Burp Suite, the leading toolkit for web application security testing

PortSwigger Web Security Blog

Tuesday, 15 April 2014

Burp Suite Free Edition v1.6 released

Burp Suite Free Edition v1.6 is now available to download.

This is a significant upgrade with a wealth of new features added since v1.5, including:
  • Support for WebSockets messages.
  • Support for PKCS#11 client SSL certificates contained in smart cards and physical tokens.
  • A new Extender tool, allowing dynamic loading and unloading of multiple extensions.
  • A new powerful extensibility API, enabling extensions to customize Burp's behavior in much more powerful ways.
  • Support for extensions written in Python and Ruby.
  • A new BApp Store feature, allowing quick and easy installation of extensions written by other Burp users.
  • An option to resolve DNS queries over a configured SOCKS proxy, allowing access to TOR hidden services.
  • Generation of CSRF PoC attacks using a new cross-domain XHR technique.
  • New options for SSL configuration, to help work around common problems.
  • Optional unpacking of compressed request bodies in the Proxy.
  • Support for .NET DeflateStream compression.
  • New and improved types of Intruder payloads.
  • New Proxy interception rules.
  • New Proxy match/replace rules.
  • Improved layout options in the Repeater UI.
  • An SSL pass-through feature, to prevent Burp from breaking the SSL tunnel for specified domains.
  • Support for the Firefox Plug-n-hack extension.
  • An option to copy a selected request as a curl command.
And the best thing about Burp upgrades? No one pays for them ...

The Free Edition is and always will be free, despite its huge capabilities.

Burp Suite Professional still costs only $299, and all licensed users can upgrade without any extra charge. We haven't changed the price for two-and-a-half years, despite two major updates and nearly forty minor updates. Even better? We've already said that we won't be hiking the price during 2014.

Have fun!

Tuesday, 4 March 2014

Introducing the BApp Store

Today's release of Burp includes a brand new feature: the BApp Store. This contains Burp extensions that have been written by users of Burp Suite, to extend its capabilities.

You can install BApps with one click from within Burp:

You can also download BApps from the BApp Store web site, for manual installation on Burp machines without an Internet connection:

All BApps are free! We may support paid-for BApps in future, but we have no current plans to do so.

We really hope that the new feature will help users find and use good quality Burp extensions that other users have shared. You can rate BApps that you have used, and see the aggregated ratings submitted by other users.

We also hope that the BApp Store will encourage more extension authors to create and share great Burp extensions. We'll be adding more BApps to the store in the near future. If you have written or are aware of a great Burp extension that you'd like included in the BApp Store, please submit your BApp to us.

Thursday, 6 February 2014

Burp Suite Pro shines in new survey

A new survey has just been published comparing the performance of 63 different web application security scanners. This is what it says overall about Burp Suite Pro:
"Burp is the undisputed winner of the overall versatility category, was the winner in the input vector support category, got one of the highest scores in detecting Backup/Hidden Files, and decent scores in many other categories. It also came out FIRST in the SQL Injection and Reflected XSS categories, and dramatically improved its RFI score."
There is a lot of technical detail in the survey results that we plan to work through, to understand exactly how Burp performed, and can be improved even further.

In the past few months, we've made numerous significant enhancements to Burp Scanner, adding support for nested insertion points, new payload encodings, new categories of vulnerability, and improved coverage of existing scan checks. But we're far from complacent: this year we will continue enhancing the Scanner engine to find even more edge-case vulnerabilities, and also the Spider tool to improve Burp's fully automated crawling capabilities.

As always, new features and enhancements to Burp Suite Pro are made available free to licensed users, and the cost of a Burp license will not be increasing during 2014.

Wednesday, 1 January 2014

Burp Suite Pro price held for 2014

It's been a while since we increased the price of Burp Suite Pro. In fact, it's cost $299 since November 2011.

Since that time, we've released 34 updates, and added over a hundred great new features, including:
  • Fully updated user interface
  • In-tool documentation
  • Support for JSON parsing and rendering
  • Various Scanner engine enhancements, including several new checks
  • Options to optimize the Scanner for speed and accuracy
  • Nested Scanner insertion points, to handle XML within JSON within a URL parameter, etc.
  • New extensibility API
  • Ability to load multiple extensions, and load/unload dynamically via the UI.
  • Support for extensions written in Python and Ruby
  • CSRF PoC generator
  • Importable / exportable SSL CA certificates
  • Workarounds for various Java SSL issues
  • Support for PKCS#11 smart card authentication
  • SSL passthrough function
  • sslstrip functionality
  • "Copy as curl command" feature
  • New Intruder payload types
  • Support for Firefox plug-n-hack
  • Numerous other small enhancements throughout the suite.
All updates are made available to licensed users without any additional charge.

Today, we pledge that we will not increase the USD price of Burp Suite Pro during 2014. Instead of hiking the price, we'll continue to add great new features. We have some fantastic ideas in the pipeline, and if all goes well we will be making one or two really big announcements in the course of 2014.

Happy new year!

Friday, 4 October 2013

Burp through the ages

Here is a brief tour of the major releases of Burp from over the years. I can't believe it's been over 10 years already!

Burp v1.0

  • Released June 2003
  • First incarnation of Intruder tool
  • Includes burp sound effects you can't turn off

Burp Proxy v1.0 

  • Released August 2003
  • Basic intercepting proxy
  • Text / hex views
  • History feature


  • Released August 2003
  • First incarnation of Repeater tool
  • So-called because it simply opens a socket and sends a request to it

Burp Proxy v1.1

  • Released January 2004
  • Tons more options!
  • Supports chained proxy, authentication, match-and-replace
  • Getting pretty sophisticated now

Burp Spider v1.0

  • Released March 2004
  • Application-aware spider
  • Can follow links and submit forms

Burp Repeater v1.1

  • Released July 2005
  • New name for the sock tool
  • Adds chained proxy and authentication options

Burp Suite v1.0

  • Released August 2005
  • All four Burp tools together
  • Items can be easily sent between tools to speed up testing
  • Supports passive spidering as you browse
  • Extensibility
  • A huge breakthrough!

Burp Suite v1.1

  • Released November 2007
  • New Sequencer, Decoder and Comparer tools
  • New analysis of HTTP messages

Burp Suite v1.2

  • Released December 2008
  • Burp Scanner arrives
  • New site map
  • Tons of cool new features: scope control, view filters, search, invisible proxying
  • The infamous Month of Burp Pr0n is published
  • This is the big leap forwards!

Burp Suite v1.3

  • Released January 2010
  • Improved rendering and analysis of HTTP messages
  • Content discovery
  • Target analysis
  • The crucial manual testing simulator

Burp Suite v1.4

  • Released June 2011
  • New logo (still home-made)
  • Session handling rules and macros
  • New ways to test access controls
  • Works properly on OS X now

Burp Suite v1.5

  • Released October 2012
  • Another new logo (a proper one this time)
  • New UI, with bells, whistles and capital letters.
  • In-tool documentation
  • Lots of cool new features

Tuesday, 10 September 2013

Burp support for Firefox Plug-n-Hack

The Firefox browser has recently added support for a new way of easily configuring the browser to work with intercepting proxy tools like Burp. To use this, you need to install a Firefox plugin called Plug-n-Hack:

The plugin is currently beta and also requires the latest beta version of Firefox, but when it is stabilized it will be available on the Firefox Marketplace.

If you have installed the Plug-n-Hack plugin, configuring a clean installation of Firefox to work with Burp is pretty straightforward. First, in your browser, enter the URL to connect directly to your Burp Proxy listener (by default

On the Burp welcome page, follow the Plug-n-Hack link:

Click on the "Configure your browser" button, and accept the warning displayed by the plugin:

If everything worked, you will see a "Configuration succeeded" message:

The configuration will have carried out two tasks. Firstly, it will configure your browser to use Burp as its proxy server, via a proxy auto-configuration file created by Burp:

Secondly, it will install Burp's SSL CA certificate as a trusted root in your browser, to eliminate SSL warnings when intercepting traffic to SSL web sites:

Hopefully the new Plug-n-Hack support might make life a bit easier next time you are setting up Burp on a new machine.

Monday, 9 September 2013

SSL pass through in Burp

The latest version of Burp has a new feature: SSL pass through. You can use this feature to specify destination web servers for which Burp Proxy will directly pass through SSL connections:

This feature can be useful in cases where it is not straightforward to eliminate SSL errors on the client - for example, in mobile applications that perform SSL certificate pinning. Of course, if you pass through SSL connections, then Burp will not break the SSL tunnel, and no details about requests or responses made via these connections will be available in the Proxy intercept view or history. Nonetheless, using SSL pass through can sometimes enable you to perform some limited testing. If the application uses multiple domains, or uses a mix of HTTP and HTTPS connections, then passing through SSL connections to specific problematic servers still enables you to work on other traffic using Burp in the normal way.

As an example, suppose you encounter a domain where you are not able to get your client device to negotiate SSL correctly. This should be obvious enough in the client, and Burp will also alert you:

To work around this problem, you can add the problematic server to Burp's SSL pass through list:

Requests to this server will now pass straight through Burp, and your client can connect in the normal way.

The option to automatically add entries to the SSL pass through list on client SSL negotiation failure can be useful if you aren't sure exactly which domains the application is using, and don't want to have to manually populate the list. If you enable this option, then if your client fails to negotiate SSL connections with any other servers, these will be automatically added to the list, and Burp will alert you:

It is not recommended to generally enable the automatic addition of pass through servers automatically, because if your client happens to encounter a one-off problem that causes it to fail an negotiation, then no further SSL connections to that host will be intercepted, until you remove the server from the pass through list.

User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Copyright 2014 PortSwigger Ltd. All rights reserved.