New Burp Suite Extensibility

Dafydd Stuttard | 10 December 2012 at 11:30 UTC

We will shortly be releasing Burp Suite Pro v1.5.01, which contains a new framework for extensibility in Burp.

A Short History

Burp has supported extensions for years. Burp's extensibility began its life very simply, and has evolved gradually without any overall plan.

The existing API is fairly limited, and its main uses have been for:

The existing framework has been used to good effect to extend Burp's capabilities, for example:

Current Limitations

The existing extensibility framework contains some significant limitations:

In an attempt to address these limitations, several people have developed extensibility frameworks layered over Burp's, including:

These third-party frameworks are well designed, and address some of Burp's shortcomings. Nevertheless, it is cumbersome to need to install an additional framework, and the limitations in the current API still remain.

The efforts that people were evidently going to, in an attempt to improve on what Burp itself offered, made me realize: it's time to fix Burp natively.

Objectives for New Extensibility

The overall objectives for the new extensibility framework are:

A key aspiration for the new extensibility is that people should find it quick and easy to create extensions mid-testing to work around all kinds of obstacles that can arise. For example, tasks like writing a Scanner check, creating a session handling action, or adding a new HTTP message analyzer to Burp's editor, should all be achievable in less time than it takes to work around an obstacle manually. With the new support for Python scripting, and a much more helpful API, even users without much programming experience will hopefully feel tempted to have a go, and so dramatically enhance the power of their testing with Burp.