To access extensions from the BApp Store in Burp, your device must be able to access portswigger.net. You might not be able to access extensions because:
- You're offline.
- Your network requires an upstream proxy.
- An intercepting proxy is intercepting traffic and re-signing it with its own certificate. Burp doesn't trust self-signed certificates by default, so it blocks the connection.
If you're working offline in Burp, you can use a separate browser to download extensions from our website, then install them manually. For more information, see Installing extensions manually.
Step 1: Check your internet connection
Make sure your computer is connected to the internet. To verify this, open an external browser and try visiting https://portswigger.net. If you can't access the site, check your network settings or contact your administrator.
Step 2: Configure an upstream proxy
Some networks require an upstream proxy for internet access. If your network requires one, configure Burp to use it:
In Burp, click Settings. The Settings dialog opens.
Go to Network > Connections.
Under Upstream proxy servers, click Add. The Add upstream proxy rule dialog opens.
Enter the details of the upstream proxy. For more information, see Connections settings - Upstream proxy servers.
Click OK.
The upstream proxy rule is added to the table.
Step 3: Identify and resolve an intercepting proxy
Some networks use intercepting proxies, such as Zscaler, to inspect and decrypt encrypted traffic. These proxies intercept HTTPS connections and re-sign certificates, which means Burp won't trust the connection.
To check if an intercepting proxy is impacting your connection:
In Burp's browser, go to https://portswigger.net/bappstore.
In Burp, go to Settings > Network > TLS.
Under Server TLS certificates, find the entry for portswigger.net.
Check the issuer of the certificate:
If the issuer is a well-known CA provider such as Amazon, it's unlikely that an intercepting proxy is interfering with the connection.
If the certificate is issued by an intercepting proxy (such as Zscaler), or your company's security system, then your traffic is being intercepted.
If you identify that your traffic is intercepted by an intercepting proxy, you'll need to set the proxy as a trusted entity. You have the following options:
Configure Burp to use your system's trusted certificate store (Windows only).
Manually import the intercepting proxy's certificate into Java's trust store.
Option 1: Allowlist Burp in the intercepting proxy
If your security software allows exceptions, add portswigger.net to the allowlist. You may need to ask a network administrator to do this.
Option 2: Configure Burp to use your system's trusted certificate store
If your system already trusts the intercepting proxy's certificate, you can configure Burp to use your system's certificate store instead of its default Java trust store.
This option is quick and easy to set up, but is only available for Windows systems.
To use your system's certificate store:
Create a user.vmoptions file. This enables you to specify custom Java options for Burp. For instructions, see Creating a user.vmoptions file.
Add the following to the user.vmoptions file:
-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
Restart Burp, then check if you can access the BApp Store.
Option 3: Import the intercepting proxy's certificate into Java's trust store
If you're using macOS or Linux, or can't configure Burp to use the system's certificate store, you can manually add the intercepting proxy's certificate to Java's trust store.
Find the file path of the intercepting proxy's certificate. If you're unsure, check your system settings or ask a network administrator.
In Burp, go to Help > Diagnostics. The Burp Suite diagnostics dialog opens.
Locate the java.home property and make a note of the path to Burp's Java installation.
Open a terminal and use the following command to navigate to the Java bin folder. Make sure to replace JAVA_FOLDER with the Java installation path you noted earlier.
- macOS and Linux:
cd "JAVA_FOLDER/bin"
- Windows:
cd "JAVA_FOLDER\bin"
Import the certificate using the following command. Make sure to replace JAVA_FOLDER with the Java installation path you noted earlier, and CERTIFICATE_FILE_PATH with the path to the intercepting proxy's certificate.
- macOS and Linux:
keytool -import -trustcacerts -keystore "JAVA_FOLDER/lib/security/cacerts" -storepass changeit -alias MyCert -file CERTIFICATE_FILE_PATH
- Windows:
keytool -import -trustcacerts -keystore "JAVA_FOLDER\lib\security\cacerts" -storepass changeit -alias MyCert -file CERTIFICATE_FILE_PATH
Verify that the certificate was added successfully using the following command. Make sure to replace JAVA_FOLDER with the Java installation path.
- macOS and Linux:
keytool -list -keystore "JAVA_FOLDER/lib/security/cacerts" -storepass changeit | grep MyCert
- Windows:
keytool -list -keystore "JAVA_FOLDER\lib\security\cacerts" -storepass changeit | findstr MyCert
Restart Burp, then check if you can access the BApp Store.
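A pre-import check for Option 3, added here as an example and not part of PortSwigger's documented procedure: anything imported into cacerts is trusted by that Java installation as a certificate authority, so confirm the file is the CA your administrator intended before running keytool -import. It assumes openssl is installed, the certificate is PEM-encoded, and the expected SHA-256 fingerprint was supplied out-of-band; the function names and the throwaway certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example (not PortSwigger's procedure): checks to run on CERTIFICATE_FILE_PATH
# before the keytool -import step. Requires openssl; input must be a PEM certificate.

# Print the SHA-256 fingerprint as 64 uppercase hex digits (empty if unreadable).
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//; s/://g'
}

# Succeed only if the certificate carries basicConstraints CA:TRUE.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# check_before_import FILE EXPECTED_SHA256
# EXPECTED_SHA256 is assumed to come from your network administrator, out-of-band.
check_before_import() {
  local expected actual
  expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  actual=$(cert_sha256 "$1")
  [ -n "$actual" ] || { echo "unreadable certificate"; return 1; }
  [ "$actual" = "$expected" ] || { echo "fingerprint mismatch"; return 1; }
  cert_is_ca "$1" || { echo "not a CA certificate"; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || { echo "expired"; return 1; }
  echo "ok"
}

# Constructed sample input: a throwaway self-signed certificate, CA flag TRUE or FALSE.
make_constructed_cert() {   # usage: make_constructed_cert OUT.pem TRUE|FALSE
  local conf
  conf=$(mktemp)
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' 'prompt=no' \
    '[dn]' 'CN=Constructed Inspection CA' '[ext]' "basicConstraints=critical,CA:$2" >"$conf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$conf" \
    -keyout "$conf.key" -out "$1" 2>/dev/null
  rm -f "$conf" "$conf.key"
}

# Demo on the constructed certificate; in real use pass the administrator's fingerprint.
demo=$(mktemp)
make_constructed_cert "$demo" TRUE
check_before_import "$demo" "$(cert_sha256 "$demo")"
rm -f "$demo"
```

Run check_before_import against CERTIFICATE_FILE_PATH and proceed to the keytool import only when it prints ok.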