Support Center
Documentation
Contents
Enterprise
Professional
Community
Burp Suite documentation - contents
Documentation
Desktop editions
Getting started
Download and install
Intercepting HTTP traffic with Burp Proxy
Intercepting a request
Modifying requests in Burp Proxy
Step 1: Access the vulnerable website in Burp's browser
Step 2: Log in to your shopping account
Step 3: Find something to buy
Step 4: Study the add to cart function
Step 5: Modify the request
Step 6: Exploit the vulnerability
Setting the target scope
Reissuing requests with Burp Repeater
Sending a request to Burp Repeater
Testing different input with Burp Repeater
Running your first scan
Scanning a website
What next?
Continue your Burp Suite journey
Activate license
Manual activation
Generating a report
Mac installer
System requirements
CPU cores / memory
Free disk space
Operating system and architecture
Embedded browser
Running scans
Scanning web applications
Running a full crawl and audit
Step 1: Configure scan type
Step 2: Configure AI scan enhancements (optional)
Configuring AI credit behavior
Step 3: Configure scan details
Step 4: Select a scan configuration
Step 5: Configure application logins (optional)
Step 6: Select a resource pool (optional)
Scanning specific HTTP messages
Configuring an audit of specific HTTP messages
Scanning APIs
Step 1: Configure scan type
Step 2: Upload API definition
Step 3: Review and configure the API details
Viewing and configuring authentication
Step 4: Select a scan configuration
Step 5: Select a resource pool
Configuring authentication
Detected authentication methods
Adding authentication methods
Basic authentication
Bearer token
API key / Custom token
Fixed API key / Custom token authentication method
Dynamic API Key / Custom token authentication method
Editing authentication credentials / methods
How Burp applies authentication credentials
Conflicts between manually added methods
Conflicts between detected methods and manually added methods
Live tasks
Types of live task
Live task scope
Scan configuration and resource pools
Creating live tasks
Task execution settings
Task auto-start
Resource pools
Setting the scan scope in Burp Suite Professional
URLs to scan
Fragment handling
Protocol settings
Advanced scan parameters
Items to scan
Configuring scans
Setting up scan configurations
Saving scan configurations
Saving complete scan configurations
Saving crawl-only or audit-only configurations
Loading scan configurations
Importing scan configurations
How Burp applies scan configurations
Adding custom scan checks
Managing the custom scan checks table
Adding extension scan checks
Managing the extension scan checks table
Viewing scan and live task results
Summary
Issues
Analyzing issue activity
Managing issues
Audit items
Audit phase indicators
Insertion points
Tree view
Nested insertion points
Insertion points information
Insertion point statuses
Event log
Audit log
Viewing audit activity
Analyzing audit log activity
Managing audit log items
Live crawl view
Exploring issues with AI
How Explore Issue works
Running an explore task
Reviewing results
Task progress
Logger
Ending an explore task
Trust and transparency in Explore Issue
Reporting scan results
Manually creating issues for reports
To create an issue:
Adding multiple request and response pairs to an issue
To add request / response pairs to a manually created issue:
Report settings
Report format
Issue details
HTTP messages
Selecting issue types
Report details
Configuring application logins
Adding usernames and passwords
Adding login credentials
Editing existing login credentials
Testing login functions
Adding recorded login sequences in Burp Suite Professional
Generating recorded login sequences using AI
Adding an AI-powered recorded login
Privacy and security in AI-powered recorded logins
Adding manually recorded login sequences
Editing existing recorded logins
Managing application logins using the configuration library
Managing resource pools for scans
Creating new resource pools
Reassigning resource pools
Testing workflow
Tutorials
Setting a test scope
Adding URLs to the scope
Excluding URLs from the scope
Mapping the website
Mapping the visible surface
Before you start
Steps
Discovering hidden content
Automated discovery
Before you start
Steps
Discovering hostnames
Steps
Analyzing the attack surface
Scoping the effort to audit a website
Before you start
Steps
Identifying high-risk functionality
Before you start
Steps
Identifying supported HTTP methods
Before you start
Enumerating supported methods for a single endpoint
Enumerating supported methods for multiple endpoints
Checking for hidden inputs
Before you start
Steps
Evaluating inputs
Before you start
Steps
Manually evaluating individual inputs
Scanning inputs
Fuzzing inputs
Analyzing opaque data
Decoding data
Investigate opaque data with the Inspector
Investigate opaque data with Burp Decoder
Identifying which parts of a token impact the response
Steps
Testing authentication mechanisms
Enumerating usernames
Steps
Guessing usernames for known users
Steps
Brute-forcing passwords
Before you start
Running a dictionary attack
Running an exhaustive brute-force attack
Credential stuffing
Before you start
Steps
Brute-forcing logins
Before you start
Steps
Testing session management mechanisms
Analyzing session token generation
Before you start
Steps
Determining the session timeout
Steps
Generating a CSRF proof-of-concept
Steps
Working with JWTs
Before you start
Viewing JWTs
Editing JWTs
Adding a JWT signing key
Maintaining an authenticated session
Identifying an invalid login expression
Configuring a session handling rule
Checking the session handling rule
Testing access controls
Testing for IDORs
Steps
Testing for parameter-based access control
Before you start
Steps
Testing for privilege escalation
Before you start
Testing a specific endpoint
Testing across the entire site
Testing horizontal access controls
Before you start
Testing a specific endpoint
Testing across the entire site
Using match and replace rules
Step 1: Open the lab
Step 2: Attempt to access the admin panel
Step 3: Add a custom match and replace rule
Step 4: Try to access the admin panel again
Summary and next steps
Testing input validation
Bypassing client-side controls
Steps
SQL injection
Testing for SQL injection vulnerabilities
Steps
Scanning for SQL injection vulnerabilities
Manually fuzzing for SQL injection vulnerabilities
Cross-site scripting
Identifying reflected input
Steps
Scanning for reflected inputs
Identifying reflected input manually
Next steps
Testing for DOM XSS with DOM Invader
Before you start
Steps
Related pages
Testing for web message DOM XSS with DOM Invader
Before you start
Steps
Related pages
Testing for reflected XSS manually
Before you start
Steps
Related pages
Testing for stored XSS
Steps
Bypassing XSS filters
Before you start
Steps
Testing for blind XSS
Steps
Related pages
Testing for prototype pollution with DOM Invader
Before you start
Steps
OS command injection
Testing for command injection vulnerabilities
Steps
Scanning for command injection vulnerabilities
Manually testing for command injection vulnerabilities
Testing for asynchronous OS command injection vulnerabilities
Steps
Exploiting OS command injection vulnerabilities to exfiltrate data
Before you start
Steps
XXE injection
Testing for XXE injection vulnerabilities
Steps
Scanning for XXE vulnerabilities
Manually testing for XXE vulnerabilities
Testing for blind XXE injection vulnerabilities
Steps
Scanning for blind XXE injection vulnerabilities
Manually testing for blind XXE injection vulnerabilities
Testing for directory traversal vulnerabilities
Steps
Scanning for directory traversal vulnerabilities
Fuzzing for directory traversal vulnerabilities
Testing for clickjacking
Steps
Testing for SSRF vulnerabilities
Testing for SSRF
Steps
Testing for blind SSRF
Steps
Testing for WebSocket vulnerabilities
Manipulating WebSocket messages
Steps
Manipulating WebSocket handshakes
Steps
Working with GraphQL in Burp Suite
Viewing and modifying GraphQL requests
Accessing GraphQL API schemas using introspection
Complementing manual testing with Burp Scanner
Scanning specific requests
Scanning user-defined insertion points
Scanning a single insertion point
Scanning multiple insertion points
Scanning non-standard data structures
Store HTTP traffic for review
HTTP/2
Background concepts
Default protocol
Keeping track of which protocol you're using
Changing the protocol for a request
Kettled requests
What can cause a request to become kettled?
Unkettling a request
Kettled requests and extensions
HTTP/2 settings
Changing the default protocol
Repeater options for HTTP/2
Enforce protocol choice on cross-domain redirections
Enable HTTP/2 connection reuse
Strip Connection header over HTTP/2
Allow HTTP/2 ALPN override
Disabling HTTP/2 for proxy listeners
Upcoming enhancements for HTTP/2 in Burp
Increased support for kettled requests
Normalization
What normalization is performed?
Why can't I move the Host header?
Sending requests without any normalization
Performing HTTP/2-exclusive attacks
Injecting newlines into headers
HTTP/2 basics for Burp users
Binary protocol
Frames
Message length
Header capitalization
Pseudo-headers
External browser configuration
Check proxy listener is active
Configuring Chrome to work with Burp Suite - Windows
Configuring Chrome to work with Burp Suite - MacOS
Firefox
Safari
Check your browser configuration
Installing Burp's CA certificate
Installing Burp's CA certificate on a mobile device
Why do I need to install Burp's CA certificate?
In-browser interface
Chrome
Removing Burp's CA certificate from Firefox
Chrome
Installing Burp's CA certificate in Chrome - Windows
Removing the CA certificate from Windows
Installing Burp's CA certificate in Chrome - Linux
Removing the Burp Suite CA certificate
Installing Burp's CA certificate in Chrome - MacOS
Removing the Burp Suite CA certificate
Chrome
Removing Burp's CA certificate from Safari
Troubleshooting
Check that Burp is running
Check your proxy listener is active
Try a different port
What next?
Mobile testing
Configuring a mobile device
Troubleshooting for mobile devices
I can't access HTTPS URLs on iOS even after installing Burp's CA certificate
Configuring an iOS device to work with Burp Suite Professional
Step 1: Configure the Burp Proxy listener
Step 2: Configure your device to use the proxy
Step 3: Install a CA certificate on your iOS device
Step 4: Test the configuration
Configuring an Android device to work with Burp Suite Professional
Step 1: Configure a dedicated proxy listener in Burp
Step 2: Configure your device to proxy traffic through Burp
Step 3: Add Burp's CA certificate to your device's trust store
Step 4: Test the configuration
Extending Burp
Bambdas
Custom scan checks
Extensions
Bambdas
Feature specific instructions
Filtering tables
Adding custom columns
Adding custom scan checks
Adding custom actions
Adding match and replace rules
Managing scripts
Importing scripts
Creating scripts
Exporting scripts
Managing scripts
Importing Bambdas
Importing the full GitHub repository
Updating your scripts
How Burp overwrites scripts
Creating scripts
Creating scripts in the Bambda library
Creating scripts from specific Burp tools
Filtering tables
Adding custom columns
Adding custom scan checks
Adding custom actions
Adding match and replace rules
Troubleshooting
Compilation errors
Runtime errors
Debugging scripts
Submitting scripts to GitHub
Step 1: Add documentation to your script
Step 2: Format and refine your script
Step 3: Export your script from Burp
Step 4: Validate and submit your script
Writing custom actions
Worked example
Step 1: Get the response body
Step 2: Check the response body for the CSRF token
Step 3: Extract and process the token
Step 4: Log the result
Step 5: Handle the situation where no token is found
Writing guide
On this page
API access
Step 1: Accessing request and response data
Retrieving the full request or response
Extracting specific parts of the message
Extracting user-selected content
Extracting the HTTP service
Handling empty or missing content
Step 2: Processing data
Using AI to analyze messages
Modifying editor content
Replacing selected content in the editor
Step 3: Logging and using the data
Logging to output
Sending data to other Burp tools
Logging data to a file
Example use cases
Decoding data
Encoding data
Sending modified requests
Sending repeated requests to test for race condition vulnerabilities
Fetching external data
Running shell commands
Developing AI features
Sending prompts and handling responses
Setting the temperature
Handling exceptions
AI best practices
Mitigate prompt injection attacks
Optimize AI requests for efficiency and security
Use effective prompts
Use lower temperatures for better accuracy
Custom scan checks
Importing custom scan checks
Importing full GitHub repositories
Updating your custom scan checks
How Burp overwrites script-based checks
How Burp overwrites BCheck-based checks
Creating custom scan checks
Creating script-based checks
Creating BCheck-based checks
Managing custom scan checks
Importing custom scan checks
Creating custom scan checks
Exporting custom scan checks
Managing custom scan checks
Testing custom scan checks
Testing a custom check in the editor
Managing test cases
Running a test scan
Extensions
Installing extensions
BApp Store
Finding extensions
Evaluating extensions
Installing extensions
Manual install
Manually installing a custom extension
Manually installing a BApp Store extension
Troubleshooting
Installing extensions
Step 1: Check your internet connection
Step 2: Configure an upstream proxy
Step 3: Identify and resolve an intercepting proxy
Option 1: Allowlist Burp in the intercepting proxy
Option 2: Configure Burp to use your system's trusted certificate store
Option 3: Import the intercepting proxy's certificate into Java's trust store
You need to update Burp
You need to configure Jython or JRuby
You need to upgrade to Burp Suite Professional
Step 1: Update Burp
Step 2: Visit the extension's repository
Step 3: Use AI to review the extension's code
Step 4: Report an issue or suggest a fix to the extension's author
Option 2: Suggest a fix
Performance issues
Step 1: Disable unused extensions
Step 2: View the performance impact estimate for particular extensions
Step 3: Manually test extensions
Managing extensions
Viewing requests sent by Burp extensions using Logger
Step 1: Send requests using an extension
Step 2: Go to the Logger tab
Step 3: Filter the log
Step 4: View individual requests
Summary
Using AI extensions
Using AI credits
Checking AI credit use
Enabling AI for extensions
Creating
Exploring your idea
Choosing the right extensibility option
Choosing a language
Creating AI-powered extensions
Vibe coding extensions with AI
Handling kettled HTTP/2 requests in extensions
Custom editor best practice
BApp Store acceptance criteria
Extender API examples (Legacy)
Creating AI extensions
AI credits
Examples
Developing AI features in extensions
On this page
Checking AI availability
Configuring the extension to enable AI
Verifying AI availability
Sending prompts and handling responses
Single-shot prompts
Building multi-turn conversations
Handling exceptions
Setting the temperature
Best practices for writing AI extensions
Declare AI support and check availability
Mitigate prompt injection attacks
Optimize AI requests for efficiency and security
Use effective prompts
Use lower temperatures for better accuracy
Handle exceptions gracefully
Use an executor service where necessary to avoid blocking threads
Development environment setup
Using the starter project
Prerequisites
Step 1: Download the template
Step 2: Open the project
[Optional] Step 3: Rename the project
[Optional] Step 4: Confirm correct setup
[Optional] Step 5: Enable LLM support
Next steps
Understanding the starter project
Manual setup
Prerequisites
Step 1: Create a new project
Step 2: Add the Montoya API dependency
Gradle configuration
Maven configuration
Step 3: Create your extension class
Step 4: Confirm correct setup
[Optional] Step 5: Enable LLM support
Claude Code support
Other LLM support
Next steps
Writing first extension
Before you begin
Step 1: Implement the extension interface
Step 2: Set the extension name
Step 3: Add a context menu item
Step 4: Add a custom tab
Complete code
Next steps
Tutorials
Before you begin
Adding a settings panel
Step 1: Create a panel
Step 2: Define your settings
Step 3: Register the settings panel
Step 4: Access user-configured setting values
Step 5: Use the setting values
[Optional] Help users find your settings panel
Complete code
Loading in Burp
Step 1: Build the JAR file
Gradle build command
Maven build command
Step 2: Load the JAR file in Burp
Reloading your extension
Sharing your extension
Setting up remote debugging
Prerequisites
Step 1: Configure a remote debugging session
Step 2: Start Burp with remote debugging enabled
Step 3: Attach your debugger to Burp
Troubleshooting
Using a remote debugger
Prerequisites
Step 1: Set breakpoints
Setting conditional breakpoints
Setting logging breakpoints
Step 2: Trigger your extension in Burp
Troubleshooting
Step 3: Inspect stack frames and variables
Review the call stack
Inspect variable values
Step through the code
View errors in the terminal
Step 4: Modify your extension and repeat
Step 5: Finish the debug session
Sharing your extension
Submitting extensions to the BApp Store
Step 1 - Check the acceptance criteria
Step 2 - Submit your extension
Step 3 - We review your extension
Maintaining extensions on the BApp Store
Using AI to support extension maintenance
Project files
Opening an existing project file
Pause Automated Tasks
Trust this project file
Creating project files
Opening a project file
Managing project files
Saving a copy of a project
Saving the Burp Collaborator identifier
Importing project files
Recovering data from corrupted project files
Troubleshooting
Troubleshooting
Troubleshooting performance issues
Optimize memory usage
Disabling extensions
Allocating less memory to Burp
Using a disk-based project
Check the minimum system requirements
Identify potential bottlenecks: CPU, memory, and network
Optimize CPU usage
Disabling pretty printing
Disabling JavaScript analysis
Configuring your scans for performance
Narrowing the scope of your scans
Scanning a single protocol
Optimize network usage
Reducing concurrent scans
Configuring resource pools
Launch from the command line
Checking your Java version
Launching the Burp Suite JAR
Command line arguments
Setting Java options
Creating a user.vmoptions file
Specifying options
Customizing Burp's layout
Customizing Burp's top-level tabs
Arranging top-level tabs
Hiding top-level tabs
Restoring the default top-level tab layout
Customizing Burp's tables
Advanced table customization
Tools
Dashboard
Task list
Launching new tasks
Pausing and resuming running tasks
Disabling traffic capturing for live tasks
Bottom dock
Target
Site map
Accessing the site map
URL view
URL view icons
Contents pane
Requests and responses
Issues pane
Editing the Issues pane
Filtering the site map
Settings mode
Script mode
Site map annotations
Workflow tools
Add to scope / Remove from scope
Send to
Scan
Show response in browser
Record an issue
Request in browser
Engagement tools
Compare site maps
Add notes / Highlight
Expand / collapse branch / requested items
Delete items
Copy URLs
Copy as curl command
Copy links
Save items
Show new site map window
Site map layout
Contents and issues layout
Request and response layout
Adding a new site map window
Getting started
Tutorial
Step 1: Access the lab
Step 2: Go to the site map
Step 3: Update the site map
Step 4: Filter the displayed information
Step 5: Set the target scope using the site map
Filtering the site map with scripts
Keyboard shortcuts
Loading scripts from your library
Creating custom scripts
Converting filter settings to scripts
Creating your script
Example script
Comparing site maps
Site map sources
Request matching
Response comparison
Comparison results
Viewing comparison results
Interpreting comparison results
Scope
URL-matching rules
Normal scope control
Advanced scope control
Crawl paths
Accessing the Crawl paths view tab
Viewing crawl paths
Example crawl path
Viewing HTTP requests
Viewing issues
Viewing outlinks
Manual Application mapping
Reviewing unrequested items
Analyzing the attack surface
Issue definitions
Burp's browser
Manual testing with Burp's browser
Scanning websites with Burp's browser
Health check for Burp's browser
Burp Proxy
Proxy intercept
Getting started
Controls
Intercepted messages table
Adding annotations
Message display
Protocol
HTTP history
Changing the HTTP history layout
Viewing a request
Adding custom columns
Keyboard shortcuts
Loading scripts from your library
Creating custom scripts
Filter settings
Settings mode
Script mode
Adding annotations
Filtering with scripts
Keyboard shortcuts
Loading scripts from your library
Creating custom scripts
Converting filter settings to scripts
Creating your script
Example script
WebSockets history
Changing the WebSockets history layout
Viewing a request
Adding custom columns
Keyboard shortcuts
Loading scripts from your library
Creating custom scripts
Filter settings
Settings mode
Script mode
Adding annotations
Filtering with scripts
Keyboard shortcuts
Loading scripts from your library
Creating custom scripts
Converting filter settings to scripts
Creating your script
Example script
Match and replace
Adding match and replace rules
Creating rules
Settings mode
Using regex syntax
Matching multi-line regions
Using regex groups in back-references and replacement strings
Script mode
Creating rules with scripts
Keyboard shortcuts
Loading scripts from your library
Creating custom scripts
Testing rules
Managing CA certificates
Exporting and importing the CA certificate
Creating a custom CA certificate
Invisible proxying
Intruder
Getting started
Tutorial
Step 1: Access the lab
Step 2: Try to log in
Step 3: Set the payload position
Step 4: Select an attack type
Step 5: Add the payloads
Step 6: Start the attack
Step 7: Look for any irregular responses
Step 8: Study the response
What next?
Learn more about Burp Intruder
Configure attack
Positions
Attack types
Sniper attack
Battering ram attack
Pitchfork attack
Cluster bomb attack
Payload types
Payload configuration
Simple list
Runtime file
Custom iterator
Character substitution
Case modification
Recursive grep
Illegal Unicode
Character blocks
Numbers
Dates
Brute forcer
Null payloads
Character frobber
Bit flipper
Username generator
ECB block shuffler
Extension-generated
Copy other payload
Collaborator payloads
Payload lists
Using predefined payload lists
Placeholders
Processing placeholders
Processing
Configuring processing rules
Types of processing rules
Configuring payload encoding
Resource pools
Creating resource pools
Resource pool settings
Moving tasks between resource pools
Settings
Save attack
Request headers
Error handling
Attack results
Auto-pause attack
Grep - match
Grep - extract
Grep - payloads
Redirections
HTTP/1 connection reuse
HTTP version
Managing tabs
Results
Editing attacks
Saving results
Closing attacks
Viewing results
Viewing a request
Analyzing results
Filtering results
Capture filter
Capture filter settings
Managing the capture filter settings
View filter
View filter settings
Managing the view filter settings
Workflow
Add payload position
Clear payload positions
Scan
Send to...
Show response in browser
Record an issue
Request in browser
Generate CSRF PoC
Add to site map
Request item again
Define extract grep from response
Copy as curl command
Add comment
Highlight
Copy links
Save item
Uses
Enumerating identifiers
Step 1: Find a request
Step 2: Set a payload position
Step 3: Set a payload type
Step 4: Analyze the results
Use cases
Harvesting data
Step 1: Find a request
Step 2: Set a payload position
Step 3: Set a payload type
Step 4: Set an extract grep
Step 5: Analyze the results
Use cases
Fuzzing
Step 1: Set the payload positions
Step 2: Set the payload type
Step 3: Set the match grep
Step 4: Analyze the results
Repeater
Working with HTTP messages
HTTP Repeater tab
Adding notes for HTTP Repeater tabs
AI features in Repeater
Custom actions
Creating custom actions
Testing custom actions
How Burp selects test data
Loading custom actions
Running custom actions
Running AI-powered custom actions
Managing custom actions
Using Burp AI in Repeater
Running a Burp AI task from Repeater
Managing context
Adding highlighted areas
Adding notes
Removing items from the context
Reviewing AI task results
Task progress
Logger
Ending an AI task
Trust and transparency in Burp AI
Generating AI-powered explanations
Generating an AI-powered explanation
Managing explanations
Sending grouped HTTP requests
Sending requests in sequence
Sending over a single connection
Sending over separate connections
Send in sequence prerequisites
Sending requests in parallel
Send in parallel prerequisites
Working with WebSocket messages
WebSocket Repeater tab
Managing tabs
Tab groups
Managing tab groups
Creating a new tab group
Editing existing groups
Closing tab groups
Configuring tab-specific settings
Sequencer
Getting started
Token sample
Configuring a live capture of tokens
Selecting a token location
Manually loading tokens
Live capture
Results
Summary
Overall result
Effective entropy
Reliability
Sample
Analysis result tabs
Individual tests
Character set
Bit conversion
Analysis settings tab
Tests
How the tests work
Character-level tests
Character count analysis
Character transition analysis
Bit-level analysis
FIPS test results
FIPS monobit test
FIPS poker test
FIPS runs test
FIPS long runs test
Spectral tests
Correlation test
Compression test
Decoder
Carrying out transformations
Operations
Comparer
Carrying out comparisons
Controls
Results
Logger
Getting started with Logger
Step 1: Access the lab
Step 2: View requests on the Logger tab
Step 3: Audit a request with Burp Scanner
Step 4: Examine the requests made by Burp Scanner
Step 5: Filter the log
Step 6: Disable and clear the Logger history
Learn more about Logger
Working with Logger entries
Viewing log entries
Adding custom columns
Viewing requests and responses
Filtering log entries
Annotating log entries
Logger workflow tools
Filtering Logger
Capture filter
Settings mode
Capture limit
Capture by request type
Capture by MIME type
Capture by status code
Capture by tool
Capture by search term
Session handling
Limit request/response size
Script mode
Capture filter with scripts
Keyboard shortcuts
Loading scripts from your library
Creating custom scripts
Converting filter settings to scripts
Creating your script
Example script
View filter
Settings mode
Filter by request type
Filter by MIME type
Filter by status code
Filter by tool
Filter by search term
Filter by file extension
Filter by annotation
Script mode
View filter with scripts
Keyboard shortcuts
Loading scripts from your library
Creating custom scripts
Converting filter settings to scripts
Creating your script
Example script
Adding custom columns
Keyboard shortcuts
Loading scripts from your library
Creating custom scripts
Example script
Task Logger
Inspector
Configuring the Inspector layout
Request attributes
Viewing HTTP message data in the Inspector
Automatic decoding
HTTP/2 headers and pseudo-headers
Selecting a substring
Modifying requests
Adding new items to a request
Removing items from a request
Reordering items in a request
Editing the name or value of an item
Injecting newlines
Injecting other non-printing characters
Copying items from the Inspector
Getting started with the Inspector
Tutorial
Step 1: Access the lab
Step 2: Log in to a user account
Step 3: Use the Inspector to examine the request
Step 4: Use the Inspector to edit the cookie
Step 5: Using the selection widget
Learn more about the Inspector
Collaborator
Generating payloads
Viewing results
Exporting results
Getting started
Step 1: Access the lab
Step 2: Browse the target site
Step 3: Send an interesting request to Repeater
Step 4: Inject a Collaborator payload into the request
Step 5: Poll for interactions
Summary
What next?
DOM Invader
Key features
Testing for DOM XSS
Injecting a canary
Injecting a canary into multiple sources
Identifying controllable sinks
Determining the XSS context
Studying the client-side code
Testing for DOM XSS using web messages
Enabling web message interception
Identifying interesting web messages
Automated web message analysis
Message details
Origin accessed
Data accessed
Source accessed
Replaying web messages
Generating a proof of concept
Testing for client-side prototype pollution
Enabling prototype pollution
Detecting sources for prototype pollution
Manually confirming sources for prototype pollution
Scanning for prototype pollution gadgets
Generating a proof-of-concept exploit
Testing for DOM clobbering
Enabling DOM clobbering
Enabling DOM Invader
Settings
Main
Enable DOM Invader
Postmessage interception
Customizing sources and sinks
Attack types
Prototype pollution
DOM clobbering
Web message settings
Postmessage origin spoofing
Canary injection into intercepted messages
Filter messages with duplicate values
Generate automated messages
Detect cross-domain leaks
Prototype pollution settings
Scan for gadgets
Auto-scale amount of properties per frame
Scan nested properties
Query string injection
Hash injection
JSON injection
Verify onload
Remove CSP header
Remove X-Frame-Options header
Scan each technique in separate frame
Disabling prototype pollution techniques
Misc
Message filtering by stack trace
Auto-fire events
Redirection prevention
Add breakpoint before redirect
Inject canary into all sources
Configuring callbacks
Remove Permissions-Policy header
Canary
Copying the canary
Changing the canary
Clickbandit
Setting up Burp Clickbandit
Running an attack
Reviewing an attack
Message editor
Message analysis toolbar
Raw tab
Pretty tab
Hex tab
Render tab
GraphQL tab
Additional tabs
Extension-specific tabs
Actions menu
Other ways of using the message editor
HTTP/2 messages in the message editor
HTTP/0.9 responses in the message editor
Context-specific actions
Record an issue
Text editor
Syntax analysis
Pretty printing
Uninteresting headers
Line-wrapping
Non-printing characters
Text editor hotkeys
Quick search
Engagement tools
Content discovery
Control tab
Config tab
Target
Filenames
File extensions
Discovery engine
Site map tab
Target analyzer
Generate CSRF PoC
CSRF PoC options
Manual testing simulator
Search
Text search
Find comments and scripts
Find references
Infiltrator
How Burp Infiltrator works
Installing Burp Infiltrator
Non-interactive installation
Configuration options
Organizer
Sending messages to Organizer
Organizer table
Exporting results
Viewing HTTP messages
Annotating items
Filtering items
Context menu
Menu options
Filter settings
Filter settings
Managing the filter settings
Settings
User and project settings
Finding settings
Managing settings
Settings pages
Key settings
Target scope
Platform-level authentication
Session handling rules and macros
Schedule tasks
HTTP message appearance
Tools
Proxy
Proxy listeners
Binding
Request handling
Certificate
TLS Protocols
HTTP
Request and response interception rules
Adding an interception rule
Modifying intercepted messages
WebSocket interception rules
Response modification rules
HTTP and WebSocket match and replace rules
TLS pass through
Adding TLS passthrough targets
Applying TLS passthrough to out-of-scope items
Default Proxy history message display
Proxy history logging
Default Proxy interception state
Miscellaneous
Intruder
Default Intruder side panel layout
Automatic payload placement
New tab configuration
Behavior when closing result windows
Payload list location
Repeater
Connections
Message modification
Redirects
Follow redirects
Process cookies in redirects
Use selected protocol for cross-domain redirects
Streaming responses timeout
Default tab group
Tab view
Sequencer
Live capture
Token handling
Token analysis
Burp's browser
Browser data
Browser running
Project
Scope
Target scope
Out-of-scope request handling
Collaborator
Tasks
Resource pools
New task auto-start
Schedule tasks
Automatic backup
Logging
Sessions
Session handling overview
Session handling rules
Session handling tracer
Cookie jar
Macros
Session handling rule editor
Rule description
Rule actions
Use cookies from the session handling cookie jar
Set a specific cookie or parameter value
Check session is valid
Make requests to validate session
Inspect responses to determine session validity
Define behavior dependent on session validity
Run a macro to obtain a new valid session
Prompt for in-browser session recovery
Run a post-request macro
Invoke a Burp extension
Set a specific header value
Replace matching part of the request
Tools scope
URL scope
Parameter scope
Macros
Record macro
Configure item
Parameter handling
Custom parameter locations in response
Re-analyze macro
Test macro
Network
Connections
Platform authentication
Timeouts
Upstream proxy servers
SOCKS proxy
TLS
TLS negotiation
Client TLS certificates
Server TLS certificates
Java TLS settings
HTTP
Allowed redirect types
Streaming responses
Status 100 response handling
HTTP/1
HTTP/2
DNS
Preferred IP version for DNS resolution
Hostname resolution overrides
UI
Side panel
Default side panel layout
Inspector widgets
Message editor
Message editor request and response views
HTTP message display
Character sets
HTML rendering
HTTP message search
Uninteresting headers
Hotkeys
Display
Appearance
Scaling
Title bar appearance
Table appearance
Learn tab display
Suite
REST API
Enabling the REST API
Service URL
API key
Updates
Becoming an early adopter
Performance feedback
Logging exceptions to a local directory
Temporary files location
Startup behavior
Automated tasks on startup
Untrusted project files
Maximum Java memory usage
Shutdown behavior
Shutdown confirmation
AI
Extensions
Startup behavior
Load behavior
Java environment
Python environment
Ruby environment
Configuration library
Adding a custom configuration
Importing custom configurations
Exporting custom configurations
Managing custom configurations
Configuration files
Response extraction rules
Burp AI
Getting started with AI in Burp
AI features in Burp
Burp AI in Repeater
Explore Issue
Explainer
Broken access control false positive reduction
AI-powered recorded logins
AI-powered extensions
AI-powered custom actions in Burp Repeater
Security and privacy
AI credits
Buying AI credits
Using AI credits
Extensions
Writing effective prompts for Burp AI
Be specific and clear
Provide relevant context
Give scenario details
Highlight relevant sections
Add notes for context
Use an iterative workflow
Combine with manual analysis
Stay security-focused
Examples
API parameter analysis
Error message investigation
Authentication logic testing
AI security, privacy and data handling
Data security and access
How is my data secured, and who can access it?
Do AI providers store or retain my data?
Does PortSwigger store or retain my data?
How is my data processed when I make AI requests in Burp?
Can I review or delete AI data processed by Burp?
AI configuration
Can I fully disable Burp's AI features?
Does Burp automatically communicate with AI providers?
Which AI provider or model is used in Burp's AI features?
Where are Burp's AI providers hosted?
Can I choose a specific AI provider or model to use?
Do I need a specific network configuration to use Burp's AI features?
Can AI output be configured to align with company or client-specific compliance needs?
Security and privacy in AI-powered extensions
Can I disable AI features for an individual extension?
How can I tell if an extension uses AI?
What data does PortSwigger collect when I use an AI-powered extension?
Does PortSwigger guarantee the behavior of AI-powered extensions?
Troubleshooting AI connectivity
Step 1: Check your internet connection
Step 2: Configure an upstream proxy
Step 3: Identify and resolve an intercepting proxy
Option 1: Allowlist Burp in the intercepting proxy
Option 2: Configure Burp to use your system's trusted certificate store
Option 3: Import the intercepting proxy's certificate into Java's trust store
Scanner
How do scans work?
Crawling
Core approach
Session handling
Detecting changes in application state
Authenticated scanning
Application login credentials
Crawling volatile content
Crawling with Burp's browser
Viewing crawl paths
Auditing
Audit phases
Passive audit phase
Consolidation of frequently-occurring passive issues
Active audit phase
JavaScript analysis phase
Audit prioritization
Attack surface exposure
Interest level
Insertion points
Encoding data within insertion points
Nested insertion points
Modifying parameter locations
Handling of frequently occurring insertion points
Automatic session handling
Handling application errors
Scan configurations
Preset scan modes
Using presets in Burp Suite Professional
Setting preset scan modes for folders
Custom scan configurations
Scan configuration structure
Using custom configurations in Burp Suite Professional
Using custom configurations in Burp Suite DAST
Built-in configurations
Audit checks - all except JavaScript analysis
Audit checks - all except time-based detection methods
Audit checks - BChecks only
Audit checks - critical issues only
Audit checks - extensions only
Audit checks - light active
Audit checks - medium active
Audit checks - passive
Audit coverage - maximum
Audit coverage - thorough
Crawl and Audit - Balanced
Crawl and Audit - CICD Optimized
Crawl and Audit - Deep
Crawl and Audit - Fast
Crawl and Audit - Lightweight
Crawl limit - 10 minutes
Crawl limit - 30 minutes
Crawl limit - 60 minutes
Crawl strategy - faster
Crawl strategy - fastest
Crawl strategy - more complete
Crawl strategy - most complete
Minimize false negatives
Minimize false positives
Never stop audit due to application errors
Never stop crawl due to application errors
Audit settings
Audit behavior
Audit strategy
Audit speed
Audit accuracy
Skip checks unlikely to be effective
Automatically maintain session
Follow redirections where necessary
Allow crawl and audit phases to run in parallel
Total scan time
Issue noise reduction
Audit network timeouts
Handling repeated timeouts during audit
Scan checks
JavaScript analysis
Insertion points strategy
Set insertion point types
Ignore specific insertion points
Handling frequent insertion points
Nested insertion points
Insertion point limits
Payload relocation rules
Crawl settings
Crawl behavior
Crawl strategy
Crawl limits
Crawl network timeouts
Handling repeated timeouts during crawl
Login behavior
Authenticated crawl only
Testing login functions
API crawling
Browser behavior
Discovery logic
Browser-powered scanning
Use cases for browser-powered scanning
Authenticated scanning
Login credentials
How does Burp Scanner use login credentials?
Login settings
Identifying login and registration forms
Why is Burp Scanner not filling in my login forms?
Recorded login sequences
Status checker
Using recorded login sequences
Best practice for recording login sequences
Limitations of recorded login sequences
Tips for recording successful login sequences
Status checker best practices
Troubleshooting recorded login sequences for Burp Suite DAST
Recording login sequences
Preparing the Burp Suite Navigation Recorder extension
Using the extension without incognito mode
Recording a login sequence
Adding recorded login sequences to Burp
Troubleshooting recorded login sequences
Requirements for API scanning
Starting an API scan
Incidental API scanning
API definition requirements
OpenAPI definition requirements
OpenAPI endpoints
SOAP WSDL requirements
Postman Collection requirements
Postman requests
Crawling GraphQL APIs
Scanning single-page apps
Configuring scans of SPAs
Crawl strategy
Routing fragments
Non-standard clickable elements
Burp Scanner error reference
Burp Scanner errors in Burp Suite Professional
Burp Scanner errors in Burp Suite DAST
Vulnerabilities list
BCheck definitions
Managing BChecks in Burp Suite Professional
Managing BChecks in Burp Suite DAST
BCheck definition reference
Metadata
Control flow
Conditionals
Actions
Issue naming
Issue consolidation
Reserved variables
Functions
Combining functions
Misc
Strings
Character escaping
Regex
Comments
Special characters
BCheck structure
Worked examples
In this section
Example host check
Step 1: Add metadata
Step 2: Configure potential paths
Step 3: Configure the request
Step 4: Report issues
Example path check
Step 1: Add metadata
Step 2: Configure file extensions
Step 3: Configure the request
Step 4: Report issues
Example passive check
Step 1: Add metadata
Step 2: Add a string for the check to match
Step 3: Report the issue
Test this BCheck
Example insertion point check
Step 1: Add metadata
Step 2: Define the calculation
Step 3: Send the request
Step 4: Report issues
Example Collaborator-based check
Step 1: Add metadata
Step 2: Configure the request
Step 3: Analyze the results
Test this BCheck
Example Log4Shell check
Step 1: Add metadata
Step 2: Declare variables
Step 3: Send the request
Step 4: Send a follow-up request
Step 5: Report issues
Example server-side prototype pollution check
Step 1: Add metadata
Step 2: Declare variables
Step 3: Attempt to inject SSPP
Step 4: Force an error to check for SSPP
Step 5: Evaluate results and send follow-up request
Step 6: Do a second check for SSPP
Step 7: Report issues
Test this BCheck
Submitting BChecks to the community
Step 1 - Check the submission guidelines
Step 2 - Make a pull request
Step 3 - We review your BCheck
Burp Collaborator
Uses
External service interaction
Out-of-band resource load
Blind SQL injection
Blind cross-site scripting
Server
Private or public server
Deploying a private server
General setup
Setting up the domain and DNS records
Setting up the ports and firewall
Setting up your server resources
Setting up the configuration file
Launching the Collaborator server
Health check and troubleshooting
Basic setup
Example configuration file
Configuration file fields
Alternative configuration fields:
Configuring your private server
Configure TLS certificates
Add a polling interface
Use CNAME settings
Truncate interaction messages
Collect usage metrics
Log interaction information
Add custom HTTP content
Add custom DNS records
Troubleshooting
Collaborator health check
Server domain resolution
Data security
Data storage
Data retrieval
Collaborator-based email addresses
Contents
Results