Extensibility_

Burp Extender lets you extend the functionality of Burp Suite in numerous ways. This page contains technical details to help you develop Burp extensions. For help on loading extensions into Burp and using the Extender tool, please see the Burp Extender Help.

Extensions can be written in Java, Python or Ruby.

Burp Extender Help

Extensibility API

The extensibility API is extremely rich and powerful, and lets extensions carry out numerous useful tasks. You can:

  • Process and modify HTTP requests and responses for all Burp tools.
  • Access key runtime data, such as the Proxy history, target site map, and Scanner issues.
  • Initiate actions like scanning and spidering.
  • Implement custom scan checks and register scan issues.
  • Customize the placement of attack insertion points within scanned requests.
  • Provide custom Intruder payloads and payload processors.
  • Query and update the Suite-wide target scope.
  • Query and update the session handling cookie jar.
  • Implement custom session handling actions.
  • Add custom tabs and context menu items to Burp's user interface.
  • Use Burp's native HTTP message editor within your own user interface.
  • Customize Burp's HTTP message editor to handle data formats that Burp does not natively support.
  • Analyze HTTP requests and responses to obtain headers, parameters, cookies, etc.
  • Build, modify and issue HTTP requests and retrieve responses.
  • Read and modify Burp's configuration settings.
  • Save and restore Burp's state.

New to Extender?

'Writing your first Burp Suite extension' includes sample stub code that you can use to base your extension on.

Read More

BApp Store

Numerous extensions written by Burp users are available to install from the BApp Store.

Read More

API Documentation

View the full technical details for the latest Burp API, within the online Javadoc.

To view or save a copy of the interface code files for your version of Burp, go to Extender / APIs.

Note: Prior to v1.5.01, Burp exposed a much more restricted legacy API.

Sample extensions to get you started

Below are some examples of simple extensions, including examples using Java, Python and Ruby. You can also view the source code for all BApp Store extensions on our GitHub page.

Name Description Get File
Hello world This is a very simple extension that prints some output to various locations within Burp. Download
Event listeners This extension registers listeners for various runtime events, and prints a message when each event occurs. Download
Traffic redirector This extension redirects all outbound requests from one host to another. Download
Custom logger This extension adds a new tab to Burp's user interface, and displays a log of HTTP traffic for all Burp tools, in the style of Burp's Proxy history. Download
Custom editor tab This extension adds a new tab to Burp's HTTP message editor, in order to handle an unsupported data serialization format. Download
Custom scan insertion points This extension provides custom attack insertion points for active scanning, allowing Burp's scanning engine to work with an unsupported data serialization format. Download
Custom scanner checks This extension implements custom checks to extend the capabilities of Burp's active and passive scanning engines. Download
Intruder payloads This extension provides custom Intruder payloads and payload processing. Download

Burp Community

For more help and examples of Burp extensions, you can refer to the Burp Extensions community discussions in the Support Center.

Take a look

Note: Because of the way in which Jython and JRuby dynamically generate Java classes, you may encounter memory problems if you load several different Python or Ruby extensions, or if you unload and reload an extension multiple times. If this happens, you will see an error like:

java.lang.OutOfMemoryError: PermGen space

You can avoid this problem by configuring Java to allocate more PermGen storage, by adding a -XX:MaxPermSize option to the command line when starting Burp. For example:

java -XX:MaxPermSize=1G -jar burp.jar