Advanced Burp Suite: Create Custom Extensions

Min. Attendees
Max. Attendees
Remote or onsite
Laptop with Burp Community or Pro and Python installed.


Assessing modern web applications can be a challenge. Burp Suite, the industry standard assessment tool, offers integrated extensions that facilitate the assessment process. This hands-on workshop will teach how to write a custom Burp Suite extension in Python.

Target Audience

This workshop was specifically created for participants with a technical background, such as penetration testers or developers, who would like to take their testing technique a step further and add custom automation to it. Basic experience with Burp Suite and Python is recommended to follow the course.


The modern web application landscape continuously offers more technologies and possibilities to realise a multitude of tasks, applications and workflows. Therefore, being able to adapt to changing demands is a valuable skill. To this end, Burp Suite, the industry standard in web application penetration testing, provides a variety of extensions for many common use cases. Burp Suite also offers the possibility to create and customise extensions for specific needs, especially for automated scan functionalities. The workshop will start off with common use cases in which extensions can help to fulfil a specific task, and from there continues to writing, configuring and testing a custom extension. This includes the use of Burp's APIs, building the necessary code structure, as well as testing the code to ensure stability and proper integration with automated scan functionalities. After the workshop, attendees will be able to create an extension on the fly for any specific need in the future.


  • Introduction/Goals
  • Overview of Burp Workflows
  • Structure of Extensions
  • Extension Creation
  • Extension Testing
  • Conclusion

Contact for Trainings

Talk to Our Experts
André Tschapeller
Senior Security Consultant
André is passionate about creative attack paths and using systems in unintended ways, which he tries to include in assessments for our clients. He is part of our Offensive Security Team and mainly involved in web application security.