Burp Suite - Fundamentals

BurpSuite - Extensions

Easy
30 min

What are Burp Suite extensions?

Burp Suite supports extensions that can add new features to the tool or enhance existing ones.

Extensions can, for example:

  • Add new windows and menus to Burp.
  • Analyze and modify HTTP messages passing through Burp.
  • Automate session management.
  • Teach the scanner to detect new vulnerabilities.

BApp Store

You can develop Burp Suite extensions yourself, but fortunately you don't always have to. Burp has a built-in "application store", the BApp Store (found under the Extensions tab), where you can conveniently search for and install extensions that PortSwigger has reviewed.

Java vs. Python

Burp runs on the Java Virtual Machine, so its extensions are Java programs as well. Extensions can also be written in Python, but in that case Burp does not run an ordinary Python interpreter: it uses Jython, an implementation of Python for the JVM, which compiles the Python code to Java bytecode. Two practical caveats follow from this. Jython implements Python 2.7, so Python 3 syntax and libraries are not available, and Python extensions can only use Burp's older Extender API, not the newer Montoya API, which is Java-only.

Installation of Jython

For the reason above, extensions written in Python need the Jython standalone JAR in order to run. It is not bundled with Burp, so you have to download it separately and tell Burp where the file is.

Select an extension that needs Jython from the BApp Store list, for example a tool called Autorize, and then select Download Jython.

This opens the Jython website, from which you can download the program. You can also navigate directly to https://www.jython.org/download.html. Select the Standalone version (a single jython-standalone JAR file) on this page and download it.

Go to the Extensions settings page, either via the Settings button in the toolbar or by selecting Extensions settings from the Extensions tab. Then, in the Python environment section, set Location of Jython standalone JAR file to the JAR file you downloaded.

Now open the Autorize extension again in the BApp Store: the Install button should be available for it and for any other extension that requires Jython.
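The same Jython setting is what lets Burp load Python extensions you write yourself (Extensions tab > Installed > Add, extension type Python). The following is an added example, not code from this page or from PortSwigger: a minimal Jython extension built on Burp's legacy Extender API, which registers an HTTP listener that reports in-scope responses missing common security headers. The extension name and the list of expected headers are assumptions for the example. The header check itself is plain Python, so the module also imports outside Burp (the `burp` package is only present when Jython runs inside Burp) and the check can be tried on a constructed sample.

```python
# Added example (not from the Hakatemia page): a minimal Jython extension for
# Burp Suite using the legacy Extender API, the only API Python extensions
# can use. Python 2.7 compatible, because that is what Jython implements.
from __future__ import print_function

try:
    # The burp package exists only when Jython runs inside Burp Suite.
    from burp import IBurpExtender, IHttpListener
except ImportError:
    # Stand-ins so the module also imports in a plain CPython interpreter,
    # e.g. to unit-test the header check below.
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

# Assumed list of headers to look for; tune it to the target being tested.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
)


def missing_security_headers(header_lines):
    """Return the expected headers that are absent from a response.

    header_lines has the shape of Burp's IResponseInfo.getHeaders(): the
    status line first, then one 'Name: value' string per header. Header
    names are compared case-insensitively, as HTTP requires.
    """
    present = set()
    for line in header_lines[1:]:          # skip the status line
        name, sep, _ = line.partition(":")
        if sep:
            present.add(name.strip().lower())
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


class BurpExtender(IBurpExtender, IHttpListener):
    """Burp looks for a class named BurpExtender implementing IBurpExtender."""

    def registerExtenderCallbacks(self, callbacks):
        # Called once when the extension is loaded.
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Missing security headers (example)")
        callbacks.registerHttpListener(self)
        callbacks.printOutput("Extension loaded")

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Called for every request and response passing through Burp's tools.
        if messageIsRequest:
            return
        url = self._helpers.analyzeRequest(messageInfo).getUrl()
        if not self._callbacks.isInScope(url):
            return                          # only report on in-scope targets
        response = messageInfo.getResponse()
        if response is None:
            return
        headers = list(self._helpers.analyzeResponse(response).getHeaders())
        missing = missing_security_headers(headers)
        if missing:
            self._callbacks.printOutput(
                "%s is missing: %s" % (url, ", ".join(missing)))


# Constructed sample in the shape getHeaders() yields, for running outside Burp.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "x-content-type-options: nosniff",
    "Set-Cookie: session=abc; HttpOnly",
]

if __name__ == "__main__":
    print(missing_security_headers(SAMPLE_HEADERS))
```

Save the file with a .py extension and add it under Extensions > Installed with extension type Python; its output appears in the extension's Output tab. Keeping the analysis in a plain function separate from the Burp-specific class is deliberate: the function can be tested in any Python interpreter, while the `BurpExtender` class only does the API plumbing.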

Finally, a few proven extensions available in the Community Edition that you should definitely explore. Keep in mind that new extensions appear constantly and their usefulness is a matter of taste: security testers often have their own favorites, and it's worth exploring freely.

  • Autorize - a good tool for testing access control: it replays your requests with another user's session (or no session) and compares the responses
  • AuthMatrix - same idea as Autorize, but you define users and roles and a matrix of which resources each should be allowed to reach
  • Param Miner - helps find hidden parameters and headers
  • HTTP Request Smuggler - helps detect and verify HTTP request smuggling vulnerabilities
  • Scope Monitor - helps you track which in-scope endpoints you have already tested
  • PDF Viewer - renders PDF responses directly in Burp

Test your knowledge

What is the name of the program that BurpSuite needs to install plugins written in the Python programming language?
