Burp Extender
Burp Extender lets you extend the functionality of Burp Suite in
numerous ways. This page contains
technical details to help you develop Burp extensions. For help on
loading extensions into Burp and using the Extender tool, please see the
Burp Extender help.
Extensions can be written in Java, Python or Ruby.
Use the links below to access full technical details of the APIs for
extending Burp:
Note: Prior to v1.5.01, Burp exposed a much more restricted
legacy API.
The extensibility API is extremely rich and powerful, and lets
extensions carry out numerous useful tasks. You can:
- Process and modify HTTP requests and responses for all Burp tools.
- Access key runtime data, such as the Proxy history, target site map, and Scanner issues.
- Initiate actions like scanning and spidering.
- Implement custom scan checks and register scan issues.
- Customize the placement of attack insertion points within scanned requests.
- Provide custom Intruder payloads and payload processors.
- Query and update the Suite-wide target scope.
- Query and update the session handling cookie jar.
- Implement custom session handling actions.
- Add custom tabs and context menu items to Burp's user interface.
- Use Burp's native HTTP message editor within your own user interface.
- Customize Burp's HTTP message editor to handle data formats that Burp does not natively support.
- Analyze HTTP requests and responses to obtain headers, parameters, cookies, etc.
- Build, modify and issue HTTP requests and retrieve responses.
- Read and modify Burp's configuration settings.
- Save and restore Burp's state.
For help on getting started, you can refer to
Writing your first Burp Suite extension, which includes some sample
stub code that you can use to base your extension on.
Below are some examples of simple extensions, including examples
using Java, Python and Ruby:
- Hello world - This is a very simple extension that prints some output to various locations within Burp. (Download: Java, Python, Ruby)
- Event listeners - This extension registers listeners for various runtime events, and prints a message when each event occurs. (Download: Java, Python, Ruby)
- Traffic redirector - This extension redirects all outbound requests from one host to another. (Download: Java, Python, Ruby)
- Custom logger - This extension adds a new tab to Burp's user interface, and displays a log of HTTP traffic for all Burp tools, in the style of Burp's Proxy history. (Download: Java, Python, Ruby)
- Custom editor tab - This extension adds a new tab to Burp's HTTP message editor, in order to handle an unsupported data serialization format. (Download: Java, Python)
- Custom scan insertion points - This extension provides custom attack insertion points for active scanning, allowing Burp's scanning engine to work with an unsupported data serialization format. (Download: Java, Python)
- Custom scanner checks - This extension implements custom checks to extend the capabilities of Burp's active and passive scanning engines. (Download: Java)
- Intruder payloads - This extension provides custom Intruder payloads and payload processing. (Download: Java)
For more help and examples of Burp extensions, you can refer to the
Burp
Extensions User Forum.
Note: Because of the way in which Jython and JRuby dynamically
generate Java classes, you may encounter memory problems if you load
several different Python or Ruby extensions, or if you unload and reload
an extension multiple times. If this happens, you will see an error like:
java.lang.OutOfMemoryError: PermGen space
You can avoid this problem by configuring Java to allocate more
PermGen storage, by adding a -XX:MaxPermSize
option to the command line when starting Burp. For example:
java -XX:MaxPermSize=1G -jar burp.jar