Burp Suite


The leading web application testing tool on the market. It has a free Community edition that is handy for basic web app testing and CTF-level work, and a Professional edition with advanced features such as a powerful brute-forcing tool, a vulnerability scanner and access to more extensions.
Guides and Support Tools
Platform Components

Burp Extensions

Multi-Vuln Scanners
Single Vuln Scanners
  • Retire.JS - Burp/ZAP/Maven extension that integrates the Retire.js repository to find vulnerable JavaScript libraries.
  • sqlipy - SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
  • Backslash powered scanner - Active scan for SSTI detection
  • CSRF Scanner - Passive CSRF detection
  • Freddy - Find Deserialization Bugs
  • JSON Web Tokens - decode and manipulate JSON web tokens
  • Web cache deception scanner - Tests applications for the Web Cache Deception vulnerability.
  • HTTP Request Smuggler - Active scanner and launcher for HTTP Request Smuggling attacks
  • Upload Scanner - Tests various upload vulnerabilities
  • SSRF-King - SSRF plugin for Burp that automates SSRF detection across the whole request
  • shelling - a comprehensive OS command injection payload generator
  • Autorize - Tool for detecting authorization vulnerabilities such as Insecure Direct Object Reference (IDOR).
  • Java Deserialization Scanner - Active and passive scanner to find Java deserialization vulnerabilities
  • Hackbar - Hackbar is a plugin designed to help penetration testers speed up their manual testing procedures.
  • Burp-Send-To - Adds a customizable "Send to..." context menu to Burp Suite. Handy for easily sending data into another tool such as SQLmap.
  • Turbo Intruder - Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results. It's intended to complement Burp Intruder by handling attacks that require extreme speed or complexity.
  • burp-exporter - Exporter is a Burp Suite extension that copies a request to a file or the clipboard as a function in any of several programming languages.
  • Flow - History of all Burp tools, extensions and tests. Handy for pulling all your results together.
  • Decoder Improved - Decoder Improved is a data transformation plugin for Burp Suite that better serves the varying and expanding needs of information security professionals.
  • WSDLer - This extension takes a WSDL request, parses out the operations that are associated with the targeted web service, and generates SOAP requests that can then be sent to the SOAP endpoints.
  • WSDL Wizard - This extension scans a target server for WSDL files. After performing normal mapping of an application's content, right click on the relevant target in the site map, and choose "Scan for WSDL files" from the context menu. The extension will search the already discovered contents for URLs with the .wsdl file extension, and guess the locations of any additional WSDL files based on the file names known to be in use. The results of the scanning appear within the extension's output tab in the Burp Extender tool.

Burp Training

Burp Suite Essentials Series by PortSwigger

Advanced Burp Suite by Bugcrowd University

Hacker101 Burp Suite Series

Portswigger's Web Security Academy