Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Monday, January 16, 2017


This release adds various enhancements and fixes:
  • There is a new command-line option to launch Burp with a specified user configuration file:


    This can be used to set any user-level option, including Burp extensions to load. It is useful when running Burp on headless systems where there is no UI for configuring user-level options. By creating a suitable user-level config file, it is possible to launch Burp on a headless system with specific Burp extensions or any other user-level setting.
  • Some recent changes to Tomcat cause it to reject a wider range of raw characters in the URL query string, going beyond the standard practice of browsers and other web servers. Burp Scanner and Intruder now apply URL-encoding to the relevant characters by default, ensuring that their payloads are accepted by Tomcat and reach the application code.
  • A bug that was recently introduced that prevented license activation in headless mode has been fixed.
  • The Content Discovery function now correctly handles applications that have wildcard behavior for file extensions (e.g. those that return a specific response for regardless of the file extension). This eliminates the only known false positives reported by the new Content Discovery engine.
  • There are some new options in the Proxy for stripping request headers that offer to support encodings that may cause problems with intercepted traffic in Burp. These options are on by default.
  • Logging options have moved from the user level to the project level, and are now included in project-level configuration files and project files. This means that you can enable logging on a per-project basis and have this setting remembered when reopening a project file.
  • Unicode characters in URLs are now properly handled in the "Paste URL as request" function.
  • Various other minor bugfixes and enhancements have been made.
MD5: 6a1d1e734e9191b4eb8476b1da691597
SHA256: e2d30656bf3f6b51d48c212853ef0f1ab85a62850d398bfb40e616173eb2b023

MD5: 2ef30460b9609ff1c8692453a4f4ed35
SHA256: 9aa48e63d66e701a17db10bd47f12c899efc68213f4d32d29472e8ddd857fa07

MD5: e71679acf722df8f54a66df7bda1c5a4
SHA256: eda1e4ff9db2235cb2a3d2c7637c79d00387a862c82f839f042f4ee4d62b949a

MD5: a8d30d750458339a58165eda96a83b96
SHA256: ae0f3dd56005e5f7ea4e9addf4be448fcf50f321fb07148d9140d83a54f8b4f4

MD5: 60c970dc6830d1ad4a6080b88012d94f
SHA256: 655241b5da121cc34c7b3962f2d654cd029efebdc46aa6d80ceda7a6151e2019
MD5: 47d11b07fe7b385dd1001b326efb5e79
SHA256: 2acb901751a81411a73edd8e15bbcc5b8c6167faae491d88a8dced56747043d1

MD5: 4aea2396b922299976884414a0931dac
SHA256: 3e9ef1b58e9fd6aecde614b61a9a61f0a86f03ac123d1d81e11c60a5dd61252c

MD5: 647c2992b7c6bc463776a13439af2765
SHA256: a281b6101c0fbec7e07c9165a2865978a6c380f4471ff53d9256cba028b08c7d

MD5: af74d8e21dacb022f8ae76a65456c7e6
SHA256: 9187bcefbef1ea7a5ac6bbc9c76db8d0a53a8922c1251401775a8f6faf323c5d

MD5: b3962e75638ec65dcc17e4c6d4305989
SHA256: a7bb5f4a1af3ab27350d54c8567becd4c4ff96a79f0efb2bb951e67e7dae6f52