BurpSuite

• 400+ 开源Burp插件，400+文章和视频。
• English Version

目录

• 资源收集 -> (7)工具 (2)文章
• Burp组件
  • Collaborator -> (10)工具 (17)文章
  • Intruder -> (1)工具 (15)文章
  • Repeater -> (4)工具 (3)文章
  • Extender -> (11)工具 (5)文章
  • Macros -> (1)工具 (10)文章
  • (3) Extractor
  • (5) Spider
• 平台
  • Web
    • WAF -> (3)工具 (3)文章
    • HTTP/HTTPS -> (21)工具 (24)文章
    • XSS -> (11)工具 (9)文章
    • CSRF -> (1)工具 (13)文章
    • REST -> (5)工具 (4)文章
    • JWT -> (3)工具 (1)文章
  • Windows -> (3)文章
  • Linux -> (1)文章
  • Apple -> (4)文章
  • Android -> (2)工具 (10)文章
  • Cloud -> (3)工具
• 漏洞 -> (24)工具 (19)文章
• 扫描 -> (40)工具 (16)文章
• Fuzz -> (11)工具 (10)文章
• SQL -> (10)工具 (33)文章
• 日志 -> (9)工具
• Payload -> (14)工具 (5)文章
• 开发与调试 -> (2)工具 (18)文章
• 爆破 -> (4)工具 (5)文章
• 验证码 -> (1)工具 (2)文章
• 编码/解码 -> (10)工具 (2)文章
• 认证/登录 -> (6)工具 (10)文章
• Brida -> (1)工具 (8)文章
• 代理 -> (18)工具 (22)文章
• 域/子域 -> (4)工具 (1)文章
• 工具
  • (172) 新添加
  • (3) 文档
• 文章
  • (159) 新添加

资源收集

---

工具

• [1197星][1m] snoopysecurity/awesome-burp-extensions Burp扩展收集
• [1167星][9d] [Py] bugcrowd/hunt Burp和ZAP的扩展收集
• [108星][2m] [Java] jgillam/burp-co2 A collection of enhancements for Portswigger's popular Burp Suite web penetration testing tool.
• [87星][11m] [Py] laconicwolf/burp-extensions A collection of scripts to extend Burp Suite
• [67星][12d] [Py] lich4/personal_script 010Editor/BurpSuite/Frida/IDA等多个工具的多个脚本
  • 010Editor 010Editor的多个脚本
  • ParamChecker Burp插件
  • Frida Frida多个脚本
  • IDA IDA Scripts
  • IDA-read_unicode.py IDA插件，识别程序中的中文字符
  • IDA-add_xref_for_macho 辅助识别Objective-C成员函数的caller和callee
  • IDA-add_info_for_androidgdb 使用gdbserver和IDA调试Android时，读取module列表和segment
  • IDA-trace_instruction 追踪指令流
  • IDA-detect_ollvm 检测OLLVM，在某些情况下修复（Android/iOS）
  • IDA-add_block_for_macho 分析macho文件中的block结构
• [23星][4y] [Java] ernw/burpsuite-extensions A collection of Burp Suite extensions
• [16星][9d] [Batchfile] mr-xn/burpsuite-collections BurpSuite收集：包括不限于 Burp 文章、破解版、插件(非BApp Store)、汉化等相关教程

---

文章

• 2019.10 [trustfoundry] The Top 8 Burp Suite Extensions That I Use to Hack Web Sites
• 2014.08 [insinuator] ERNW’s Top 9 Burp Plugins

Burp组件

---

Collaborator

工具

• [142星][8m] [Py] integrity-sa/burpcollaborator-docker a set of scripts to install a Burp Collaborator Server in a docker environment, using a LetsEncrypt wildcard certificate
• [91星][2y] [Java] federicodotta/handycollaborator Burp Suite plugin created for using Collaborator tool during manual testing in a comfortable way!
• [71星][4m] [Java] netspi/burpcollaboratordnstunnel A DNS tunnel utilizing the Burp Collaborator
• [52星][5y] [Py] jfoote/burp-git-bridge Store Burp data and collaborate via git
• [40星][2y] [Java] bit4woo/burp_collaborator_http_api 基于Burp Collaborator的HTTP API
• [32星][1m] [Shell] putsi/privatecollaborator A script for installing private Burp Collaborator with free Let's Encrypt SSL-certificate
• [31星][3y] [Java] silentsignal/burp-collab-gw Simple socket-based gateway to the Burp Collaborator
• [25星][23d] [Java] portswigger/taborator A Burp extension to show the Collaborator client in a tab
• [18星][2y] [HCL] 4armed/terraform-burp-collaborator Terraform configuration to build a Burp Private Collaborator Server
• [9星][23d] [Java] hackvertor/taborator A Burp extension to show the Collaborator client in a tab

文章

• 2019.06 [bugbountywriteup] Deploy a private Burp Collaborator Server in Azure
• 2019.06 [0x00sec] Achieving Persistent Access to Burp Collaborator Sessions
• 2019.01 [freebuf] Burpsuite Collaborato模块详解
• 2018.06 [integrity] CVE-2018-10377 - Insufficient Validation of Burp Collaborator Server Certificate
• 2018.05 [aliyun] 基于Burp Collaborator的HTTP API
• 2018.05 [tevora] Blind Command Injection Testing with Burp Collaborator
• 2018.04 [aliyun] 如何搭建自己的 Burp Collaborator 服务器
• 2018.03 [4hou] 使用BurpSuite的Collaborator查找.Onion隐藏服务的真实IP地址
• 2017.11 [digitalforensicstips] Using Burp Suite’s Collaborator to Find the True IP Address for a .Onion Hidden Service
• 2017.09 [netspi] BurpCollaboratorDNSTunnel 介绍
• 2017.09 [freebuf] Handy Collaborator ：用于挖掘out-of-band类漏洞的Burp插件介绍
• 2017.09 [mediaservice] HandyCollaborator介绍
• 2017.04 [] Build a Private Burp Collaborator Server on AWS with Terraform and Ansible
• 2017.01 [360] 超越检测：利用Burp Collaborator执行SQL盲注
• 2017.01 [silentsignal] Beyond detection: exploiting blind SQL injections with Burp Collaborator
• 2016.07 [] Burpsuite之Burp Collaborator模块介绍
• 2015.04 [portswigger] Introducing Burp Collaborator | Blog

---

Intruder

工具

• [2081星][1y] [BitBake] 1n3/intruderpayloads BurpSuite Intruder Payload收集

文章

• 2019.10 [KacperSzurek] [BURP] Intruder: Jak sprawdzić typ konta?
• 2019.09 [Nahamsec] Using BurpSuite's Intruder to find bugs and solve Bug Bounty Notes & Hacker101 CTFs
• 2018.02 [dustri] Ghetto recursive payload in the Burp Intruder
• 2017.12 [pediy] [翻译]使用Burp Suite执行更复杂的Intruder攻击
• 2017.12 [trustedsec] More Complex Intruder Attacks with Burp!
• 2017.11 [polaris] reCAPTCHA：一款自动识别图形验证码并用于Intruder Payload中的BurpSuite插件
• 2016.10 [kalilinuxtutorials] Burpsuite – Use Burp Intruder to Bruteforce Forms
• 2016.02 [THER] Learn Burp Suite, the Nr. 1 Web Hacking Tool - 07 - Intruder and Comparer
• 2014.02 [nvisium] Challenges of Mobile API Signature Forgery with Burp Intruder
• 2012.06 [freebuf] [连载]Burp Suite详细使用教程-Intruder模块详解(3)
• 2012.06 [freebuf] [连载]Burp Suite详细使用教程-Intruder模块详解(2)
• 2012.06 [freebuf] [技巧]Burp Intruder中的Timing选项的使用
• 2012.05 [freebuf] Burp Suite详细使用教程-Intruder模块详解
• 2011.11 [digi] Burp Intruder Attack Types
• 2011.06 [console] Burp Intruder Time fields

---

Repeater

工具

• [66星][19d] [Java] coreyd97/stepper A natural evolution of Burp Suite's Repeater tool
• [52星][29d] [Java] portswigger/stepper A natural evolution of Burp Suite's Repeater tool
• [36星][1m] [Kotlin] typeerror/bookmarks A Burp Suite Extension to take back your repeater tabs
• [6星][6y] [Perl] allfro/browserrepeater BurpSuite extension for Repeater tool that renders responses in a real browser.

文章

• 2019.10 [KacperSzurek] [BURP] 12 trików do Burp Repeater
• 2019.09 [aliyun] BurpSuite插件 - AutoRepeater说明
• 2016.02 [THER] Learn Burp Suite, the Nr. 1 Web Hacking Tool - 04 - Repeater Module

---

Extender

工具

• [192星][2y] [Java] p3gleg/pwnback Burp Extender plugin that generates a sitemap of a website using Wayback Machine
• [143星][1y] [Java] tomsteele/burpbuddy burpbuddy exposes Burp Suites's extender API over the network through various mediums, with the goal of enabling development in any language without the restrictions of the JVM
• [59星][5y] [Ruby] tduehr/buby A JRuby implementation of the BurpExtender interface for PortSwigger Burp Suite.
• [33星][2y] [Java] dnet/burp-oauth OAuth plugin for Burp Suite Extender
• [28星][2y] [Java] bit4woo/gui_burp_extender_para_encrypter Burp_Extender_para_encrypter
• [19星][1y] [Java] nccgroup/wcfdser-ngng A Burp Extender plugin, that will make binary soap objects readable and modifiable.
• [15星][4m] [Java] twelvesec/jdser-dcomp A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized java objects.
• [10星][2y] [Py] sahildhar/burpextenderpractise burp extender practise
• [6星][2y] [Java] secureskytechnology/burpextender-proxyhistory-webui Burp Extender . Proxy History viewer in Web UI
• [4星][2y] [Java] pentestpartners/fista A Burp Extender plugin allowing decoding of fastinfoset encoded communications.
• [3星][6y] [Java] directdefense/noncetracker A Burp extender module that tracks and updates nonce values per a specific application action.

文章

• 2017.05 [trustwave] Airachnid: Web Cache Deception Burp Extender
• 2014.08 [liftsecurity] Burp Extender With Scala
• 2013.12 [directdefense] Multiple NONCE (one-time token) Value Tracking with Burp Extender
• 2009.04 [portswigger] Using Burp Extender | Blog
• 2008.11 [portswigger] [MoBP] Burp Extender extended | Blog

---

Macros

工具

• [7星][2y] [Java] pajswigger/add-request-to-macro Burp extension to add a request to a macro

文章

• 2019.01 [aliyun] 使用Burp Suite 宏自动化处理 Session 会话
• 2018.12 [parsiya] Tiredful API - Part 1 - Burp Session Validation with Macros
• 2018.12 [4hou] 通过Burp Macros自动化平台对Web应用的模糊输入进行处理
• 2018.12 [parsiya] Tiredful API. Part1: 使用宏验证Burp会话
• 2017.12 [freebuf] 经验分享 | Burpsuite中宏的使用
• 2017.09 [freebuf] 如何通过BurpSuiteMacro自动化模糊测试Web应用的输入点
• 2017.02 [cyberis] Creating Macros for Burp Suite
• 2015.12 [blackhillsinfosec] Using Simple Burp Macros to Automate Testing
• 2015.11 [gracefulsecurity] Burp Macros: Automatic Re-authentication
• 2011.03 [portswigger] Burp v1.4 preview - Macros | Blog

---

Extractor

• 2018.08 [4hou] Burp Extractor扩展工具介绍
• 2018.08 [aliyun] BurpSuite Extender之巧用Marco和Extractor绕过Token限制
• 2018.08 [netspi] Introducing Burp Extractor

---

Spider

• 2017.07 [360] BurpSuite插件：利用BurpSuite Spider收集子域名和相似域名
• 2017.07 [polaris] BurpSuite插件：利用BurpSuite Spider收集子域名和相似域名
• 2017.06 [hackingarticles] How to Spider Web Applications using Burpsuite
• 2017.02 [HackingMonks] Web Spidering (Manual and Automated with Burp Suite)
• 2016.02 [THER] Learn Burp Suite, the Nr. 1 Web Hacking Tool - 05 - Target and Spider

平台

---

Web

WAF

工具

• [421星][10m] [Java] nccgroup/burpsuitehttpsmuggler A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques
• [269星][3y] [Java] codewatchorg/bypasswaf Add headers to all Burp requests to bypass some WAF products
• [8星][7m] [Py] bao7uo/waf-cookie-fetcher WAF Cookie Fetcher is a Burp Suite extension written in Python, which uses a headless browser to obtain the values of WAF-injected cookies which are calculated in the browser by client-side JavaScript code and adds them to Burp's cookie jar. Requires PhantomJS.

文章

• 2018.11 [4hou] 利用burp插件Hackvertor绕过waf并破解XOR加密
• 2017.10 [4hou] Bypass WAF：使用Burp插件绕过一些WAF设备
• 2015.06 [freebuf] 可绕过WAF的Burp Suite插件 – BypassWAF

HTTP/HTTPS

工具

• [403星][5m] [Java] nccgroup/autorepeater Automated HTTP Request Repeating With Burp Suite
• [396星][21d] [Java] portswigger/http-request-smuggler an extension for Burp Suite designed to help you launch HTTP Request Smuggling attack
• [391星][11d] [Kotlin] portswigger/turbo-intruder a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
• [240星][2m] [Py] m4ll0k/burpsuite-secret_finder Burp Suite extension to discover apikeys/accesstokens and sensitive data from HTTP response.
• [128星][15d] [Py] redhuntlabs/burpsuite-asset_discover Burp Suite extension to discover assets from HTTP response.
• [103星][2y] [Java] gosecure/csp-auditor Burp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP configuration from crawling a Website
• [69星][12d] [Java] c0ny1/httpheadmodifer 一款快速修改HTTP数据包头的Burp Suite插件
• [54星][6m] [Py] gh0stkey/jsonandhttpp Burp Suite Plugin to convert the json text that returns the body into HTTP request parameters.
• [51星][2y] [Java] netspi/burpextractor A Burp extension for generic extraction and reuse of data within HTTP requests and responses.
• [33星][12m] twelvesec/bearerauthtoken This burpsuite extender provides a solution on testing Enterprise applications that involve security Authorization tokens into every HTTP requests.Furthermore, this solution provides a better approach to solve the problem of Burp suite automated scanning failures when Authorization tokens exist.
• [30星][7m] [Java] bit4woo/burp-api-drops burp suite API 处理http请求和响应的基本流程
• [29星][2m] [Java] ibey0nd/nstproxy 一款存储HTTP请求入库的burpsuite插件
• [13星][5y] [Py] enablesecurity/identity-crisis A Burp Suite extension that checks if a particular URL responds differently to various User-Agent headers
• [11星][3y] [Ruby] crashgrindrips/burp-dump A Burp plugin to dump HTTP(S) requests/responses to a file system
• [8星][2y] [Py] andresriancho/burp-proxy-search Burp suite HTTP history advanced search
• [8星][7y] [Java] cyberisltd/post2json Burp Suite Extension to convert a POST request to JSON message, moving any .NET request verification token to HTTP headers if present
• [8星][3y] [Java] eonlight/burpextenderheaderchecks A Burp Suite Extension that adds Header Checks and other helper functionalities
• [6星][2y] [Java] stackcrash/burpheaders Burp extension for checking optional headers
• [6星][2m] [Java] iamaldi/rapid Rapid is a Burp extension that enables you to save HTTP Request / Response to file in a user friendly text format a lot faster.
• [5星][3y] [Py] floyd-fuh/burp-collect500 Burp plugin that collects all HTTP 500 messages
• [3星][2y] [Py] externalist/aes-encrypt-decrypt-burp-extender-plugin-example A POC burp extender plugin to seamlessly decrypt/encrypt encrypted HTTP network traffic.

文章

• 2019.08 [chawdamrunal] How i exploit out-of-band resource load (HTTP) using burp suite extension plugin (taborator)
• 2019.06 [infosecinstitute] Intercepting HTTPS traffic with Burp Suite
• 2019.01 [nxadmin] Android 7.0+手机burpsuite抓包https
• 2018.12 [ecforce] 创建Burp扩展, 使用HMAC签名替换HTTP Header
• 2018.06 [NetworkHeros] Ethical Hacking (CEHv10) :Intercept HTTPS (SSL) traffic with Burpsuite
• 2018.02 [nxadmin] ios 11.2.5 burpsuite抓https
• 2018.01 [freebuf] 经验分享 | Burpsuite抓取非HTTP流量
• 2017.12 [freebuf] 如何使用Burp和Magisk在Android 7.0监测HTTPS流量
• 2017.12 [nviso] Intercepting HTTPS Traffic from Apps on Android 7+ using Magisk & Burp
• 2017.12 [4hou] 如何使用 Burp 代理调试安卓应用中的 HTTP(S) 流量
• 2017.11 [nxadmin] burpsuite抓包https请求相关
• 2017.03 [HackingMonks] HTTP Header Injection (Mannual and Burpsuite)
• 2017.03 [HackingMonks] BurpSuite HTTPS proxy setting (Install CA certificates)
• 2017.01 [hackingarticles] Hack the Basic HTTP Authentication using Burpsuite
• 2016.09 [freebuf] 新手教程：如何使用Burpsuite抓取手机APP的HTTPS数据
• 2015.10 [g0tmi1k] DVWA Brute Force (Low Level) - HTTP GET Form [Hydra, Patator, Burp]
• 2014.06 [robert] Howto install and use the Burp Suite as HTTPS Proxy on Ubuntu 14.04
• 2014.06 [sensepost] Associating an identity with HTTP requests – a Burp extension
• 2014.02 [trustwave] “Reversing” Non-Proxy Aware HTTPS Thick Clients w/ Burp
• 2013.10 [agarri] Exploiting WPAD with Burp Suite and the "HTTP Injector" extension
• 2013.10 [agarri] Exploiting WPAD with Burp Suite and the "HTTP Injector" extension
• 2013.02 [freebuf] Burpsuite教程与技巧之HTTP brute暴力破解
• 2013.02 [freebuf] AuthTrans(原创工具)+BurpSuite的暴力美学-破解Http Basic认证
• 2012.12 [freebuf] iPhone上使用Burp Suite捕捉HTTPS通信包方法

XSS

工具

• [308星][1y] [Java] elkokc/reflector Burp 插件，浏览网页时实时查找反射 XSS
• [306星][3y] [Java] nvisium/xssvalidator This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
• [166星][4m] [Py] wish-i-was/femida Automated blind-xss search for Burp Suite
• [102星][1y] [Java] mystech7/burp-hunter XSS Hunter Burp Plugin
• [48星][11d] [Py] bitthebyte/bitblinder Burp extension helps in finding blind xss vulnerabilities
• [34星][3y] [Py] attackercan/burp-xss-sql-plugin Burp plugin which I used for years which helped me to find several bugbounty-worthy XSSes, OpenRedirects and SQLi.
• [34星][2m] [JS] psych0tr1a/elscripto XSS explot kit/Blind XSS framework/BurpSuite extension
• [29星][3y] [Java] portswigger/xss-validator This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
• [24星][23d] [Py] jiangsir404/xss-sql-fuzz burpsuite 插件对GP所有参数(过滤特殊参数)一键自动添加xss sql payload 进行fuzz
  • 重复区段: Fuzz->工具 |SQL->工具 |
• [23星][3m] [Py] hpd0ger/supertags 一个Burpsuite插件，用于检测隐藏的XSS
• [2星][3m] [Java] conanjun/xssblindinjector burp插件，实现自动化xss盲打以及xss log

文章

• 2018.05 [freebuf] Burp Xss Scanner插件开发思路分享（附下载）
• 2017.08 [4hou] 如何使用Burp Suite模糊测试SQL注入、XSS、命令执行漏洞
• 2017.07 [hackingarticles] Fuzzing SQL,XSS and Command Injection using Burp Suite
• 2017.04 [freebuf] 如何通过BurpSuite检测Blind XSS漏洞
• 2017.04 [agarri] Exploiting a Blind XSS using Burp Suite
• 2017.04 [agarri] Exploiting a Blind XSS using Burp Suite
• 2015.12 [toolswatch] Sleepy Puppy Burp Extension for XSS v1.0
• 2014.01 [nvisium] Accurate XSS Detection with BurpSuite and PhantomJS
• 2013.07 [cyberis] Testing .NET MVC for JSON Request XSS - POST2JSON Burp Extension

CSRF

工具

• [12星][2y] [Java] ah8r/csrf CSRF Scanner Extension for Burp Suite Pro

文章

• 2018.01 [4hou] 如何绕过csrf保护，并在burp suite中使用intruder？
• 2017.09 [securestate] Updating Anti-CSRF Tokens in Burp Suite
• 2017.09 [securestate] Updating Anti-CSRF Tokens in Burp Suite
• 2017.01 [360] 使用Burp的intruder功能测试有csrf保护的应用程序
• 2016.06 [securityblog] Using Burp Intruder to Test CSRF Protected Applications
• 2015.11 [gracefulsecurity] Burp Suite vs CSRF Tokens: Round Two
• 2015.11 [gracefulsecurity] Burp Suite vs CSRF Tokens Part 2: CSRFTEI for Remote Tokens
• 2015.11 [gracefulsecurity] Burp Suite vs CSRF Tokens
• 2015.11 [gracefulsecurity] Burp Suite vs CSRF Tokens: CSRFTEI
• 2014.07 [notsosecure] Pentesting Web Service with anti CSRF token using BurpPro
• 2014.02 [nvisium] Using Burp Intruder to Test CSRF Protected Applications
• 2012.09 [trustwave] Adding Anti-CSRF Support to Burp Suite Intruder
• 2012.05 [edge] Testing CSRF aware webapps with Burp

REST

工具

• [307星][1y] [Java] vmware/burp-rest-api REST/JSON API to the Burp Suite security tool.
• [47星][1y] [Ruby] pentestgeek/burpcommander Ruby command-line interface to Burp Suite's REST API
• [35星][7y] [Java] continuumsecurity/resty-burp REST/JSON interface to Burp Suite
• [34星][3m] [Py] dionach/headersanalyzer Burp extension that checks for interesting and security headers
• [13星][11m] [Py] anandtiwarics/python-burp-rest-api Python Package for burprestapi

文章

• 2018.12 [mindpointgroup] REST Assured: Penetration Testing REST APIs Using Burp Suite: Part 3 – Reporting
• 2018.11 [mindpointgroup] 使用Burp对REST API进行渗透测试. Part2
• 2018.11 [mindpointgroup] 使用Burp Suite对REST API进行渗透测试. Part1:介绍与配置
• 2018.11 [doyensec] Introducing burp-rest-api v2

JWT

工具

• [112星][9d] [Java] ozzi-/jwt4b JWT Support for Burp
• [22星][1m] [Java] portswigger/json-web-tokens JWT Support for Burp
• [7星][1m] [Java] lorenzog/burpaddcustomheader A Burp Suite extension to add a custom header (e.g. JWT)

文章

• 2017.05 [compass] JWT Burp Extension

---

Windows

文章

• 2018.03 [nviso] Intercepting Belgian eID (PKCS#11) traffic with Burp Suite on OS X / Kali / Windows
• 2017.02 [HackingMonks] Burp Suite complete Version (Windows installation)
• 2016.02 [parsiya] Installing Burp Certificate Authority in Windows Certificate Store

---

Linux

文章

• 2018.03 [nviso] Intercepting Belgian eID (PKCS#11) traffic with Burp Suite on OS X / Kali / Windows

---

Apple

文章

• 2018.03 [nviso] Intercepting Belgian eID (PKCS#11) traffic with Burp Suite on OS X / Kali / Windows
• 2016.08 [bogner] Burp.app – Making Burp a little more OS X like
• 2015.12 [nabla] Burp and iOS 9 App Transport Security
• 2014.08 [appsecconsulting] Running Stubborn Devices Through Burp Suite via OSX Mountain Lion and Above

---

Android

工具

• [282星][3y] [Java] mateuszk87/badintent Intercept, modify, repeat and attack Android's Binder transactions using Burp Suite
• [12星][21d] [JS] shahidcodes/android-nougat-ssl-intercept It decompiles target apk and adds security exception to accept all certificates thus making able to work with Burp/Charles and Other Tools

文章

• 2019.06 [bugbountywriteup] Digging Android Applications — Part 1 — Drozer + Burp
• 2018.12 [doyler] Proxy Android Apps through Burp for Mobile Assessments
• 2018.01 [nviso] 结合使用 Burp 与自定义 rootCA 来探查 Android N 网络流量
• 2018.01 [freebuf] 如何在Android Nougat中正确配置Burp Suite？
• 2018.01 [ropnop] Configuring Burp Suite with Android Nougat
• 2017.12 [aliyun] 安卓脱壳&&协议分析&&Burp辅助分析插件编写
• 2016.11 [nxadmin] Burpsuite抓包Android模拟器(AVD)设置
• 2014.01 [nvisium] Android Assessments with GenyMotion + Burp
• 2012.08 [freebuf] Burp Suite V1.4.12发布: 新增破解Android SSL功能
• 2012.08 [toolswatch] Burp Suite v1.4.12 in the wild with the support of Android SSL Analysis

---

Cloud

工具

• [293星][9d] [Py] rhinosecuritylabs/iprotate_burp_extension Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request.
• [178星][2y] [Py] virtuesecurity/aws-extender a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.
• [47星][3m] [Java] netspi/awssigner Burp Extension for AWS Signing

漏洞

---

工具

• [691星][11m] [Java] vulnerscom/burp-vulners-scanner Burp扫描插件，基于vulners.com搜索API
• [401星][2y] [Java] federicodotta/java-deserialization-scanner All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities
• [140星][2m] [JS] h3xstream/burp-retire-js Burp/ZAP/Maven extension that integrate Retire.js repository to find vulnerable Javascript libraries.
• [131星][2y] [Java] yandex/burp-molly-scanner Turn your Burp suite into headless active web application vulnerability scanner
• [104星][6m] [Py] kapytein/jsonp a Burp Extension which attempts to reveal JSONP functionality behind JSON endpoints. This could help reveal cross-site script inclusion vulnerabilities or aid in bypassing content security policies.
• [104星][2y] [Java] spiderlabs/airachnid-burp-extension A Burp Extension to test applications for vulnerability to the Web Cache Deception attack
• [81星][10m] [Py] nccgroup/argumentinjectionhammer A Burp Extension designed to identify argument injection vulnerabilities.
• [75星][4y] [Java] directdefense/superserial SuperSerial - Burp Java Deserialization Vulnerability Identification
• [74星][5y] [Py] integrissecurity/carbonator The Burp Suite Pro extension that automates scope, spider & scan from the command line.
• [65星][2y] [Py] capt-meelo/telewreck A Burp extension to detect and exploit versions of Telerik Web UI vulnerable to CVE-2017-9248.
• [59星][3y] [Java] vulnerscom/burp-dirbuster Dirbuster plugin for Burp Suite
• [57星][3y] [Java] linkedin/sometime A BurpSuite plugin to detect Same Origin Method Execution vulnerabilities
• [56星][2y] [Java] bigsizeme/burplugin-java-rce Burp plugin, Java RCE
• [47星][2y] [Java] portswigger/httpoxy-scanner A Burp Suite extension that checks for the HTTPoxy vulnerability.
• [39星][3y] [Java] directdefense/superserial-active SuperSerial-Active - Java Deserialization Vulnerability Active Identification Burp Extender
• [35星][3y] [Py] thomaspatzke/burp-sessionauthtool Burp plugin which supports in finding privilege escalation vulnerabilities
• [30星][29d] [Py] portswigger/wordpress-scanner Find known vulnerabilities in WordPress plugins and themes using Burp Suite proxy. WPScan like plugin for Burp.
• [25星][3y] [Java] vankyver/burp-vulners-scanner Burp scanner plugin based on Vulners.com vulnerability database
• [23星][3y] [Java] vah13/burpcrlfplugin Another plugin for CRLF vulnerability detection
• [11星][10d] [Java] codewatchorg/burp-indicatorsofvulnerability Burp extension that checks application requests and responses for indicators of vulnerability or targets for attack
• [4星][2y] [Java] codedx/burp-extension Burp Suite plugin to send data to Code Dx software vulnerability management system
• [2星][1y] [Java] moeinfatehi/cvss_calculator CVSS Calculator - a burp suite extension for calculating CVSS v2 and v3 scores of vulnerabilities.
• [2星][4y] [Java] thec00n/dradis-vuln-table Dradis Vuln Table extension for Burp suite
• [1星][2y] [Java] rammarj/burp-header-injector Burp Free plugin to test for host header injection vulnerabilities. (Development)

---

文章

• 2020.01 [freebuf] 挖洞经验 | 用BurpSuite实现越权漏洞（IDOR）的自动发现识别
• 2019.03 [int0x33] Day 82: Hunting for Vulnerabilities in Android Apps with Burp and APK Tools
• 2019.01 [sans] Extending Burp to Find Struts and XXE Vulnerabilities
• 2018.09 [4hou] 使用Burp和Ysoserial实现Java反序列化漏洞的盲利用
• 2018.05 [thief] burpsuite插件开发之检测越权访问漏洞
• 2018.01 [security] Burp WP - Find vulnerabilities in WordPress using Burp
• 2017.12 [avleonov] Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome
• 2017.09 [aliyun] 请问能burpsuite的插件中直接获取到直接获取到漏洞报告吗？
• 2017.08 [freebuf] HUNT：一款可提升漏洞扫描能力的BurpSuite漏洞扫描插件
• 2017.07 [freebuf] Burp Suite扫描器漏洞扫描功能介绍及简单教程
• 2017.07 [hackingarticles] Vulnerability Analysis in Web Application using Burp Scanner
• 2017.07 [vulners] 2 years of Vulners and new plugin for Burp Scanner
• 2017.06 [4hou] 使用 Burp Infiltrator 进行漏洞挖掘
• 2017.06 [4hou] 将Burp Scanner漏洞结果转换为Splunk事件
• 2017.02 [HackingMonks] Website Vulnerability Scanning Burp Suite in Kali Linux
• 2015.12 [mediaservice] Scanning for Java Deserialization Vulnerabilities in web applications with Burp Suite
• 2015.08 [freebuf] 本地文件包含漏洞检测工具 – Burp国产插件LFI scanner checks
• 2013.08 [freebuf] BurpSuite权限提升漏洞检测插件——The Burp SessionAuth
• 2013.08 [toolswatch] The Burp SessionAuth – Extension for Detection of Possible Privilege escalation vulnerabilities

扫描

---

工具

• [553星][4m] [Java] wagiro/burpbounty is a extension of Burp Suite to improve the active and passive scanner by means of personalized rules through a very intuitive graphical interface.
• [449星][8m] [Py] albinowax/activescanplusplus ActiveScan++ Burp Suite Plugin
• [308星][10d] [Java] c0ny1/passive-scan-client Burp被动扫描流量转发插件
• [253星][11d] [Py] initroot/burpjslinkfinder Burp Extension for a passive scanning JS files for endpoint links.
• [231星][8m] [Perl] modzero/mod0burpuploadscanner HTTP file upload scanner for Burp Proxy
• [189星][15d] [Perl] portswigger/upload-scanner HTTP file upload scanner for Burp Proxy
• [42星][2y] [Py] modzero/interestingfilescanner Burp extension to scans for interesting files and directories
• [40星][1y] [Py] luh2/detectdynamicjs Burp Extension provides an additional passive scanner that tries to find differing content in JavaScript files and aid in finding user/session data.
• [37星][1y] [Java] augustd/burp-suite-error-message-checks Burp Suite extension to passively scan for applications revealing server error messages
• [36星][5m] [Py] arbazkiraak/burpblh 使用IScannerCheck发现被劫持的损坏链接. Burp插件
• [35星][8m] [Py] portswigger/active-scan-plus-plus ActiveScan++ Burp Suite Plugin
• [34星][4y] [Py] politoinc/yara-scanner Yara intergrated into BurpSuite
• [34星][6m] [Py] portswigger/js-link-finder Burp Extension for a passive scanning JS files for endpoint links.
• [30星][24d] [Java] portswigger/scan-check-builder a extension of Burp Suite that improve an active and passive scanner by yourself. This extension requires Burp Suite Pro.
• [27星][6y] [Py] opensecurityresearch/custompassivescanner A Custom Scanner for Burp
• [27星][4m] [Java] mirfansulaiman/customheader This Burp Suite extension allows you to customize header with put a new header into HTTP REQUEST BurpSuite (Scanner, Intruder, Repeater, Proxy History)
• [24星][3y] [Py] silentsignal/activescan3plus Modified version of ActiveScan++ Burp Suite extension
• [23星][11m] [BitBake] ghsec/bbprofiles a extension of Burp Suite that improve an active and passive scanner by yourself
• [21星][2y] [Py] unamer/ctfhelper A simple Burp extension for scanning stuffs in CTF
• [21星][4y] [Py] f-secure/headless-scanner-driver A Burp Suite extension that starts scanning on requests it sees, and dumps results on standard output
• [20星][5m] [Java] aress31/flarequench Burp Suite plugin that adds additional checks to the passive scanner to reveal the origin IP(s) of Cloudflare-protected web applications.
• [19星][8m] [Java] thomashartm/burp-aem-scanner Burp Scanner extension to fingerprint and actively scan instances of the Adobe Experience Manager CMS. It checks the website for common misconfigurations and security holes.
• [18星][9d] [Java] augustd/burp-suite-software-version-checks Burp extension to passively scan for applications revealing software version numbers
• [18星][4y] codewatchorg/burp-yara-rules Yara rules to be used with the Burp Yara-Scanner extension
• [18星][2m] [BitBake] sy3omda/burp-bounty is extension of Burp Suite that improve Burp scanner.
• [13星][11m] [Py] thomaspatzke/burp-missingscannerchecks Collection of scanner checks missing in Burp
• [10星][4y] [Java] augustd/burp-suite-token-fetcher Burp Extender to add unique form tokens to scanner requests.
• [10星][2y] [Java] securifybv/phpunserializecheck PHP Unserialize Check - Burp Scanner Extension
• [10星][2m] [Java] veggiespam/imagelocationscanner Scan for GPS location exposure in images with this Burp & ZAP plugin.
• [7星][3y] [Py] luh2/pdfmetadata The PDF Metadata Burp Extension provides an additional passive Scanner check for metadata in PDF files.
• [7星][23d] [Java] parsiya/bug-diaries A extension for Burp's free edition that mimics the pro edition's custom scan issues.
• [5星][4y] [Java] eganist/burp-issue-poster This Burp Extension is intended to post to a service the details of an issue found either by active or passive scanning
• [4星][4y] [Ruby] blazeinfosec/activeevent ActiveEvent is a Burp plugin that integrates Burp Scanner and Splunk events
• [3星][2y] [Java] alexlauerman/incrementmeplease Burp extension to increment a parameter in each active scan request
• [2星][5y] [Shell] evilpacket/bower-burp-static-analysis Nov 2014 scan of bower using burp suite static analysis engine
• [2星][10m] [Py] jamesm0rr1s/burpsuite-add-and-track-custom-issues Add & Track Custom Issues is a Burp Suite extension that allows users to add and track manual findings that the automated scanner was unable to identify.
• [1星][8m] [Java] bort-millipede/burp-batch-report-generator Small Burp Suite Extension to generate multiple scan reports by host with just a few clicks. Works with Burp Suite Professional only.
• [1星][1y] [Java] logicaltrust/burpexiftoolscanner Burp extension, reads metadata using ExifTool
• [1星][2y] [Java] moradotai/cms-scan An active scan extension for Burp that provides supplemental coverage when testing popular content management systems.
• [0星][11m] [Java] xorrbit/burp-nessusloader Burp Suite extension to import detected web servers from a Nessus scan xml file (.nessus)

---

文章

• 2019.10 [trustfoundry] Scanning At Scale: Burp Suite Enterprise Edition
• 2019.05 [web] Scanning TLS Server Configurations with Burp Suite
• 2018.08 [jerrygamblin] Bulk Bug Bounty Scanning With The Burp 2.0 API
• 2018.02 [ZeroNights] [Defensive Track]Eldar Zaitov, Andrey Abakumov - Automation of Web Application Scanning With Burp
• 2017.08 [360] Burp Suite扩展之Java-Deserialization-Scanner
• 2017.07 [intrinsec] Burp extension « Scan manual insertion point »
• 2017.05 [moxia] 【技术分享】Burp Suite扩展开发之Shodan扫描器（已开源）
• 2016.12 [360] Burp Suite扩展开发之Shodan扫描器（已开源）
• 2016.11 [jerrygamblin] Automated Burp Suite Scanning and Reporting To Slack.
• 2016.04 [freebuf] 针对非Webapp测试的Burp技巧（二）：扫描、重放
• 2016.03 [parsiya] Thick Client Proxying - Part 2: Burp History, Intruder, Scanner and More
• 2016.03 [parsiya] Thick Client Proxying - Part 2: Burp History, Intruder, Scanner and More
• 2016.02 [THER] Learn Burp Suite, the Nr. 1 Web Hacking Tool - 06 - Sequencer and Scanner
• 2015.10 [freebuf] J2EEScan：J2EE安全扫描（Burp插件）
• 2012.12 [portswigger] Sample Burp Suite extension: custom scanner checks | Blog
• 2012.12 [portswigger] Sample Burp Suite extension: custom scan insertion points | Blog

Fuzz

---

工具

• [211星][5m] [Java] h3xstream/http-script-generator ZAP/Burp plugin that generate script to reproduce a specific HTTP request (Intended for fuzzing or scripted attacks)
• [63星][7m] [Py] pinnace/burp-jwt-fuzzhelper-extension Burp扩展, 用于Fuzzing JWT
• [55星][3y] [Py] mseclab/burp-pyjfuzz Burp Suite plugin which implement PyJFuzz for fuzzing web application.
• [42星][3y] team-firebugs/burp-lfi-tests Fuzzing for LFI using Burpsuite
• [28星][3y] [Py] floyd-fuh/burp-httpfuzzer Burp plugin to do random fuzzing of HTTP requests
• [24星][23d] [Py] jiangsir404/xss-sql-fuzz burpsuite 插件对GP所有参数(过滤特殊参数)一键自动添加xss sql payload 进行fuzz
  • 重复区段: 平台->Web->XSS->工具 |SQL->工具 |
• [21星][7y] raz0r/burp-radamsa Radamsa fuzzer extension for Burp Suite
• [18星][1y] [Py] mgeeky/burpcontextawarefuzzer BurpSuite's payload-generation extension aiming at applying fuzzed test-cases depending on the type of payload (integer, string, path; JSON; XML; GWT; binary) and following encoding-scheme applied originally.
• [6星][29d] [Java] nscuro/bradamsa-ng Burp Suite extension for Radamsa-powered fuzzing with Intruder
• [4星][2y] [Java] huvuqu/fuzz18plus Advance of fuzzing for Web pentest. Based on Burp extension, send HTTP request template out to Python fuzzer.
• [1星][7m] [Kotlin] gosecure/burp-fuzzy-encoding-generator Quickly test various encoding for a given value in Burp Intruder

---

文章

• 2018.11 [d0znpp] Extending fuzzing with Burp by FAST
• 2017.09 [4hou] 利用Burp“宏”解决自动化 web fuzzer的登录问题
• 2017.09 [360] 如何使用Burp Suite Macros绕过防护进行自动化fuzz测试
• 2017.09 [securelayer7] 使用 Burp 的宏功能，实现 WebApp 输入 Fuzzing 的自动化
• 2017.09 [securelayer7] Automating Web Apps Input fuzzing via Burp Macros
• 2016.10 [code610] HTTP Server fuzzing with Burp
• 2013.10 [debasish] Fuzzing Facebook for $$$ using Burpy
• 2013.06 [raz0r] Radamsa Fuzzer Extension for Burp Suite
• 2012.11 [freebuf] 渗透测试神器Burp弹药扩充-fuzzdb
• 2010.09 [netspi] Fuzzing Parameters in CSRF Resistant Applications with Burp Proxy

SQL

---

工具

• [393星][2y] [Py] rhinosecuritylabs/sleuthql Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
• [237星][2y] [Java] difcareer/sqlmap4burp sqlmap embed in burpsuite
• [186星][4m] [Py] codewatchorg/sqlipy Burp Suite 插件, 使用 SQLMap API 集成SQLMap
• [156星][2m] trietptm/sql-injection-payloads SQL Injection Payloads for Burp Suite, OWASP Zed Attack Proxy,...
  • 重复区段: Payload->工具 |
• [120星][12d] [Java] c0ny1/sqlmap4burp-plus-plus 一款兼容Windows，mac，linux多个系统平台的Burp与sqlmap联动插件
• [24星][23d] [Py] jiangsir404/xss-sql-fuzz burpsuite 插件对GP所有参数(过滤特殊参数)一键自动添加xss sql payload 进行fuzz
  • 重复区段: 平台->Web->XSS->工具 |Fuzz->工具 |
• [24星][3m] [Py] portswigger/sqli-py a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
• [22星][8y] [Py] milo2012/burpsql Automating SQL injection using Burp Proxy Logs and SQLMap
• [9星][1m] [Py] orleven/burpcollect 基于BurpCollector的二次开发， 记录Burpsuite Site Map记录的里的数据包中的目录路径参数名信息，并存入Sqlite，并可导出txt文件。
• [0星][3y] [Java] silentsignal/burp-sqlite-logger SQLite logger for Burp Suite
  • 重复区段: 日志->工具 |

---

文章

• 2019.08 [nviso] Using Burp’s session Handling Rules to insert authorization cookies into Intruder, Repeater and even sqlmap
• 2018.11 [pediy] [原创]利用BurpSuite到SQLMap批量测试SQL注入
• 2018.05 [freebuf] Burpsuit结合SQLMapAPI产生的批量注入插件（X10）
• 2018.05 [freebuf] Burpsuit结合SQLMapAPI产生的批量注入插件
• 2018.04 [valeriyshevchenko] BurpSuit + SqlMap = One Love
• 2018.04 [freebuf] 关于Sql注入以及Burpsuite Intruders使用的一些浅浅的见解
• 2017.08 [freebuf] 使用Burp和自定义Sqlmap Tamper利用二次注入漏洞
• 2017.08 [4hou] 通过Burp以及自定义的Sqlmap Tamper进行二次SQL注入
• 2017.08 [360] 如何借助Burp和SQLMap Tamper利用二次注入
• 2017.08 [pentest] 使用 Burp 和自定义的Sqlmap Tamper 脚本实现 Second Order SQLi 漏洞利用
• 2017.03 [4hou] 利用Burp“宏”自动化另类 SQLi
• 2017.03 [freebuf] Burpsuite+SQLMAP双璧合一绕过Token保护的应用进行注入攻击
• 2017.03 [360] 使用burp macros和sqlmap绕过csrf防护进行sql注入
• 2017.01 [hackingarticles] Sql Injection Exploitation with Sqlmap and Burp Suite (Burp CO2 Plugin)
• 2017.01 [HackingMonks] Burpsuite - 1 (SQL injection,intercepting)
• 2016.11 [360] Burp Suite插件开发之SQL注入检测（已开源）
• 2016.11 [vkremez] Burp Suite and sqlmap
• 2016.05 [freebuf] BurpSuite日志分析过滤工具，加快SqlMap进行批量扫描的速度
• 2016.03 [freebuf] 如何编写burpsuite联动sqlmap的插件
• 2014.09 [freebuf] 渗透神器合体：在BurpSuite中集成Sqlmap
• 2014.08 [nvisium] iOS Assessments with Burp + iFunBox + SQLite
• 2013.04 [pediy] [原创]利用sqlmap和burpsuite绕过csrf token进行SQL注入
• 2013.02 [pentestlab] SQL Injection Authentication Bypass With Burp
• 2012.12 [freebuf] Burpsuite sqlmap插件
• 2012.11 [freebuf] Burp Suite—BLIND SQL INJECTION
• 2012.10 [] 使用BurpSuite来进行sql注入
• 2012.09 [freebuf] BurpSuite教程与技巧之SQL Injection
• 2012.06 [milo2012] Automating SQL Injection with Burp, Sqlmap and GDS Burp API
• 2012.06 [websec] Using Burp to exploit a Blind SQL Injection
• 2012.05 [freebuf] [技巧]使用Burpsuite辅助Sqlmap进行POST注入测试
• 2012.04 [firebitsbr] Pentest tool: Gason: A plugin to run sqlmap into burpsuite.
• 2011.05 [console] Web Hacking Video Series #1 Automating SQLi with Burp Extractor
• 2011.04 [depthsecurity] Blind SQL Injection & BurpSuite - Like a Boss

日志

---

工具

• [523星][4m] [Py] romanzaikin/burpextension-whatsapp-decryption-checkpoint Burp extension to decrypt WhatsApp Protocol
• [251星][2y] [Java] nccgroup/burpsuiteloggerplusplus Burp Suite Logger++: Log activities of all the tools in Burp Suite
• [97星][2y] [Py] debasishm89/burpy parses Burp Suite log and performs various tests depending on the module provided and finally generate a HTML report.
• [66星][4y] [Py] tony1016/burplogfilter A python3 program to filter Burp Suite log file.
• [43星][1y] [Py] bayotop/sink-logger Burp扩展,无缝记录所有传递到已知JavaScript sinks的数据
• [35星][25d] [Java] righettod/log-requests-to-sqlite BURP extension to record every HTTP request send via BURP and create an audit trail log of an assessment.
• [5星][7m] [Java] logicaltrust/burphttpmock This Burp extension provides mock responses based on the real ones.
• [3星][1y] [Java] ax/burp-logs Logs is a Burp Suite extension to work with log files.
• [0星][3y] [Java] silentsignal/burp-sqlite-logger SQLite logger for Burp Suite
  • 重复区段: SQL->工具 |

Payload

---

工具

• [441星][9d] [Java] bit4woo/recaptcha 自动识别图形验证码并用于burp intruder爆破模块的插件
• [156星][2m] trietptm/sql-injection-payloads SQL Injection Payloads for Burp Suite, OWASP Zed Attack Proxy,...
  • 重复区段: SQL->工具 |
• [74星][2y] [Java] ikkisoft/bradamsa Burp Suite extension to generate Intruder payloads using Radamsa
• [60星][1y] [Py] destine21/zipfileraider ZIP File Raider - Burp Extension for ZIP File Payload Testing
• [55星][2y] [Java] righettod/virtualhost-payload-generator BURP extension providing a set of values for the HTTP request "Host" header for the "BURP Intruder" in order to abuse virtual host resolution.
• [34星][11d] tdifg/payloads for burp
• [20星][4m] thehackingsage/burpsuite BurpSuite Pro, Plugins and Payloads
• [19星][5y] [Java] lgrangeia/aesburp Burp Extension to manipulate AES encrypted payloads
• [12星][3m] [Java] tmendo/burpintruderfilepayloadgenerator Burp Intruder File Payload Generator
• [10星][2y] antichown/burp-payloads Burp Payloads
• [5星][4y] [Java] antoinet/burp-decompressor An extension for BurpSuite used to access and modify compressed HTTP payloads without changing the content-encoding.
• [5星][5y] [Py] enablesecurity/burp-luhn-payload-processor A plugin for Burp Suite Pro to work with attacker payloads and automatically generate check digits for credit card numbers and similar numbers that end with a check digit generated using the Luhn algorithm or formula (also known as the "modulus 10" or "mod 10" algorithm).
• [3星][7y] [Py] infodel/burp.extension-payloadparser Burp Extension for parsing payloads containing/excluding characters you provide.
• [3星][2y] [Java] pan-lu/recaptcha A Burp Extender that auto recognize CAPTCHA and use for Intruder payload

---

文章

• 2018.02 [hackingarticles] Payload Processing Rule in Burp suite (Part 2)
• 2018.02 [hackingarticles] Payload Processing Rule in Burp suite (Part 1)
• 2018.01 [hackingarticles] Beginners Guide to Burpsuite Payloads (Part 2)
• 2018.01 [hackingarticles] Beginners Guide to Burpsuite Payloads (Part 1)
• 2012.10 [freebuf] Burp Suite PayLoad下载

开发与调试

---

工具

• [150星][3y] [Java] mwielgoszewski/jython-burp-api Develop Burp extensions in Jython
• [90星][11m] [Java] doyensec/burpdeveltraining Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation"

---

文章

• 2020.01 [aliyun] 打造高度自定义的渗透工具-Burp插件开发（一）
• 2019.12 [parsiya] Developing and Debugging Java Burp Extensions with Visual Studio Code
• 2019.01 [freebuf] 详细讲解 | 利用python开发Burp Suite插件（二）
• 2019.01 [freebuf] 详细讲解 | 利用python开发Burp Suite插件（一）
• 2019.01 [4hou] 利用Python编写具有加密和解密功能的Burp插件 （下）
• 2019.01 [4hou] 利用Python编写具有加密和解密功能的Burp插件 （上）
• 2017.05 [elearnsecurity] Developing Burp Suite Extensions
• 2017.01 [polaris] BurpSuite插件开发Tips：请求响应参数的AES加解密
• 2016.06 [freebuf] BurpSuite插件开发Tips：请求响应参数的AES加解密
• 2016.04 [freebuf] Burpsuite插件开发（二）：信息采集插件
• 2016.02 [xxlegend] Burpsuite 插件开发之RSA加解密
• 2016.02 [xxlegend] Burpsuite 插件开发之RSA加解密
• 2016.01 [freebuf] Burpsuite插件开发之RSA加解密
• 2015.12 [nsfocus] Burpsuite插件开发之RSA加解密
• 2015.05 [netspi] Debugging Burp Extensions
• 2014.01 [sethsec] Writing and Debugging BurpSuite Extensions in Python
• 2013.12 [freebuf] Java编写代理服务器(Burp拦截Demo)一
• 2012.07 [console] Setting up a Burp development environment

爆破

---

工具

• [291星][3m] [Java] c0ny1/jsencrypter 一个用于加密传输爆破的Burp Suite插件
• [247星][13d] [Py] teag1e/burpcollector 通过BurpSuite来构建自己的爆破字典，可以通过字典爆破来发现隐藏资产。
• [198星][9m] [Py] thekingofduck/burpfakeip 一个用于伪造ip地址进行爆破的Burp Suite插件
• [128星][2m] cujanovic/content-bruteforcing-wordlist Wordlist for content(directory) bruteforce discovering with Burp or dirsearch

---

文章

• 2019.09 [BrokenSecurity] 036 part of Ethical Hacking - Burpsuite login bruteforce
• 2018.06 [bugbountywriteup] How to brute force efficiently without Burp Pro
• 2018.03 [HackerSploit] Web App Penetration Testing - #3 - Brute Force Attacks With Burp Suite
• 2016.09 [hackingarticles] Brute Force Website Login Page using Burpsuite (Beginner Guide)
• 2012.12 [pentestlab] Brute Force Attack With Burp

验证码

---

工具

• [85星][2m] [Java] c0ny1/captcha-killer burp验证码识别接口调用插件

---

文章

• 2018.04 [freebuf] 实现一个简单的Burp验证码本地识别插件
• 2012.01 [idontplaydarts] Extending Burp Suite to solve reCAPTCHA

编码/解码

---

工具

• [121星][3m] [Java] nccgroup/decoder-improved Improved decoder for Burp Suite
• [83星][6y] [Py] mwielgoszewski/burp-protobuf-decoder A simple Google Protobuf Decoder for Burp
• [77星][1y] [Java] bit4woo/u2c Unicode编码转中文的burp插件
• [68星][3y] [Py] stayliv3/burpsuite-changeu burpsuite 插件。将返回值中的unicode明文
• [36星][9y] [C#] gdssecurity/wcf-binary-soap-plug-in a Burp Suite plug-in designed to encode and decode WCF Binary Soap request and response data ("Content-Type: application/soap+msbin1)
• [25星][12m] [Kotlin] gosecure/burp-ntlm-challenge-decoder Burp extension to decode NTLM SSP headers and extract domain/host information
• [25星][4y] [Java] pokeolaf/pokemongodecoderforburp A simpe decoder to decode requests/responses made by PokemonGo in burp
• [2星][2y] [Java] matanatr96/decoderproburpsuite Burp Suite Plugin to decode and clean up garbage response text
• [0星][2y] [Java] adityachaudhary/phantom-cryptor Burp Suite extender to encrypt requests and decrypt response.
• [0星][4y] [Java] luj1985/albatross XML Fast Infoset decoder for Burp Suite

---

文章

• 2018.01 [hackingarticles] Burpsuite Encoder & Decoder Tutorial
• 2017.03 [HackingMonks] Encoding and Decoding (Burp Suite Decoder)

认证/登录

---

工具

• [350星][20d] [Py] securityinnovation/authmatrix AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
• [295星][1m] [Py] quitten/autorize Automatic authorization enforcement detection extension for burp suite written in Jython in order to ease application security people work and allow them perform an automatic authorization tests
• [74星][6m] [Java] nccgroup/berserko Burp Suite extension to perform Kerberos authentication
• [40星][7y] [Java] wuntee/burpauthzplugin Burp plugin to test for authorization flaws
• [9星][1y] [Java] sampsonc/authheaderupdater Burp extension to specify the token value for the Authenication header while scanning.
• [0星][2y] [Java] insighti/burpamx AMX Authorization Burp Suite Extension

---

文章

• 2018.11 [vanimpe] Hunt for devices with default passwords (with Burp)
• 2018.06 [hackers] Online Password Cracking with THC-Hydra and BurpSuite
• 2018.02 [hackers] Online Password Cracking with THC-Hydra and Burp Suite
• 2017.10 [TechnoHacker] How to Crack Logins with Burp Suite
• 2017.08 [avleonov] Burp Suite Free Edition and NTLM authentication in ASP.net applications
• 2017.05 [4hou] NTLM认证失效时，如何使用Fiddler配合Burp Suite进行渗透测试？
• 2017.05 [mediaservice] NTLM认证失效时，如何使用Fiddler配合Burp Suite进行渗透测试？
• 2016.12 [hackers] Web App Hacking: Hacking Form Authentication with Burp Suite
• 2015.09 [NetSecNow] How To: Brute Forcing website logins with Hydra and Burpsuite in Kali Linux 2.0
• 2014.02 [silentsignal] Testing websites using ASP.NET Forms Authentication with Burp Suite

Brida

---

工具

• [609星][1y] [Java] federicodotta/brida The new bridge between Burp Suite and Frida!

---

文章

• 2019.01 [pediy] [原创]Brida操作指南
• 2018.04 [mediaservice] Brida用户指南
• 2017.10 [mediaservice] Advanced mobile penetration testing with Brida – Slides HackInBo 2017 WE
• 2017.08 [freebuf] Brida：使用Frida进行移动应用渗透测试
• 2017.08 [360] 联合Frida和BurpSuite的强大扩展--Brida
• 2017.08 [4hou] Brida:将frida与burp结合进行移动app渗透测试
• 2017.07 [mediaservice] Brida 实战
• 2017.01 [freebuf] 使用Frida配合Burp Suite追踪API调用

代理

---

工具

• [919星][3y] [Java] summitt/burp-non-http-extension Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
• [354星][2y] [Shell] koenbuyens/kalirouter 将 KaliLinux 主机转变为路由器，使用 Wireshark 记录所有的网络流量，同时将 HTTP/HTTPS 流量发送到其他主机的拦截代理（例如 BurpSuite）
• [318星][1m] [Java] ilmila/j2eescan a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
• [253星][2y] [Java] portswigger/collaborator-everywhere Burp Suite 扩展，通过注入非侵入性 headers 来增强代理流量，通过引起 Pingback 到 Burp Collaborator 来揭露后端系统
• [230星][1y] [Py] audibleblink/doxycannon 为一堆OpenVPN文件分别创建Docker容器, 每个容器开启SOCKS5代理服务器并绑定至Docker主机端口, 再结合使用Burp或ProxyChains, 构建私有的Botnet
• [151星][7m] [Py] kacperszurek/burp_wp Find known vulnerabilities in WordPress plugins and themes using Burp Suite proxy. WPScan like plugin for Burp.
• [89星][8m] [Java] rub-nds/burpssoextension An extension for BurpSuite that highlights SSO messages in Burp's proxy window..
• [73星][10d] [Py] jiangsir404/pbscan 基于burpsuite headless 的代理式被动扫描系统
• [71星][4m] [Java] static-flow/burpsuite-team-extension This Burpsuite plugin allows for multiple web app testers to share their proxy history with each other in real time. Requests that comes through your Burpsuite instance will be replicated in the history of the other testers and vice-versa!
• [49星][2y] [Py] mrschyte/socksmon 使用 BURP 或 ZAP 的 TCP 拦截代理
• [27星][2y] [Py] mrts/burp-suite-http-proxy-history-converter Python script that converts Burp Suite HTTP proxy history files to CSV or HTML
• [26星][8m] [Java] static-flow/directoryimporter a Burpsuite plugin built to enable you to import your directory bruteforcing results into burp for easy viewing later. This is an alternative to proxying bruteforcing tools through burp to catch the results.
• [13星][1y] [Java] retanoj/burpmultiproxy Burpsuite 切换代理插件
• [11星][4y] [Py] vincd/burpproxypacextension Exemple d'extension Burp permettant d'utiliser les fichiers de configuration de proxy PAC
• [5星][3y] [Java] mrts/burp-suite-http-proxy-history-viewer Burp Suite HTTP proxy history viewer
• [5星][3y] [Java] netspi/jsws JavaScript Web Service Proxy Burp Plugin
• [3星][2y] [Kotlin] pajswigger/filter-options Burp extension to filter OPTIONS requests from proxy history
• [2星][1y] [Java] coastalhacking/burp-pac Burp Proxy Auto-config Extension

---

文章

• 2019.06 [NetworkHeros] Bug Bounty : BurpSuite Professional v2.0.11 Free and Set up for Proxy Intercept
• 2019.04 [parsiya] Hiding OPTIONS - An Adventure in Dealing with Burp Proxy in an Extension
• 2018.10 [valerio] MITM using arpspoof + Burp or mitmproxy on Kali Linux
• 2018.06 [NetworkHeros] Ethical Hacking (CEHv10): BurpSuite install and configure proxy
• 2017.04 [360] BurpSuite 代理设置的小技巧
• 2017.04 [blackhillsinfosec] Using Burp with ProxyCannon
• 2017.02 [polaris] 使用BurpSuite攻击JavaScript Web服务代理
• 2017.02 [freebuf] 使用Burpsuite代理和pypcap抓包进行抢红包的尝试
• 2016.08 [] Configuring Google Chrome to Proxy Through Burp Suite
• 2016.04 [freebuf] 针对非Webapp测试的Burp技巧(一)：拦截和代理监听
• 2016.04 [parsiya] Thick Client Proxying - Part 4: Burp in Proxy Chains
• 2016.04 [parsiya] Thick Client Proxying - Part 4: Burp in Proxy Chains
• 2016.04 [parsiya] Thick Client Proxying - Part 3: Burp Options and Extender
• 2016.04 [parsiya] Thick Client Proxying - Part 3: Burp Options and Extender
• 2016.03 [parsiya] Thick Client Proxying - Part 1: Burp Interception and Proxy Listeners
• 2016.03 [parsiya] Thick Client Proxying - Part 1: Burp Interception and Proxy Listeners
• 2016.02 [THER] Learn Burp Suite, the Nr. 1 Web Hacking Tool - 03 - Proxy Module
• 2015.12 [jerrygamblin] Proxying BurpSuite through TOR
• 2015.10 [parsiya] Proxying Hipchat Part 2: So You Think You Can Use Burp?
• 2014.01 [nvisium] Intro To Burp Suite Part I: Setting Up BurpSuite with Firefox and FoxyProxy
• 2013.05 [] Burp Suite处理“不支持代理”的客户端
• 2013.01 [rapid7] Video Tutorial: Introduction to Burp-Suite 1.5 Web Pen Testing Proxy

域/子域

---

工具

• [383星][1m] [Java] bit4woo/domain_hunter 利用burp收集整个企业、组织的域名（不仅仅是单个主域名）的插件
• [147星][8m] [Py] codingo/minesweeper A Burpsuite plugin (BApp) to aid in the detection of scripts being loaded from over 23000 malicious cryptocurrency mining domains (cryptojacking).
• [133星][4m] [Py] prodigysml/dr.-watson a simple Burp Suite extension that helps find assets, keys, subdomains, IP addresses, and other useful information!
• [17星][4m] [Java] phefley/burp-javascript-security-extension A Burp Suite extension which performs checks for cross-domain scripting against the DOM, subresource integrity checks, and evaluates JavaScript resources against threat intelligence data.

---

文章

• 2018.05 [pentestingexperts] Minesweeper – A Burpsuite plugin (BApp) to aid in the detection of cryptocurrency mining domains (cryptojacking)

工具

---

新添加

• [740星][1y] [Java] d3vilbug/hackbar HackBar plugin for Burpsuite
• [622星][11m] [Java] c0ny1/chunked-coding-converter Burp suite 分块传输辅助插件
• [383星][3y] [Py] 0x4d31/burpa A Burp Suite Automation Tool with Slack Integration. It can be used with Jenkins and Selenium to automate Dynamic Application Security Testing (DAST).
• [377星][4y] [JS] allfro/burpkit Next-gen BurpSuite penetration testing tool
• [364星][2m] [Java] bit4woo/knife A burp extension that add some useful function to Context Menu 添加一些右键菜单让burp用起来更顺畅
• [342星][3y] [Py] pathetiq/burpsmartbuster A Burp Suite content discovery plugin that add the smart into the Buster!
• [315星][1y] [Java] ebryx/aes-killer Burp plugin to decrypt AES Encrypted traffic of mobile apps on the fly
• [241星][4m] [Java] samlraider/samlraider SAML2 Burp Extension
• [223星][14d] [Java] lilifengcode/burpsuite-plugins-usage Burpsuite-Plugins-Usage
• [164星][7m] [Java] netspi/javaserialkiller Burp extension to perform Java Deserialization Attacks
• [164星][3m] [Py] regala/burp-scope-monitor Burp Suite Extension to monitor new scope
• [160星][1y] [Py] bayotop/off-by-slash Bupr扩展, 检测利用Nginx错误配置导致的重名遍历(alias traversal)
• [151星][6m] [Java] netsoss/headless-burp Automate security tests using Burp Suite.
• [138星][2y] [Java] netspi/wsdler WSDL Parser extension for Burp
• [131星][9m] [Go] empijei/wapty Go语言编写的Burp的替代品。（已不再维护）
• [124星][4y] [Py] moloch--/csp-bypass A Burp Plugin for Detecting Weaknesses in Content Security Policies
• [119星][7y] [Py] meatballs1/burp-extensions Burp Suite Extensions
• [112星][13d] [Java] x-ai/burpunlimitedre This project !replace! BurpUnlimited of depend (BurpSutie version 1.7.27). It is NOT intended to replace them!
• [105星][4m] [Java] netspi/burp-extensions Central Repo for Burp extensions
• [104星][2y] [Java] clr2of8/gathercontacts A Burp Suite Extension to pull Employee Names from Google and Bing LinkedIn Search Results
• [103星][9m] [Py] kibodwapon/noeye A blind mode exploit framework (a dns server and a web app) that like wvs's AcuMonitor Service or burpsuite's collabrator or cloudeye
• [103星][4y] [Java] summitt/burp-ysoserial YSOSERIAL Integration with burp suite
• [90星][3y] [Java] dobin/burpsentinel GUI Burp Plugin to ease discovering of security holes in web applications
• [89星][9m] [Py] lopseg/jsdir a Burp Suite extension that extracts hidden paths from js files and beautifies it for further reading.
• [88星][1y] [Py] nccgroup/blackboxprotobuf Blackbox protobuf is a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.
• [88星][2y] [Java] silentsignal/burp-image-size Image size issues plugin for Burp Suite
• [86星][20d] [Py] leoid/matchandreplace Match and Replace script used to automatically generate JSON option file to BurpSuite
• [85星][1m] [Go] root4loot/rescope defining scopes for Burp Suite and OWASP ZAP.
• [84星][3m] [Java] jgillam/burp-paramalyzer Burp extension for parameter analysis of large-scale web application penetration tests.
• [84星][2y] [Java] yandex/burp-molly-pack Security checks pack for Burp Suite
• [73星][6y] [Java] irsdl/burpsuitejsbeautifier Burp Suite JS Beautifier
• [73星][2y] [Java] spiderlabs/burplay a Burp Extension allowing for replaying any number of requests using same modifications definition. Its main purpose is to aid in searching for Privilege Escalation issues.
• [70星][30d] [Py] ziirish/burp-ui a web-ui for burp backup written in python with Flask and jQuery/Bootstrap
• [69星][5m] [Java] aress31/swurg Parse OpenAPI documents into Burp Suite for automating OpenAPI-based APIs security assessments
• [65星][2y] [Py] markclayton/bumpster The Unofficial Burp Extension for DNSDumpster.com
• [58星][1y] [Java] portswigger/replicator Burp extension to help developers replicate findings from pen tests
• [58星][6y] [Java] spiderlabs/burpnotesextension a plugin for Burp Suite that adds a Notes tab. The tool aims to better organize external files that are created during penetration testing.
• [48星][2y] [java] anbai-inc/burpstart Burp 启动加载器
• [48星][2y] [Java] inode-/attackselector Burp Suite Attack Selector Plugin
• [47星][3m] [Py] hvqzao/report-ng Generate MS Word template-based reports with HP WebInspect / Burp Suite Pro input, own custom data and knowledge base.
• [46星][1y] [Py] br3akp0int/gqlparser A repository for GraphQL Extension for Burp Suite
• [46星][1y] [Java] secdec/attack-surface-detector-burp The Attack Surface Detector uses static code analyses to identify web app endpoints by parsing routes and identifying parameters
• [45星][1y] [Go] joanbono/gurp Burp Commander written in Go
• [41星][1y] [Py] zynga/hiccup [DEPRECATED] Hiccup is a framework that allows the Burp Suite (a web application security testing tool,
• [41星][1y] [Java] tijme/similar-request-excluder A Burp Suite extension that automatically marks similar requests as 'out-of-scope'.
• [41星][12m] [PHP] spiderlabs/upnp-request-generator A tool to parse UPnP descriptor XML files and generate SOAP control requests for use with Burp Suite or netcat
• [39星][10m] [Dockerfile] marco-lancini/docker_burp Burp Pro as a Docker Container
• [39星][4m] [Py] zephrfish/burpfeed Hacked together script for feeding urls into Burp's Sitemap
• [36星][2m] [Py] 0ang3el/unsafe-jax-rs-burp Burp Suite extension for JAX-RS
• [36星][8y] [Py] gdssecurity/burpee Python object interface to requests/responses recorded by Burp Suite
• [36星][1y] [Java] ikkisoft/blazer Burp Suite AMF Extension
• [35星][2y] [Java] bit4woo/resign A burp extender that recalculate signature value automatically after you modified request parameter value.
• [34星][2y] [Py] penafieljlm/burp-tracer BurpSuite 扩展。获取当前的站点地图，提取每个请求参数，并搜索存在请求参数值的回复
• [33星][4y] [Py] peacand/burp-pytemplate Burp extension to quickly and easily develop Python complex exploits based on Burp proxy requests.
• [33星][2m] [Java] rub-nds/tls-attacker-burpextension assist in the evaluation of TLS Server configurations with Burp Suite.
• [33星][3y] [Go] tomsteele/burpstaticscan Use burp's JS static code analysis on code from your local system.
• [32星][5y] [Java] malerisch/burp-csj BurpCSJ extension for Burp Pro - Crawljax Selenium JUnit integration
• [30星][2y] [Py] aurainfosec/burp-multi-browser-highlighting Highlight Burp proxy requests made by different browsers
• [30星][4y] [Py] carstein/burp-extensions Automatically exported from code.google.com/p/burp-extensions
• [30星][7y] [Py] meatballs1/burp_jsbeautifier js-beautifier extension for Burp Suite
• [29星][5y] [Java] burp-hash/burp-hash a Burp Suite plugin.
• [29星][9m] [Java] hvqzao/burp-flow Extension providing view with filtering capabilities for both complete and incomplete requests from all burp tools.
• [29星][13d] [Java] silentsignal/burp-requests Copy as requests plugin for Burp Suite
• [29星][4y] [Py] smeegesec/burp-importer Burp Suite Importer - Connect to multiple web servers while populating the sitemap.
• [25星][2y] [Py] portswigger/burp-smart-buster A Burp Suite content discovery plugin that add the smart into the Buster!
• [23星][2y] [Py] aur3lius-dev/spydir BurpSuite extension to assist with Automated Forced Browsing/Endpoint Enumeration
• [23星][6m] [Py] elespike/burp-cph Custom Parameter Handler extension for Burp Suite.
• [23星][2y] [Java] silentsignal/burp-uuid UUID issues for Burp Suite
• [23星][2y] [Ruby] zidekmat/graphql_beautifier Burp Suite extension to help make Graphql request more readable
• [22星][3m] [Java] ettic-team/endpointfinder-burp burp plugin to find endpoint
• [22星][4y] [Swift] melvinsh/burptoggle Status bar application for OS X to toggle the state of the system HTTP/HTTPS proxy.
• [21星][5y] [Java] khai-tran/burpjdser a Burp plugin that will deserialze/serialize Java request and response to and from XML with the use of Xtream library
• [21星][3y] [Ruby] kingsabri/burp_suite_extension_ruby BurpSuite Extension Ruby Template to speed up building a Burp Extension using Ruby
• [20星][3y] [Py] securitymb/burp-exceptions Simple trick to increase readability of exceptions raised by Burp extensions written in Python
• [20星][30d] [Py] yeswehack/yesweburp YesWeHack Api Extension for Burp
• [19星][9m] [Java] hvqzao/burp-wildcard Burp extension intended to compact Burp extension tabs by hijacking them to own tab.
• [19星][4m] [Java] silentsignal/burp-json-jtree JSON JTree viewer for Burp Suite
• [18星][7y] [Java] omercnet/burpjdser-ng BurpJDSer-ng
• [18星][3m] [Py] xscorp/burpee A python module that accepts an HTTP request file and returns a dictionary of headers and post data
• [17星][2y] [Visual Basic .NET] xcanwin/xburpcrack This is a tool to bypass the cracked version of the burpsuite_pro(Larry_Lau) certification deadline through time reversal.
• [16星][4y] [Java] shengqi158/rsa-crypto-burp-extention burp 插件 用于RSA 数据包加解密
• [15星][2y] [Java] netspi/jsonbeautifier JSON Beautifier for Burp written in Java
• [15星][29d] [Java] augustd/burp-suite-jsonpath JSONPath extension for BurpSuite
• [15星][14d] [Java] m4ll0k/burpsuite-random_useragent Burp Suite extension for generate a random user-agents
• [14星][5y] [Java] federicodotta/burpjdser-ng-edited Burp Suite plugin that allow to deserialize Java objects and convert them in an XML format. Unpack also gzip responses. Based on BurpJDSer-ng of omercnet.
• [14星][2y] [Java] c0ny1/burp-cookie-porter 一个可快速“搬运”cookie的Burp Suite插件
• [14星][1m] [Java] qdghj/burp_data_collector A Burp plugin that collects Burp request parameters, directories, paths and file names into the database for sorting
• [13星][2m] [Java] ankokuty/belle Belle (Burp Suite 非公式日本語化ツール)
• [13星][6y] [Java] ioactive/burpjdser-ng Allows you to deserialize java objects to XML and lets you dynamically load classes/jars as needed
• [13星][9m] [Py] modzero/burp-responseclusterer Burp plugin that clusters responses to show an overview of received responses
• [13星][8m] [Py] solomonsklash/sri-check A Burp Suite extension for identifying missing Subresource Integrity attributes.
• [12星][1m] [Java] augustd/burp-suite-utils Utilities for creating Burp Suite Extensions.
• [12星][2y] [Java] hvqzao/burp-token-rewrite Burp extension for automated handling of CSRF tokens
• [12星][7y] [Py] infodel/burp.extension-googlehack Burp Suite Extension providing Google Hacking Interface
• [12星][1y] [Java] moeinfatehi/admin-panel_finder A burp suite extension that enumerates infrastructure and application admin interfaces (OTG-CONFIG-005)
• [11星][6y] [Py] faffi/curlit Burp plugin to turn requests into curl commands
• [11星][9y] [Java] gdssecurity/deflate-burp-plugin The Deflate Burp Plugin is a plug-in for Burp Proxy (it implements the IBurpExtender interface) that decompresses HTTP response content in the ZLIB (RFC1950) and DEFLATE (RFC1951) compression formats.
• [11星][2y] [Java] gozo-mt/burplist A jython wordlist creator in-line with Burp-suite
• [11星][3y] [Java] h3xstream/burp-image-metadata Burp and ZAP plugin that display image metadata (JPEG Exif or PNG text chunk).
• [11星][6y] [Py] smeegesec/wsdlwizard WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files.
• [11星][4y] [Java] monikamorrow/burp-suite-extension-examples Burp Suite starter example projects.
• [10星][2y] [HTML] adriancitu/burp-tabnabbing-extension Burp Suite Professional extension in Java for Tabnabbing attack
• [10星][2m] [Py] defectdojo/burp-plugin A Burp plugin to export findings to DefectDojo
• [10星][2y] [Java] xxux11/burpheartbleedextension Burp Heartbleed Extension
• [10星][5m] [Java] wrvenkat/burp-multistep-csrf-poc Burp extension to generate multi-step CSRF POC.
• [9星][5y] [Java] allfro/dotnetbeautifier A BurpSuite extension for beautifying .NET message parameters and hiding some of the extra clutter that comes with .NET web apps (i.e. __VIEWSTATE).
• [9星][4y] [Java] augustd/burp-suite-gwt-scan Burp Suite plugin identifies insertion points for GWT (Google Web Toolkit) requests
• [9星][13d] [Java] aoncyberlabs/fastinfoset-burp-plugin Burp plugin to convert fast infoset (FI) to/from the text-based XML document format allowing easy editing
• [8星][2y] [Java] rammarj/csrf-poc-creator A Burp Suite extension for CSRF proof of concepts.
• [8星][14d] [Java] silentsignal/burp-cfurl-cache CFURL Cache inspector for Burp Suite
• [8星][3m] [Py] fsecurelabs/timeinator Timeinator is an extension for Burp Suite that can be used to perform timing attacks over an unreliable network such as the internet.
• [7星][5m] [Java] dibsy/staticanalyzer StaticAnalyzer is a burp plugin that can be used to perform static analysis of the response information from server during run time. It will search for specific words in the response that is mentioned in the vectors.txt
• [7星][3y] [Ruby] dradis/burp-dradis Dradis Framework extension for Burp Suite
• [7星][1y] [Java] fruh/extendedmacro ExtendedMacro - BurpSuite plugin providing extended macro functionality
• [7星][2y] [Java] jgillam/serphper Serialized PHP toolkit for Burp Suite
• [7星][2y] [Java] yehgdotnet/burp-extention-bing-translator Burp Plugin - Bing Translator
• [7星][1y] chef-koch/windows-redstone-4-1803-data-analysis Explains the telemetry, opt-out methods and provides some Whireshark/Burp dumps in order to see what MS really transmit
• [7星][9m] [Java] denniskniep/gqlraider GQL Burp Extension
• [7星][22d] [Java] bytebutcher/burp-send-to Adds a customizable "Send to..."-context-menu to your BurpSuite.
• [6星][5m] [Java] aress31/copy-as-powershell-requests Copy as PowerShell request(s) plugin for Burp Suite (approved by PortSwigger for inclusion in their official BApp Store).
• [6星][2m] [Java] aress31/googleauthenticator Burp Suite plugin that dynamically generates Google 2FA codes for use in session handling rules (approved by PortSwigger for inclusion in their official BApp Store).
• [6星][5m] [Py] maxence-schmitt/officeopenxmleditor Burp extension that add a tab to edit Office Open XML document (xlsx,docx,pptx)
• [6星][2y] [Java] silentsignal/burp-commentator Generates comments for selected request(s) based on regular expressions
• [6星][2y] [Java] silentsignal/burp-uniqueness Uniqueness plugin for Burp Suite
• [6星][12m] raspberrypilearning/burping-jelly-baby Make a Jelly Baby burp by pressing it!
• [6星][3m] [Java] neal1991/r-forwarder-burp The burp extension to forward the request
• [5星][4y] [Py] cyberdefenseinstitute/burp-msgpack MessagePack converter
• [5星][7y] [Py] mwielgoszewski/jython-burp-extensions Jython burp extensioins
• [5星][2m] [Ruby] dradis/dradis-burp Burp Suite plugin for the Dradis Framework
• [4星][2y] [Java] dannegrea/tokenjar Burp Suite extension. Useful for managing tokens like anti-CSRF, CSurf, Session values. Can be used to set params that require random numbers or params that are computed based on application response.
• [4星][7y] [Py] dnet/burp-gwt-wrapper Burp Suite GWT wrapper
• [4星][2y] [Ruby] geoffwalton/burp-command
• [4星][14d] [Py] niemand-sec/burp-scan-them-all Small script for automatizing Burp with Carbonator and slack
• [4星][2y] [Java] silentsignal/burp-git-version
• [4星][5m] [Java] augustd/burp-suite-swaggy Burp Suite extension for parsing Swagger web service definition files
• [4星][3y] [Java] jksecurity/burp_savetofile BurpSuite plugin to save just the body of a request or response to a file
• [4星][8m] [Java] virusdefender/burptime Burp Show Response Time
• [4星][2m] [Java] gdgd009xcd/automacrobuilder multi step request sequencer AutoMacroBuilder for burpsuite
• [3星][9m] [Batchfile] jas502n/burpsuite_pro_v1.7.11-crack BurpSuite_pro_v1.7.11-Crack 破解版 抓包神器
• [3星][4y] [Py] mwielgoszewski/burp-jython-tab
• [3星][20d] [Java] raise-isayan/bigipdiscover It becomes the extension of Burp suite. The cookie set by the BipIP server may include a private IP, which is an extension to detect that IP
• [3星][2y] [Py] snoopysecurity/noopener-burp-extension Find Target="_blank" values within web pages that are set without 'noopener' and 'noreferrer' attributes
• [3星][4y] [Py] vergl4s/signatures Length extension attacks in Burp Suite
• [3星][3y] [Java] cnotin/burp-scan-manual-insertion-point Burp Suite Pro extension
• [3星][11d] [Py] akabe1/upnp-bhunter Burp Suite Extension useful to inspect UPnP security
• [3星][8m] [Py] solomonsklash/cookie-decrypter A Burp Suite Professional extension for decrypting/decoding various types of cookies.
• [2星][1y] [Py] bao7uo/burpelfish BurpelFish - Adds Google Translate to Burp's Context Menu. "Babel Fish" language translation for app-sec testing in other languages.
• [2星][2y] [Java] cornerpirate/demoextender Code used for a tutorial to get Netbeans GUI editor to work with a Burp Suite Extender
• [2星][4y] [Py] d453d2/burp-jython-console Burp Suite extension to enable a Jython console - origin (
• [2星][2y] [Py] dnet/burp-scripts Scripts I wrote to extend Burp Suite functionality
• [2星][7y] [Py] meatballs1/burp_wicket_handler
• [2星][3y] [Java] silentsignal/burp-json-array JSON Array issues plugin for Burp Suite
• [2星][2y] stayliv3/burpsuite-magic 收集burpsuite插件，并对每个插件编写使用说明手册。
• [2星][3y] [Ruby] thec00n/uploader Burp extension to test for directory traversal attacks in insecure file uploads
• [2星][8y] [Java] thecao365/burp-suite-beautifier-extension burp-suite-beautifier-extension
• [2星][3m] [Java] peachtech/peachapisec-burp Peach API Security Burp Integration
• [2星][3m] [Java] parsiya/burp-sample-extension-java Sample Burp Extension in Java
• [1星][3y] [Java] chris-atredis/burpchat burpChat is a BurpSuite plugin that enables collaborative BurpSuite usage using XMPP/Jabber.
• [1星][3m] [Java] infobyte/faraday_burp Faraday Burp Extension
• [1星][11m] [Java] jonluca/burp-copy-as-node Burp extension to copy a request as a node.js requests function
• [1星][2y] [Java] sampsonc/perfmon Performance metrics for Burp Suite
• [1星][3y] [Java] tagomaru/burp-extension-sync-parameter an extension to Burp Suite that provides a sync function for CSRF token parameter.
• [1星][5m] [Py] bomsi/blockerlite Simple Burp extension to drop blacklisted hosts
• [1星][4y] [Py] hvqzao/burp-csrf-handling CSRF tokens handling Burp extension
• [1星][3m] [Java] sunny0day/burp-auto-drop Burp extension to automatically drop requests that match a certain regex.
• [0星][4y] fbogner/burp.app A small AppleScript wrapper application around Burp.jar to make it more OS X like
• [0星][1y] jgamblin/burptest
• [0星][2y] kkirsche/burp_suite_lists Lists to use with Burp Suite
• [0星][2y] [Java] silentsignal/burp-asn1 ASN.1 toolbox for Burp Suite
• [0星][9m] [Java] celsogbezerra/copy-as-javascript-request Copy as JavaScript Request plugin for Burp Suite
• [0星][1y] [Py] nagakm/throttler This extension is for Burpsuite
• [0星][2y] [Py] nagakm/throttler This extension is for Burpsuite

---

文档

• [736星][2y] [JS] xl7dev/burpsuite BurpSuite using the document and some extensions
• [299星][1y] [Shell] yw9381/burp_suite_doc_zh_cn 这是基于Burp Suite官方文档翻译而来的中文版文档
• [12星][3m] boreas514/burp-suite-2.0-chinese-document 中文版burp2.0官方文档

文章

---

新添加

• 2020.01 [portswigger] Burp Suite roadmap for 2020 | Blog - PortSwigger
• 2019.12 [aliyun] 如何利用xray、burp、lsc构成自动化挖src平台
• 2019.11 [parsiya] Swing in Python Burp Extensions - Part 3 - Tips and Tricks
• 2019.11 [parsiya] Swing in Python Burp Extensions - Part 2 - NetBeans and TableModels
• 2019.11 [parsiya] Swing in Python Burp Extensions - Part 1
• 2019.10 [parsiya] Quality of Life Tips and Tricks - Burp Suite
• 2019.10 [freebuf] 使用Burp拦截Flutter App与其后端的通信
• 2019.09 [BrokenSecurity] 033 part of Ethical Hacking - Editing packets in Burpsuite
• 2019.09 [BrokenSecurity] 032 part of Ethical Hacking - Burpsuite configuration
• 2019.09 [radekk] Firefox and Burp Suite — the most secure configuration
• 2019.07 [0x00sec] Doubt with header. Burp & Tamper
• 2019.06 [sirpwnalot] Hunting for Privilege Escalation with Burp Suite
• 2019.06 [appsecconsulting] Ten Useful Burp Suite Pro Extensions for Web Application Testing
• 2019.05 [d3adend] Argument Injection Hammer Burp Suite Extension
• 2019.05 [infosecaddicts] Burp Suite
• 2019.04 [parsiya] Disabling Burp's Update Screen - Part 1 - Analysis and Failures
• 2019.02 [infosecinstitute] Quick and Dirty BurpSuite Tutorial (2019 Update)
• 2019.02 [pentestpartners] Burp HMAC header extensions, a how-to
• 2018.12 [parsiya] Cryptography in Python Burp Extensions
• 2018.12 [parsiya] Python Utility Modules for Burp Extensions
• 2018.12 [parsiya] 使用Burp的网站地图比较功能, 检测强制浏览/访问控制/直接对象引用等问题
• 2018.12 [parsiya] Tiredful API - Part 2 - Comparing Site Maps with Burp
• 2018.11 [wallarm] FAST or Burp or both?
• 2018.11 [arbazhussain] Broken Link Hijacking Burp Plugin
• 2018.11 [jerrygamblin] Automatically Create Github Issues From Burp 2.0
• 2018.08 [portswigger] Burp Suite Enterprise Edition beta now available | Blog
• 2018.08 [portswigger] Burp's new crawler | Blog
• 2018.07 [cqureacademy] How To Burp With Confidence – Our 5 Favorite Features
• 2018.07 [freebuf] 使用VirtualBox，INetSim和Burp建立自己的恶意软件分析实验环境
• 2018.07 [web] Support for XXE attacks in SAML in our Burp Suite extension
• 2018.06 [finnwea] An efficiency improvement for Burp Suite
• 2018.06 [finnwea] An efficiency improvement for Burp Suite
• 2018.05 [hackerone] New Hacker101 Content: Threat modeling, Burp basics, and more
• 2018.04 [dustri] Confusing Burp's display with fake encoding
• 2018.03 [secureideas] Burp Suite continuing the Saga
• 2018.03 [blackhillsinfosec] Gathering Usernames from Google LinkedIn Results Using Burp Suite Pro
• 2018.02 [hackingarticles] Advance Web Application Testing using Burpsuite
• 2018.02 [HackerSploit] Web App Penetration Testing - #1 - Setting Up Burp Suite
• 2018.02 [hackingarticles] Engagement Tools Tutorial in Burp suite
• 2018.01 [360] 恶意软件逆向：burpsuite 序列号器后门分析
• 2018.01 [hackingarticles] WordPress Exploitation using Burpsuite (Burp_wp Plugin)
• 2018.01 [blackhillsinfosec] Analyzing Extension Effectiveness with Burp
• 2018.01 [4hou] 实战教程：用Burpsuite测试移动应用程序
• 2017.12 [freebuf] 经验分享 | Burpsuite插件的使用
• 2017.12 [picturoku] Burp... (excuse me) ...suite
• 2017.12 [freebuf] 新手福利 | Burpsuite你可能不知道的技巧
• 2017.12 [aliyun] 使用OWASP Zap度过没有Burp的过渡期
• 2017.12 [freebuf] 利用Burp Suite挖掘暗网服务的真实IP
• 2017.11 [n00py] Exploiting blind Java deserialization with Burp and Ysoserial
• 2017.10 [freebuf] 利用Burp Suite对OWASP Juice Shop进行渗透测试
• 2017.10 [gdssecurity] Pentesting Fast Infoset based web applications with Burp
• 2017.10 [d0znpp] The best Burp plugin I’ve ever seen
• 2017.10 [n00py] How to Burp Good
• 2017.09 [niemand] Automatizing Burp + Carbonator + Slack
• 2017.09 [trustwave] burplay介绍
• 2017.09 [initblog] Hacking a Pizza Order with Burp Suite
• 2017.09 [freebuf] 如何在特定的渗透测试中使用正确的Burp扩展插件
• 2017.08 [portswigger] 如何为特定的渗透测试环境定制 Burp 扩展
• 2017.08 [cybrary] Your Complete Guide to Burp Suite
• 2017.07 [hackerone] Hey Hackers: We’ve got your free Burp Suite Professional license right here
• 2017.07 [aliyun] Burpsuite handshake alert: unrecognized_name解决办法
• 2017.07 [4hou] 用VirtualBox、INetSim和Burp配置一个恶意软件分析实验室
• 2017.06 [portswigger] Behind enemy lines: bug hunting with Burp Infiltrator | Blog
• 2017.06 [christophetd] 使用 VirtualBox，INetSim和 Burp 搭建自己的恶意软件分析实验室
• 2017.05 [360] Burp Suite Mobile Assistant
• 2017.05 [netspi] Beautifying JSON in Burp
• 2017.04 [aliyun] Burp Suite收集到的录像、文档以及视频资料
• 2017.02 [zsec] Learning the Ropes 101: Burp Suite Intro
• 2017.02 [netspi] Attacking JavaScript Web Service Proxies with Burp
• 2017.02 [polaris] BurpSuite和Fiddler串联使用解决App测试漏包和速度慢的问题
• 2017.01 [securityinnovation] Solve the Software Security Authorization Testing Riddle with AuthMatrix for Burp Suite
• 2016.12 [polaris] BurpSuite插件分享：图形化重算sign和参数加解密插件
• 2016.12 [rapid7] Burp Series: Intercepting and modifying made easy
• 2016.12 [polaris] BurpSuite 实战指南
• 2016.12 [360] BurpSuite 实战指南（附下载地址）
• 2016.11 [freebuf] 渗透测试神器Burp Suite v1.7.08发布（含下载）
• 2016.10 [averagesecurityguy] Recon-ng + Google Dorks + Burp = ...
• 2016.10 [hackingarticles] SMS Bombing on Mobile using Burpsuite
• 2016.09 [hackingarticles] Hijacking Gmail Message on Air using Burpsuite
• 2016.09 [securify] Burp Suite security automation with Selenium and Jenkins
• 2016.09 [securityblog] Simple python script to make multiple raw requests from Burp
• 2016.07 [portswigger] Introducing Burp Infiltrator | Blog
• 2016.06 [insinuator] SAMLReQuest Burpsuite Extention
• 2016.05 [jerrygamblin] BurpBrowser
• 2016.05 [silentsignal] Detecting ImageTragick with Burp Suite Pro
• 2016.04 [portswigger] Introducing Burp Projects | Blog
• 2016.04 [breakpoint] Web Hacking with Burp Suite 101
• 2016.04 [hack] Advanced Burp Suite
• 2016.03 [freebuf] Burp Suite新手指南
• 2016.03 [portswigger] Using Burp Suite to audit and exploit an eCommerce application | Blog
• 2016.03 [freebuf] 渗透测试神器Burpsuite Pro v1.6.38（含下载）
• 2016.03 [360] 使用burp进行java反序列化攻击
• 2016.03 [netspi] Java Deserialization Attacks with Burp
• 2016.02 [] 对burpsuite_pro逆向的一点心得
• 2016.02 [THER] Learn Burp Suite, the Nr. 1 Web Hacking Tool - 00 - Intro
• 2016.02 [THER] Learn Burp Suite, the Nr. 1 Web Hacking Tool - 08 - Congrats
• 2016.02 [THER] Learn Burp Suite, the Nr. 1 Web Hacking Tool - 02 - General Concept
• 2016.02 [THER] Learn Burp Suite, the Nr. 1 Web Hacking Tool - 01 - Environment Setup
• 2016.02 [gracefulsecurity] Introduction to Burp Suite Pro
• 2016.02 [bishopfox] Burp, Collaborate, and Listen: A Pentester Reviews the Latest Burp Suite Addition
• 2016.02 [xxlegend] 如何让Burpsuite监听微信公众号
• 2016.01 [hack] Burp Suite For Beginners
• 2016.01 [blackhillsinfosec] Pentesting ASP.NET Cookieless Sessions with Burp
• 2015.12 [portswigger] Burp Clickbandit: A JavaScript based clickjacking PoC generator | Blog
• 2015.11 [gracefulsecurity] Burp Suite Extensions: Installing Jython and adding an Extension
• 2015.09 [freebuf] 渗透测试神器Burpsuite Pro v1.6.24（含下载）
• 2015.09 [freebuf] BurpSuite下一代渗透检测工具：BurpKit
• 2015.08 [portcullis] Burp Extension
• 2015.07 [secist] 使用burp进行java反序列化攻击
• 2015.07 [compass] SAML Burp Extension
• 2015.07 [nvisium] Intro to BurpSuite, Part VI: Burpsuite Sequencer
• 2015.07 [] 小技巧：Burp Suite 插件库 BApp Store
• 2015.06 [gracefulsecurity] Burp Suite Keyboard Shortcuts!
• 2015.06 [acunetix] Pre-seeding a crawl using output from Fiddler, Burp, Selenium and HAR files
• 2015.05 [idontplaydarts] Detecting low entropy tokens with massive bloom filters in Burp
• 2015.04 [mediaservice] Pentesting with Serialized Java Objects and Burp Suite
• 2014.12 [insinuator] Getting 20k Inline-QR-Codes out of Burp
• 2014.11 [liftsecurity] Static Analysis and Burp Suite
• 2014.10 [buer] Detecting Burp Suite – Part 2 of 3: Callback Exposure
• 2014.09 [compass] BurpSentinel on Darknet
• 2014.08 [nvisium] Intro to BurpSuite V: Extracting Intrusions
• 2014.08 [milo2012] Extended functionality for Burp Plugin – Carbonator
• 2014.07 [portswigger] Burp gets new JavaScript analysis capabilities | Blog
• 2014.07 [nvisium] Intro to BurpSuite Part IV: Being Intrusive
• 2014.07 [liftsecurity] Introducing Burpbuddy
• 2014.07 [buer] Detecting Burp Suite – Part 1 of 3: Info Leak
• 2014.06 [parsiya] Piping SSL/TLS Traffic from SoapUI to Burp
• 2014.05 [sans] Assessing SOAP APIs with Burp
• 2014.05 [nvisium] Intro to BurpSuite: Part III - It's all about Repetition!
• 2014.04 [freebuf] 国产BurpSuite 插件 Assassin V1.0发布
• 2014.03 [nvisium] Burp App Store
• 2014.02 [nvisium] Intro to Burp Part II: Sighting in your Burp Scope
• 2014.01 [sethsec] Re-launch - A focus on Web Application Pen Testing, Burp Extensions, etc
• 2013.12 [appsecconsulting] So You Want to Build a Burp Plugin?
• 2013.06 [sec] How to rapidly build a Burp session handling extension using JavaScript
• 2013.06 [freebuf] BurpSuite系列使用视频教程（下载）
• 2013.05 [] Burp通过注射点dump数据库
• 2013.05 [trustwave] Introducing the Burp Notes Extension
• 2013.03 [security] Penetration Test pWnOS v2.0 with BurpSuite
• 2013.03 [freebuf] 使用Burp攻击Web Services
• 2013.03 [netspi] Hacking Web Services with Burp
• 2013.01 [websecurify] Reading Burp Files From Websecurify Suite
• 2013.01 [netspi] Tool release: AMF Deserialize Burp plugin
• 2012.12 [pentestlab] Local File Inclusion Exploitation With Burp
• 2012.12 [portswigger] Sample Burp Suite extension: custom editor tab | Blog
• 2012.12 [portswigger] Writing your first Burp Suite extension | Blog
• 2012.12 [portswigger] New Burp Suite Extensibility | Blog
• 2012.11 [perezbox] Spoofing an Admin’s Cookies Using Burp
• 2012.11 [freebuf] Burp Suite免费版本（Free Edition）v1.5发布
• 2012.10 [] 利用burpsuite获得免费空间
• 2012.10 [netspi] Pentesting Java Thick Applications with Burp JDSer
• 2012.09 [] 用Burp_suite快速处理上传截断
• 2012.09 [] 使用burp suite探测Web目录
• 2012.05 [freebuf] Burpsuite系列视频教程不加密版第一部分公布下载
• 2011.12 [milo2012] OWASP Ajax Crawling Tool (Good Companion Tool to Burpsuite)
• 2011.12 [insinuator] Use Python for Burp plugins with pyBurp
• 2011.10 [portswigger] Breaking encrypted data using Burp | Blog
• 2011.06 [cyberis] 'Invisible Intercept' Function of Burp

原文:https://github.com/alphaSeclab/awesome-burp-suite