
Burp Suite Training

Are you looking for training in how to use Burp? Would you like to take your understanding of Burp Suite to the next level?

  • Why not consider one of the courses offered by our training partners? These courses provide hands-on training on how to use Burp Suite to find real-world vulnerabilities. Dates of forthcoming public training courses are provided below. Alternatively, you can contact any of our training partners directly to discuss options for tailored on-site training.
  • If training courses aren’t for you, why not consider a self-study option?

Burp Suite Training Partners

Burp Suite training is available for both novice and advanced Burp Suite users through our specialist training partners across the globe.

Mastering Burp Suite Pro - 100% Hands-on

Agarri
Europe
English, French
http://www.agarri.fr/en/trainings.html
nicolas.gregoire@agarri.fr
+33 (0)6 40 37 41 91
3 days
This three-day training allows users to get the most out of Burp, optimizing time spent. Work will be faster, more effective and more efficient. Attendees will also learn to measure the quality of their attacks, a crucial skill in real-life engagements. Finally, alternative strategies and techniques will be demonstrated, giving a wider view of available functionalities. The training is based on 40+ micro-challenges replicating real-life scenarios: complex brute-force, data extraction, custom formats, thin clients, ACL, cryptography, anti-CSRF tokens, aggressive disconnection, ... and more!
The following roles are expected: Web application penetration testers, QA people and advanced developers. Whatever your role, this training will provide beneficial automation skills whether novice or expert: Novice: A 30-minute pre-session warm-up will set you up for the core training. Expert: Been using Burp Suite for years? Never fear! Numerous optional challenges will develop your fu.

Burp Suite Workshop

Alcorn Group
Asia Pacific
English
http://alcorngroup.com/services/
info@alcorngroup.com
+61 7 3821 2895
Half day, full day and two day workshops are available
This training provides you with both a theoretical and practical understanding of how to use the very popular hacking tool Burp Suite Professional. Mastering this professional ethical hacker tool of choice will give you a capability to easily find vulnerabilities in your web applications. Burp Suite has possibly been the most consistently high quality tool for assessing web applications for over a decade and the methodologies in this course are a must for any serious web application assessment.
Suitable for new entrants in web application security, also intermediate and advanced web application security specialists.

Developing Burp Suite Extensions - From manual testing to security automation

Doyensec LLC
Worldwide
English
https://www.doyensec.com/
info@doyensec.com
+1 (628) 333 9093
1 day
In this hands-on class, attendees will learn how to design and develop Burp Suite extensions for a variety of tasks. In eight hours, we work on several plugins to improve manual security testing efforts as well as to create fully automated security tools. This workshop is based on real-life use cases where the extension capabilities of the tool can be unleashed to improve efficiency and effectiveness of security auditing. As an attendee, you will bring home a full bag of tricks that will take your web security skills to the next level.
Suitable for both web application security specialists and developers. Attendees are expected to have a rudimentary understanding of Burp Suite as well as basic object-oriented programming experience (Burp Extensions will be developed in Java).

Web Application Hacking with Burp Suite

Maven Security Consulting Inc.
US
English
https://www.mavensecurity.com/burpsuite_training/
burpsuite@mavensecurity.com
+1-877-MAVEN-HQ (1-877-628-3647)
1, 2 and 3 day workshops are available
This workshop, through hands-on demos and labs, will introduce the student to the techniques needed to remotely detect and validate the presence of common vulnerabilities in web-based applications using Burp Suite, the industry's most popular toolkit. Testing will be conducted from the perspective of the end user (as opposed to a source code audit). Security testing helps to fulfill industry best practices and validate implementation. Remote security testing is especially useful since it can be done at various phases within the application's lifecycle (e.g. during development), or when source code is not available for review.
People who are auditing web application security, developing web applications, or managing the development of web applications.

The Web Application Hacker's Handbook (CREST approved course)

MDSec
Worldwide
English
https://www.mdsec.co.uk/
contact@mdsec.co.uk
+44 (0)1625 263 503
2 or 3 days
This 2 or 3 day course is a practical counterpart to the well-known Web Application Hacker's Handbook, and is developed and taught by the authors, with strong focus on practical attacks and methods. After a short introduction to the subject the course then delves into common insecurities. The Web Application Hacker's Handbook course is CREST approved and is useful preparation for: CREST Certified Infrastructure Tester (CCT INF) and CREST Certified Web Applications Tester (CCT APP).
Those who wish to build on their skills in web application security, including those wishing to learn how to get the most out of Burp. Also suitable for new entrants to the web application security industry, including those working in Quality Assurance or internal testing functions. This course has frequently been recommended by candidates who have taken both the CREST CCT Infrastructure and CCT Web Applications exams.

Tactical Burp Suite & Advanced Tactical Burp Suite

Secure Ideas LLC
Virtual (recorded webinar)
English
http://www.secureideastraining.com/courses/
info@secureideas.com
+1-866-404-7837
2 hours (pre-recorded webinar)
Tactical Burp Suite: Tips and Tricks to Using Our Favorite Web PenTesting Tool! Kevin Johnson and Jason Gillam will explore the various features of Burp Suite, focused on how we use the system during our penetration testing. This webinar will use hands-on examples to reinforce the topics and tricks that Jason and Kevin will be showing. Not only will we be doing the demos, but a target system will be made available to attendees so that they can do the examples along with Kevin and Jason. This webinar costs $25 and runs for approximately two hours.
Everyone with an interest in using Burp Suite.

Web Application Security

Securitum
Europe
Polish, English
http://www.securitum.pl/oferta/szkolenia/web-application-security-training
securitum@securitum.pl
+48 12 361 33 37
3 days
This three-day hands-on training gives participants a practical knowledge of web application security issues. Throughout the course the participants will analyse the security of a number of systems for vulnerabilities using Burp Suite Professional. Each vulnerability is preceded by a theoretical introduction, and for each vulnerability a method of protection against attacks is presented. The training can be delivered in English onsite for a closed group.
Those who wish to build on their skills in web application security. Recommended (but not required) experience: 1. Basic knowledge of SQL 2. Basic knowledge of HTML/JavaScript 3. Basic knowledge of HTTP communication 4. General IT background

Web Application Bootcamp - Journeyman Level

SensePost
UK, South Africa & USA
English
https://www.sensepost.com/learn/journeyman-application/
training@sensepost.com
+44 (0)202 7956 8826
2 days
We love owning the application layer and this course reflects that. We want to take students on a path of obtaining offensive security knowledge in the web application realm. The course focuses on the fundamentals rather than specific tools and introduces you to our hacking methodology refined over thousands of assessments conducted over the last 14 years. SQLi/XML/XPath/LDAP/RFI/DOM, this industry loves acronyms. From the start we cut through the acronym soup and start serving up plain and simple approaches to understand how applications are built and where vulnerabilities are introduced. This is hands on learning, not just listening.
This course is meant for those who are new to penetration testing, network administrators or indeed anyone who wants to understand more about offensive testing and get their hands dirty breaking into various networks and applications.

Practical Web Application Penetration Testing (PWAPT)

Tim "lanmaster53" Tomes
US
English
http://www.lanmaster53.com/training/
timothy.tomes@gmail.com
+1-864-756-1417
2-4 day workshop
This hands-on course provides customized training on the latest web application security tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed from a career of real world application penetration testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology including Burp Suite Pro, and taught how these tools integrate with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end.
Application Security professionals with a general understanding of the OWASP Top 10.

Forthcoming public training

Mastering Burp Suite Pro - 100% Hands-on

Agarri
Date: April 10, 2017 - April 12, 2017
Amsterdam, Netherlands
English
http://conference.hitb.org/hitbsecconf2017ams/sessions/3-day-training-2-mastering-burp-suite-pro/

Developing Burp Suite Extensions - From manual testing to security automation

Doyensec LLC
Date: June 5, 2017
'Post-WarCon', Warsaw, Poland
English
info@doyensec.com

SECDEVOPS: INJECTING SECURITY INTO DEVOPS

SensePost
Date: July 22, 2017 - July 23, 2017
BlackHat, Mandalay Bay, Las Vegas, NV
English
https://www.blackhat.com/us-17/training/secdevops-injecting-security-into-devops.html

THE WEB APPLICATION HACKER'S HANDBOOK, LIVE EDITION

MDSec
Date: July 22, 2017 - July 23, 2017
BlackHat, Mandalay Bay, Las Vegas, NV
English
https://www.blackhat.com/us-17/training/the-web-application-hackers-handbook-live-edition.html

SECDEVOPS: INJECTING SECURITY INTO DEVOPS

SensePost
Date: July 24, 2017 - July 25, 2017
BlackHat, Mandalay Bay, Las Vegas, NV
English
https://www.blackhat.com/us-17/training/secdevops-injecting-security-into-devops.html

THE WEB APPLICATION HACKER'S HANDBOOK, LIVE EDITION

MDSec
Date: July 24, 2017 - July 25, 2017
BlackHat, Mandalay Bay, Las Vegas, NV
English
https://www.blackhat.com/us-17/training/the-web-application-hackers-handbook-live-edition.html

THE WEB APPLICATION HACKER'S HANDBOOK

MDSec
Date: September 12, 2017 - September 13, 2017
44Con, London
English
https://44con.com/44con-training/44con-london-2015-training/web-application-hackers-handbook/

Self-Study Resources

Do you want to train in your own time? Are you looking for resources to complement your training?

  • The best place to start is The Web Application Hacker’s Handbook, authored by Burp Suite creator Dafydd Stuttard. This book, now in its second edition, remains the go-to text for all security testers. The book covers all areas of web application security testing and each chapter provides explanations of how to use Burp Suite to find vulnerabilities.
  • Online labs are available to complement your learning. The second edition of the Web Application Hacker’s Handbook references links to online labs throughout, allowing you to understand the background and theory behind each vulnerability, and then try it for yourself online.
  • Burp Suite Essentials, authored by Akash Mahajan. This book is written for those interested in learning how to test web applications and the web part of mobile applications using Burp. It is specifically designed to meet the needs of those who have a basic experience in using Burp and are now aiming to become a professional Burp user.
  • The Burp Suite Testing Methodologies articles explain the methodologies for using Burp Suite to test for various kinds of web application vulnerabilities. The Burp Suite Support Center contains a large number of articles and community discussions to help you get the most out of using Burp.
  • There is a free online course from Aether Security Lab that provides an introduction to using all the Burp tools.
  • There is a Burp Suite online course, provided by training company Pluralsight: Web Application Penetration Testing with Burp Suite.
    Pluralsight is a subscription-based, on-demand technology learning platform. For an individual subscriber, the price is $29 for a month.