Burp Suite is an integrated platform for attacking web applications. It contains a number of tools and provides a number of interfaces for them, designed to speed up the process of attacking an application. All of the tools share a powerful extensible framework for handling and displaying HTTP messages, persistence, authentication, proxies, logs, and alerts.

Both the free and the paid versions of Burp Suite provide a number of plug-ins, which greatly facilitate our day-to-day penetration testing work. Many good plug-ins can be downloaded and installed from the BApp Store. After installation, the corresponding Python code or jar package is present in the specified directory, and this code is very good learning material. Here are a few recommended plug-ins that are relatively easy to use:

  1. AuthMatrix

    AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are displayed through the UI in a similar format to that of an access control matrix commonly built in various threat modeling methodologies.
    Once the tables have been assembled, testers can use the simple click-to-run interface to efficiently run all combinations of roles and requests. Testers can then confirm their results with an easy to read, color-coded interface indicating any authorization vulnerabilities detected in the system. Additionally, the extension provides the ability to save and load target configurations for simple regression testing.

  2. J2EEScan

    The goal of this extension is to improve the test coverage during web application penetration tests on J2EE applications. It adds some new test cases and new strategies to discover different kinds of J2EE vulnerabilities.

  3. ActiveScan++

    This plug-in works in both active and passive scanning to improve vulnerability detection. It adds some vulnerability checks that the automated scanner itself does not have.

  4. BypassWAF

    We sometimes encounter a WAF (web application firewall) during a penetration test, which is often a headache. Burp Suite is a major integrated platform for web application penetration testing, and this plug-in can help you bypass some WAFs.
    Future Features:
    Automatic HPP attack testing in GET / POST
    Automatic HTTP Request Smuggling attack

  5. BurpKit

    BurpKit provides a two-way JavaScript bridge API that allows users to quickly create Burp Suite plug-ins that can interact directly with the DOM as well as with Burp's extension API. This lets plug-in developers run their own detection logic directly against the DOM of a web application while leveraging other Burp Suite features.

    Project Home: https://github.com/allfro/BurpKit/releases

  6. CSRF Scanner

    CSRF Scanner is a CSRF vulnerability testing tool that proactively scans for CSRF vulnerabilities, primarily to enhance CSRF scanning in Burp Suite.
    To install it, select "CSRF Scanner" in the list on the left side of the "BApp Store" interface, then click "Install" on the right.

  7. Java-Deserialization-Scanner

    Java-Deserialization-Scanner is a Burp Suite plug-in used to automate the discovery of Java deserialization vulnerabilities.

  8. CSP-Bypass

    CSP-Bypass is a Burp plug-in written in Python that uses known methods to check the security of a site's CSP and whether it can be bypassed.
    Project Home: https://github.com/moloch-/CSP-Bypass
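
The access control matrix idea described under AuthMatrix (item 1) can be sketched offline as follows. This is an added example, not AuthMatrix's own code: the roles, requests, observed status codes, verdict names and the "2xx means success" rule are all constructed assumptions.

```python
"""Offline sketch of an access control matrix check (all data is constructed)."""
from itertools import product

ROLES = ["admin", "user", "anonymous"]
# Expected matrix: request -> roles that are supposed to be authorized.
EXPECTED = {
    "GET /admin/users": {"admin"},
    "GET /account/profile": {"admin", "user"},
    "GET /login": {"admin", "user", "anonymous"},
}
# Constructed observations: (role, request) -> HTTP status seen when the
# request was replayed with that role's session.
OBSERVED = {
    ("admin", "GET /admin/users"): 200,
    ("user", "GET /admin/users"): 200,        # should have been denied
    ("anonymous", "GET /admin/users"): 302,
    ("admin", "GET /account/profile"): 200,
    ("user", "GET /account/profile"): 500,    # should have succeeded
    ("anonymous", "GET /account/profile"): 302,
    ("admin", "GET /login"): 200,
    ("user", "GET /login"): 200,
    ("anonymous", "GET /login"): 200,
}

def succeeded(status):
    # Assumption: a 2xx status means the action was actually performed.
    return 200 <= status < 300

def evaluate(roles, expected, observed):
    """Run every role/request combination and give each cell a verdict."""
    results = {}
    for request, role in product(expected, roles):
        status = observed.get((role, request))
        if status is None:
            verdict = "untested"
        elif succeeded(status) and role not in expected[request]:
            verdict = "vulnerable"    # unauthorized role got through
        elif not succeeded(status) and role in expected[request]:
            verdict = "broken"        # authorized role was refused
        else:
            verdict = "ok"
        results[(role, request)] = verdict
    return results

def findings(results):
    """Cells where a role performed a request it is not authorized for."""
    return sorted(cell for cell, v in results.items() if v == "vulnerable")

if __name__ == "__main__":
    res = evaluate(ROLES, EXPECTED, OBSERVED)
    for request in EXPECTED:
        print(request, {role: res[(role, request)] for role in ROLES})
    print("authorization findings:", findings(res))
```

Saving the expected matrix alongside the application and re-running the comparison after each release gives the regression check the AuthMatrix description mentions.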