Burp Suite


The leading web application testing tool on the market. The free Community edition covers basic web app testing and CTF-level work (Proxy, Repeater, Decoder and a rate-limited Intruder). The Pro edition adds the active vulnerability scanner, an unthrottled Intruder for brute forcing, and full access to the BApp Store, since some extensions require Pro.

Burp Platform Components

Burp Extensions

Extension Collections

Multi-Vulnerability Scanning Extensions

Single Vulnerability Extensions

  • Retire.js - Burp/ZAP/Maven extension that integrates the Retire.js repository to find vulnerable JavaScript libraries.
  • SQLiPy - Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
  • Backslash Powered Scanner - Active scanner that finds server-side injection vulnerabilities (including template injection) by probing how input transformations change the response.
  • CSRF Scanner - Passive CSRF detection.
  • Freddy - Finds deserialization bugs in Java and .NET applications.
  • JSON Web Tokens - Decode and manipulate JSON Web Tokens.
  • Web Cache Deception Scanner - Tests applications for the Web Cache Deception vulnerability.
  • HTTP Request Smuggler - Active scanner and launcher for HTTP Request Smuggling attacks.
  • Upload Scanner - Tests file upload functionality for a range of upload vulnerabilities.
  • SSRF-King - Automates SSRF detection across every parameter of a request.
  • Shelling - Comprehensive OS command injection payload generator.
  • Autorize - Detects authorization vulnerabilities such as Insecure Direct Object Reference (IDOR) by replaying requests with a lower-privileged user's session.
  • Java Deserialization Scanner - Active and passive scanner to find Java deserialization vulnerabilities.

Utility Extensions

  • Hackbar - Plugin designed to help penetration testers speed up their manual testing procedures.
  • Burp-Send-To - Adds a customizable "Send to..." context menu to Burp Suite. Handy for sending data into another tool like SQLMap.
  • Turbo Intruder - Burp Suite extension for sending large numbers of HTTP requests and analyzing the results. It complements Burp Intruder by handling attacks that require extreme speed or complexity.
  • burp-exporter - Copies a request to a file or the clipboard as a function in one of several programming languages.
  • Flow - History of all Burp tools, extensions and tests. Handy for pulling all your results together.
  • Decoder Improved - Data transformation plugin for Burp Suite that better serves the varying and expanding needs of information security professionals.
  • WSDLer - Takes a WSDL request, parses out the operations associated with the targeted web service, and generates SOAP requests that can then be sent to the SOAP endpoints.
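Most of the extensions above register a scanner check and turn findings into Burp issues. The following is an added example of that pattern, not code from the page, from PortSwigger or from any extension listed here: a minimal passive-scan extension written against the legacy Burp Extender (Jython) API that finds JSON Web Tokens in requests and raises an issue when a token is unsigned (`alg` is `none` or the signature segment is empty). The names `find_jwts`, `UnsignedJwtIssue` and `SAMPLE_REQUEST` are this example's own, and the sample request is constructed, not captured from any real application.

```python
"""
Added example (not from the page or PortSwigger): a minimal Burp passive-scan
extension for the legacy Extender API, run under Jython inside Burp. It finds
JSON Web Tokens in requests and raises an issue for unsigned ones ("alg": "none"
or an empty signature). Parsing lives in plain functions testable outside Burp.
"""
import base64
import json
import re

try:
    from burp import IBurpExtender, IScannerCheck, IScanIssue
except ImportError:
    # Not running inside Burp (e.g. a unit test): substitute empty base classes.
    class IBurpExtender(object): pass
    class IScannerCheck(object): pass
    class IScanIssue(object): pass

# header.payload.signature; base64url of '{"' always begins with "eyJ".
# The signature segment may be empty, which is one of the things we flag.
JWT_RE = re.compile(r'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*')


def b64url_encode(raw):
    """Base64url without padding, as JWTs use it (text in, text out)."""
    return base64.urlsafe_b64encode(raw.encode('utf-8')).decode('ascii').rstrip('=')


def b64url_decode(segment):
    """Re-add the padding JWTs strip, then decode."""
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))


def decode_jwt(token):
    """Return (header_dict, payload_dict, signature_b64) for a compact JWT."""
    header_b64, payload_b64, signature_b64 = token.split('.')
    header = json.loads(b64url_decode(header_b64).decode('utf-8'))
    payload = json.loads(b64url_decode(payload_b64).decode('utf-8'))
    return header, payload, signature_b64


def find_jwts(text):
    """Return [(token, header, payload, unsigned)] for each JWT found in text.

    unsigned is True when the header says alg=none or the signature is empty;
    candidates that match the shape but do not decode to JSON are skipped."""
    results = []
    for token in JWT_RE.findall(text):
        try:
            header, payload, signature = decode_jwt(token)
        except (ValueError, UnicodeDecodeError):
            continue
        alg = str(header.get('alg', '')).lower()
        results.append((token, header, payload, alg == 'none' or signature == ''))
    return results


# Constructed sample request (not captured from any real application):
# an unsigned bearer token plus an HS256 cookie token with a dummy signature.
UNSIGNED_TOKEN = (b64url_encode('{"alg":"none","typ":"JWT"}') + "."
                  + b64url_encode('{"sub":"1234","role":"admin"}') + ".")
SIGNED_TOKEN = (b64url_encode('{"alg":"HS256","typ":"JWT"}') + "."
                + b64url_encode('{"sub":"1234"}') + ".dummy_signature_for_demo")
SAMPLE_REQUEST = ("GET /api/me HTTP/1.1\r\nHost: example.test\r\n"
                  "Authorization: Bearer " + UNSIGNED_TOKEN + "\r\n"
                  "Cookie: session=" + SIGNED_TOKEN + "\r\n\r\n")


class UnsignedJwtIssue(IScanIssue):
    """Issue object that Burp lists under Dashboard / Issue activity."""
    def __init__(self, request_response, helpers, detail):
        self._rr = request_response
        self._url = helpers.analyzeRequest(request_response).getUrl()
        self._detail = detail
    def getUrl(self): return self._url
    def getIssueName(self): return "Unsigned JSON Web Token in request"
    def getIssueType(self): return 0x08000000   # "extension generated" issue type
    def getSeverity(self): return "High"
    def getConfidence(self): return "Firm"
    def getIssueBackground(self): return None
    def getRemediationBackground(self): return None
    def getIssueDetail(self): return self._detail
    def getRemediationDetail(self): return None
    def getHttpMessages(self): return [self._rr]
    def getHttpService(self): return self._rr.getHttpService()


class BurpExtender(IBurpExtender, IScannerCheck):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Unsigned JWT finder (example)")
        callbacks.registerScannerCheck(self)

    def doPassiveScan(self, baseRequestResponse):
        request_text = self._helpers.bytesToString(baseRequestResponse.getRequest())
        issues = []
        for token, header, payload, unsigned in find_jwts(request_text):
            if unsigned:
                detail = "alg=%s, claims=%s" % (header.get('alg'), json.dumps(payload))
                issues.append(UnsignedJwtIssue(baseRequestResponse, self._helpers, detail))
        return issues or None

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        return None   # passive-only check

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        # -1 keeps the existing issue, 0 reports both
        return -1 if existingIssue.getIssueDetail() == newIssue.getIssueDetail() else 0
```

Load it from Extender > Extensions with the Jython standalone jar configured under Options; every request that passes through the Proxy or Scanner is then fed to `doPassiveScan`, and a hit appears as a High issue on the Dashboard. The decoding is kept separate from the Burp callbacks on purpose: `find_jwts` can be exercised on a captured request string without Burp, which is also how the check can be extended (weak `alg` values, expired `exp`, sensitive claims) before it is loaded. Finding an unsigned token in a request does not prove the server accepts it; confirm by replaying a modified token in Repeater.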

Burp Payloads

Burp Training

Burp Suite Essentials Series by PortSwigger

Advanced Burp Suite by Bugcrowd University

Hacker101 Burp Suite Series

PortSwigger's Web Security Academy