Burp Suite, the leading toolkit for web application security testing

BApp Store

The BApp Store contains Burp extensions that have been written by users of Burp Suite, to extend Burp's capabilities.

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

     Masks verbose parameter details in .NET requests.
     Extends Burp's active and passive scanning capabilities.
     Provides some additional passive Scanner checks.
     Helps test for authorization vulnerabilities.
     Automatically detects authorization enforcement.
     Generates and fuzzes custom AMF messages.
     Generates Intruder payloads using the Radamsa test case generator.
     Automatically renders Repeater responses in Firefox.
     Adds Ruby scripting capabilities to Burp.
     Integrates Crawljax, Selenium and JUnit into Burp.
     Adds headers useful for bypassing some WAF devices.
     Provides a command-line interface to drive spidering and scanning.
     Adds various capabilities including SQL Mapper, User Generator and Prettier JS.
     Helps detect and exploit some common crypto flaws.
     Passively scans for CSRF vulnerabilities.
     Hides and automatically handles anti-CSRF token defenses.
     Adds a new tab to log all requests and responses.
     Passively detects detailed server error messages.
     Integrates Burp with the Faraday Integrated Penetration-Test Environment.
     Lets you run Google Hacking queries and add results to Burp's site map.
     Automatically identifies insertion points for GWT (Google Web Toolkit) requests.
     Reports security issues in HTTP headers.
     Checks whether a server is vulnerable to the Heartbleed bug.
     Scans for usage of risky HTML5 features.
     Checks if a particular URL responds differently to various User-Agent headers.
     Passively scans images in responses for GPS location details.
     Extracts metadata from image files.
     Posts discovered Scanner issues to an external web service.
     Adds scan checks focused on Java environments and technologies.
     Decompresses and beautifies compressed resources, to facilitate testing.
     Displays JSON messages in decoded form.
     Sends Burp Scanner issues directly to a remote Lair project.
     Logs requests and responses for all Burp tools in a sortable table.
     Parses Nmap output files and adds common web ports to Burp's target scope.
     Lets you take notes and manage external documents from within Burp.
     Generates payload lists based on a set of characters that are sanitized.
     Imports and passively scans Pcap files.
     Decodes and beautifies protobuf responses.
     Allows execution of a custom Python script on each HTTP request and response.
     Automatically generates fake source IP address headers to evade WAF filters.
     Monitors traffic and looks for parameter values that are reflected in the response.
     This extension generates scripts to reissue selected requests.
     Places a random value into a specified location within requests.
     Integrates with the Retire.js repository to find vulnerable JavaScript libraries.
     Adds a tab to Burp's message editor for decoding/encoding SAML messages.
     Adds a tab to Burp's main UI for decoding/encoding SAML messages.
     Performs custom scanning for vulnerabilities in web applications.
     Identifies authentication privilege escalation vulnerabilities.
     Determines server session timeout intervals.
     Fetches the responses of unrequested items in the site map.
     Passively reports server software version numbers.
     Initiates SQLMap scans directly from within Burp.
     Provides an interface to the ThreadFix vulnerability management platform.
     Integrates Burp with HP WebInspect.
     Displays information about IBM WebSphere Portlet state.
     Extends Intruder to aid in testing Web Application Firewalls.
     Scans a target server for WSDL files.
     Sends responses to a locally-running XSS-Detector server.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

If you have written, or are aware of, an extension that you would like to be included in the BApp Store, please submit your BApp to us.

Copyright © 2015 PortSwigger Ltd. All rights reserved.