7 Hidden Burp Suite Features That Save Hours of Manual Testing (2026)

Mr Elite 20 min read
7 Hidden Burp Suite Features That Save Hours of Manual Testing (2026)
You’ve been using Burp Suite for a year. You know Proxy, Repeater, and Intruder. You feel reasonably competent. Then you watch a senior bug bounty hunter do a session review and they’re doing things you’ve never seen — requests filtering themselves based on response content, headers injecting automatically into every request, a login macro re-authenticating silently in the background while Intruder runs overnight.

That gap between “knows Burp” and “uses Burp at full capacity” is exactly where most hunters stay permanently. Nobody teaches the 7 Burp Suite Hidden Features that experienced testers use every session. The tutorials cover the three obvious tabs and stop. The rest gets learned by accident or not at all.

I’ve been testing web applications with Burp professionally for years. These seven Burp suite hidden features cut hours from every assessment. Some are built-in, some are extensions. All of them are free. All of them work in Community Edition.

🎯 What You’ll Have After This

Burp Macros configured for automatic re-authentication — run Intruder overnight without session expiry killing your attack
Logger++ capturing traffic that Proxy History misses — including requests from extensions and Scanner
Match & Replace rules injecting bypass headers into every request automatically
Bambdas filtering thousands of requests to the exact ones that matter in seconds
Param Miner finding hidden parameters the application doesn’t document but does process
Organizer replacing your messy external notes file with tracked, exportable findings

⏱️ 20 min read · immediately applicable to your next session

📋 7 Burp Suite Hidden Features – Contents

  1. Feature 1 — Burp Macros: Automated Re-Authentication
  2. Feature 2 — Logger++: Traffic You’re Currently Missing
  3. Feature 3 — Match & Replace: Bulk Header Injection
  4. Feature 4 — Bambdas: JVM-Powered Request Filtering
  5. Feature 5 — Param Miner: Hidden Parameter Discovery
  6. Feature 6 — Organizer: Stop Losing Findings
  7. Feature 7 — Target Scope: Cut 80% of the Noise

Feature 1 — Burp Macros: Automated Re-Authentication

Here’s the problem Macros solves. You’re running an Intruder attack against an authenticated endpoint. Two hours in, the session expires. Intruder keeps firing requests, but they’re all hitting the login redirect now. You wasted two hours of attack time against the wrong endpoint, and you didn’t notice because Intruder doesn’t care about 302 responses — it just reports them as “success.”

Macros record a login sequence and replay it automatically when Burp detects session expiry. Set one up once and you never babysit a session again. This is the feature that makes overnight Intruder runs viable.

BURP MACROS — SETUP WALKTHROUGH
# Step 1: Record the macro
Project Options → Sessions → Macros → Add
Select the login POST request from Proxy History → OK
Macro recorded: POST /login with username=admin&password=X
# Step 2: Create Session Handling Rule
Sessions → Session Handling Rules → Add
Rule Actions → Add → Run a macro → select your macro
Scope → Tools: ☑ Intruder ☑ Scanner ☑ Repeater
Scope → URL Scope: Use suite scope
# Step 3: Test the macro works
Open Macro Editor → Test macro → verify login response = 200
# Add a check — macro should update a session cookie from the response
Macro Editor → Configure item → Cookie/Parameter handling
Extract session_id from login response → use in subsequent requests

The macro doesn’t just log you in — it updates the session cookie from the login response and passes it through to subsequent requests. Get this configured correctly once and your authenticated testing sessions run without interruption regardless of how short the session timeout is.

Feature 2 — Logger++: The Traffic You’re Currently Missing

Proxy History only shows requests that go through Burp’s proxy listener. Logger++ captures everything Burp processes — including requests from extensions, the Scanner, Intruder payloads, and any tool using Burp’s upstream proxy. The traffic you’re missing right now is the traffic that comes from extensions making their own requests in the background.

The other thing Logger++ does that Proxy History doesn’t: it lets you search across all captured traffic using an advanced filter with regex, response keyword matching, and status code conditions simultaneously. Finding the one request in 50,000 that has an interesting response takes seconds instead of manual scrolling.

LOGGER++ — SETUP AND ADVANCED FILTERS
# Install Logger++
Extender → BApp Store → search “Logger++” → Install
New tab “Logger” appears → all Burp traffic captured here
# Useful filter examples
# Show only 200 responses with “password” in response body
Response.status == 200 && Response.body contains “password”
# Show requests with non-standard Content-Type headers
Request.headers contains “application/x-www-form-urlencoded”
# Show responses with large body (potential data leak)
Response.body.length > 50000
# Export filtered results for reporting
Logger++ → Log Table → right-click → Export as CSV

securityelites.com
Logger++ vs Proxy History — What Each Captures
Proxy History — Misses
❌ Extension-generated requests
❌ Intruder requests (only results)
❌ Scanner requests
❌ Collaborator interactions
❌ Out-of-scope requests
❌ Burp-internal requests

Logger++ — Captures
✅ Everything Proxy History shows
✅ Extension-generated requests
✅ All Intruder payloads
✅ All Scanner requests
✅ Configurable scope filtering
✅ Regex-searchable across all fields

📸 Logger++ captures the traffic Proxy History misses — most importantly, requests generated by Burp extensions running in the background. During a complex assessment using multiple extensions simultaneously, Logger++ often shows 3–5× more requests than Proxy History alone. The advanced filter bar lets you search any field with regex or boolean conditions, making it possible to find a specific type of response in a 100,000-request capture in seconds.

Feature 3 — Match & Replace: Bulk Header Injection

Every time you test a WAF bypass or an IP-based access control, you’re probably adding X-Forwarded-For headers manually in Repeater. Once per request. Which means you’re doing it hundreds of times per session. Match & Replace injects that header into every request Burp processes automatically — set it once, test all day.

The same feature handles any systematic modification you need across all traffic: stripping security headers to test CSP bypass, replacing User-Agent strings for access control testing, adding custom authentication tokens to every request. Stack multiple rules and Burp transforms every request before it leaves your machine.

MATCH & REPLACE — PRACTICAL RULES FOR TESTING
# Navigate to: Proxy → Options → Match and Replace
# Rule 1: Auto-inject X-Forwarded-For
Type: Request Header | Match: (blank) | Replace: X-Forwarded-For: 127.0.0.1
# Rule 2: Remove X-Frame-Options to enable clickjacking testing
Type: Response Header | Match: X-Frame-Options.* | Replace: (blank)
# Rule 3: Change admin=false to admin=true in all responses
Type: Response Body | Match: “admin”:false | Replace: “admin”:true
# Tests whether client-side role flag drives UI permissions
# Rule 4: Inject debug header to trigger verbose errors
Type: Request Header | Match: (blank) | Replace: X-Debug: true
# Enable/disable rules with checkbox — keep your library and toggle as needed

🛠️ EXERCISE 1 — BROWSER (15 MIN · NO INSTALL)
Explore Burp Suite’s Hidden Features in the BApp Store

⏱️ 15 minutes · Burp Suite Community Edition open

Before you configure anything, find what’s available. Most hunters never open the BApp Store past the first page — the highest-impact extensions are buried on page 3.

Step 1: Open BApp Store
Extender → BApp Store → browse all extensions

Step 2: Find and note these extensions (install if you have Burp open)
Logger++ — traffic capture and advanced filtering
Param Miner — hidden parameter discovery
Autorize — access control testing automation
Turbo Intruder — high-speed Intruder replacement (Community throttle bypass)
JS Miner — extract secrets and endpoints from JavaScript files
Active Scan++ — extends Scanner with additional check types

Step 3: For each extension you find, answer:
What specific problem does it solve?
Which testing scenario would I use it in?
Is it Community or Pro only?

Step 4: Check your current Burp version
Help → About Burp Suite
If you’re below 2023.10, update — Bambdas require 2023.10+

Step 5: Find the Match & Replace rules location
Proxy → Options → scroll to Match and Replace
How many default rules does Burp have pre-configured?
What do they do?

✅ You just mapped Burp’s real capability footprint — not the three-tab version the tutorials show. The six extensions on that list are what serious hunters use every session. Autorize alone has found me access control bugs in every application I’ve run it against. Turbo Intruder bypasses the Community throttle by replacing Intruder entirely with a Python-scripted HTTP engine — it’s the Community Edition workaround that pros actually use.

📸 Screenshot the BApp Store with Logger++ and Param Miner visible. Share in #burp-suite-tips

Feature 4 — Bambdas: JVM-Powered Request Filtering

Regular Proxy History filters are binary — show or hide by status code, method, extension. Bambdas give you a full Java lambda to express any condition. The response body is longer than 10KB AND contains the string “password” AND the request path starts with “/api/”? That’s three lines of Bambda. The equivalent manual filter doesn’t exist.

I started using Bambdas the first week they were released and immediately found a finding I’d missed manually — a response that contained a base64-encoded JWT in an unusual field, which I only spotted because I wrote a Bambda to flag any response containing a three-segment dot-separated string in the body. Five minutes of Bambda writing surfaced a credential leak that a full manual review missed.

BAMBDA EXAMPLES — PRACTICAL FILTERS
# Access Bambdas: Proxy History → Filter bar → Bambda
# Find responses containing potential JWT tokens
return requestResponse.response().bodyToString().matches(“.*[A-Za-z0-9+/]{20,}\\.[A-Za-z0-9+/]{20,}\\.[A-Za-z0-9+/]{20,}.*”);
# Show only large responses (possible data dumps)
return requestResponse.response().body().length() > 100000;
# Show 200 responses to POST requests on /api/ paths
return requestResponse.request().method().equals(“POST”) &&
requestResponse.request().path().startsWith(“/api/”) &&
requestResponse.response().statusCode() == 200;
# Find responses with stack traces (verbose error disclosure)
return requestResponse.response().bodyToString().contains(“Exception”) ||
requestResponse.response().bodyToString().contains(“stack trace”) ||
requestResponse.response().bodyToString().contains(“Traceback”);

Feature 5 — Param Miner: Hidden Parameter Discovery

Every application has parameters it processes but doesn’t advertise. Debug flags. Admin overrides. Feature toggles left in from development. Param Miner finds them by sending your request with hundreds of additional parameter names and comparing responses — anything that differs from the baseline response indicates the application processed the parameter.

The best Param Miner find I’ve had was a hidden debug=true parameter that switched an API endpoint from returning sanitised output to returning raw database rows including fields the application was supposed to hide. The endpoint was in scope, the parameter wasn’t documented anywhere, and automated scanners passed it completely. Param Miner flagged it in four minutes.

PARAM MINER — HOW TO RUN IT
# After installing from BApp Store
Proxy History → right-click any interesting request
Extensions → Param Miner → Guess params
# Configuration options
☑ Add ‘fcbz’ cachebuster → prevents caching from masking results
☑ Guess headers → finds hidden request headers
☑ Guess cookies → finds hidden cookie parameters
☑ Bruteforce words → tests common param names
# Results appear in Extensions → Param Miner → Output tab
Interesting parameter found: debug=true (response diff: +2847 bytes)
Hidden header found: X-Internal-User changes response structure
# Verify manually — send to Repeater and confirm the diff
Right-click result → Send to Repeater → compare baseline vs parameter present

securityelites.com
Burp Suite — 7 Hidden Features Location Map
1. Macros
Project Options → Sessions → Macros
2. Logger++
Extender → BApp Store → install → Logger tab
3. Match & Replace
Proxy → Options → Match and Replace
4. Bambdas
Proxy History → Filter bar → Bambda (v2023.10+)
5. Param Miner
Extender → BApp Store → install → right-click request
6. Organizer
Organizer tab (v2022.8+) → right-click → Send to Organizer
7. Target Scope
Target → Scope → Advanced scope control → Drop out-of-scope

📸 Location map for all 7 hidden Burp Suite features. Every one of these is accessible in Burp Suite Community Edition. The two extensions (Logger++ and Param Miner) take 60 seconds to install from the BApp Store. Macros, Match & Replace, Bambdas, Organizer, and Target Scope are built-in — no installation needed. The only prerequisite for Bambdas is Burp Suite 2023.10 or later.

Feature 6 — Organizer: Stop Losing Findings

Every tester has done this: found something interesting three hours into a session, made a mental note, kept testing, and by the end had a Proxy History with 80,000 requests and zero memory of which one had the suspicious response. Organizer solves this. Right-click any request and send it there. Add a note. Mark a severity. Your findings are tracked in the project file and never lost.

I switched to Organizer the week it shipped and stopped keeping a separate notes file entirely. The finding stays attached to the actual request, the request is in the project, the project is the report. When you export at the end of the session you have every interesting request with your notes already attached.

ORGANIZER — WORKFLOW
# Sending to Organizer
Any request in Proxy History, Repeater, Logger++ → right-click
→ “Send to Organizer”
# Organizer tab workflow
Select entry → Notes field → add finding description
Severity dropdown → Info / Low / Medium / High / Critical
Status → Needs investigation / Confirmed / False positive
# At end of session
Organizer → right-click → Export to file
All annotated requests exported with your notes intact

Feature 7 — Target Scope: Cut 80% of the Noise

A modern web application makes requests to Google Analytics, Facebook Pixel, Cloudflare, CDN endpoints, and a dozen other third-party services on every page load. None of those are in scope. All of them flood your Proxy History, slow down your Logger++, and make finding interesting requests significantly harder.

A properly configured Target Scope drops out-of-scope traffic before it reaches Proxy History. What remains is only the application you’re testing. On a complex application this is the difference between a 50,000-request history and a 6,000-request history — same session, same testing, dramatically cleaner working environment.

TARGET SCOPE — CONFIGURATION
# Step 1: Set scope
Target → Site Map → right-click target domain → Add to scope
# Or: Target → Scope → Use advanced scope control
Add include rule: Protocol=https, Host=*.targetdomain.com, Port=443
# Step 2: Drop out-of-scope requests
Proxy → Options → Miscellaneous
☑ Drop all out-of-scope requests
# Step 3: Filter Proxy History to scope only
Proxy History → Filter bar → ☑ Show only in-scope items
# Result: Proxy History shows only target application traffic
Before scope filter: 48,392 requests
After scope filter: 5,847 requests ← what you’re actually testing

securityelites.com
Burp Organizer Tab — Findings Tracked In-Session
#RequestSeverityNotesStatus
1POST /api/v2/usersCriticalIDOR — user_id param, tested IDs 1-10, all return full PIIConfirmed
2GET /api/exportMediumNo rate limiting — Param Miner found debug=true returns raw DBInvestigating
3POST /loginInfoError message reveals email existence — low impactFalse Positive
4GET /admin/configCriticalAccessible without auth — found via Param Miner header guessConfirmed
📸 Burp Suite Organizer tab showing four tracked findings mid-assessment. Each entry has the request, severity, your notes, and status — all inside the project file. The two Critical findings (rows 1 and 4) came from IDOR testing and a Param Miner hidden header discovery respectively. Without Organizer, both of these would be somewhere in 40,000 Proxy History entries with no notes attached. With Organizer, they’re documented findings ready to go straight into the report.

🧠 EXERCISE 2 — THINK LIKE A HACKER (15 MIN · NO TOOLS)
Why Each Hidden Feature Changes What You Find

⏱️ 15 minutes · No tools required — pure analysis

The features aren’t just productivity tools — each one closes a specific gap that lets findings slip through without them. Work through why.

SCENARIO 1 — The Overnight Intruder Attack
You launch a 10,000-payload Intruder attack at 11pm and check results at 8am.
Without Macros: 9,600 requests hit the login redirect. 400 meaningful results.
With Macros: All 10,000 requests hit the authenticated endpoint.

Question: What type of vulnerability would this session expiry failure hide?
Which OWASP category does session management testing fall under?

SCENARIO 2 — The Extension That Makes Its Own Requests
You run a GraphQL schema enumeration extension.
Without Logger++: Extension requests don’t appear in Proxy History.
The extension discovers 3 undocumented mutations — none captured.
With Logger++: All extension requests captured and filterable.

Question: What other types of requests does Proxy History miss?
Name 3 scenarios where Logger++ would find something Proxy History wouldn’t.

SCENARIO 3 — The Hidden Debug Parameter
An application’s /api/v2/users endpoint returns a sanitised user list.
Without Param Miner: You test the documented parameters. Nothing interesting.
With Param Miner: debug=true parameter discovered → raw database output returned.

Question: How would you rate this finding? What’s the impact?
What remediation would you recommend?

SCENARIO 4 — The 50,000-Request Session
You’ve been testing for 4 hours. Proxy History has 52,000 entries.
You remember seeing something interesting around hour 2 but can’t find it.
With Organizer configured from the start: The request is in Organizer with your note.
Without Organizer: Manual search through 52,000 requests.

Question: What’s the cost of losing that finding?
Design a personal Organizer workflow for your next session.

✅ Each feature patches a specific gap in your testing coverage — macros close the session expiry gap, Logger++ closes the extension traffic gap, Param Miner closes the undocumented parameter gap, Organizer closes the lost-finding gap. The hunters landing consistent Critical findings aren’t smarter — they’ve closed all four gaps and test with fewer blind spots. That’s the real value of these seven features: not speed, coverage.

📸 Write down your answer to SCENARIO 3 and share in #bug-bounty. Tag #BurpSuiteHiddenFeatures

Putting All 7 Together — The Start-of-Session Checklist

The reason most hunters never discover these features is that there’s no obvious moment when you’d look for them. Macros aren’t visible unless you run into a session expiry problem. Bambdas don’t exist until you need to filter something complex. Organizer seems optional until you lose a finding.

The solution is a five-minute start-of-session setup that activates all seven before you write a single request. Once this is habit, these features are just part of how Burp works — not something you remember to configure when you run into a problem.

BURP SESSION SETUP CHECKLIST — RUN BEFORE EVERY ASSESSMENT
# 1. Target Scope (60 seconds)
Target → Scope → set include rules → enable Drop out-of-scope
# 2. Match & Replace rules (30 seconds)
Proxy → Options → Match and Replace → enable your saved rules
# 3. Logger++ filter (30 seconds)
Logger tab → set default filter for session (status, path prefix)
# 4. Macro (if target has authentication)
Log in manually → Project Options → Macros → record login → set rule
# Skip if testing unauthenticated scope only
# 5. Organizer — open and ready
Click Organizer tab → confirms it’s active in this project
# During testing — run these as you go
Interesting request found → Cmd+Shift+O → Send to Organizer → add note
Large traffic capture → Bambda filter to find the signal in the noise
Unusual endpoint → right-click → Extensions → Param Miner → Guess params

🛠️ EXERCISE 3 — BROWSER ADVANCED (15 MIN · NO INSTALL)
Validate Your Burp Version and Plan Your Extension Stack

⏱️ 15 minutes · Burp Suite open

Bambdas require 2023.10+. Three of the extensions need the BApp Store. Run through this checklist so your next session starts fully equipped.

Step 1: Check Burp version
Help → About Burp Suite
Note your version. If below 2023.10, update now:
Download from: portswigger.net/burp/releases

Step 2: Install the three essential extensions
Extender → BApp Store:
Install: Logger++
Install: Param Miner
Install: Turbo Intruder (Community throttle bypass)

Step 3: Test Logger++ is capturing
Enable Intercept → browse any site in Firefox
Check Logger tab → requests should appear there AND in Proxy History

Step 4: Create one Match & Replace rule
Proxy → Options → Match and Replace → Add
Type: Request Header
Match: (leave blank)
Replace: X-Forwarded-For: 127.0.0.1
Test: browse a page and check the request in Proxy — header is present

Step 5: Write your first Bambda
Proxy History → Filter bar → Bambda
Enter: return requestResponse.response().statusCode() == 200 &&
requestResponse.request().path().contains(“/api/”);
Apply — does the filter work?

Step 6: Send one request to Organizer
Any request in Proxy History → right-click → Send to Organizer
Add a test note → verify it appears in Organizer tab

✅ You just validated your Burp setup against all 7 features. Every assessment you run from here starts with these active. The 5-minute setup investment at the start of a session saves 2–3 hours of manual work across the day — and more importantly, it closes the coverage gaps that let high-severity findings slip through undetected. The best finding you ever make might be the one Param Miner surfaces on an endpoint you’d have manually tested and moved on from.

📸 Screenshot your Burp with Logger++ tab and at least one Match & Replace rule active. Share in #burp-suite-tips

✅ 7 Hidden Features — Now Part of Your Burp Workflow

Macros, Logger++, Match & Replace, Bambdas, Param Miner, Organizer, and Target Scope. All seven work in Community Edition. All seven are active by default in my sessions. The gap between hunters who find Criticals consistently and hunters who find Mediums is often not skill — it’s coverage. These seven features close the coverage gaps.


🧠 Quick Check

You’re running an authenticated Intruder attack and need to test 5,000 payloads. You know the session expires after 15 minutes. Which Burp feature prevents session expiry from invalidating your attack?



❓ Frequently Asked Questions

What Burp Suite features do most ethical hackers not use?
The most underused features are: Macros (automate re-authentication), Logger++ (captures traffic Proxy History misses), Bambdas (JVM-powered filtering from v2023.10), Param Miner (discovers hidden parameters), Organizer (tracks findings in the project file), Match & Replace (bulk header injection), and proper Target Scope configuration. All work in Community Edition.
Does Burp Suite Community Edition have all these features?
Yes. All 7 features covered here are available in Community Edition. Logger++, Param Miner, and Turbo Intruder are free BApp Store extensions. Macros, Match & Replace, Organizer, and Target Scope are built-in. Bambdas require v2023.10+, available in both editions. The main Community limitations are throttled Intruder and no automated Active Scanner — none of the 7 features here are affected by those limitations.
How do Burp Macros work for authenticated testing?
Macros record a login request sequence and replay it via a Session Handling Rule when Burp detects session expiry. The macro extracts the new session cookie from the login response and passes it to subsequent requests. Set it up once per target and your authenticated testing sessions run uninterrupted regardless of session timeout duration.
What is Param Miner and why is it important for bug bounty?
Param Miner guesses hidden HTTP parameters by sending requests with additional parameter names and detecting response differences. Hidden parameters sometimes bypass access controls, enable debug output, or unlock undocumented functionality. These findings are missed by automated scanners and manual testing alike — Param Miner is the only tool that systematically discovers them.
What is the Burp Organizer tab?
Organizer (added in v2022.8) is a built-in findings tracker. Right-click any request → Send to Organizer, then add severity, notes, and status. It replaces external notes files and keeps findings attached to the actual requests in the project file. Everything exports with the project for reporting. Essential for any session longer than two hours.
What are Burp Bambdas?
Bambdas are Java lambda expressions for filtering requests and responses in Burp, introduced in v2023.10. Unlike standard filters, Bambdas accept any JVM code — check response length, parse body content, compare parameter values. Available in both Community and Professional. The fastest way to find a specific request pattern in a large traffic capture without manual scrolling.
← Previous

DVWA vs WebGoat vs Juice Shop 2026

Next →

Nmap vs Masscan vs Rustscan 2026

📚 Further Reading

  • Burp Suite Community vs Professional 2026 — Exactly what you get by upgrading — and whether the £449/year is worth it for your use case. Spoiler: Turbo Intruder makes Community viable for most bug bounty work.
  • GraphQL Bug Bounty 2026 — GraphQL-specific Burp workflow including Param Miner on GraphQL parameters and Logger++ filtering for introspection responses — applies every technique from this page to a specific target type.
  • Burp Suite Kali Linux Tutorial — Day 12 — The foundational Burp setup guide covering Proxy, Repeater, and Intruder — the baseline you need before these advanced features make sense.
  • PortSwigger Organizer Documentation — Official reference for every Organizer feature including export formats, keyboard shortcuts, and integration with the scanner workflow.
  • PortSwigger Web Security Academy Labs — The practice environment where Macros and Param Miner pay off most — authenticated labs where session management matters and hidden parameters appear regularly.
ME
Mr Elite
Owner, SecurityElites.com
The Bambda that found me a JWT in an unusual field took four minutes to write and found a credential leak a full manual review missed. That’s the one that convinced me these aren’t productivity features — they’re coverage features. The Criticals I’ve found with Param Miner weren’t smarter finds. They were finds that would have stayed hidden forever on an endpoint I’d manually tested and moved on from. If you’re running any serious web application assessment without these seven active from the start of the session, you’re leaving a portion of your attack surface untested. That’s the honest framing.

burp bambdas filter burp logger++ extension burp match replace rules burp organizer tab burp suite macros tutorial burp suite productivity ethical hacking burp suite tips tricks 2026
Join free to earn XP for reading this article Track your progress, build streaks and compete on the leaderboard.
Join Free

1 Comment

  1. Pingback: 7 Hidden Burp Suite Features That Save Hours of Manual Testing (2026) - Trend Yapay Zeka

Leave a Comment

Your email address will not be published. Required fields are marked *