Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


awesome-burp-extensions

A curated list of amazingly awesome Burp Extensions
https://github.com/snoopysecurity/awesome-burp-extensions

Last synced: 3 days ago

  • Scanners

    • Yara - This extension allows you to perform on-demand Yara scans of websites within the Burp interface based on custom Yara rules that you write or obtain.
    • WordPress Scanner - Find known vulnerabilities in WordPress plugins and themes using WPScan database.
    • Web Cache Deception Burp Extension - This extension tests applications for the Web Cache Deception vulnerability.
    • UUID Detector - This extension passively reports UUID/GUIDs observed within HTTP requests.
    • Software Vulnerability Scanner - This extension scans for vulnerabilities in detected software versions using the Vulners.com API.
    • Reverse Proxy Detector - This extension detects reverse proxy servers.
    • Reflected File Download Checker - This extension checks for reflected file downloads.
    • Headers Analyzer - This extension adds a passive scan check to report security issues in HTTP headers.
    • HeartBleed - This extension adds a new tab to Burp's Suite main UI allowing a server to be tested for the Heartbleed bug. If the server is vulnerable, data retrieved from the server's memory will be dumped and viewed.
    • Image Size Issues - This extension passively detects potential denial of service attacks due to the size of an image being specified in request parameters.
    • CMS Scanner - An active scan extension for Burp that provides supplemental coverage when testing popular content management systems.
    • Detect Dynamic JS - This extension compares JavaScript files with each other to detect dynamically generated content and content that is only accessible when the user is authenticated.
  • Custom Features

    • Distribute Damage - Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle and a context menu to trigger scans from.
    • Scan Manual Insertion Point - This Burp extension lets the user select a region of a request (typically a parameter value), and via the context menu do an active scan of just the insertion point defined by that selection.
    • Add & Track Custom Issues - This extension allows custom scan issues to be added and tracked within Burp.
    • Decoder Improved - Decoder Improved is a data transformation plugin for Burp Suite that better serves the varying and expanding needs of information security professionals.
    • Request Minimizer - This extension performs HTTP request minimization. It deletes parameters that are not relevant such as: random ad cookies, cachebusting nonces, etc.
    • Multi-Browser Highlighting - This extension highlights the Proxy history to differentiate requests made by different browsers. The way this works is that each browser would be assigned one color and the highlights happen automatically.
    • Manual Scan Issues - This extension allows users to manually create custom issues within the Burp Scanner results.
    • Handy Collaborator - Handy Collaborator is a Burp Suite Extension that lets you use the Collaborator tool during manual testing in a comfortable way.
    • Timeinator - Timeinator is an extension for Burp Suite that can be used to perform timing attacks over an unreliable network such as the internet.
    • Burp Bounty - Scan Check Builder - This BurpSuite extension allows you, in a quick and simple way, to improve the active and passive burpsuite scanner by means of personalized rules through a very intuitive graphical interface.
    • Decoder Pro - Burp Suite Plugin to decode and clean up garbage response text.
    • Request Highlighter - Request Highlighter is a simple extension for Burp Suite tool (for both community and professional editions) that provides an automatic way to highlight HTTP requests based on headers content (eg. Host, User-Agent, Cookies, Auth token, custom headers etc.).
    • Wildcard - There are a number of great Burp extensions out there. Most of them create their own tabs.
    • Hackvertor - Hackvertor is a tag-based conversion tool that supports various escapes and encodings including HTML5 entities, hex, octal, unicode, url encoding etc.
    • Custom Send To - Adds a customizable "Send to..."-context-menu to your BurpSuite.
    • IP Rotate - Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request.
    • Taborator - Improved Collaborator client in its own tab.
    • pip3line - Raw bytes manipulation utility, able to apply well known and less well known transformations.
    • Response Pattern Matcher - Adds extensibility to Burp by using a list of payloads to pattern match on HTTP responses highlighting interesting and potentially vulnerable areas.
    • Piper for Burp Suite - Piper Burp Suite Extender plugin.
    • Response Grepper - This Burp extension will auto-extract and display values from HTTP Response bodies based on a Regular Expression.
    • Attack Surface Detector - The Attack Surface Detector uses static code analyses to identify web app endpoints by parsing routes and identifying parameters.
    • Copy Request & Response - The Copy Request & Response Burp Suite extension adds new context menu entries that can be used to simply copy the request and response from the selected message to the clipboard.
    • HaE - Highlighter and Extractor - HaE is used to highlight HTTP requests and extract information from HTTP response messages.
    • Burp-IndicatorsOfVulnerability - Burp extension that checks application requests and responses for indicators of vulnerability or targets for attack
    • BurpSuiteSharpener - This extension should add a number of UI and functional features to Burp Suite to make working with it easier.
    • Burp-Send-To-Extension - Adds a customizable "Send to..."-context-menu to your BurpSuite.
    • Reshaper for Burp - Extension for Burp Suite to trigger actions and reshape HTTP request and response traffic using configurable rules
    • RepeaterClips - The RepeaterClips extension lets you share requests with just two clicks and a paste.
    • Copy Regex Matches - Copy Regex Matches is a Burp Suite plugin to copy regex matches from selected requests and/or responses to the clipboard.
    • match-replace-burp - Useful Match and Replace BurpSuite Rules
    • Backup Finder - A burp suite extension that reviews backup, old, temporary, and unreferenced files on the webserver for sensitive information.
    • Diff Last Response - Diff last response will show the difference between the previous and current response.
    • WebAuthn CBOR Decoder - WebAuthn CBOR is a Burp Extension to decode WebAuthn CBOR format. WebAuthn is a W3C Standard to support strong authentication of users.
    • WebSocket Turbo Intruder - Extension to fuzz WebSocket messages using custom code
    • Conditional Match and Replace (CMAR) - An extension allowing you to create match and replace operations that execute only when a condition is matched (or not matched). The condition can be matched against the request Header/Body/All, or the response Header/Body/All. If the condition is matched, you can apply a match and replace rule against the specified area. You can create a condition that matches a request, then performs a match and replace in the response.
    • BlazorTrafficProcessor (BTP) - A BurpSuite extension to aid pentesting web applications that use Blazor Server/BlazorPack. Primary functionality includes converting BlazorPack messages to JSON and vice versa, introduces tamperability for BlazorPack serialized messages.
    • MagicByteSelector - Burp Suite Extension for inserting a magic byte into responder's request
    • CookieMonster - A Burp Suite plugin to easily manage cookies
    • DNS-Exfilnspector - Automagically decode DNS Exfiltration queries to convert Blind RCE into proper RCE via Burp Collaborator
    • Auto Drop - This extension allows you to automatically Drop requests that match a certain regex. Helpful in case the target has logging or tracking services enabled.
    • HAR Importer - A HAR importer.
    • SocketSleuth - Burp Extension to add additional functionality for pentesting websocket based applications
    • BatchRepeater - BatchRepeater is a BurpSuite extension that enhances the functionality of the Repeater tool by allowing users to send multiple selected HTTP requests to the Repeater in a single action.
    • BadIntent - Intercept, modify, repeat and attack Android's Binder transactions using Burp Suite.
  • Beautifiers and Decoders

    • XChromeLogger Decoder - This extension adds a new tab in the HTTP message editor to display X-ChromeLogger-Data in decoded form.
    • WebSphere Portlet State Decoder - This extension displays the decoded XML state of a WebSphere Portlet in a new tab when the request is viewed.
    • PDF Viewer - This extension adds a tab to the HTTP message viewer to render PDF files in responses.
    • NTLM Challenge Decoder - This extension decodes NTLM SSP headers.
    • JCryption Handler - This extension provides a way to perform manual and/or automatic security assessment of web applications that use the JCryption JavaScript library to encrypt data sent through HTTP methods (GET and POST).
    • JSWS Parser - This extension can be used to parse a response containing a JavaScript Web Service Proxy (JSWS) and generate JSON requests for all supported methods.
    • JSON Decoder - This extension adds a new tab to Burp's HTTP message editor, and displays JSON messages in decoded form.
    • MessagePack - This extension supports: decoding MessagePack requests and responses to JSON format, converting requests from JSON format to MessagePack.
    • Fast Infoset Tester - This extension converts incoming Fast Infoset requests and responses to XML, and converts outgoing messages back to Fast Infoset.
    • BurpAMFDSer - BurpAMFDSer is a Burp plugin that will deserialize/serialize AMF requests and responses to and from XML with the use of the XStream library.
    • .NET Beautifier - A BurpSuite extension for beautifying .NET message parameters and hiding some of the extra clutter that comes with .NET web apps (i.e. __VIEWSTATE).
    • JS Beautifier - Burp Suite JS Beautifier
    • Burp ASN1 Toolbox - ASN.1 toolbox for Burp Suite.
    • JSON JTree viewer for Burp Suite - JSON JTree viewer for Burp Suite.
    • JSON Beautifier - JSON Beautifier for Burp written in Java
    • Browser Repeater - BurpSuite extension for Repeater tool that renders responses in a real browser.
    • GQL Parser - A repository for GraphQL Extension for Burp Suite
    • burp-protobuf-decoder - A simple Google Protobuf Decoder for Burp
    • Deflate Burp Plugin - The Deflate Burp Plugin is a plug-in for Burp Proxy (it implements the IBurpExtender interface) that decompresses HTTP response content in the ZLIB (RFC1950) and DEFLATE (RFC1951) compression formats.
    • Burp Suite GWT wrapper - Burp Suite GWT wrapper
    • GraphQL Beautifier - Burp Suite extension to help make GraphQL requests more readable.
    • Decoder Improved - Improved decoder for Burp Suite.
    • GraphQL Raider - GraphQL Raider is a Burp Suite Extension for testing endpoints implementing GraphQL.
    • Burp Beautifier - BurpBeautifier is a Burp Suite extension for beautifying request/response bodies, supporting JS, JSON, HTML and XML formats, written in Jython 2.7.
    • JSON/JS Beautifier - This is a Burp Extension for beautifying JSON and JavaScript output to make the body parameters more human readable.
    • Burp-Timestamp-Editor - Provides a GUI to view and edit Unix timestamps in Burp message editors.
    • ViewState Editor - This extension allows Burp users to view & edit the contents of ViewState.
    • Cyber Security Transformation Chef - The Cyber Security Transformation Chef (CSTC) is a Burp Suite extension. It is built for security experts to extend Burp Suite by chaining simple operations for each incoming or outgoing message.
    • burp-suite-jsonpath - Burp Suite extension to view and extract data from JSON responses.
  • Scripting

    • Reissue Request Scripter - This extension generates scripts to reissue a selected request.
    • Copy as PowerShell Requests - This extension copies the selected request(s) as PowerShell invocation(s).
    • Copy as Node Request - This extension copies the selected request(s) as Node.JS Request invocations.
    • Python Scripter - This extension allows execution of a custom Python script on each HTTP
    • Burpkit - BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically.
    • Burp Requests - Copy as requests plugin for Burp Suite.
    • Burpy - Portable and flexible web application security assessment tool. It parses the Burp Suite log, performs various tests depending on the module provided and finally generates an HTML report.
    • Buby - A JRuby implementation of the BurpExtender interface for PortSwigger Burp Suite.
    • Burpee - Python object interface to requests/responses recorded by Burp Suite.
    • Burp Jython Tab - Description not available.
    • Burp Buddy - burpbuddy exposes Burp Suites's extender API over the network through various mediums, with the goal of enabling development in any language without the restrictions of the JVM.
    • Copy As Python-Requests - This extension copies selected request(s) as Python-Requests invocations.
    • Copy as JavaScript Request - This Burp Extension copies the selected request to the clipboard as JavaScript Fetch API.
    • BReWSki - BReWSki (Burp Rhino Web Scanner) is a Java extension for Burp Suite that allows user to write custom scanner checks in JavaScript.
    • JScriptor - Pre-Script and Post-Script like Postman extension for Burpsuite
    • BcryptMontoya - BcryptMontoya is a powerful plugin for Burp Suite that allows you to effortlessly modify HTTP requests and responses passing through the Burp Suite proxy using Jython code or gRPC, especially when dealing with encrypted requests.
    • Kollaborator Module Builder - Burp suite extension to build and handle collaborator interaction.
  • OAuth and SSO

    • SAML Encoder/Decoder - This extension adds a new tab to Burp's main UI, allowing encoding and decoding of SAML (Security Assertion Markup Language) formatted messages.
    • SAML Editor - This extension adds a new tab to Burp's HTTP message editor, allowing encoding and decoding of SAML (Security Assertion Markup Language) formatted messages.
    • PeopleSoft Token Extractor - This extension helps test PeopleSoft SSO tokens.
    • JSON Web Token Attacker - This extension helps to test applications that use JavaScript Object Signing and Encryption, including JSON Web Tokens.
    • JSON Web Tokens - This extension lets you decode and manipulate JSON web tokens on the fly, check their validity and automate common attacks against them.
    • SAMLReQuest - Enables you to view, decode, and modify SAML requests and responses.
    • Burp OAuth - OAuth plugin for Burp Suite Extender.
    • EsPReSSO - An extension for BurpSuite that highlights SSO messages in Burp's proxy window.
    • Dupe Key Injector - Dupe Key Injector is a Burp Suite extension implementing Dupe Key Confusion, a new XML signature bypass technique presented at BSides/BlackHat/DEFCON 2019 in the "SSO Wars: The Token Menace" presentation.
    • OAUTHScan - OAUTHScan is a Burp Suite Extension written in Java with the aim to provide some automatic security checks, which could be useful during penetration testing on applications implementing OAUTHv2 and OpenID standards.
    • JWT Re-auth - Burp plugin to cache authentication tokens from an "auth" URL, and then add them as headers on all requests going to a certain scope.
    • OAuthv1 - Signing - The purpose of this extension is to provide an additional authentication method that is not natively supported by Burp Suite. Currently, this tool only supports OAuth v1.
    • JWT Editor - A Burp Suite extension for creating and editing JSON Web Tokens.
    • SignSaboteur - SignSaboteur is a Burp Suite extension for editing, signing, verifying various signed web tokens
  • Information Gathering

    • Google Hack - This extension provides a GUI interface for setting up and running Google Hacking queries, and lets you add results directly to Burp's site map.
    • Site Map Extractor - This extension extracts information from the Site Map. You can use the full site map or just in-scope items.
    • Site Map Fetcher - This extension fetches the responses of unrequested items in the site map.
    • Attack Surface Detector - The Attack Surface Detector uses static code analyses to identify web app endpoints by parsing routes and identifying parameters.
    • PwnBack/Wayback Machine - Burp Extender plugin that generates a sitemap of a website using Wayback Machine.
    • Directory File Listing Parser Importer - This is a Burp Suite extension in Python to parse a directory and file listing text file of a web application.
    • Burp CSJ - This extension integrates Crawljax, Selenium and JUnit together. The intent of this extension is to aid web application security testing, increase web application crawling capability and speed-up complex test-cases execution.
    • domain_hunter - A Burp Suite extender that tries to find sub-domains, similar domains and related domains of an organization, not only a single domain.
    • BigIP Discover - An extension for Burp Suite. The cookie set by a BigIP server may include a private IP; this extension detects that IP.
    • Asset Discover - Burp Suite extension to discover assets from HTTP response using passive scanning.
    • Dr. Watson - Dr. Watson is a simple Burp Suite extension that helps find assets, keys, subdomains, IP addresses, and other useful information.
    • Subdomain Extractor - A very simple, straightforward extension to export sub domains from Burp using a context menu option.
    • SAN Scanner - SAN Scanner is a Burp Suite extension for enumerating associated domains & services via the Subject Alt Names section of SSL certificates.
    • Add to sitemap++ - Add to sitemap++ is a BURP extension that can read URLs from files or clipboard and add the discovered information on the site map of the selected host(s).
    • Look Over There - This is a Burp Suite extension to help Burp know where to look during scanning.
  • Vulnerability Specific Extensions

    • Cross-site scripting

      • DOM XSS Checks - This Burp Suite plugin passively scans for DOM-Based Cross-Site Scripting.
      • Burp Hunter - XSS Hunter Burp Plugin.
      • Reflector - Burp plugin able to find reflected XSS on page in real-time while browsing on site
      • BitBlinder - Burp extension helps in finding blind xss vulnerabilities
      • JavaScript Security - A Burp Suite extension which performs checks for cross-domain scripting against the DOM, subresource integrity checks, and evaluates JavaScript resources against threat intelligence data.
      • Reflected Parameters - This extension monitors traffic and looks for request parameter values (longer than 3 characters) that are reflected in the response.
      • jsonp - jsonp is a Burp Extension which attempts to reveal JSONP functionality behind JSON endpoints. This could help reveal cross-site script inclusion vulnerabilities or aid in bypassing content security policies.
      • feminda - An automated blind-xss search plugin for Burp Suite.
      • XSS Cheatsheet - An extension to incorporate PortSwigger's Cross-site scripting cheat sheet in to Burp.
      • XSS Validator - This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
    • Broken Access Control

      • Auto Repeater - This extension automatically repeats requests, with replacement rules and response diffing. It provides a general-purpose solution for streamlining authorization testing within web applications.
      • AuthMatrix - AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
      • Autorize - Automatic authorization enforcement detection extension for Burp Suite, written in Jython and developed by Barak Tawily to ease the work of application security people and allow them to perform automatic authorization tests.
      • AutoRepeater - Automated HTTP Request Repeating With Burp Suite.
      • UUID issues for Burp Suite - UUID issues for Burp Suite.
      • Authz - Burp plugin to test for authorization flaws.
      • Paramalyzer - Paramalyzer - Burp extension for parameter analysis of large-scale web application penetration tests.
      • Burp SessionAuth - Burp plugin which supports in finding privilege escalation vulnerabilities.
      • IncrementMe Please - Burp extension to increment a parameter in each active scan request.
      • Auth Analyzer - This Burp Extension helps you to find authorization bugs by repeating Proxy requests with self defined headers and tokens.
      • Burplay/Multi Session Replay - Burplay is a Burp Extension allowing for replaying any number of requests using same modifications definition. Its main purpose is to aid in searching for Privilege Escalation issues.
      • AdminPanelFinder - A burp suite extension that enumerates infrastructure and application Admin Interfaces (OWASP OTG-CONFIG-005)
    • Cross-Site Request Forgery

      • Match/Replace Session Action - This extension provides match and replace functionality as a Session Handling Rule.
      • CSRF Token Tracker - This extension provides a sync function for CSRF token parameters.
      • CSRF Scanner - CSRF Scanner Extension for Burp Suite Pro.
      • CSurfer - CSurfer is a CSRF guard hiding extension that keeps track of the latest guard value per session and updates new requests accordingly.
      • Additional CSRF Checks/EasyCSRF - EasyCSRF helps to find weak CSRF-protection in WebApp which can be easily bypassed.
      • Token Rewrite - This extension lets you search for specific values like CSRF tokens in responses and use their values to modify parameters in future requests or set a cookie.
      • burp-multistep-csrf-poc - Burp extension to generate multi-step CSRF POC.
      • Anti-CSRF Token From Referer - The extension works by registering a new session handling rule called "Anti-CSRF token from referer".
      • burp-samesite-reporter - Burp extension that passively reports various SameSite flags.
    • Deserialization

      • PHP Object Injection Check - This extension adds an active scan check to find PHP object injection vulnerabilities.
      • Java Serialized Payloads - This extension generates various Java serialized payloads designed to execute OS commands.
      • Freddy, Deserialization Bug Finder - Helps with detecting and exploiting serialization libraries/APIs.
      • CustomDeserializer - This extension speeds up manual testing of web applications by performing custom deserialization.
      • BurpJDSer - BurpJDSer is a Burp plugin that will deserialize/serialize Java requests and responses to and from XML with the use of the XStream library.
      • Java-Deserialization-Scanner - All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities.
      • Java Serial Killer - Burp extension to perform Java Deserialization Attacks.
      • BurpJDSer-ng - Allows you to deserialize java objects to XML and lets you dynamically load classes/jars as needed.
      • PHP Object Injection Slinger - Designed to help you find PHP Object Injection vulnerabilities on popular PHP Frameworks.
      • GadgetProbe - This extension augments Intruder to probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
      • fastjson-check - fastjson payload creator
    • Sensitive Data Exposure

      • Param Miner - This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
      • MindMap Exporter - Aids with documentation of the following OWASP Testing Guide V4 tests: OTG-INFO-007: Map execution paths through application, OTG-INFO-006: Identify application entry points.
      • Image Location and Privacy Scanner - Passively scans for GPS locations or embedded privacy related exposure (like camera serial numbers) in images during normal security assessments of websites via a Burp plug-in.
      • Image Metadata - This extension extracts metadata present in image files. The information found is rarely critical, but it can be useful for general reconnaissance. This information can include the usernames of those who created the files, local paths and technologies used.
      • ExifTool Scanner - This Burp extension reads metadata from various filetypes (JPEG, PNG, PDF, DOC, XLS and much more) using ExifTool. Results are presented as Passive scan issues and Message editor tabs.
      • SSL Scanner - This extension enables Burp to scan for SSL vulnerabilities.
      • Burp Smart Buster - A Burp Suite content discovery plugin that adds the smart into the Buster!
      • PDF Metadata - The PDF Metadata Burp Extension provides an additional passive Scanner check for metadata in PDF files.
      • SpyDir - BurpSuite extension to assist with Automated Forced Browsing/Endpoint Enumeration.
      • Burp Hash - Many applications will hash parameters such as ID numbers and email addresses for use in secure tokens, like session cookies.
      • Interesting Files Scanner - Interesting Files Scanner extends Burp Suite's active scanner, with scans for interesting files and directories. A main feature of the extension is the check for false positives with tested patterns for each case.
      • BeanStack - Stack-trace Fingerprinter - Java Fingerprinting using Stack Traces. Note that this extension sends potentially private stack-traces to a third party for processing.
      • JS Link Finder - Burp Extension for passively scanning JavaScript files for endpoint links. Exports results to a text file and can exclude specific 'js' files, e.g. jquery, google-analytics.
      • Xkeys - A Burp Suite Extension to extract interesting strings (key, secret, token, etc.) from a webpage and list them as information issues.
      • HTTP Methods Discloser - This extension makes an OPTIONS request and determines if HTTP methods other than the original request's are available.
      • Burp JS Miner - This tool tries to find interesting stuff inside static files; mainly JavaScript and JSON files.
      • Levo Burp Extension - Build OpenApi specs from Burp's traffic using Levo.ai. Also detect and classify the PII, and annotate specs with the PII details.
      • Headers Burp Extension - It removes the hassle of reporting missing security headers in your pentest reports.
      • Sensitive Discoverer - Sensitive Discoverer, a Burp extension to discover sensitive information inside HTTP messages.
      • Directory Importer - This is a Burp Suite plugin for importing directory bruteforcing results into Burp for further analysis.
      • Secret Finder (beta v0.1) - A Burp Suite extension to help pentesters discover API keys, access tokens and other sensitive data using regular expressions.
      • CYS4-SensitiveDiscoverer - CYS4-SensitiveDiscoverer is a Burp Suite tool used to extract Regular Expression or File Extension matches from HTTP responses automatically, at the end of all tests or during the test.
    • SQL/NoSQL Injection

      • SQLiPy Sqlmap Integration - This extension integrates Burp Suite with SQLMap.
      • InjectMate - Burp Extension that generates payloads for XSS, SQLi, and Header injection vulns
      • Burptime - Show time cost in Burp proxy history; it's useful when testing time-based SQL injection.
      • SQLi Query Tampering - SQLi Query Tampering extends and adds custom Payload Generator/Processor in Burp Suite's Intruder.
      • Burp NoSQLi Scanner - NoSQL Injection scans for Burp
      • SQLMap DNS Collaborator - SqlmapDnsCollaborator is a Burp Extension that lets you perform DNS exfiltration with Sqlmap with zero configuration needed.
      • SQLiPy - SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
      • burp-xss-sql-plugin - Publishing plugin which I used for years which helped me to find several bugbounty-worthy XSSes, OpenRedirects and SQLi.
    • XXE

      • Office OpenXML Editor - Burp extension that adds a tab to edit Office Open XML documents (xlsx, docx, pptx).
    • Insecure File Uploads

      • Upload Scanner - A Burp Suite Pro extension to do security tests for HTTP file uploads.
      • File Upload Traverser - This extension verifies if file uploads are vulnerable to directory traversal vulnerabilities.
      • ZIP File Raider - Burp Extension for ZIP File Payload Testing.
    • Session Management

      • Burp Wicket Handler - Used as part of Burp's Session Handling; record a macro which just gets the page you want to submit.
      • TokenJar - This extension provides a way of managing tokens like anti-CSRF, CSurf, Session IDs.
      • Token Incrementor - A simple but useful extension to increment a parameter in each request, intended for use with Active Scan.
      • Session Auth - This extension can be used to identify authentication privilege escalation vulnerabilities.
      • Session Timeout Test - This extension attempts to determine how long it takes for a session to timeout at the server.
      • Session Tracking Checks - This extension checks for the presence of known session tracking sites.
      • ExtendedMacro - This extension provides a similar but extended version of the Burp Suite macro feature.
      • Request Randomizer - This extension registers a session handling rule which places a random value into a specified location within requests.
      • BearerAuthToken - This Burp Suite extender provides a solution for testing enterprise applications that include security authorization tokens in every HTTP request.
      • Add Request to Macro - This Burp extension lets you add a request to an existing macro.
      • Cookie Decrypter - A Burp Suite Professional extension for decrypting/decoding various types of cookies.
      • Authentication Token Obtain and Replace (ATOR) - The plugin is created to help automated scanning using Burp in certain session management scenarios.
      • Session-Handler-Plus - The Session Handler Plus (SH+) Burp Suite extension offers enhanced session handling capabilities for JWTs, access tokens, refresh tokens, and CSRF tokens. Additionally, it allows for custom scripts to be launched through session handling actions, and facilitates the triggering of Selenium automation to execute complex or JavaScript based login procedures.
      • Token Extractor - This extension allows tokens to be extracted from a response and replaced in requests.
      • AuthHeader Updater - Burp extension to specify the token value for the Authentication header while scanning.
    • Directory Traversal

      • Uploader - Burp extension to test for directory traversal attacks in insecure file uploads.
      • off-by-slash - Burp extension to detect alias traversal via NGINX misconfiguration at scale.
    • Command Injection

    • Template Injection

      • tplmap Burp Extension - Burp extension for Tplmap, a Server-Side Template Injection and Code Injection Detection and Exploitation Tool.
    • CORS Misconfigurations

    • Type Confusion

      • Type Confusion Extension - This Burp Extension was created by Certus Cybersecurity to help find type confusion vulnerabilities in applications.
    • SSRF

      • Encode IP - This extension will encode an IP address using a variety of lesser-known encoding techniques
  • Web Application Firewall Evasion

    • WAFDetect - This extension passively detects the presence of a web application firewall (WAF) from HTTP responses.
    • Bypass WAF - Add headers to all Burp requests to bypass some WAF products.
    • Random IP Address Header - This extension automatically generates IPv6 and IPv4 fake source address headers to evade WAF filtering.
    • What-The-WAF - This extension adds a custom payload type to the Intruder tool, to help test for bypasses of Web Application Firewalls (WAFs).
    • WAF Cookie Fetcher - This extension allows web application security testers to register various types of cookie-related session handling actions to be performed by the Burp session handling rules.
    • BurpSuiteHTTPSmuggler - A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques.
    • Chunked coding converter - This extension uses the Transfer-Encoding (chunked) technique to bypass WAFs.
    • LightBulb WAF Auditing Framework - LightBulb is an open source Python framework for auditing web application firewalls and filters.
    • 403Bypasser - A Burp Suite extension made to automate the process of bypassing 403 pages.
    • JSON Escaper - The JSON Escaper Burp Suite plugin simplifies the process of escaping JSON payloads for pentesters, as there is no built-in option for this in Burp.
    • Awesome TLS - This extension overrides Burp Suite's default HTTP and TLS stack to make it immune to WAF fingerprinting methods such as JA3, HTTP2 frames, etc.
    • WAF Bypadd - This Burp Suite extension is designed to bypass Web Application Firewalls (WAFs) by padding HTTP requests with dummy data.
  • Logging and Notes

    • Burp Notes - Burp Notes Extension is a plugin for Burp Suite that adds a Notes tab. The tool aims to better organize external files that are created during penetration testing.
    • Logger++ - Burp Suite Logger++: Log activities of all the tools in Burp Suite.
    • Burp Dump - A Burp plugin to dump HTTP(S) requests/responses to a file system.
    • Burp SQLite logger - SQLite logger for Burp Suite.
    • Burp Git Version - Description not available.
    • Burp Commentator - Generates comments for selected request(s) based on regular expressions.
    • Burp Suite Importer - Connect to multiple web servers while populating the sitemap.
    • Burp Replicator - Burp extension to help developers replicate findings from pen tests.
    • Notes - This extension adds a new tab to Burp's UI, for taking notes and organizing external files that are created during penetration testing.
    • Log Requests to SQLite - This extension keeps a trace of every HTTP request that has been sent via Burp, in an SQLite database. This is useful for keeping a record of exactly what traffic a pen tester has generated.
    • Log Requests to SQLite - Burp extension to record every HTTP request sent via Burp and create an audit trail log of an assessment.
    • Burp Response Clusterer - Burp plugin that clusters responses to show an overview of received responses.
    • Burp Collect500 - Burp plugin that collects all HTTP 500 messages.
    • Sink Logger - Sink Logger is a Burp Suite Extension that allows you to transparently monitor various JavaScript sinks.
    • Log Viewer - Lets you view log files generated by Burp in a graphical environment.
    • Rapid - A fairly simple Burp Suite extension that enables you to save HTTP Requests and Responses to files a lot faster and in one go.
    • Scope Monitor - A Burp Suite Extension to monitor and keep track of tested endpoints.
    • Progress Tracker - Burp Suite extension to track vulnerability assessment progress.
    • Pentest Mapper - A Burp Suite Extension for Application Penetration Testing to map flows and vulnerabilities and write test cases for each flow, API and HTTP request.
    • Flow - This extension provides a Proxy history-like view along with search filter capabilities for all Burp tools.
    • Custom Logger - This extension adds a new tab to Burp's main UI containing a simple log of all requests made by all Burp tools.
    • Burp Savetofile - BurpSuite plugin to save just the body of a request or response to a file.
    • Burp Scope Monitor Extension - A Burp Suite Extension to monitor and keep track of tested endpoints.
    • Bookmarks - A Burp Suite extension to bookmark requests for later, instead of those 100 unnamed repeater tabs you've got open.
  • Payload Generators and Fuzzers

    • Bradamsa - Burp Suite extension to generate Intruder payloads using Radamsa.
    • Payload Parser - Burp Extension for parsing payloads containing/excluding characters you provide.
    • Burp Luhn Payload Processor - A plugin for Burp Suite Pro to work with attacker payloads and automatically generate check digits for credit card numbers and similar numbers that end with a check digit generated using the Luhn algorithm or formula (also known as the "modulus 10" or "mod 10" algorithm).
    • Gather Contacts - A Burp Suite Extension to pull Employee Names from Google and Bing LinkedIn Search Results.
    • Blazer - Burp Suite AMF Extension.
    • Wordlist Extractor - Scrapes all unique words and numbers for use with password cracking.
    • PsychoPATH - This extension provides a customizable payload generator, suitable for detecting a variety of file path vulnerabilities in file upload and download functionality.
    • Meth0dMan - This extension helps with testing HTTP methods. It generates custom Burp Intruder payloads based on the site map, allowing quick identification of several HTTP method issues.
    • Intruder Time Payloads - This extension lets you include the current epoch time in Intruder payloads.
    • reCAPTCHA - A Burp plugin that automatically recognizes graphical verification codes (CAPTCHAs) for use as payloads in Intruder.
    • Virtual Host Payload Generator - Burp extension providing a set of values for the HTTP request Host header for the Burp Intruder in order to abuse virtual host resolution.
    • Turbo Intruder - Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
    • Username Generator - This is a Python extension that will parse email addresses out of selected URLs from the target tab and display them in the output window of the Extensions tab.
    • LogicalFuzzingEngine - A Burp Suite extension written in Python to perform basic validation fuzzing.
    • Hashcat Maskprocessor Intruder Payloads - Burp Hashcat Maskprocessor Extension, inspired by hashcat maskprocessor https://github.com/hashcat/maskprocessor
    • Fuzzy Encoding Generator - This extension allows a user to quickly test various encodings for a given value in Burp Intruder.
    • HopLa - This extension adds autocompletion support and useful payloads in Burp Suite to make your intrusion easier.
    • Intruder File Payload Generator - This extension provides a way to use file contents and filenames as Intruder payloads.
    • HackBar - HackBar plugin for Burpsuite v1.0.
    • burpContextAwareFuzzer - BurpSuite's payload-generation extension aiming at applying fuzzed test-cases depending on the type of payload (integer, string, path; JSON; XML; GWT; binary) and following the encoding scheme applied originally.
    • Adhoc Payload Processors - Generate payload processors on the fly, without having to create individual extensions.
    • Agartha - LFI, RCE, SQLi, Authentication, Authorization and Copy as JavaScript - Agartha is a penetration testing tool which creates dynamic payload lists and a user access matrix to reveal injection flaws and authentication/authorization issues.
    • ParaForge - ParaForge is a simple Burp Suite extension to extract the parameters and endpoints from the request to create a custom wordlist for fuzzing and enumeration.
    • Sheet Intruder - Sheet Intruder is a Burp Suite extension designed to simplify the process of fuzzing for Excel file uploads. It works by representing the content of an Excel file as a tag, which can then be integrated into various locations. This tag then allows configuration such as replacements for fuzzing targets.
    • URL Fuzzer 401/403 Bypass - A Burp extension to fuzz URLs for HTTP parser inconsistencies.
    • CO2 - A collection of enhancements for Portswigger's popular Burp Suite web penetration testing tool.
    • GAP (Get All Parameters, Links, and Words) - This extension helps find potential endpoints, parameters, and generate a custom target wordlist.
    • Stepper - Stepper is designed to be a natural evolution of Burp Suite's Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.
  • Cryptography

    • WhatsApp Protocol Decryption Burp Tool - This tool was created during our research on the WhatsApp protocol.
    • AES Burp/AES Payloads - Burp Extension to manipulate AES encrypted payloads.
    • Crypto Attacker - The extension helps detect and exploit some common crypto flaws.
    • AES Killer - Burp plugin to decrypt AES encrypted traffic of mobile apps on the fly.
    • TLS-Attacker-BurpExtension - The extension is based on the TLS-Attacker and developed by the Chair for Network and Data Security from the Ruhr-University Bochum to assist pentesters and security researchers in the evaluation of TLS server configurations with Burp Suite.
    • Resign v2.0 - A Burp extender that recalculates the signature value automatically after you modify a request parameter value; you need to know the signature algorithm details and configure them in the GUI.
    • BurpCrypto - Burpcrypto is a collection of Burp Suite encryption plug-ins, supporting AES/RSA/DES/ExecJs (execute JS encryption code in Burp Suite).
    • Padding Oracle Hunter - Padding Oracle Hunter is a Burp Suite extension that helps penetration testers quickly identify and exploit the PKCS#7 and PKCS#1 v1.5 padding oracle vulnerability.
    • PyCript - Burp Suite extension that allows for bypassing client-side encryption using custom logic for manual and automation testing with Python and NodeJS. It enables efficient testing of encryption methods and identification of vulnerabilities in the encryption process.
    • Add To TLS Pass Through Extension - Burp Extension to add context menus for configuration of the Add to TLS Pass Through setting.
    • Length Extension Attacks - This extension lets you perform hash length extension attacks on weak signature mechanisms.
  • Web Services

    • Template Injection

      • WCF-Binary-SOAP-Plug-In - This is a Burp Suite plug-in designed to encode and decode WCF Binary Soap request and response data ("Content-Type: application/soap+msbin1).
      • WSDL Wizard - WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files.
      • BurpWCFDSer - BurpWCFDSer is a Burp plugin that will deserialze/serialize WCF request and response to and from XML.
      • JSWS - Burp Extenstion to parse JavaScript WebService Proxies and create sample requests.
      • POST2JSON - Burp Suite Extension to convert a POST request to JSON message, moving any .NET request verification token to HTTP headers if present.
      • WCF Deserializer - This extension allows Burp to view and modify binary SOAP objects.
      • Postman Integration - This extension integrates with the Postman tool by generating a Postman collection JSON file.
      • Burp Non HTTP Extension - Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
      • WCF-Binary-SOAP-Plug-In - This is a Burp Suite plug-in designed to encode and decode WCF Binary Soap request and response data ("Content-Type: application/soap+msbin1).
      • WSDL Wizard - WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files.
      • BurpWCFDSer - BurpWCFDSer is a Burp plugin that will deserialze/serialize WCF request and response to and from XML.
      • JSWS - Burp Extenstion to parse JavaScript WebService Proxies and create sample requests.
      • POST2JSON - Burp Suite Extension to convert a POST request to JSON message, moving any .NET request verification token to HTTP headers if present.
      • WCF Deserializer - This extension allows Burp to view and modify binary SOAP objects.
      • Swurg - Swurg is a Burp Suite extension designed for OpenAPI testing.
      • Postman Integration - This extension integrates with the Postman tool by generating a Postman collection JSON file.
      • OpenAPI Parser - Parse OpenAPI specifications, previously known as Swagger specifications, into the BurpSuite for automating RESTful API testing – approved by Burp for inclusion in their official BApp Store.
      • Content Type Converter - Burp extension to convert XML to JSON, JSON to XML, x-www-form-urlencoded to XML, and x-www-form-urlencoded to JSON.
      • WCFDSer-ngng - A Burp Extender plugin, that will make binary soap objects readable and modifiable.
      • UPnP Hunter - This extension finds active UPnP services/devices and extracts the related SOAP requests (IPv4 and IPv6 are supported), it then analyzes them using any of the various Burp tools (i.e. Intruder, Repeater)
      • burp-suite-swaggy - Burp Suite extension for parsing Swagger web service definition files.
      • Burp WS-Security - This extension calculates a valid WS-Security token for every request (in Proxy, Scanner, Intruder, Repeater, Sequencer, Extender) and replaces variables in these requests with the valid token.
      • JSON Decoder - This extension adds a new tab to Burp's HTTP message editor, and displays JSON messages in decoded form.
      • WSDLer - WSDL Parser extension for Burp.
      • 5GC_API_parse - 5GC API parse is a BurpSuite extension for assessing 5G core network functions: it parses OpenAPI 3.0 specifications, which the previous OpenAPI extension in Burp did not support, and generates requests for intrusion-testing purposes.
      • SwaggerParser-BurpExtension - With this extension, you can parse Swagger Documents. You can view the parsed requests in the table and send them to Repeater, Intruder, Scanner.
  • Tool Integration

      • Report To Elastic Search - This extension passes along issues discovered by Burp to either stdout or an ElasticSearch database.
      • Qualys WAS - The Qualys WAS Burp extension provides a way to easily push Burp scanner findings to the Web Application Scanning (WAS) module within the Qualys Cloud Platform.
      • NMAP Parser - This extension provides a GUI interface for parsing Nmap output files, and adding common web application ports to Burp's target scope.
      • WebInspect Connector - Binary-only repository for the HP WebInspect Connector, authored by HP.
      • Faraday - This extension integrates Burp with the Faraday Integrated Penetration-Test Environment.
      • Git Bridge - This extension lets Burp users store Burp data and collaborate via git. Users can right-click supported items in Burp to send them to a git repo and use the Git Bridge tab to send items back to the originating Burp tools.
      • Issue Poster - This extension can be used to post details of discovered Scanner issues to an external web service.
      • Code Dx - This extension uploads scan reports directly to CodeDx, a software vulnerability correlation and management system.
      • ElasticBurp - This extension stores requests and responses from selected Burp tools in an ElasticSearch index including metadata like headers and parameters.
      • Burp Dirbuster - Dirbuster plugin for Burp Suite.
      • Pcap Importer - This extension enables Pcap and Pcap-NG files to be imported into the Burp Target site map, and passively scanned.
      • Burp Chat - This extension enables collaborative usage of Burp using XMPP/Jabber. You can send items between Burp instances by connecting over a chat session.
      • ThreadFix - This extension provides an interface between Burp and ThreadFix.
      • Nessus Loader - This extension parses a Nessus scan XML file to detect web servers. Any web servers discovered are added to the site map.
      • Peach API Integration - This Burp plugin provides integration between Burp and Peach API Security.
      • YesWeBurp - YesWeBurp is an extension for BurpSuite allowing you to access all your https://yeswehack.com/ bug bounty programs directly inside Burp.
      • Nucleus Burp Extension - This extension allows Burp Suite scans to be pushed to the Nucleus platform.
      • Import To Sitemap - Import To Sitemap is a Burp Suite Extension to import wstalker CSV file or ZAP export file into Burp Sitemap.
      • bbrf-burp-plugin - Burp extension for the Bug Bounty Reconnaissance Framework.
      • GAT Security Platform Integration - Burp extension for integration with GAT Digital.
      • Nuclei Template Generator Burp Plugin - A BurpSuite plugin intended to help with nuclei template generation.
      • Semgrepper - The current project provides a Burp Suite extension to allow users to include Semgrep results to extend the checks in use by the passive scanner.
      • Burptrast - Burptrast is designed to pull endpoint information from Teamserver and import it into Burp's sitemap.
      • Dradis Framework - This extension integrates Burp with the Dradis Framework.
      • Faction Burp Suite Extension - This Burp Suite Extension allows you to integrate BurpSuite into the Faction assessment collaboration framework.
      • Brida - Brida is a Burp Suite Extension that, working as a bridge between Burp Suite and Frida, lets you use and manipulate applications' own methods while tampering with the traffic exchanged between the applications and their back-end services/servers.
  • Misc

      • Burp Rest API - REST/JSON API to the Burp Suite security tool.
      • Burpa - A Burp Suite Automation Tool.
      • CVSS Calculator - This extension calculates CVSS v2 and v3 scores of vulnerabilities.
      • Burp Uniqueness - Uniqueness plugin for Burp Suite.
      • Sample Burp Suite extension: custom scanner checks - Sample Burp Suite extension: custom scanner checks
      • Burp Bing translator - Testing non-English web apps is pretty straightforward, since you can just use a browser extension to translate what you see on screen.
      • knife - A Burp extension that adds some useful functions to the context menu, including *one key to update cookie* and *one key to add host to scope* entries in the right-click context menu, and *insert payload* (from Hackbar or self-configured) into the current request.
      • Similar Request Excluder - A Burp Suite extension that automatically marks similar requests as 'out-of-scope'.
      • jython-burp-api - Develop Burp extensions in Jython.
      • Jython Burp Extensions - Description not available.
      • Add Custom Header - A Burp Suite extension to add a custom header (e.g. JWT).
      • Target Redirector - This extension allows you to redirect requests to a particular target by replacing an incorrect target hostname/IP with the intended one. The Host header can optionally also be updated.
      • Similar Request Excluder - Similar Request Excluder is an extension that enables you to automatically reduce the target scope of your active scan by excluding similar (and therefore redundant) requests.
      • Request Timer - This extension captures response times for requests made by all Burp tools. It could be useful in uncovering potential timing attacks.
      • Response Clusterer - This extension clusters similar responses together, and shows a summary with one request/response per cluster. This allows the tester to get an overview of the tested website's responses from all Burp Suite tools.
      • Autowasp - A Burp Suite extension that integrates Burp issue logging with the OWASP Web Security Testing Guide (WSTG) to provide a streamlined web security testing flow for the modern-day penetration tester.
      • Kerberos Authentication - This extension provides support for performing Kerberos authentication. This is useful for testing in a Windows domain when NTLM authentication is not supported.
      • JVM Property Editor - This extension allows the user to view and modify JVM system properties while Burp is running.
      • Lair - This extension provides the facility to send Burp Scanner issues directly to a remote Lair project.
      • Google Authenticator - This Burp Suite extension turns Burp into a Google Authenticator client.
      • Carbonator - This extension provides a command-line interface to automate the process of configuring target scope, spidering and scanning.
      • Custom Parameter Handler - This extension provides a simple way to modify any part of an HTTP message, allowing manipulation with surgical precision even (and especially) when using macros.
      • Proxy Auto Config - This extension automatically configures Burp upstream proxies to match desktop proxy settings.
      • Proxy Action Rules - This extension can automatically forward, intercept, and drop proxy requests while actively displaying proxy log information and centralizing list management.
      • Perfmon - Perfmon is an extension for Burp Suite that shows information about threads, memory being used, and memory allocated.
      • Unicode To Chinese - A Burp Suite extension that converts Unicode to Chinese.
      • Curlit - Burp Python plugin to turn requests into curl commands.
      • Replicator - Replicator helps developers to reproduce issues discovered by pen testers.
      • GWT Insertion Points - This extension automatically identifies insertion points for GWT (Google Web Toolkit) requests when sending them to the active Scanner or Burp Intruder.
      • Headless Burp - This extension allows you to run Burp Suite's Spider and Scanner tools in headless mode via the command-line.
      • HTTP Mock - This Burp extension provides mock responses that can be customized, based on the real ones.
      • Batch Scan Report Generator - This extension can be used to generate multiple scan reports by host with just a few clicks.
      • Decompressor - Often, HTTP traffic is compressed by the server before it is sent to the client in order to reduce network load.
      • CFURL Cache inspector for Burp Suite - CFURL Cache inspector for Burp Suite.
      • BurpSuite-Team-Extension - This Burpsuite plugin allows for multiple web app testers to share their proxy history with each other in real time.
      • BurpelFish - Adds Google Translate to Burp's context menu.
      • BlockerLite - Simple Burp extension to drop blacklisted hosts.
      • Burp-Quicker-Context-Extension - This extension adds the "Quicker Context" dialog which is a lightweight dialog to select tabs or execute application- and context-menu-entries more easily by typing parts of the name or choosing one stored in history.
      • Tea Break - Burp Suite extension to increase productivity among bug bounty hunters and security researchers, prompting you to take a break after a set time to avoid burnout and health issues.
      • Burp Share Requests - This Burp Suite extension enables the generation of shareable links to specific requests which other Burp Suite users can import.
      • Turbo Data Miner - This extension adds a new tab, Turbo Miner, to Burp Suite's GUI as well as a new entry, Process in Turbo Miner, to Burp Suite's context menu. In the new tab, you can write new or select existing Python scripts that are executed on each request/response item currently stored in the Proxy History or Site Map, or on each request/response item that is sent or received by Burp Suite.
      • BugPoC - Burp Suite Extension to send raw HTTP Requests to BugPoC.com.
      • uproot-JS - Extract JavaScript files from burp suite project with ease.
      • OData Explorer - OData Explorer is a Burp Suite extension specifically designed for black-box security testing of OData services.
      • Copy to Bcheck - The purpose of this extension is to streamline the process of creating simple bcheck scripts, reducing the time required to generate them.
      • Copy Headers As -H Arguments - The "Copy Headers As -H Arguments" Burp Suite extension adds a new context menu entry that will copy the headers from the selected request to the clipboard in various formats.
      • FixerUpper - A Burp extension to enable modification of FIX messages when relayed from MitM_Relay.
      • SourceMapper - This is a Burpsuite extension for injecting offline source maps for easier JavaScript debugging.
      • Hackbar - HackBar plugin for Burpsuite v1.0.
      • Filter Options Method - Burp extension that filters out OPTIONS requests from populating Burp's Proxy history.
      • HUNT - HUNT Suite is a collection of Burp Suite Pro/Free and OWASP ZAP extensions. Identifies common parameters vulnerable to certain vulnerability classes (Burp Suite Pro and OWASP ZAP). Organize testing methodologies (Burp Suite Pro and Free).
      • Kerberos Upstream Proxy Extension for Burp Suite - An extension to allow the use of Burp Suite with an upstream proxy that requires Kerberos authentication.
      • burp-suite-paste-curl - Burp Suite extension to allow pasting cURL commands into a new tab in Repeater. The pasted cURL command will be parsed into a raw HTTP request suitable for use with Repeater.
      • Copy as FFUF Command - Burp Suite extension for FFUF command generation.
      • Burp Suite History Explorer - This extension was developed to assist in filtering search results by host. During a large assessment I conducted, I wanted a clear view of which servers were operating on which software. While searching in Burp for the Server: .*, it returned the desired information, but I still had to sift through each request.
      • Asset Saver - Burp Suite - Burp Suite extension for saving previously loaded assets.
      • BCheck Helper - BCheck Helper makes finding and importing BChecks scripts into Burp easier by loading them from either a remote GitHub or local Git repository.
      • Change Menu Level - A simple BurpSuite extension to change the extension context menu level, for use in BurpSuite v2021.7 and newer.
      • Header Snipper - This extension will improve the user reporting experience. The extension is used to snip any header from all the requests with just 1 click!
      • Burp Customizer - This extension allows you to use these themes in Burp Suite, and includes a number of bundled themes to try.
  • Burp Extension Training Resources

  • Cloud Security

    • AWS Security Checks - This extension provides additional Scanner checks for AWS security issues.
    • AWS Extender - AWS Extender (Cloud Storage Tester) is a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.
    • AWS Signer - Burp Extension for AWS Signing.
    • cloud_enum - Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. Must be run from a *nix environment.
    • Burp-AnonymousCloud - Burp extension that performs a passive scan to identify cloud buckets and then tests them for publicly accessible vulnerabilities.
    • AWS Cognito - This extension helps identify key information from requests to AWS Cognito, provides several passive scan checks, and suggests HTTP request templates for exploiting several known vulnerabilities.
    • AWS SigV4 - This is a Burp extension for signing AWS requests with SigV4.