BChecks for Burp Suite Professional and Burp Suite Enterprise Edition, developed by PortSwigger and the community with 🧡
Burp Suite Professional: To view the documentation, go to Extensions > BChecks and click the ? icon in the top-right corner of the window.
Burp Suite Enterprise Edition: To learn more about BChecks, see Adding BChecks to Burp Suite Enterprise Edition.
To see all of our documentation on BChecks for both Burp Suite Professional and Burp Suite Enterprise Edition, see BCheck definitions.
Burp Suite Shorts | BCheck v2-beta language
Introducing custom scan checks to Burp Suite Enterprise Edition
Supporting Sprocket Security's offensive security testing with BChecks
The top 10 community-created BChecks, so far...
BChecks: Houston, we have a solution!
BChecks are a community-driven effort and as such we encourage you to share your own BChecks and improve upon the existing ones.
To learn about the process of contributing to the repository, see Contributing.
We've put together some example BChecks, to help you get started:
- Blind SSRF via out-of-band detection
- Exposed git directory
- Leaked AWS Tokens
- Log4Shell via out-of-band detection
- Server Side Prototype Pollution
- Suspicious Input Transformation
The following BChecks look for specific vulnerabilities which have a CVE:
These BChecks look for specific vulnerability classes as opposed to discrete vulnerabilities:
You can see other BChecks that have been created by the community, doing wonderful things that we didn't imagine:
You can see archived BChecks that have been preserved for users with older versions of Burp Suite:
BChecks are written and maintained by third-party users of Burp. We review the pull requests for new community-created scripts before they are added to this repository. However, PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.