
                         Example Bambda
                         Converting filter settings to Bambdas
               Task Logger
          Sequencer
               Getting started
               Token sample
                    Configuring a live capture of tokens
                         Selecting a token location
                    Manually loading tokens
                    Live capture
               Results
                    Summary
                         Overall result
                         Effective entropy
                         Reliability
                         Sample
                    Analysis result tabs
                         Individual tests
                         Character set
                         Bit conversion
                    Analysis settings tab
                    Tests
                         How the tests work
                         Character-level tests
                              Character count analysis
                              Character transition analysis
                         Bit-level analysis
                              FIPS test results
                              FIPS monobit test
                              FIPS poker test
                              FIPS runs test
                              FIPS long runs test
                              Spectral tests
                              Correlation test
                              Compression test
          DOM Invader
               Key features
               Enabling DOM Invader
               Testing for DOM XSS
                    Injecting a canary
                         Injecting a canary into multiple sources
                    Identifying controllable sinks
                    Determining the XSS context
                    Studying the client-side code
               Testing for DOM XSS using web messages
                    Enabling web message interception
                    Identifying interesting web messages
                    Automated web message analysis
                    Message details
                         Origin accessed
                         Data accessed
                         Source accessed
                    Replaying web messages
                    Generating a proof of concept
               Testing for client-side prototype pollution
                    Enabling prototype pollution
                    Detecting sources for prototype pollution
                    Manually confirming sources for prototype pollution
                    Scanning for prototype pollution gadgets
                    Generating a proof-of-concept exploit
               Testing for DOM clobbering
                    Enabling DOM clobbering
               Settings
                    Main
                         Enable DOM Invader
                         Postmessage interception
                         Customizing sources and sinks
                    Attack types
                         Prototype pollution
                         DOM clobbering
                    Web message settings
                         Postmessage origin spoofing
                         Canary injection into intercepted messages
                         Filter messages with duplicate values
                         Generate automated messages
                         Detect cross-domain leaks
                    Prototype pollution settings
                         Scan for gadgets
                         Auto-scale amount of properties per frame
                         Scan nested properties
                         Query string injection
                         Hash injection
                         JSON injection
                         Verify onload
                         Remove CSP header
                         Remove X-Frame-Options header
                         Scan each technique in separate frame
                         Disabling prototype pollution techniques
                    Misc
                         Message filtering by stack trace
                         Auto-fire events
                         Redirection prevention
                         Add breakpoint before redirect
                         Inject canary into all sources
                         Configuring callbacks
                         Remove Permissions-Policy header
                    Canary
                         Copying the canary
                         Changing the canary
          Clickbandit
               Setting up Burp Clickbandit
               Running an attack
               Reviewing an attack
          Comparer
               Carrying out comparisons
               Controls
               Results
          Decoder
               Carrying out transformations
               Operations
          Engagement tools
               Target analyzer
               Content discovery
                    Control tab
                    Config tab
                         Target
                         Filenames
                         File extensions
                         Discovery engine
                    Site map tab
               Generate CSRF PoC
                    CSRF PoC options
               Manual testing simulator
          Infiltrator
               How Burp Infiltrator works
               Installing Burp Infiltrator
                    Non-interactive installation
               Configuration options
          Organizer
               Sending messages to Organizer
               Organizer table
               Viewing HTTP messages
               Annotating items
               Filtering items
          Search
               Text search
               Find comments and scripts
               Find references
     Automated scanning
          Scanning web applications
               Running a full crawl and audit
                    Step 1: Configure scan details
                    Step 2: Select a scan configuration
                    Step 3: Configure application logins (optional)
                    Step 4: Select a resource pool (optional)
               Scanning specific HTTP messages
                    Configuring the scan
               Launching scans
          Setting the scan scope in Burp Suite Professional
               Scan type
               URLs to scan
                    Fragment handling
               Protocol settings
               Advanced scan parameters
               Items to scan
          Configuring scans
               Using a configuration from the library
               Creating a new configuration
               Importing a configuration
               Combining custom scan configurations in Burp Suite Professional
          Configuring application logins
               Adding usernames and passwords
                    Adding login credentials
                    Editing existing login credentials
                    Login functions
               Adding recorded login sequences in Burp Suite Professional
                    Adding login sequences
                    Editing existing recorded logins
               Managing application logins using the configuration library
          Managing resource pools for scans
               Creating new resource pools
               Reassigning resource pools
          Scanning APIs
               Step 1: Upload API definition
               Step 2: Review and configure the API details
                    Viewing and configuring authentication
               Step 3: Select a scan configuration
               Step 4: Select a resource pool
               Configuring authentication
                    Viewing authentication details
                    Managing authentication details
                         Adding credentials for detected authentication methods
                         Adding new authentication methods
                    How Burp Scanner applies authentication credentials
                         Conflicting authentication methods
          Adding custom scan checks
               Managing BChecks
               Testing BChecks
               Troubleshooting BChecks
               Managing BChecks for a specific scan
               Creating BChecks
                    Exporting BChecks
               Testing BChecks
                    Running a BCheck test
                    Managing BCheck test cases
                    Configuring test scans
          Live tasks
               Types of live task
               Live task scope
               Scan configuration and resource pools
               Creating live tasks
               Task execution settings
                    Task auto-start
                    Resource pools
          Viewing scan and live task results
               Summary
               Audit items
                    Audit phase indicators
                    Insertion points
                         Tree view
                              Nested insertion points
                         Insertion points information
                              Insertion point statuses
               Issues
                    Analyzing issue activity
                    Managing issues
               Event log
               Audit log
                    Viewing audit activity
                    Analyzing audit log activity
                    Managing audit log items
               Live crawl view
          Reporting scan results
               Report settings
                    Report format
                    Issue details
                    HTTP messages
                    Selecting issue types
                    Report details
     Project files
          Opening an existing project file
               Pause Automated Tasks
               Trust this project file
          Creating project files
               Opening a project file
          Managing project files
               Saving a copy of a project
                    Saving the Burp Collaborator identifier
               Importing project files
               Recovering data from corrupted project files
     Settings
          User and project settings
          Finding settings
          Managing settings
          Settings pages
          Key settings
               Target scope
               Platform-level authentication
               Session handling rules and macros
               Schedule tasks
               HTTP message appearance
          Tools
               Proxy
                    Proxy listeners
                         Binding
                         Request handling
                         Certificate
                         TLS Protocols
                         HTTP
                    Request and response interception rules
                         Adding an interception rule
                         Modifying intercepted messages
                    WebSocket interception rules
                    Response modification rules
                    Match and replace rules
                         Adding a match and replace rule
                         Matching multi-line regions
                         Using regex groups in back-references and replacement strings
                    TLS pass through
                         Adding TLS passthrough targets
                         Applying TLS passthrough to out-of-scope items
                    Proxy history logging
                    Default Proxy interception state
                    Miscellaneous
               Repeater
                    Connections
                    Message modification
                    Redirects
                         Follow redirects
                         Process cookies in redirects
                         Use selected protocol for cross-domain redirects
                    Default tab group
                    Tab view
               Sequencer
                    Live capture
                    Token handling
                    Token analysis
               Intruder
                    Automatic payload placement
                    New tab configuration
                    Behavior when closing result windows
                    Payload list location
               Burp's browser
                    Browser data
                    Browser running
          Project
               Collaborator
               Scope
                    Target scope
                    Out-of-scope request handling
               Tasks
                    Resource pools
                    New task auto-start
                    Schedule tasks
               Automatic backup
               Logging
          Sessions
               Session handling overview
               Session handling rules
                    Session handling tracer
               Cookie jar
               Macros
               Session handling rule editor
                    Rule description
                    Rule actions
                         Use cookies from the session handling cookie jar
                         Set a specific cookie or parameter value
                         Check session is valid
                         Make requests to validate session
                         Inspect responses to determine session validity
                         Define behavior dependent on session validity
                    Run a macro to obtain a new valid session
                         Prompt for in-browser session recovery
                         Run a post-request macro
                         Invoke a Burp extension
                         Set a specific header value
                    Tools scope
                    URL scope
                    Parameter scope
               Macros
                    Record macro
                    Configure item
                         Parameter handling
                         Custom parameter locations in response
                    Re-analyze macro
                    Test macro
          Network
               Connections
                    Platform authentication
                    Timeouts
                    Upstream proxy servers
                    Hostname resolution overrides
                    SOCKS proxy
               TLS
                    TLS negotiation
                    Client TLS certificates
                    Server TLS certificates
                    Java TLS settings
               HTTP
                    Allowed redirect types
                    Streaming responses
                    Status 100 response handling
                    HTTP/1
                    HTTP/2
          UI
               Inspector and message editor
                    Inspector widgets
                    Default Inspector panel layout
                    Message editor request and response views
                    HTTP message display
                    Character sets
                    HTML rendering
                    HTTP message search
                    Uninteresting headers
               Hotkeys
               Display
                    Appearance
                    Learn tab display
                    Scaling
          Suite
               REST API
                    Enabling the REST API
                    Service URL
                    API key
               Updates
               Becoming an early adopter
               Performance feedback
                    Logging exceptions to a local directory
               Temporary files location
               Startup behavior
                    Automated tasks on startup
                    Untrusted project files
                    Maximum Java memory usage
               Shutdown behavior
                    Shutdown confirmation
          Extensions
               Startup behavior
               Java environment
               Python environment
               Ruby environment
          Configuration library
               Adding a custom configuration
               Configuration files
          Response extraction rules
     Customizing Burp's layout
          Customizing Burp's top-level tabs
               Arranging top-level tabs
               Hiding top-level tabs
               Restoring the default top-level tab layout
          Customizing Burp's tables
               Advanced table customization
     Mobile testing
          Configuring a mobile device
          Configuring an iOS device to work with Burp Suite Professional
               Step 1: Configure the Burp Proxy listener
               Step 2: Configure your device to use the proxy
               Step 3: Install a CA certificate on your iOS device
               Step 4: Test the configuration
          Configuring an Android device to work with Burp Suite Professional
               Step 1: Configure the Burp Proxy listener
               Step 2: Configure your device to use the proxy
               Step 3: Install a CA certificate on your Android device
               Step 4: Test the configuration
          Troubleshooting for mobile devices
               I can't access HTTPS URLs on iOS even after installing Burp's CA certificate
     HTTP/2
          Background concepts
          Default protocol
          Keeping track of which protocol you're using
          Changing the protocol for a request
          Kettled requests
               What can cause a request to become kettled?
               Unkettling a request
               Kettled requests and extensions
          HTTP/2 settings
               Changing the default protocol
               Repeater options for HTTP/2
          Enforce protocol choice on cross-domain redirections
          Enable HTTP/2 connection reuse
          Strip Connection header over HTTP/2
          Allow HTTP/2 ALPN override
               Disabling HTTP/2 for proxy listeners
          Upcoming enhancements for HTTP/2 in Burp
               Increased support for kettled requests
          HTTP/2 basics for Burp users
               Binary protocol
               Frames
               Message length
               Header capitalization
               Pseudo-headers
          Normalization
               What normalization is performed?
                    Why can't I move the Host header?
               Sending requests without any normalization
          Performing HTTP/2-exclusive attacks
               Injecting newlines into headers
     Troubleshooting
          Troubleshooting
          Troubleshooting performance issues
               Optimize memory usage
                    Disabling extensions
                    Allocating less memory to Burp
                    Using a disk-based project
               Check the minimum system requirements
               Identify potential bottlenecks: CPU, memory, and network
               Optimize CPU usage
                    Disabling pretty printing
                    Disabling JavaScript analysis
                    Configuring your scans for performance
                    Narrowing the scope of your scans
                    Scanning a single protocol
               Optimize network usage
                    Reducing concurrent scans
                    Configuring resource pools
          Launch from the command line
               Checking your Java version
               Launching the Burp Suite JAR
               Command line arguments
          Setting Java options
               Creating a user.vmoptions file
               Specifying options
     External browser configuration
          Check proxy listener is active
          Configuring Chrome to work with Burp Suite - Windows
          Configuring Chrome to work with Burp Suite - MacOS
          Firefox
          Safari
          Check your browser configuration
          Installing Burp's CA certificate
               Installing Burp's CA certificate on a mobile device
               Why do I need to install Burp's CA certificate?
               In-browser interface
               Chrome
                    Removing Burp's CA certificate from Firefox
               Chrome
               Installing Burp's CA certificate in Chrome - Windows
                    Removing the CA certificate from Windows
               Installing Burp's CA certificate in Chrome - Linux
                    Removing the Burp Suite CA certificate
               Installing Burp's CA certificate in Chrome - MacOS
                    Removing the Burp Suite CA certificate
               Chrome
                    Removing Burp's CA certificate from Safari
               Troubleshooting
                    Check that Burp is running
                    Check your proxy listener is active
                    Try a different port
                    What next?
Burp Suite Enterprise Edition
     Setting up Burp Suite Enterprise Edition
          Setting up a Cloud instance
               Step 1: Assign your primary administrator
               Step 2: Launch your instance as the primary administrator
          Setting up a self-hosted instance
               Planning to deploy Burp Suite Enterprise Edition
                    Decide on your subscription
                    Choose a deployment method
                    Choose your preferred architecture
                    Plan your database setup
                    Review the system requirements
                    Plan your network and firewall setup
                    Prepare your organization
               Which deployment method is right for me?
               Burp Suite Enterprise Edition system requirements
                    Concurrent scans
               Setup guide: Standard instance
                    Unattended installation
                    Architecture overview (Standard)
                         Enterprise server
                         Web server
                         Database
                         Services
                         Scans and scanning machines
                    Single vs. multi-machine architecture
                         Single machine architecture
                         Multi-machine architecture
                         Requirements
                         Network and firewall settings
                    Configuring your network and firewall settings (Standard)
                         Configuring a single-machine architecture
                         Configuring a multi-system architecture
                    System requirements for standard instances
                         General requirements
                         Supported operating systems
                         Single-machine architecture
                              Machine hardware requirements
                         Multi-machine architecture
                    System requirements for your external database (Standard)
                         Database size requirements
                         Supported database versions
                    Setting up the external database (Standard)
                         Database setup scripts
                              PostgreSQL
                              Oracle
                              MariaDB / MySQL
                              Microsoft SQL Server
                         Authentication mode
                         Additional configuration for Microsoft SQL Server
                         Database connection URL format
                         Troubleshooting for MySQL databases
                              Multiple primary keys defined
                         Distributing the public key manually
                    Prerequisites for a standard installation
                         Port
                         TLS certificate
                         Installation location
                         System user
                         Scanning machine requirements
                         Database setup script
                    Installing Burp Suite Enterprise Edition (Standard)
                         Before installation
                         Step 1: Download the installer
                         Step 2: Extract and run the installer
                         Step 3: Choose an install location
                         Step 4: Select the components to install
                         Step 5: Specify a logs directory
                         Step 6: Specify a data directory
                         Step 7: Select a user to run processes
                         Step 8: Select database options
                         Step 9: Specify a web server port
                         Step 10: Specify a database backups directory
                         After installation
                    Configuring Burp Suite Enterprise Edition (Standard)
                         Uploading a TLS certificate
                         Configuring database details
                         Configuring admin user details
                    Activating your license (Standard)
                    Configuring your web server (Standard)
                         Enabling TLS
                    Deploying additional scanning machines
                         Setting up a new scanning machine
                         Authorizing a new scanning machine
               Setup guide: Kubernetes instance
                    Kubernetes architecture overview
                         Enterprise server
                         Web server
                         Database
                         Scans and scanning resources
                    Kubernetes scanning resources overview
                         How does scanning work on Kubernetes?
                         Configuring scanning resources
                    Support scope for Kubernetes instances
                         PortSwigger Kubernetes support scope
                              Not supported
                         Kubernetes customer responsibilities
                    Configuring your environment network and firewall settings (Kubernetes)
                         Configuring your instance
                    System requirements for a Kubernetes instance
                         Container system requirements
                              Minimum requirements for general container limits
                              Minimum requirements for a web server container
                              Minimum requirements for an Enterprise server container
                              Minimum requirements for a scan container
                    System requirements for the external database (Kubernetes)
                         Supported database versions
                         Database hardware requirements
                    Setting up your external database (Kubernetes)
                         Database setup scripts
                              PostgreSQL
                              Oracle
                              MariaDB / MySQL
                              Microsoft SQL Server
                         Authentication mode
                         Additional configuration for Microsoft SQL Server
                         Database connection URL format
                         Troubleshooting for MySQL databases
                              Multiple primary keys defined
                         Distributing the public key manually
                    Deploying Burp Suite Enterprise Edition to Kubernetes
                    Setting up a suitable Kubernetes cluster
                         Using the reference template
                    Installing the application (Kubernetes)
                         Downloading the Helm chart
                         Providing custom values for the Helm chart
                              Note for Oracle users
                         Adding a TLS certificate
                         Configuring the database details
                         Using the Helm chart
                         Installing using a pre-existing values file
                    Creating the admin user (Kubernetes)
                    Activating your license (Kubernetes)
                    Configuring your web server (Kubernetes)
                         Enabling TLS
               Setup guide: CI-driven scans with no dashboard
                    Running a basic CI-driven scan with no dashboard
                         Before you start
                         System requirements
                         Running a scan
                         Scan results
                         Remediation advice
                         Evidence
                         Configuring CI-driven scans
                         CI-driven scan integration examples
                    Configuring CI-driven scans with no dashboard
                         Creating a configuration file for a CI-driven scan with no dashboard
                              Mandatory settings
                              Proxy settings
                              Defining the scope
                              Authentication
                                   Login credentials
                                   Recorded logins
                              Selecting a built-in scan configuration
                              Configuring connection settings
                              Specifying report format
                              Ignoring specific vulnerabilities
                              Setting the threshold
                         Adding a configuration file to a CI-driven scan with no dashboard
                    Example integrations for CI-driven scans with no dashboard
                         Integrating a CI-driven scan with no dashboard with Jenkins
                              Before you start
                              Jenkins server requirements
                              Configuring the Jenkins pipeline
                              Setting the configuration of your scan
                              Creating the Jenkinsfile
                              Viewing scan results in Jenkins
                              Remediation advice
                              Evidence
                         Integrating a CI-driven scan with no dashboard with TeamCity
                              Before you start
                              TeamCity agent requirements
                              Creating the settings file
                              Setting the configuration of your scan
                              Configuring the TeamCity pipeline
                              Viewing scan results in TeamCity
                              Remediation advice
                              Evidence
                         Integrating a CI-driven scan with no dashboard with GitHub Actions
          Trial setup guide
               Install with the default options
                    Activating your license
               Run your first scan
               Analyze your scan's results
          Next steps after setup
               Import sites in bulk
               Schedule scans
               Set up your email server
               Add more users
               Set up integrations
               Learn more about working with sites
               Learn more about working with scans
               Learn more about analyzing scan results
     Burp Suite Enterprise Edition user guide
          Getting started with Burp Suite Enterprise Edition
               Step 1: Set up your users
               Step 2: Add the sites you want to scan
               Step 3: Set up a scan configuration
               Step 4: Schedule your scans
               Step 5: View scan results
          What else can I do with Burp Suite Enterprise Edition?
          Managing users and permissions
               Role-based access control
                    Vertical segregation of permissions
                    Horizontal segregation of permissions
               Adding local users
                    Creating an API user
               Enabling single sign-on for Burp Suite Enterprise Edition
                    Configuring user groups and permissions for SSO
                         Creating groups for SAML
                    Configuring LDAP single sign-on for Burp Suite Enterprise Edition
                    Configuring SAML single sign-on for Burp Suite Enterprise Edition
                         Configuring SAML SSO with ADFS
                              Before you start
                              Step 1: Add Burp Suite Enterprise Edition to your trusted applications
                              Step 2: Obtain key details from ADFS
                              Step 3: Enter the key details in Burp Suite Enterprise Edition
                              Step 4: Configure how groups are managed
                                   Create a central claim issuance policy
                              Create claim rules for each group individually
                         Configuring SAML SSO with Entra ID
                              Before you start
                              Step 1: Add Burp Suite Enterprise Edition to your trusted applications
                              Step 2: Import key details from Entra ID
                              Step 3: Configure group membership
                         Configuring SAML SSO with Okta
                              Before you start
                              Step 1: Add Burp Suite Enterprise Edition to your trusted applications
                              Step 2: Obtain key details from Okta
                              Step 3: Enter the key details in Burp Suite Enterprise Edition
                              Step 4: Configure Okta Group Attribute Statements
                         Configuring single logout
                    Configuring SCIM
                         Integrating SCIM using Okta
                              Prerequisites
                              Get your SCIM URL and API token
                              Upload a TLS certificate
                              Configure the connection in Okta
                                   Enable SCIM provisioning
                                   Enter the connection details
                                   Configure the provisioning to app settings
                              Push your Okta users and groups to Burp Suite Enterprise Edition
                         Integrating SCIM using OneLogin
                              Prerequisites
                              Get your SCIM URL and API token
                              Upload a TLS certificate
                              Configure the connection in OneLogin
                                   Enter the connection details
                                   Configure the parameters
                              Enable SCIM provisioning
                              Push your OneLogin users to Burp Suite Enterprise Edition
                                   Troubleshooting provisioning issues in OneLogin
                         Managing SCIM users and groups in Burp Suite Enterprise Edition
                              Assigning permissions to SCIM users
                              Assigning permissions to SCIM groups
                              Removing a SCIM user
               Managing users
                    Viewing users
                    Creating a new user
                    Editing users
                    Suspending a user temporarily
                    Deleting a user
               Managing groups
                    Creating a new group
                    Editing a group
                    Restricting access to sites
                    Deleting a group
               Managing roles
                    Creating a new role
                    Modifying roles
                    Deleting roles
               Restricting access to sites
               Resetting your admin password
                    Resetting your admin password on a Cloud instance
                    Resetting your admin password on a self-hosted standard instance
                         Windows
                         Linux
                    Resetting your admin password on a self-hosted Kubernetes instance
          Working with sites
               Sites section contents
               Adding new sites
                    Optional settings for your new site
                         Detailed scope configuration
                         Protocol settings
                         Scan settings
               Configuring network and firewall settings for a site
                    Cloud instances
                    Self-hosted instances
               Importing sites in bulk
                    Preparing the import CSV file
                    Uploading the CSV file
               Setting the site scope
               Configuring site settings
                    Defining the scan configuration for a site
                         Using preset scan modes
                         Using custom scan configurations
                              Assign a custom scan configuration to a site
                              Create a custom scan configuration
                              Exporting scan configurations
                              Importing scan configurations
                         Defining the scan configuration for a folder
                              How scan configurations are combined
                              How preset scan modes are combined
                    Configuring authentication
                         Configuring site login details
                         Configuring platform authentication details
                         Adding recorded login sequences
                              Adding recorded login sequences to Burp Suite Enterprise Edition
                              Reviewing a recorded login sequence
                         Configuring platform authentication
                         Adding usernames and passwords to a site
                    Configuring upstream proxy servers
                    Adding headers and cookies
                    Scanning with extensions in Burp Suite Enterprise Edition
                         Applying extensions to sites
                              Applying extensions to an existing site
                              Removing extensions from sites
                         Applying extensions to folders
                    Setting up scan notifications
                         Setting up email notifications
                              Setting up email notifications when creating a new site
                              Setting up email notifications for existing sites
                         Setting up Slack notifications
                              Setting up Slack notifications when creating a new site
                              Setting up Slack notifications for existing sites
               Performing a pre-scan check
               Editing existing sites
               Managing the site tree
                    Creating folders and subfolders
                    Adding individual sites to a folder
                    Moving sites and folders in bulk
                    Deleting sites and folders
          Working with scans
               Creating scans
                    Create a new scan
                    CI-driven scans
               Managing scheduled scans
                    Viewing scheduled scans
                    Editing scheduled scans
                    Deleting scheduled scans
                    Editing schedule scan configurations
               Performing bulk actions with scans
               Viewing scan details
               Monitoring scan progress
                    Reviewing scan errors
               Configuring default false positive settings
               Configuring site and scan data settings
               Downloading logs and debug packs
                    Downloading the event log
                    Downloading the scan debug pack
                    Downloading the verbose debug pack
          Working with scan results
               Tracking issues over time
                    Viewing the dashboard for a site
                    Viewing the dashboard for a folder
                    Viewing the severity trend
               Viewing issue details
                    View details for a specific issue
               Handling false positives
                    Mark an issue as a false positive
               Raising tickets
                    Raising GitLab issues from within Burp Suite Enterprise Edition
                         Raising GitLab issues for multiple issues
                    Raising Jira tickets from within Burp Suite Enterprise Edition
                         Unlink Jira tickets
                         Raising Jira tickets for multiple issues
                    Raising Trello cards from within Burp Suite Enterprise Edition
                         Raising Trello cards for multiple issues
                    Raising tickets for multiple issues
                         Linking multiple issues to an existing ticket
                         Managing linked tickets
               Downloading reports
                    Download a standard report
                    Download a compliance report
                    Send scan summary reports automatically
                    Export issue data
          Managing scanning resources
               Managing scanning pools
               Using self-hosted scanning machines with a Cloud instance
                    System requirements for self-hosted scanning machines
                         General requirements
                         Supported operating systems
                    Network and firewall settings for self-hosted scanning machines
                    Setting up a self-hosted scanning machine for a Cloud instance
                         Prerequisites
                         Downloading the installer
                         Running the installer
                         Scanning your sites with self-hosted scanning machines
                    Managing self-hosted scanning machines with a Cloud instance
                         Updating self-hosted scanning machines
                         Deleting a self-hosted scanning machine
                         Managing authentication tokens
                    Scanning pools for Cloud instances of Burp Suite Enterprise Edition
                         Features of scanning pools
                         Creating a new scanning pool
                         Reassigning a scanning machine to a different pool
                         Reassigning a site to a different pool
               Managing scanning resources for a self-hosted instance
                    Standard instances
                    Kubernetes instances
                    Deploying additional scanning machines
                         Setting up a new scanning machine
                         Authorizing a new scanning machine
                    Managing Kubernetes scanning resources
                         Setting concurrent scan limits
                         Disabling scanning
                         Amending your license
                         Viewing active scans
                    Scanning pools for self-hosted instances of Burp Suite Enterprise Edition
                         Features of scanning pools
                         Creating a new scanning pool
                         Reassigning a scanning machine to a different pool
                         Reassigning a site to a different pool
               Assigning scan limits
                    Additional scans
          Post-installation configuration
               Managing certificates for outbound connections
               Configuring your SMTP server
                    Using an HTTP proxy server to connect to the SMTP server
                    Connecting to an external email service
                    Connecting to an internal email service
                    Verifying your SMTP server connection
               Configuring an HTTP proxy server
               Allowlisting an application for CORS
               Configuring database backups
               Migrating to an external database
                    Preparing for the migration
                         Prerequisite steps for Oracle databases
                         Prerequisite steps for PostgreSQL databases
                    Migrating your data
                         Running the database transfer command manually
                    Restarting the Burp Suite Enterprise Edition services
          Integrating with CI/CD platforms
               CI-driven scans
               CI/CD plugins (legacy)
               Integrating CI-driven scans
                    What are CI-driven scans?
                    Configuring your scan
                    Viewing your scan results
                    Getting started with CI-driven scans
                         Before you start
                         System requirements
                         Running a scan
                         Setting the public key certificate
                         Scan results
                         Remediation advice
                         Evidence
                         Configuring CI-driven scans
                         CI-driven scan integration examples
                    System requirements for CI-driven scans
                         Network and firewall configuration
                    Creating a configuration file for a CI-driven scan
                         Mandatory settings
                         Proxy settings
                         Defining the scope
                         Public key certificate
                         Authentication
                              Login credentials
                              Recorded logins
                         Scan configuration
                              Selecting a built-in scan configuration
                              Selecting a custom scan configuration
                         Configuring connection settings
                         Viewing scan results in the dashboard
                         Specifying report format
                         Ignoring specific vulnerabilities
                         Setting the threshold
                    Adding a configuration file to a CI-driven scan
                    Example integrations for CI-driven scans
                         Integrating a CI-driven scan with Jenkins
                              Before you start
                              Jenkins server requirements
                              Configuring the Jenkins pipeline
                              Setting the configuration of your scan
                              Creating the Jenkinsfile
                              Viewing scan results in Jenkins
                              Remediation advice
                              Evidence
                         Integrating a CI-driven scan with TeamCity
                              Before you start
                              TeamCity agent requirements
                              Creating the settings file
                              Setting the configuration of your scan
                              Configuring the TeamCity pipeline
                              Viewing scan results in TeamCity
                              Remediation advice
                              Evidence
                         Integrating a CI-driven scan with GitHub Actions
               Using plugins for CI/CD platform integration
                    Overview of CI/CD platform integration
                         Integration types
                         Detailed instructions
                    Integration types for CI/CD platforms
                         Site-driven scan
                         Burp scan
                    Creating an API user for the CI/CD integration
                         Create a role and group for CI/CD users
                         Create the CI/CD API user
                    Integrating Burp Suite Enterprise Edition with Jenkins
                         Create an API user
                         Download and install the plugin
                         Configure the integration
                         Configuring a site-driven scan in Jenkins
                              Prerequisites
                              Whitelist your Jenkins URL
                              Create the site-driven scan build step in Jenkins
                              Test your integration
                         Configuring a Burp scan in Jenkins
                              Prerequisites
                              Create the Burp scan build step in Jenkins
                              Test your integration
                    Integrating Burp Suite Enterprise Edition with TeamCity
                         Create an API user
                         Download and install the plugin
                         Configure the integration
                         Configuring a site-driven scan in TeamCity
                              Prerequisites
                              Whitelist your TeamCity URL
                              Create the site-driven scan build step in TeamCity
                              Test your integration
                         Configuring a Burp scan in TeamCity
                              Prerequisites
                              Create the Burp scan build step in TeamCity
                              Test your integration
                    Integrating with other CI/CD platforms
                         Configuring a site-driven scan using the generic CI/CD driver
                              Prerequisites
                              Add the build steps to your pipeline
                              Test your integration
                         Configuring a Burp scan using the generic CI/CD driver
                              Prerequisites
                              Add the build steps to your pipeline
                              Test your integration
                         Parameter reference for the generic CI/CD driver
                    Optional settings for the CI/CD integration
                         Configuring optional settings using the platform plugins
                         Configuring optional settings using the generic CI/CD driver
                         Overriding the default scan configurations from your CI/CD system
                         Ignoring issues
          Integrating Burp Suite Enterprise Edition with issue tracking platforms
               Integrating Burp Suite Enterprise Edition with GitLab
                    Prerequisites
                    (Recommended) Create a new GitLab user for the integration
                    Generate a GitLab impersonation token
                    Connect Burp Suite Enterprise Edition to GitLab
                         Enable GitLab issues to be raised manually
                         Enable GitLab issues to be raised automatically
                    Raising GitLab issues from within Burp Suite Enterprise Edition
               Integrating Burp Suite Enterprise Edition with Jira
                    Supported versions of Jira
                    (Recommended) Create a new Jira user for the integration
                    Generate a Jira API token (Jira Cloud only)
                    Connect Burp Suite Enterprise Edition to Jira
                         Enable manual Jira ticket creation
                         Enable automatic Jira ticket creation
                    Manually creating Jira tickets
               Integrating Burp Suite Enterprise Edition with Trello
                    Prerequisite
                    (Recommended) Create a new Trello user for the integration
                    Connect Burp Suite Enterprise Edition to Trello
                         Enable manual Trello card creation
                         Enable automatic Trello card creation
                    Raising Trello cards from within Burp Suite Enterprise Edition
          Integrating Burp Suite Enterprise Edition with Slack
               Prerequisites
               Create a Slack app
               Add the app to your Slack channels
               Connect your Slack app to Burp Suite Enterprise Edition
               Manage which Slack channels are available
          Managing services
               Managing Burp Suite Enterprise Edition services for standard instances
                    List running services
                    Stop running services
                    Start services
               Restarting services for Kubernetes instances
          Managing updates
               Configuring automatic updates
               Manually checking for updates
               Manually installing updates
               Downtime during updates
               Updating a Cloud instance
               Updating Burp Suite Enterprise Edition on Kubernetes
                    Preparing to update
                    Running the update command
          Extensions in Burp Suite Enterprise Edition
               Extension library
               Adding extensions to Burp Suite Enterprise Edition
                    Prerequisite permissions for adding extensions
                    Adding BApps to Burp Suite Enterprise Edition
                    Adding custom extensions to Burp Suite Enterprise Edition
                    Adding BChecks to Burp Suite Enterprise Edition
               Managing extensions in Burp Suite Enterprise Edition
                    Viewing extension details
                    Updating an extension
                    Deleting an extension
          Troubleshooting in Burp Suite Enterprise Edition
               Troubleshooting Cloud instances
                    Event log
                    Help center
                    Support logs
               Troubleshooting a self-hosted instance
                    Troubleshooting a Kubernetes instance
                         Help center
                         Support pack
                         Event log
                         Scan debug pack
                         Enabling verbose logging
                         Downloading logs manually
                    Troubleshooting a standard instance
                         Help center
                              Support pack
                              Diagnostics
                              Debug
                              Documentation
                         Event log
                         Scan debug pack
                         Enabling verbose logging
                         Downloading logs manually
          Enterprise Edition - Reference
               Technical infrastructure
               Troubleshooting in Burp Suite Enterprise Edition
               API reference
               User interface
               Home page
                    Dashboard
                    Issues
               Sites page
                    Site filters
                    Site actions
               Scans page
                    Scans
                    Scheduled scans
                         Schedule scan configurations
               Scan details
                    Failed scans
               Custom scan configuration settings
                    Connections
                         Platform authentication
                         Upstream proxy servers