[Image: Logo of PortSwigger, the company that develops Burp Suite]

| Burp Suite | |
|---|---|
| Developer(s) | PortSwigger |
| Written in | Java |
| Type | Security testing |
| Website | portswigger |
Burp Suite is an industry-standard tool for security assessment and penetration testing of web applications. [1] [2] The software was initially developed between 2003 and 2006 by Dafydd Stuttard [3] to automate his own security testing, after he recognised the capabilities of automatable web tools such as Selenium. [4] Stuttard founded the company PortSwigger to lead Burp Suite's development. Community, Professional, and Enterprise editions of the product are available.
Notable capabilities of the suite include proxying web traffic (Burp Proxy) [5], logging HTTP requests and responses [5], capturing and intercepting HTTP requests in transit (Burp Intercept) [6], and producing aggregate reports that indicate weaknesses (Burp Scanner). [7] The software uses a built-in database of known-unsafe syntax patterns and keywords, which it searches for within captured HTTP requests and responses. [8]
Burp Suite also provides several features for active penetration testing. Built-in proof-of-concept services include tests for HTTP downgrade [9], interaction with tool-hosted external sandbox servers (Burp Collaborator) [10], and analysis of the strength of pseudorandom tokens (Burp Sequencer). [11] The tool allows user-defined functionality to be added by installing open-source plugins (such as Java Deserialization Scanner [12] and Autorize [13]).
As a web security analyzer, Burp Suite offers several built-in features designed to assist testers in auditing their web applications.
The Community Edition version of Burp Suite includes the following features. [14]
Burp Suite's Professional edition includes all Community features plus those listed below.
BApps: Burp Suite offers an extension store [33] where users can upload and download plugins for functionality not supported natively. Plugins differ in what they provide, ranging from adjustments for UI readability, to additional scanner rules, to implementations of new analysis features.
Burp Suite's extension API is open-source. [34] [35] Java plugins are supported natively, while extensions written in Python or Ruby require users to download the Jython or JRuby JAR files respectively. [36]
Many Burp plugins have also been created by PortSwigger employees as proofs of concept for research conducted by the company. [37] Examples include extensions created by James Kettle, PortSwigger's Director of Research [38], such as Backslash Powered Scanner [39] [40], Param Miner [41] [42], and HTTP Request Smuggler. [43] [44]
BChecks were added to Burp Suite in June 2023 [45] as a way for users to create and customise their own scanner rules. [46] A curated collection of BChecks is maintained by PortSwigger in an open-source GitHub project. [47]
Users can write short Java code snippets to define custom filters over the entries in Burp Suite's Proxy HTTP history, WebSocket history, and Logger lists. [48] [49]
PortSwigger was granted the Queen's Award for Enterprise for International Trade in 2019. [50]
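To make concrete what the pattern-based passive checks (described with Burp Scanner above) and the custom history filters (described in this section) actually do, the following is an added, self-contained example written for this page; it is not PortSwigger's code, not Burp's real rule set, and not the Burp extension API. It parses a small constructed HTTP history, runs a few passive checks (missing security headers, verbose server banner, private-IP disclosure, query-string input reflected into an HTML body) that never send anything to a target, and filters the history with composable predicates in the same spirit as a custom history filter. All patterns, header names, and sample traffic are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str]  # header names stored lower-cased
    body: str

    def header(self, name: str) -> Optional[str]:
        return self.headers.get(name.lower())


def parse_http(raw: str) -> HttpMessage:
    """Split a raw HTTP/1.1 message (CRLF line endings) into start line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)


@dataclass
class HistoryEntry:
    """One captured request/response pair, like a row in a proxy HTTP history."""
    request: HttpMessage
    response: HttpMessage

    @property
    def method(self) -> str:
        return self.request.start_line.split()[0]

    @property
    def path(self) -> str:
        return self.request.start_line.split()[1]

    @property
    def status(self) -> int:
        return int(self.response.start_line.split()[1])


@dataclass
class Finding:
    name: str
    severity: str    # info / low / medium / high
    confidence: str  # tentative / firm / certain
    evidence: str


# "Known-unsafe" header patterns, constructed for this example (hypothetical rule set).
HEADER_PATTERNS = [
    ("Verbose server banner", "info", "server", re.compile(r"\S+/\d")),
    ("Technology disclosure", "info", "x-powered-by", re.compile(r".+")),
]
REQUIRED_HEADERS = ["strict-transport-security", "x-content-type-options", "content-security-policy"]
PRIVATE_IP = re.compile(
    r"\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b")


def passive_checks(entry: HistoryEntry) -> List[Finding]:
    """Pattern-based checks over an already-captured pair; nothing is sent to the target."""
    findings: List[Finding] = []
    resp = entry.response
    for name, severity, header, pattern in HEADER_PATTERNS:
        value = resp.header(header)
        if value and pattern.search(value):
            findings.append(Finding(name, severity, "certain", f"{header}: {value}"))
    for header in REQUIRED_HEADERS:
        if resp.header(header) is None:
            findings.append(Finding(f"Missing {header} header", "low", "certain", resp.start_line))
    match = PRIVATE_IP.search(resp.body)
    if match:
        findings.append(Finding("Private IP address disclosed", "low", "firm", match.group(0)))
    # Reflection: a query-string value echoed verbatim into an HTML body. A passive check can
    # only say "reflected"; it is reported at tentative confidence, not as a confirmed issue.
    if "text/html" in (resp.header("content-type") or ""):
        for key, value in parse_qsl(urlsplit(entry.path).query):
            if len(value) >= 4 and value in resp.body:
                findings.append(Finding("Input returned in response (reflected)", "info",
                                        "tentative", f"{key}={value}"))
    return findings


Predicate = Callable[[HistoryEntry], bool]


def filter_history(history: List[HistoryEntry], *predicates: Predicate) -> List[HistoryEntry]:
    """Keep entries that satisfy every predicate, like a custom history filter."""
    return [e for e in history if all(p(e) for p in predicates)]


# Constructed sample traffic (not real captures).
RAW_HISTORY = [
    ("GET /search?q=burp1234 HTTP/1.1\r\nHost: app.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.4.57\r\nContent-Type: text/html\r\n\r\n"
     "<p>Results for burp1234 from 10.0.0.5</p>"),
    ("GET /static/app.js HTTP/1.1\r\nHost: app.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/javascript\r\n"
     "Strict-Transport-Security: max-age=31536000\r\nX-Content-Type-Options: nosniff\r\n"
     "Content-Security-Policy: default-src 'self'\r\n\r\nconsole.log(1);"),
]
HISTORY = [HistoryEntry(parse_http(q), parse_http(r)) for q, r in RAW_HISTORY]


def html_only(e: HistoryEntry) -> bool:
    return "text/html" in (e.response.header("content-type") or "")


def scan_html_responses() -> Dict[str, List[str]]:
    """Run the passive checks over successful HTML responses only; returns path -> finding names."""
    return {e.path: [f.name for f in passive_checks(e)]
            for e in filter_history(HISTORY, lambda e: e.status == 200, html_only)}


if __name__ == "__main__":
    for path, names in scan_html_responses().items():
        print(path, names)
```

The filter predicates compose with plain `and` semantics, so narrowing a large history to "200 HTML responses with a query string" is one `filter_history` call; the static JavaScript entry, which carries all three expected headers and no version banner, produces no findings and is excluded from the HTML-only scan.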