Burp Extender lets you extend the functionality of Burp Suite in numerous ways. This page contains technical details to help you develop Burp extensions. For help on loading extensions into Burp and using the Extender tool, please see the Burp Extender Help.
Extensions can be written in Java, Python or Ruby.
The extensibility API is extremely rich and powerful, and lets extensions carry out numerous useful tasks. You can:
'Writing your first Burp Suite extension' includes sample stub code that you can use to base your extension on.
Numerous extensions written by Burp users are available to install from the BApp Store.
Full technical details of the latest Burp API are available in the online Javadoc.
To view or save a copy of the interface code files for your version of Burp, go to Extender / APIs.
Note: Prior to v1.5.01, Burp exposed a much more restricted legacy API.
Below are some examples of simple extensions, including examples using Java, Python and Ruby. You can also view the source code for all BApp Store extensions on our GitHub page.
Name | Languages | Description | Get File |
---|---|---|---|
Hello world | Java Python Ruby | This is a very simple extension that prints some output to various locations within Burp. | Download |
Event listeners | Java Python Ruby | This extension registers listeners for various runtime events, and prints a message when each event occurs. | Download |
Traffic redirector | Java Python Ruby | This extension redirects all outbound requests from one host to another. | Download |
Custom logger | Java Python Ruby | This extension adds a new tab to Burp's user interface, and displays a log of HTTP traffic for all Burp tools, in the style of Burp's Proxy history. | Download |
Custom editor tab | Java Python Ruby | This extension adds a new tab to Burp's HTTP message editor, in order to handle an unsupported data serialization format. | Download |
Custom scan insertion points | Java Python Ruby | This extension provides custom attack insertion points for active scanning, allowing Burp's scanning engine to work with an unsupported data serialization format. | Download |
Custom scanner checks | Java Python Ruby | This extension implements custom checks to extend the capabilities of Burp's active and passive scanning engines. | Download |
Custom session tokens | Java Python Ruby | This extension demonstrates working with custom session tokens that Burp normally doesn't understand. | Download |
Intruder payloads | Java Python Ruby | This extension provides custom Intruder payloads and payload processing. | Download |
For more help and examples of Burp extensions, you can refer to the Burp Extensions community discussions in the Support Center.
Note: Because of the way in which Jython and JRuby dynamically generate Java classes, you may encounter memory problems if you load several different Python or Ruby extensions, or if you unload and reload an extension multiple times. If this happens, you will see an error like:
java.lang.OutOfMemoryError: PermGen space
You can avoid this problem by configuring Java to allocate more PermGen storage, by adding a -XX:MaxPermSize option to the command line when starting Burp. For example:
java -XX:MaxPermSize=1G -jar burp.jar