Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Thursday, August 31, 2017


This release adds various minor enhancements:
  • There is a new hotkey for adding an Intruder payload position marker. This is not mapped to any keystroke by default, but this can be done at User options / Misc / Hotkeys.
  • There is a new option on startup to disable extensions. This can help resolve situations where a misbehaving extension causes problems during startup.
  • Burp Collaborator server now responds to DNS lookups containing the subdomain "spoofed" with the IP address This is to prevent the Collaborator being wrongly incriminated when a server being scanned is vulnerable to client IP spoofing, as happened here.
  • The option to strip the "Accept-Encoding" header in incoming requests to the Proxy has been modified so that it normalizes the header to a default value rather than stripping it altogether. The previous behavior caused problems with some WAFs configured to drop requests without this header.
  • The default max heap size requested by the platform installer has been reduced from 75% to 50% of total physical memory, in order to prevent OS performance issues on some platforms. This can be modified after installation by editing the vmoptions file in the installation directory.
  • MacOS App Nap has been disabled as this can cause Burp's automated activity (like scanning) to be suspended when the Burp window is in the background.
Additionally, a number of bugs have been fixed:
  • A bug that caused temporary data saved by Burp extensions and the sessions tracer to actually get stored in project files.
  • A bug that caused the Spider not to honor the "Maximum parameterized requests per URL" setting.
  • A bug that caused some lightweight popups to have full window decoration on some Linux desktop managers.
  • A bug that incorrectly handled loading of IP addresses from file into the scope configuration UI.
  • A bug that prevented upstream SNI from working when proxying traffic through Burp from an Android emulator.
  • A bug that caused report generation to fail altogether when it encountered an incomplete issue due to project file corruption.
MD5: 99e7126d8fd9c56a78e8a3464612e3c7
SHA256: be1b9c4c6c4d25a3d11bbd3ffff845a9ed3b2a1e7740c72ab89a913283eaad86

MD5: f48beee2667ec767ba733026e23043ce
SHA256: eb215ee1a453634685d5ec302ccd9c07031869ca72c9f2cce10cc8dd6c9989a2

MD5: b55145e3a432e78210a27f8cb8228bc3
SHA256: c7850eabdbacee1fc2e40b93d4f25503cbfab4c3a636063bb0f18325bbff1654

MD5: 92ad1d2b3166450d26601180793e65bd
SHA256: c07203e145fc475c80edb3fdf534e9880cc223d3f7ba581452f832b5bd7325d5

MD5: 2c458b547ca73c8912390a606722ee95
SHA256: 217596f1d59e6e535227b7837fc2126e948fc6eefe1bf5b470fd90a7a3592bca
MD5: 7543adff4ae24f7e9a32742232eb4443
SHA256: d73d89f51fa61085788f095f7177d26b930066cf57422ab18657191354111f75

MD5: ec600536f24455f8ad8f20c3e600ffbb
SHA256: df5fdd580ba1bc777d0ffa9a79e66a5171fce879af04d74d54ce9b9c884b559e

MD5: f579b2b8692dde5d0ef6388d91a98d55
SHA256: 9f5fcc2d0a10e00ef67632f49a12499fcd1730d738c67b9c323e2a7f0c345ab9

MD5: 54cbe4b8ae891a125a661d8c26b17181
SHA256: 3131d6b62dc6f43f306442327d3b3cecd0ef75897fc553c9a1a66629ceef982e

MD5: 562fe599a8e3586f29c0e8cad2e41498
SHA256: ca3f2b2929d8eb048e1f9a0f9103105cd032edbbe94b110420d9ce1d6495f09f