BiTree
  • Search For Lessons
  • Curriculum
  • Pricing
  • For Educators
  • Become a Tutor
  • About
  • Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
BiTree

Live coding lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Search For Lessons
  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Become a Tutor
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 BiTree. All rights reserved.
Curriculum/Cybersecurity/Burp Suite: Web Application Testing/Burp Extensions and the BApp Store
45 minAdvanced

Burp Extensions and the BApp Store

After this lesson, you will be able to: Install and use essential Burp extensions from the BApp Store, and write a basic Python extension with the Burp API (the Montoya API in modern Burp).

Extensions add power to Burp. This lesson covers the essential extensions every professional installs, what each does, and how to write a simple extension yourself so you understand the mechanism, including a note on the modern Montoya API.

Prerequisites:Burp Scanner (Professional)

💡 Authorization first

Only perform these techniques in authorized lab environments. Never test systems you do not own or have explicit written permission to test. Every lab in this subtrack uses the PortSwigger Web Security Academy, which is built specifically for legal Burp Suite practice.

What extensions are

Extensions are Java or Python code that adds functionality to Burp, and the BApp Store holds hundreds of community-contributed ones. They can add scan checks, new tabs, request transformations, and automation. Installing a handful of well-chosen extensions turns Burp from a strong tool into a tailored testing platform.

Essential extensions

JWT Editor (JWT attacks: key confusion, alg manipulation). Turbo Intruder (high-speed fuzzing). Active Scan++ (extra active-scan checks). Param Miner (discovers hidden parameters). Hackvertor (encoding transformations inside requests). Logger++ (advanced logging and filtering). SQLiPy (SQLMap integration). Autorize (automated authorization testing, the best tool for IDOR at scale). Reflected Parameters (highlights reflected inputs). CSRF Scanner (finds CSRF). Install these and you cover most professional workflows.

A basic extension: add a header to every request

Conceptually, an extension registers a handler that Burp calls for each request. Modern Burp uses the Montoya API.

tsx
// Montoya API (Burp 2023+), Java sketch:
// implement BurpExtension, register an HttpHandler that adds a header.
public class AddHeader implements BurpExtension {
  public void initialize(MontoyaApi api) {
    api.http().registerHttpHandler(new HttpHandler() {
      public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent req) {
        return RequestToBeSentAction.continueWith(
          req.withAddedHeader("X-Test", "BiTree"));
      }
      public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived resp) {
        return ResponseReceivedAction.continueWith(resp);
      }
    });
  }
}
// The point: an extension hooks Burp's request/response pipeline. You do not
// need to ship this; understanding the hook is what matters.

The Montoya API

Burp Suite 2023 and later use the Montoya API, which replaced the older Extender API. It is a cleaner, type-safe Java API for building extensions; the old API is deprecated. If you follow a tutorial that uses the legacy API (IBurpExtender), know it still loads but new extensions should target Montoya. Python extensions run via Jython against the older API; serious extension development today is Java with Montoya.

Quick Check

Which extension is the best choice for testing access control (IDOR) across many endpoints automatically?

Pick one.

Common mistakes only experienced testers catch

Installing dozens of extensions and slowing Burp to a crawl; install what you use. Following a legacy-API tutorial without realizing Montoya is the modern path. Forgetting Autorize for authorization testing and doing IDOR by hand at scale. Trusting an extension's output without verification. Not keeping extensions updated. Writing a complex extension when a one-liner in Repeater or a match-and-replace rule would do.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
Back to Burp Suite: Web Application Testing
Testing for Business Logic Flaws→