The extensibility API is extremely rich and powerful, and lets extensions carry out numerous useful tasks. You can:
- Process and modify HTTP requests and responses for all Burp tools.
- Access key runtime data, such as the Proxy history, target site map, and Scanner issues.
- Initiate actions like scanning and spidering.
- Implement custom scan checks and register scan issues.
- Customize the placement of attack insertion points within scanned requests.
- Provide custom Intruder payloads and payload processors.
- Query and update the Suite-wide target scope.
- Query and update the session handling cookie jar.
- Implement custom session handling actions.
- Add custom tabs and context menu items to Burp's user interface.
- Use Burp's native HTTP message editor within your own user interface.
- Customize Burp's HTTP message editor to handle data formats that Burp does not natively support.
- Analyze HTTP requests and responses to obtain headers, parameters, cookies, etc.
- Build, modify and issue HTTP requests and retrieve responses.
- Read and modify Burp's configuration settings.
- Save and restore Burp's state.
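As an illustration of two items from the list above (processing responses for all Burp tools, and analyzing them to obtain headers), the following is an added example, not one of the sample extensions offered on this page. It reports cookies set without the Secure or HttpOnly attribute; the extension name and the output format are assumptions made for the example.

```java
package burp;

import java.util.List;
import java.util.Locale;

// Added example: passive audit of Set-Cookie attributes on every response Burp sees.
// The extension API requires the entry class to be burp.BurpExtender.
public class BurpExtender implements IBurpExtender, IHttpListener {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Cookie flag audit (example)"); // assumed name
        callbacks.registerHttpListener(this); // invoked for traffic from all Burp tools
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        if (messageIsRequest) {
            return; // Set-Cookie only appears in responses
        }
        boolean https = "https".equalsIgnoreCase(messageInfo.getHttpService().getProtocol());
        List<String> headers = helpers.analyzeResponse(messageInfo.getResponse()).getHeaders();
        for (String header : headers) {
            if (!header.toLowerCase(Locale.ROOT).startsWith("set-cookie:")) {
                continue;
            }
            // parts[0] is name=value; the remaining parts are cookie attributes.
            String[] parts = header.substring("set-cookie:".length()).split(";");
            boolean secure = false, httpOnly = false;
            for (int i = 1; i < parts.length; i++) {
                String attr = parts[i].trim().toLowerCase(Locale.ROOT);
                secure |= attr.equals("secure");
                httpOnly |= attr.equals("httponly");
            }
            boolean needsSecure = https && !secure; // Secure only matters over HTTPS
            if (needsSecure || !httpOnly) {
                String name = parts[0].split("=", 2)[0].trim();
                callbacks.printOutput(callbacks.getToolName(toolFlag) + " "
                        + helpers.analyzeRequest(messageInfo).getUrl()
                        + " cookie '" + name + "' missing:"
                        + (needsSecure ? " Secure" : "") + (!httpOnly ? " HttpOnly" : ""));
            }
        }
    }
}
```

Compile it against the interface files saved from Extender / APIs and load the resulting JAR through the Extender tool.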
View the full technical details for the latest Burp API in the online Javadoc.
To view or save a copy of the interface code files for your version of Burp, go to Extender / APIs.
Note: Prior to v1.5.01, Burp exposed a much more restricted legacy API.
Sample extensions to get you started
Below are some examples of simple extensions, including examples using Java, Python and Ruby. You can also view the source code for all BApp Store extensions on our GitHub page.
| Extension | Languages | Description | Link |
|---|---|---|---|
| Hello world | Java, Python, Ruby | This is a very simple extension that prints some output to various locations within Burp. | Download |
| Event listeners | Java, Python, Ruby | This extension registers listeners for various runtime events, and prints a message when each event occurs. | Download |
| Traffic redirector | Java, Python, Ruby | This extension redirects all outbound requests from one host to another. | Download |
| Custom logger | Java, Python, Ruby | This extension adds a new tab to Burp's user interface, and displays a log of HTTP traffic for all Burp tools, in the style of Burp's Proxy history. | Download |
| Custom editor tab | Java, Python, Ruby | This extension adds a new tab to Burp's HTTP message editor, in order to handle an unsupported data serialization format. | Download |
| Custom scan insertion points | Java, Python, Ruby | This extension provides custom attack insertion points for active scanning, allowing Burp's scanning engine to work with an unsupported data serialization format. | Download |
| Custom scanner checks | Java, Python, Ruby | This extension implements custom checks to extend the capabilities of Burp's active and passive scanning engines. | Download |
| Custom session tokens | Java, Python, Ruby | This extension demonstrates working with custom session tokens that Burp normally doesn't understand. | Download |
| Intruder payloads | Java, Python, Ruby | This extension provides custom Intruder payloads and payload processing. | Download |
For more help and examples of Burp extensions, you can refer to the Burp Extensions community discussions in the Support Center.
Note: Because of the way in which Jython and JRuby dynamically generate Java classes, you may encounter memory problems if you load several different Python or Ruby extensions, or if you unload and reload an extension multiple times. If this happens, you will see an error like:
java.lang.OutOfMemoryError: PermGen space
You can avoid this problem by configuring Java to allocate more PermGen storage, by adding a -XX:MaxPermSize option to the command line when starting Burp. For example:
java -XX:MaxPermSize=1G -jar burp.jar