Friday, November 18, 2016


This release updates the Burp Collaborator server to capture SMTP interactions, and adds two new related checks to Burp Scanner.

There is a new scan check for SMTP external service interaction. This reports an informational issue that identifies application functions that can be used to generate an email to an arbitrary address. This will typically (though not always) be intended application behavior, but it represents interesting attack surface for manual review.

There is a new scan check for SMTP header injection. This reports cases where it is possible to inject email headers, with the result that an email generated by the application is copied to an arbitrary email address.
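The root cause of the header injection issue, shown application-side as an added example (not code from Burp or from the original release notes): a form field is concatenated into the header block, so a CRLF in the value starts a new header. The contact-form scenario, the `Reply-To` field, the function names and the `.example` addresses are all assumptions made for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Constructed input: a form field carrying a CRLF followed by an extra header.
# collab.example is a placeholder domain, not a real Collaborator host.
INJECTED = "visitor@site.example\r\nBcc: probe@collab.example"


def build_naive(reply_to: str, body: str) -> str:
    """Vulnerable pattern: user input concatenated into the header block."""
    return (
        "From: webform@app.example\r\n"
        "To: support@app.example\r\n"
        f"Reply-To: {reply_to}\r\n"
        "Subject: Contact form\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def build_hardened(reply_to: str, body: str) -> str:
    """Hardened pattern: refuse CR/LF, then let the email library set headers."""
    if "\r" in reply_to or "\n" in reply_to:
        raise ValueError("line break in header value")
    msg = EmailMessage()
    msg["From"] = "webform@app.example"
    msg["To"] = "support@app.example"
    msg["Reply-To"] = reply_to
    msg["Subject"] = "Contact form"
    msg.set_content(body)
    return msg.as_string()


def recipient_headers(raw: str) -> dict:
    """Return the recipient-bearing headers a mail agent would see in raw."""
    parsed = message_from_string(raw)
    return {h: parsed[h] for h in ("To", "Cc", "Bcc") if parsed[h] is not None}


def is_rejected(value: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_hardened(value, "hello")
    except ValueError:
        return True
    return False
```

With the naive builder the parsed message gains a `Bcc` header that the application never set; the hardened builder refuses the same value before any message is produced.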

For all SMTP-related issues, Burp Collaborator captures the full SMTP conversation that took place, and this is reported within the scan issue. This provides evidence for the issue itself, and may also contain interesting information about the technologies and infrastructure being used.

Note that users who have deployed a private Burp Collaborator server will need to upgrade their deployment to use the latest version, to gain the benefit of the new SMTP capabilities.