Burp Suite, the leading toolkit for web application security testing

PortSwigger Web Security Blog

Thursday, 29 May 2014

PortSwigger is sponsoring BSides Manchester

PortSwigger Web Security is proud to be a gold sponsor of BSides Manchester. This free security conference is right on our doorstep in the North West of England, so we're very happy to be supporting it.

As the team behind Burp Suite grows, we're always on the lookout for great people with a strong web security background. If you're at the event, come and find us and we can talk about how you could help us make Burp even better.

We also have a number of conference tickets to give away to Burp users. If you haven't managed to obtain a ticket to the event, and you (or your employer) are a licensed user of Burp Suite Pro, please email us at office@portswigger.net to claim your ticket - first come first served!

Tuesday, 15 April 2014

Burp Suite Free Edition v1.6 released

Burp Suite Free Edition v1.6 is now available to download.

This is a significant upgrade with a wealth of new features added since v1.5, including:
  • Support for WebSockets messages.
  • Support for PKCS#11 client SSL certificates contained in smart cards and physical tokens.
  • A new Extender tool, allowing dynamic loading and unloading of multiple extensions.
  • A new powerful extensibility API, enabling extensions to customize Burp's behavior in much more powerful ways.
  • Support for extensions written in Python and Ruby.
  • A new BApp Store feature, allowing quick and easy installation of extensions written by other Burp users.
  • An option to resolve DNS queries over a configured SOCKS proxy, allowing access to TOR hidden services.
  • Generation of CSRF PoC attacks using a new cross-domain XHR technique.
  • New options for SSL configuration, to help work around common problems.
  • Optional unpacking of compressed request bodies in the Proxy.
  • Support for .NET DeflateStream compression.
  • New and improved types of Intruder payloads.
  • New Proxy interception rules.
  • New Proxy match/replace rules.
  • Improved layout options in the Repeater UI.
  • An SSL pass-through feature, to prevent Burp from breaking the SSL tunnel for specified domains.
  • Support for the Firefox Plug-n-hack extension.
  • An option to copy a selected request as a curl command.
And the best thing about Burp upgrades? No one pays for them ...

The Free Edition is and always will be free, despite its huge capabilities.

Burp Suite Professional still costs only $299, and all licensed users can upgrade without any extra charge. We haven't changed the price for two-and-a-half years, despite two major updates and nearly forty minor updates. Even better? We've already said that we won't be hiking the price during 2014.

Have fun!

Tuesday, 4 March 2014

Introducing the BApp Store

Today's release of Burp includes a brand new feature: the BApp Store. This contains Burp extensions that have been written by users of Burp Suite, to extend its capabilities.

You can install BApps with one click from within Burp:

You can also download BApps from the BApp Store web site, for manual installation on Burp machines without an Internet connection:

All BApps are free! We may support paid-for BApps in future, but we have no current plans to do so.

We really hope that the new feature will help users find and use good quality Burp extensions that other users have shared. You can rate BApps that you have used, and see the aggregated ratings submitted by other users.

We also hope that the BApp Store will encourage more extension authors to create and share great Burp extensions. We'll be adding more BApps to the store in the near future. If you have written or are aware of a great Burp extension that you'd like included in the BApp Store, please submit your BApp to us.

Thursday, 6 February 2014

Burp Suite Pro shines in new survey

A new survey has just been published comparing the performance of 63 different web application security scanners. This is what it says overall about Burp Suite Pro:
"Burp is the undisputed winner of the overall versatility category, was the winner in the input vector support category, got one of the highest scores in detecting Backup/Hidden Files, and decent scores in many other categories. It also came out FIRST in the SQL Injection and Reflected XSS categories, and dramatically improved its RFI score."
There is a lot of technical detail in the survey results that we plan to work through, to understand exactly how Burp performed and how it can be improved even further.

In the past few months, we've made numerous significant enhancements to Burp Scanner, adding support for nested insertion points, new payload encodings, new categories of vulnerability, and improved coverage of existing scan checks. But we're far from complacent: this year we will continue enhancing the Scanner engine to find even more edge-case vulnerabilities, and also the Spider tool to improve Burp's fully automated crawling capabilities.

As always, new features and enhancements to Burp Suite Pro are made available free to licensed users, and the cost of a Burp license will not be increasing during 2014.

Wednesday, 1 January 2014

Burp Suite Pro price held for 2014

It's been a while since we increased the price of Burp Suite Pro. In fact, it's cost $299 since November 2011.

Since that time, we've released 34 updates, and added over a hundred great new features, including:
  • Fully updated user interface
  • In-tool documentation
  • Support for JSON parsing and rendering
  • Various Scanner engine enhancements, including several new checks
  • Options to optimize the Scanner for speed and accuracy
  • Nested Scanner insertion points, to handle XML within JSON within a URL parameter, etc.
  • New extensibility API
  • Ability to load multiple extensions, and load/unload dynamically via the UI.
  • Support for extensions written in Python and Ruby
  • CSRF PoC generator
  • Importable / exportable SSL CA certificates
  • Workarounds for various Java SSL issues
  • Support for PKCS#11 smart card authentication
  • SSL passthrough function
  • sslstrip functionality
  • "Copy as curl command" feature
  • New Intruder payload types
  • Support for Firefox plug-n-hack
  • Numerous other small enhancements throughout the suite.
All updates are made available to licensed users without any additional charge.

Today, we pledge that we will not increase the USD price of Burp Suite Pro during 2014. Instead of hiking the price, we'll continue to add great new features. We have some fantastic ideas in the pipeline, and if all goes well we will be making one or two really big announcements in the course of 2014.

Happy new year!

Friday, 4 October 2013

Burp through the ages

Here is a brief tour of the major releases of Burp from over the years. I can't believe it's been over 10 years already!

Burp v1.0

  • Released June 2003
  • First incarnation of Intruder tool
  • Includes burp sound effects you can't turn off

Burp Proxy v1.0 

  • Released August 2003
  • Basic intercepting proxy
  • Text / hex views
  • History feature


  • Released August 2003
  • First incarnation of Repeater tool
  • So-called because it simply opens a socket and sends a request to it

Burp Proxy v1.1

  • Released January 2004
  • Tons more options!
  • Supports chained proxy, authentication, match-and-replace
  • Getting pretty sophisticated now

Burp Spider v1.0

  • Released March 2004
  • Application-aware spider
  • Can follow links and submit forms

Burp Repeater v1.1

  • Released July 2005
  • New name for the sock tool
  • Adds chained proxy and authentication options

Burp Suite v1.0

  • Released August 2005
  • All four Burp tools together
  • Items can be easily sent between tools to speed up testing
  • Supports passive spidering as you browse
  • Extensibility
  • A huge breakthrough!

Burp Suite v1.1

  • Released November 2007
  • New Sequencer, Decoder and Comparer tools
  • New analysis of HTTP messages

Burp Suite v1.2

  • Released December 2008
  • Burp Scanner arrives
  • New site map
  • Tons of cool new features: scope control, view filters, search, invisible proxying
  • The infamous Month of Burp Pr0n is published
  • This is the big leap forwards!

Burp Suite v1.3

  • Released January 2010
  • Improved rendering and analysis of HTTP messages
  • Content discovery
  • Target analysis
  • The crucial manual testing simulator

Burp Suite v1.4

  • Released June 2011
  • New logo (still home-made)
  • Session handling rules and macros
  • New ways to test access controls
  • Works properly on OS X now

Burp Suite v1.5

  • Released October 2012
  • Another new logo (a proper one this time)
  • New UI, with bells, whistles and capital letters.
  • In-tool documentation
  • Lots of cool new features

Tuesday, 10 September 2013

Burp support for Firefox Plug-n-Hack

The Firefox browser has recently added support for a new way of easily configuring the browser to work with intercepting proxy tools like Burp. To use this, you need to install a Firefox plugin called Plug-n-Hack:

The plugin is currently beta and also requires the latest beta version of Firefox, but when it is stabilized it will be available on the Firefox Marketplace.

If you have installed the Plug-n-Hack plugin, configuring a clean installation of Firefox to work with Burp is pretty straightforward. First, in your browser, enter the URL to connect directly to your Burp Proxy listener (by default

On the Burp welcome page, follow the Plug-n-Hack link:

Click on the "Configure your browser" button, and accept the warning displayed by the plugin:

If everything worked, you will see a "Configuration succeeded" message:

The configuration will have carried out two tasks. Firstly, it will configure your browser to use Burp as its proxy server, via a proxy auto-configuration file created by Burp:

Secondly, it will install Burp's SSL CA certificate as a trusted root in your browser, to eliminate SSL warnings when intercepting traffic to SSL web sites:

Hopefully the new Plug-n-Hack support will make life a bit easier the next time you set up Burp on a new machine.
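The post says the first configuration task points the browser at Burp via a proxy auto-configuration (PAC) file. The script below is an added example of what such a PAC file does, written here for illustration; it is not the file Burp generates, and the listener address 127.0.0.1:8080 and the scope entries are assumed placeholders. It goes slightly beyond the page's description by routing only hosts in a test scope through the proxy and sending everything else direct, using plain ES5 so that it also runs inside a browser's PAC engine.

```javascript
// Added example, not Burp's generated PAC file.
// Assumed listener address: Burp's proxy listener is taken to be 127.0.0.1:8080.
var BURP_LISTENER = "PROXY 127.0.0.1:8080";

// Constructed test scope (placeholders): an entry with a leading dot matches the
// domain itself and any subdomain; an entry without one matches exactly.
var SCOPE = ["example.com", ".test.example"];

// Returns true when the request host falls inside the constructed scope.
// Exact comparison is used for dotless entries so that "notexample.com"
// is not treated as part of "example.com".
function inScope(host) {
  var h = String(host).toLowerCase();
  for (var i = 0; i < SCOPE.length; i++) {
    var entry = SCOPE[i];
    if (entry.charAt(0) === ".") {
      if (h === entry.slice(1) || h.slice(-entry.length) === entry) {
        return true;
      }
    } else if (h === entry) {
      return true;
    }
  }
  return false;
}

// Browsers call FindProxyForURL(url, host) for every request and act on the
// returned directive string ("PROXY host:port" or "DIRECT").
function FindProxyForURL(url, host) {
  var h = String(host).toLowerCase();
  // Loopback stays direct so that Burp's own web interface remains reachable.
  if (h === "localhost" || h === "127.0.0.1" || h === "::1") {
    return "DIRECT";
  }
  return inScope(h) ? BURP_LISTENER : "DIRECT";
}
```

Because the second configuration task makes the browser trust Burp's CA certificate, whatever the PAC sends to the listener will be intercepted without warnings; keeping the scope list to the hosts under test limits that interception to the intended traffic.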

Copyright 2014 PortSwigger Ltd. All rights reserved.