A powerful proxy/history lets you modify all HTTP(S) communications passing through your browser.
All target data is aggregated and stored in a target site map - with filtering and annotation functions.
Find hidden target functionality with an advanced automatic discovery function for "invisible" content.
Generate and confirm clickjacking attacks for potentially vulnerable web pages, with specialist tooling.
WebSockets messages get their own specific history - allowing you to view and modify them.
Proxy even secure HTTPS traffic. Installing your unique CA certificate removes associated browser security warnings.
Make use of a dedicated client to incorporate Burp Suite's out-of-band (OAST) capabilities during manual testing.
Modify and reissue individual HTTP and WebSocket messages, and analyze the response - within a single window.
Determine the size of your target application. Auto-enumeration of static and dynamic URLs, and URL parameters.
Easily test the quality of randomness in data items intended to be unpredictable (e.g. tokens).
Deploy custom sequences of HTTP requests containing multiple payload sets. Radically reduce time spent on many tasks.
Capture automated results in customized tables, then filter and annotate them to find interesting entries and improve subsequent attacks.
Easily generate CSRF proof-of-concept attacks. Select any suitable request to generate exploit HTML.
See reflected/stored inputs even when a bug is not confirmed. Facilitates testing for issues like XSS.
The option to passively scan every request you make, or to perform active scans on specific URLs.
Settings to automatically modify responses. Match and replace rules for both responses and requests.
High signal, low noise. Scan with pioneering, friction-free, out-of-band application security testing (OAST).
Cutting-edge scan logic from PortSwigger Research combines with coverage of over 100 generic bugs.
Get fine-grained control, with a user-driven scanning methodology. Or, run "point-and-click" scans.
Custom descriptions and step-by-step remediation advice for every bug, from PortSwigger Research.
Customize what you audit, and how. Skip specific checks, fine-tune insertion points, and much more.
Crawl more complex targets. Burp Suite's crawler identifies locations based on content - not just URL.
Source identification and vulnerability reporting simplified, with optional code instrumentation.
Browser-driven scanning is already striding toward better coverage of tricky targets like AJAX-heavy single page apps.
Show follow-up, analysis, reference, discovery, and remediation in a feature-rich HTTP editor.
Access predefined configurations for common tasks, or save and reuse custom configurations.
Auto-save all working projects to disk, and add configurations to pre-saved projects.
See source, discovery, contents, and remediation, for every bug, with aggregated application data.
Customize with HTML/XML formats. Report all evidence identified, including issue details.
Decode or encode data, with multiple built-in operations (e.g. Hex, Octal, Base64).
Extender API ensures universal adaptability. Code custom extensions to make Burp work for you.
For in-depth vulnerability detail, ordered and arranged in an easily accessible table, make use of Logger++.
When testing for authorization vulnerabilities, save time and perform repeat requests with Autorize.
Configured in Python, with a custom HTTP stack, Turbo Intruder can unleash thousands of requests per second.
Expand your Java-specific vulnerability catalogue and hunt the most niche bugs, with J2EEScan.
Find research-grade bugs, and bridge human intuition and automation, with Backslash Powered Scanner.
The BApp Store customizes and extends capabilities. Over 250 extensions, written and tested by Burp users.
Adapt Burp Scanner's attacks by uploading and testing multiple file-type payloads, with Upload Scanner.
Integrate with the Retire.js repository to check for known bugs using software composition analysis (SCA).
Run AuthMatrix alongside Autorize to define authorization checks across access levels and test for access-level vulnerabilities.
Quickly find unkeyed inputs with Param Miner, which can guess up to 65,000 parameter names per second.