[378 stars][3m] [Java] nccgroup/autorepeater Automated HTTP Request Repeating With Burp Suite
[376 stars][2y] [Py] 0x4d31/burpa A Burp Suite Automation Tool with Slack Integration. It can be used with Jenkins and Selenium to automate Dynamic Application Security Testing (DAST).
[141 stars][1y] [Java] tomsteele/burpbuddy burpbuddy exposes Burp Suite's extender API over the network through various mediums, with the goal of enabling development in any language without the restrictions of the JVM
[111 stars][22d] [Java] ozzi-/jwt4b JWT Support for Burp
[110 stars][2y] [Java] x-ai/burpunlimitedre This project !replace! BurpUnlimited of depend (BurpSuite version 1.7.27). It is NOT intended to replace them!
[103 stars][7m] [Py] kibodwapon/noeye A blind mode exploit framework (a DNS server and a web app) that is like wvs's AcuMonitor Service or burpsuite's collaborator or cloudeye
[42 stars][11m] [Java] secdec/attack-surface-detector-burp The Attack Surface Detector uses static code analyses to identify web app endpoints by parsing routes and identifying parameters
[41 stars][12m] [Py] zynga/hiccup [DEPRECATED] Hiccup is a framework that allows the Burp Suite (a web application security testing tool,
[41 stars][6y] [PHP] spiderlabs/upnp-request-generator A tool to parse UPnP descriptor XML files and generate SOAP control requests for use with Burp Suite or netcat
[40 stars][11m] [Go] joanbono/gurp Burp Commander written in Go
[38 stars][2m] [Py] zephrfish/burpfeed Hacked together script for feeding urls into Burp's Sitemap
[36 stars][8y] [Py] gdssecurity/burpee Python object interface to requests/responses recorded by Burp Suite
[36 stars][8y] [C#] gdssecurity/wcf-binary-soap-plug-in a Burp Suite plug-in designed to encode and decode WCF Binary Soap request and response data ("Content-Type: application/soap+msbin1")
[35 stars][1y] [Java] bit4woo/resign A Burp extender that recalculates the signature value automatically after you modify a request parameter value.
[33 stars][3y] [Go] tomsteele/burpstaticscan Use burp's JS static code analysis on code from your local system.
[32 stars][10m] twelvesec/bearerauthtoken This burpsuite extender provides a solution for testing Enterprise applications that involve security Authorization tokens in every HTTP request. Furthermore, this solution provides a better approach to solve the problem of Burp suite automated scanning failures when Authorization tokens exist.
[21 stars][5y] [Java] khai-tran/burpjdser a Burp plugin that will deserialize/serialize Java request and response to and from XML with the use of the XStream library
[18 stars][2m] [Py] xscorp/burpee A python module that accepts an HTTP request file and returns a dictionary of headers and post data
[17 stars][3m] [BitBake] sy3omda/burp-bounty An extension of Burp Suite that improves the Burp scanner.
[16 stars][2y] [Visual Basic .NET] xcanwin/xburpcrack This is a tool to bypass the cracked version of the burpsuite_pro(Larry_Lau) certification deadline through time reversal.
[14 stars][7m] [Java] portswigger/openapi-parser Parse OpenAPI specifications, previously known as Swagger specifications, into the BurpSuite for automating RESTful API testing – approved by Burp for inclusion in their official BApp Store.
[13 stars][14d] [Java] ankokuty/belle Belle (unofficial Japanese localization tool for Burp Suite)
[13 stars][6y] [Java] ioactive/burpjdser-ng Allows you to deserialize java objects to XML and lets you dynamically load classes/jars as needed
[2 stars][1y] [Py] bao7uo/burpelfish BurpelFish - Adds Google Translate to Burp's Context Menu. "Babel Fish" language translation for app-sec testing in other languages.
[2 stars][2y] [Java] cornerpirate/demoextender Code used for a tutorial to get Netbeans GUI editor to work with a Burp Suite Extender
[2 stars][2y] [Py] dnet/burp-scripts Scripts I wrote to extend Burp Suite functionality
[410 stars][8m] [Java] nccgroup/burpsuitehttpsmuggler A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques
[366 stars][23d] [Java] portswigger/http-request-smuggler an extension for Burp Suite designed to help you launch HTTP Request Smuggling attacks
[364 stars][14d] [Kotlin] portswigger/turbo-intruder a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
[341 stars][2y] [Py] securityinnovation/authmatrix AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
[340 stars][2y] [Py] pathetiq/burpsmartbuster A Burp Suite content discovery plugin that adds the smart into the Buster!
[336 stars][23d] [Java] bit4woo/knife A Burp extension that adds some useful functions to the context menu (adds some right-click menu items to make Burp smoother to use)
[310 stars][1y] [Java] ebryx/aes-killer Burp plugin to decrypt AES Encrypted traffic of mobile apps on the fly
[273 stars][2m] [Py] quitten/autorize Automatic authorization enforcement detection extension for Burp Suite, written in Jython and developed by Barak Tawily in order to ease application security people's work and allow them to perform automatic authorization tests
[143 stars][6m] [Py] codingo/minesweeper A Burpsuite plugin (BApp) to aid in the detection of scripts being loaded from over 23000 malicious cryptocurrency mining domains (cryptojacking).
[137 stars][2y] [Java] netspi/wsdler WSDL Parser extension for Burp
[123 stars][4y] [Py] moloch--/csp-bypass A Burp Plugin for Detecting Weaknesses in Content Security Policies
[118 stars][2m] [Py] prodigysml/dr.-watson a simple Burp Suite extension that helps find assets, keys, subdomains, IP addresses, and other useful information!
[103 stars][2y] [Java] clr2of8/gathercontacts A Burp Suite Extension to pull Employee Names from Google and Bing LinkedIn Search Results
[103 stars][2y] [Java] gosecure/csp-auditor Burp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP configuration from crawling a Website
[87 stars][10m] [Java] doyensec/burpdeveltraining Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation"
[83 stars][1m] [Java] jgillam/burp-paramalyzer Burp extension for parameter analysis of large-scale web application penetration tests.
[83 stars][1y] [Py] nccgroup/blackboxprotobuf Blackbox protobuf is a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.
[75 stars][1y] [Java] bit4woo/u2c Unicode To Chinese -- U2C : A burpsuite Extender That Converts Unicode To Chinese [Burp plugin that converts Unicode encoding to Chinese]
[73 stars][2y] [Java] spiderlabs/burplay Burplay is a Burp Extension allowing for replaying any number of requests using the same modifications definition. Its main purpose is to aid in searching for Privilege Escalation issues.
[63 stars][5m] [Java] nccgroup/berserko Burp Suite extension to perform Kerberos authentication
[58 stars][11m] [Java] portswigger/replicator Burp extension to help developers replicate findings from pen tests
[57 stars][6y] [Java] spiderlabs/burpnotesextension a plugin for Burp Suite that adds a Notes tab. The tool aims to better organize external files that are created during penetration testing.
[51 stars][1y] [Java] netspi/burpextractor A Burp extension for generic extraction and reuse of data within HTTP requests and responses.
[17 stars][2m] [Java] phefley/burp-javascript-security-extension A Burp Suite extension which performs checks for cross-domain scripting against the DOM, subresource integrity checks, and evaluates JavaScript resources against threat intelligence data.
[15 stars][10m] [Java] twelvesec/jdser-dcomp A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized java objects.
[14 stars][3y] [JS] rinetd/burpsuite-1 BurpSuite using the document and some extensions
[13 stars][5y] [Py] enablesecurity/identity-crisis A Burp Suite extension that checks if a particular URL responds differently to various User-Agent headers
[13 stars][7m] [Py] modzero/burp-responseclusterer Burp plugin that clusters responses to show an overview of received responses
[13 stars][1y] [Java] moeinfatehi/admin-panel_finder A burp suite extension that enumerates infrastructure and application admin interfaces (OTG-CONFIG-005)
[13 stars][7m] [Py] solomonsklash/sri-check A Burp Suite extension for identifying missing Subresource Integrity attributes.
[12 stars][5y] [Java] federicodotta/burpjdser-ng-edited Burp Suite plugin that allows deserializing Java objects and converting them to an XML format. Also unpacks gzip responses. Based on BurpJDSer-ng of omercnet.
[11 stars][6y] [Py] smeegesec/wsdlwizard WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files.
[9 stars][5y] [Java] allfro/dotnetbeautifier A BurpSuite extension for beautifying .NET message parameters and hiding some of the extra clutter that comes with .NET web apps (i.e. __VIEWSTATE).
[9 stars][4y] [Java] augustd/burp-suite-gwt-scan Burp Suite plugin that identifies insertion points for GWT (Google Web Toolkit) requests
[9 stars][1y] [Java] sampsonc/authheaderupdater Burp extension to specify the token value for the Authentication header while scanning.
[9 stars][2y] [Java] aoncyberlabs/fastinfoset-burp-plugin Burp plugin to convert fast infoset (FI) to/from the text-based XML document format allowing easy editing
[8 stars][2y] [Py] bao7uo/waf-cookie-fetcher WAF Cookie Fetcher is a Burp Suite extension written in Python, which uses a headless browser to obtain the values of WAF-injected cookies which are calculated in the browser by client-side JavaScript code and adds them to Burp's cookie jar. Requires PhantomJS.
[8 stars][6y] [Java] cyberisltd/post2json Burp Suite Extension to convert a POST request to JSON message, moving any .NET request verification token to HTTP headers if present
[8 stars][5m] [Py] fsecurelabs/timeinator Timeinator is an extension for Burp Suite that can be used to perform timing attacks over an unreliable network such as the internet.
[7 stars][3y] [Java] dibsy/staticanalyzer StaticAnalyzer is a burp plugin that can be used to perform static analysis of the response information from the server during run time. It will search for specific words in the response that are mentioned in vectors.txt
[7 stars][3y] [Ruby] dradis/burp-dradis Dradis Framework extension for Burp Suite
[6 stars][3m] [Java] aress31/copy-as-powershell-requests Copy as PowerShell request(s) plugin for Burp Suite (approved by PortSwigger for inclusion in their official BApp Store).
[6 stars][1m] [Java] aress31/googleauthenticator Burp Suite plugin that dynamically generates Google 2FA codes for use in session handling rules (approved by PortSwigger for inclusion in their official BApp Store).
[5 stars][6y] [Java] eganist/burp-issue-poster This Burp Extension is intended to post to a service the details of an issue found either by active or passive scanning
[5 stars][2m] [Java] iamaldi/rapid Rapid is a Burp extension that enables you to save HTTP Request / Response to file in a user friendly text format a lot faster.
[5 stars][22d] [Ruby] dradis/dradis-burp Burp Suite plugin for the Dradis Framework
[5 stars][27d] [Java] parsiya/bug-diaries An extension for Burp's free edition that mimics the pro edition's custom scan issues.
[4 stars][6y] [Perl] allfro/browserrepeater BurpSuite extension for Repeater tool that renders responses in a real browser.
[4 stars][2y] [Java] dannegrea/tokenjar Burp Suite extension. Useful for managing tokens like anti-CSRF, CSurf, Session values. Can be used to set params that require random numbers or params that are computed based on application response.
[4 stars][2y] [Java] pentestpartners/fista A Burp Extender plugin allowing decoding of fastinfoset encoded communications.
[4 stars][3y] [Java] jksecurity/burp_savetofile BurpSuite plugin to save just the body of a request or response to a file
[3 stars][9m] [Java] raise-isayan/bigipdiscover An extension of Burp Suite. The cookie set by the BigIP server may include a private IP; this extension detects that IP
[3 stars][2y] [Py] snoopysecurity/noopener-burp-extension Find Target="_blank" values within web pages that are set without 'noopener' and 'noreferrer' attributes
[1 star][7m] [Java] bort-millipede/burp-batch-report-generator Small Burp Suite Extension to generate multiple scan reports by host with just a few clicks. Works with Burp Suite Professional only.
[1 star][9m] [Java] jonluca/burp-copy-as-node Burp extension to copy a request as a node.js requests function
[1 star][2y] [Java] moradotai/cms-scan An active scan extension for Burp that provides supplemental coverage when testing popular content management systems.
[510 stars][2m] [Java] wagiro/burpbounty An extension of Burp Suite that allows you, in a quick and simple way, to improve the active and passive scanner by means of personalized rules through a very intuitive graphical interface.
[395 stars][2y] [Java] federicodotta/java-deserialization-scanner All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities
[136 stars][22d] [JS] h3xstream/burp-retire-js Burp/ZAP/Maven extension that integrates the Retire.js repository to find vulnerable JavaScript libraries.
[128 stars][2y] [Java] yandex/burp-molly-scanner Turn your Burp suite into a headless active web application vulnerability scanner
[101 stars][2y] [Java] spiderlabs/airachnid-burp-extension A Burp Extension to test applications for vulnerability to the Web Cache Deception attack
[85 stars][4m] [Py] kapytein/jsonp a Burp Extension which attempts to reveal JSONP functionality behind JSON endpoints. This could help reveal cross-site script inclusion vulnerabilities or aid in bypassing content security policies.
[38 stars][1y] [Py] luh2/detectdynamicjs The DetectDynamicJS Burp Extension provides an additional passive scanner that tries to find differing content in JavaScript files and aid in finding user/session data.
[29 stars][2y] [Py] portswigger/wordpress-scanner Find known vulnerabilities in WordPress plugins and themes using Burp Suite proxy. WPScan-like plugin for Burp.
[29 stars][7m] [Java] portswigger/scan-check-builder Burp Bounty is an extension of Burp Suite that lets you improve the active and passive scanner by yourself. This extension requires Burp Suite Pro.
[23 stars][3y] [Java] vah13/burpcrlfplugin Another plugin for CRLF vulnerability detection
[22 stars][9m] [BitBake] ghsec/bbprofiles Burp Bounty (Scan Check Builder in BApp Store) is an extension of Burp Suite that lets you improve the active and passive scanner by yourself. This extension requires Burp Suite Pro.
[21 stars][3y] [Py] f-secure/headless-scanner-driver A Burp Suite extension that starts scanning on requests it sees, and dumps results on standard output
[20 stars][3m] [Java] aress31/flarequench Burp Suite plugin that adds additional checks to the passive scanner to reveal the origin IP(s) of Cloudflare-protected web applications.
[19 stars][2m] [Java] mirfansulaiman/customheader This Burp Suite extension allows you to customize headers by putting a new header into HTTP requests in BurpSuite (Scanner, Intruder, Repeater, Proxy History)
[18 stars][6m] [Java] thomashartm/burp-aem-scanner Burp Scanner extension to fingerprint and actively scan instances of the Adobe Experience Manager CMS. It checks the website for common misconfigurations and security holes.
[10 stars][1y] [Py] portswigger/detect-dynamic-js The DetectDynamicJS Burp Extension provides an additional passive scanner that tries to find differing content in JavaScript files and aid in finding user/session data.
[10 stars][3y] [Java] ring04h/java-deserialization-scanner All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities
[1 star][2y] [Java] rammarj/burp-header-injector Burp Free plugin to test for host header injection vulnerabilities. (Development)
[1 star][9m] [Py] jamesm0rr1s/burpsuite-add-and-track-custom-issues Add & Track Custom Issues is a Burp Suite extension that allows users to add and track manual findings that the automated scanner was unable to identify.
[303 stars][15d] [Java] ilmila/j2eescan a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
[66 stars][2m] [Java] static-flow/burpsuite-team-extension This Burpsuite plugin allows for multiple web app testers to share their proxy history with each other in real time. Requests that come through your Burpsuite instance will be replicated in the history of the other testers and vice-versa!
[26 stars][7m] [Java] static-flow/directoryimporter a Burpsuite plugin built to enable you to import your directory bruteforcing results into burp for easy viewing later. This is an alternative to proxying bruteforcing tools through burp to catch the results.
[22 stars][3y] [Swift] melvinsh/burptoggle Status bar application for OS X to toggle the state of the system HTTP/HTTPS proxy.
[17 stars][2y] [Java] portswigger/j2ee-scan J2EEScan is a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
[11 stars][8y] [Java] gdssecurity/deflate-burp-plugin The Deflate Burp Plugin is a plug-in for Burp Proxy (it implements the IBurpExtender interface) that decompresses HTTP response content in the ZLIB (RFC1950) and DEFLATE (RFC1951) compression formats.
[11 stars][4y] [Py] vincd/burpproxypacextension Example Burp extension that allows the use of PAC proxy configuration files
[32 stars][3m] [Java] righettod/log-requests-to-sqlite BURP extension to record every HTTP request sent via BURP and create an audit trail log of an assessment.
[5 stars][8m] [Java] logicaltrust/burphttpmock This Burp extension provides mock responses based on the real ones.
[3 stars][1y] [Java] ax/burp-logs Logs is a Burp Suite extension to work with log files.
[34 stars][3y] [Py] attackercan/burp-xss-sql-plugin Burp plugin which I used for years which helped me to find several bugbounty-worthy XSSes, OpenRedirects and SQLi.
[8 stars][27d] [Java] hackvertor/taborator A Burp extension to show the Collaborator client in a tab
Fuzz
[209 stars][3m] [Java] h3xstream/http-script-generator ZAP/Burp plugin that generates a script to reproduce a specific HTTP request (Intended for fuzzing or scripted attacks)
[18 stars][1y] [Py] mgeeky/burpcontextawarefuzzer BurpSuite's payload-generation extension aiming at applying fuzzed test-cases depending on the type of payload (integer, string, path; JSON; XML; GWT; binary) and following encoding-scheme applied originally.
[11 stars][3y] [Java] portswigger/reissue-request-scripter ZAP/Burp plugin that generates a script to reproduce a specific HTTP request (Intended for fuzzing or scripted attacks)
[4 stars][2y] [Java] huvuqu/fuzz18plus Advance of fuzzing for Web pentest. Based on Burp extension, send HTTP request template out to Python fuzzer.
[70 stars][2y] [Java] ikkisoft/bradamsa Burp Suite extension to generate Intruder payloads using Radamsa
[56 stars][1y] [Py] destine21/zipfileraider ZIP File Raider - Burp Extension for ZIP File Payload Testing
[55 stars][2y] [Java] righettod/virtualhost-payload-generator BURP extension providing a set of values for the HTTP request "Host" header for the "BURP Intruder" in order to abuse virtual host resolution.
[5 stars][4y] [Java] antoinet/burp-decompressor An extension for BurpSuite used to access and modify compressed HTTP payloads without changing the content-encoding.
[5 stars][5y] [Py] enablesecurity/burp-luhn-payload-processor A plugin for Burp Suite Pro to work with attacker payloads and automatically generate check digits for credit card numbers and similar numbers that end with a check digit generated using the Luhn algorithm or formula (also known as the "modulus 10" or "mod 10" algorithm).
[3 stars][2y] [Java] pan-lu/recaptcha A Burp Extender that automatically recognizes CAPTCHA for use as an Intruder payload
SQL
[381 stars][1y] [Py] rhinosecuritylabs/sleuthql Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
[274 stars][2y] [Java] mateuszk87/badintent Intercept, modify, repeat and attack Android's Binder transactions using Burp Suite
[9 stars][4m] [JS] shahidcodes/android-nougat-ssl-intercept It decompiles the target APK and adds a security exception to accept all certificates, thus making it able to work with Burp/Charles and other tools
Other
[584 stars][1y] [Java] federicodotta/brida The new bridge between Burp Suite and Frida!
[141 stars][6m] [Py] integrity-sa/burpcollaborator-docker a set of scripts to install a Burp Collaborator Server in a docker environment, using a LetsEncrypt wildcard certificate