Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Tuesday, February 28, 2017


This release adds a new option to prevent project data being accumulated for out-of-scope items that pass through Burp Proxy.

It is common for users to configure their system-wide proxy settings to send all traffic through Burp, with the result that a large quantity of irrelevant requests and responses go through Burp Proxy, generated by OS components, other software, or unrelated browsing by the user. With the new feature, you can prevent out-of-scope items being added to the Proxy history or Target site map, or being automatically sent to other Burp tools (such as for live scanning).

The new option can be turned on at Proxy / Options / Miscellaneous:
When you first add an item to scope, Burp will ask if you want to enable this option, to prevent the Proxy from sending out-of-scope items to the history or other Burp tools:

If you check "always take the same action in future", then Burp will remember your choice and apply it automatically on future executions of Burp, when you first add an item to scope. You can control the use of this setting, and whether the dialog is shown, at User options / Misc / Proxy history logging:

A large number of minor bugfixes and other enhancements have also been made.
MD5: aa8969a7b564bf5713afb7ee6be7584d
SHA256: 891545d49099d8d2b636ad8f72ac54b2c615328fe55381f95f6de9a8296bc634

MD5: 4c76a10ea231eabf30950cc731a4bc7a
SHA256: edbd7ecd2bc80a72010c74780252c9d9c3be1ec8f9ee863924f115c47020a28a

MD5: 95ba0c1cb3b0de11a0bbc391bdb565bf
SHA256: 4dbb88e1bf69bc2ea02cf8d34198a7ca96b626a0dda87db71c6f83a738a1ff49

MD5: 19706e3b0919d5a9a9f33076900176fd
SHA256: ab35ad872adfdf390a7a71b1f855acf88be16d7df677f2ad1473342e8cfbf68c

MD5: d9fd8166a7f1eb6b4ed9ee5603705876
SHA256: 1fd91819c892ad9ead96004145af835406f24697e8ae24e977572aa1af52e2b4
MD5: 1a2b9127d2e97f140352e26514b450eb
SHA256: 3077a3416d312867c71b3eb43ac975b254bf457d1beea50a0be18653355f2af6

MD5: 721aab10d94b60983d0007d6312d4c8c
SHA256: 45101ad919943ea7d54325e0f399b195f19efb06d53424f16a08f454da8f43e0

MD5: 2c584dad187b623a96def1ddd697904b
SHA256: fa37d8e84cb7d8933929f59486ef785530091fee6f99fa0c38107efd0ac6275e

MD5: 3bff1e18963f8be977fbc18fdd2a2c7c
SHA256: 8a85245912d3b74de1a9daa61feb74c46950d88672453c5b24f899d9f6c39964

MD5: 8ddaf43ba0673bb926e83e5b46999553
SHA256: e04d9a4d7f59e47629183ae87c2d77617c9c083e7f3df947c160e954396bca0b

Wednesday, February 1, 2017


This release adds various new features and addresses some issues.

There is a new Scanner check for suspicious input transformation. This issue arises when an application receives user input, transforms it in some way, and then performs further processing on the result. Burp reports reflected and stored input that has been transformed in the following ways:
  • Overlong UTF-8 sequences are decoded.
  • Invalid UTF-8 sequences containing illegal continuation bytes are decoded.
  • Superfluous (or "double") URL-encoded sequences are decoded.
  • HTML-encoded sequences are decoded.
  • Backslash escape sequences are unescaped.
  • Unexpected transformations resulting from submitting any of the above payloads.
Performing these input transformations does not constitute a vulnerability in its own right, but might lead to problems in conjunction with other application behaviors. An attacker might be able to bypass input filters by suitably encoding their payloads, if the input is decoded after the input filters have been applied. Or an attacker might be able to interfere with other data that is concatenated onto their input, by finishing their input with the start of a multi-character encoding or escape sequence, the transformation of which will consume the start of the following data.

Various enhancements have been made to Burp Infiltrator, in response to feedback from real-world usage:
  • A bug affecting the patcher when running on Java 6 or earlier has been fixed.
  • A bug that caused the manifest files of some nested JAR files to be lost has been fixed.
  • A bug that left invalid signatures in place after the relevant bytecode was modified has been fixed
Burp Scanner's issues are now mapped to CWE vulnerabilities.

There is a new command-line option to prevent Burp from pausing the Spider and Scanner when reopening existing projects. To prevent this, add the following argument to the command to launch Burp:


Various other enhancements and bugfixes have been made.
MD5: b9371185454563e5ca279ab80d5fdd28
SHA256: aae6d011211313f9408de431c7ac3fe230d6d0d61c038add3778b453ad33e9b8

MD5: bb3592dd77027d583be6081988e48522
SHA256: 77740b44eebba7dce56cc866380a7cf94fca4536c22d14edb183d2f7f7a3177c

MD5: a572b5b026290335f8b5d2dac0766dbd
SHA256: 2bd6c8f09ad657716e95191ac4841297f268ca5ce279dd164b0d67ccd375683d

MD5: fc1bb251a9ec7685160cff3fcd5119e3
SHA256: 4b54fbe77bf8e89508316731f621ba03a25dd224fa7f3855e7a6db8dd653a5df

MD5: 8b40a5bdf55848329ca9f9eb9b3e7154
SHA256: c8c4c8cb3156d523e3f5630b0c1500df05eb4a0297bdcd23fb00e0853467bf7e
MD5: 408d063f42f51ea027bb6a5014ae58e6
SHA256: f18ad7d5873ca4fa29af04e8cd9ce967792377366b74edc5943014440f2cc815

MD5: 83d6022c7b739c346b14897ac491e8a0
SHA256: ea41d8afeb1f621ccfa15d56d4bb8a0a72d5fab3dabe4164696527ae692df4db

MD5: 1af427b18de46c38410b46fb5a3f8080
SHA256: 603ca7adb8561a73c6ce49c463c8e8bee36c9ae88422f53b9af5fe5136f80aec

MD5: 36567e3a4b010d981d477be97c924753
SHA256: ecc64b14e64225bd54429a283cc184f5febea93d1eac531cda302d2defcb48f5

MD5: b9c142ffff80cce82c54e3ed3ce17814
SHA256: 96fc23d40efbe386217ce71c33a68a31fa589f13443a25c2bb5842c55d6fca0f