Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways. This page contains technical details to help you develop Burp extensions. For help on loading extensions into Burp and using the Extender tool, please see the Burp Extender help.

Extensions can be written in Java, Python or Ruby.

Use the information below to access full technical details of the APIs for extending Burp:

  • View the online Javadoc for the latest Burp API.
  • To view or save a copy of the interface code files for your version of Burp, go to Extender / APIs.

Numerous extensions written by Burp users are available to install from the BApp Store.

The extensibility API is extremely rich and powerful, and lets extensions carry out numerous useful tasks. You can:

  • Process and modify HTTP requests and responses for all Burp tools.
  • Access key runtime data, such as the Proxy history, target site map, and Scanner issues.
  • Initiate actions like scanning and spidering.
  • Implement custom scan checks and register scan issues.
  • Customize the placement of attack insertion points within scanned requests.
  • Provide custom Intruder payloads and payload processors.
  • Query and update the Suite-wide target scope.
  • Query and update the session handling cookie jar.
  • Implement custom session handling actions.
  • Add custom tabs and context menu items to Burp's user interface.
  • Use Burp's native HTTP message editor within your own user interface.
  • Customize Burp's HTTP message editor to handle data formats that Burp does not natively support.
  • Analyze HTTP requests and responses to obtain headers, parameters, cookies, etc.
  • Build, modify and issue HTTP requests and retrieve responses.
  • Read and modify Burp's configuration settings.
  • Save and restore Burp's state.

For help on getting started, you can refer to Writing your first Burp Suite extension, which includes some sample stub code that you can use to base your extension on.

Below are some examples of simple extensions, including examples using Java, Python and Ruby:

For more help and examples of Burp extensions, you can refer to the Burp Extensions community discussions in the Support Center.

Note: Because of the way in which Jython and JRuby dynamically generate Java classes, you may encounter memory problems if you load several different Python or Ruby extensions, or if you unload and reload an extension multiple times. If this happens, you will see an error like:

java.lang.OutOfMemoryError: PermGen space

You can avoid this problem by configuring Java to allocate more PermGen storage, by adding a -XX:MaxPermSize option to the command line when starting Burp. For example:

java -XX:MaxPermSize=1G -jar burp.jar


Monday, January 16, 2017


This release adds various enhancements and fixes:

  • There is a new command-line option to launch Burp with a specified user configuration file.
  • A bug that was recently introduced that prevented license activation in headless mode has been fixed.
  • The Content Discovery function now correctly handles applications that have wildcard behavior for file extensions (e.g. those that return a specific response for admin.xxx regardless of the file extension). This eliminates the only known false positives reported by the new Content Discovery engine.

Copyright © 2016 PortSwigger Ltd. All rights reserved.