Burp extensions are flexible and powerful plugins that enable you to customize Burp Suite to suit your workflow.
You can create your own extensions in Java using our Montoya API. This enables you to, for example:
Add new security testing features.
Modify traffic handling.
Integrate external tools.
Interact with internal Burp tools.
Extend Burp's user interface.
Before you begin development, refine your idea and gather inspiration:
Browse the BApp store - Check the list of BApps. You may find one that already meets your needs.
Look at example extensions - Explore example extensions in the Montoya API examples GitHub repository. These showcase different ways to extend Burp.
Join the conversation - Connect with other extension developers on the PortSwigger Discord #extensions channel.
Review our acceptance criteria - If you plan to submit your extension to the BApp store, check our BApp store acceptance criteria before you begin.
Burp offers different customization options depending on your needs:
Bambdas are best for customizing match-and-replace rules, table columns, or custom filters. Bambdas are small sections of Java-based code that run directly in Burp, making them easier to write as they don't require project setup or UI configuration. For more information, see Creating Bambdas.
BChecks are best for defining custom scan checks. BChecks use an easy-to-learn, purpose-built language to create tailored checks. They provide a way to extend Burp Scanner without requiring a full extension. For more information, see Creating BChecks.
Extensions are best for complex functionality. They offer greater flexibility but require additional setup. To help you get started, we provide a starter project for managing dependencies and development.
The Montoya API enables you to integrate advanced AI features into your Burp Suite extensions. Your extensions can now send prompts to a Large Language Model (LLM), allowing real-time input analysis and intelligent responses.
For more information, see Creating AI extensions.
When issuing new requests from your extension, you're free to send kettled requests using HTTP/2 formatting. This enables you to develop extensions to test for HTTP/2-exclusive vulnerabilities.
However, it is not currently possible for extensions to modify kettled requests that were issued by Burp. This is because the API only allows them to access the normalized, HTTP/1 style request representation.
Make sure that any ExtensionHttpRequestEditor returned does not use an HttpRequestEditor as the UI component when it registers an HttpRequestEditorProvider. This avoids a scenario where the HttpRequestEditor is created within another HttpRequestEditor, potentially creating an infinite loop of HttpRequestEditor components and causing Burp to crash.
For the same reason, avoid returning an HttpResponseEditor when registering an HttpResponseEditorProvider.