Introduction

When you don’t have an Internet connection during a web application pentest and you still want to install some BApps in Burp Suite, you have to download them manually from the BApp Store. If you use a lot of extensions, this can be a tedious task. A small script can download all BApps at once to simplify this.

Script

The following script can be used to download all Burp Suite BApps from the BApp Store:

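#!/usr/bin/env bash

# Create the target directory (no error if it already exists)
mkdir -p bapps

# Extract "<id> <name>" pairs from the BApp Store listing and download each extension
curl -s https://portswigger.net/bappstore | awk -F '["<>/]' '/bapp-label heading-4/{ print $7,$9 }' | while read -r id name
do
  echo "Downloading $name..."
  # -f: do not save an HTTP error page as a .bapp file; unsafe filename characters become "_"
  curl -s -f -L "https://portswigger-cdn.net/bappstore/bapps/download/$id" -o "bapps/${name//[^a-z0-9A-Z]/_}.bapp"
done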

This script can also be found in my Scripts repository on GitHub: download-burpsuite-bapps.

When executed, the output looks like this:

$ download-burpsuite-bapps
Downloading .NET Beautifier...
Downloading 403 Bypasser...
Downloading 5GC API Parser...
Downloading Active Scan&#x2B;&#x2B;...
Downloading Add &amp; Track Custom Issues...
Downloading Add Custom Header...
Downloading Add to SiteMap&#x2B;...
[...]

Depending on the Internet connection, it takes a few minutes to download all extensions.

The script creates a new directory bapps containing all extensions:

$ ls bapps/ 
403_Bypasser.bapp
5GC_API_Parser.bapp
Active_Scan__x2B___x2B_.bapp
Add__amp__Track_Custom_Issues.bapp
Add_Custom_Header.bapp
Additional_CSRF_Checks.bapp
Additional_Scanner_Checks.bapp
Add_to_SiteMap__x2B_.bapp
Add_to_TLS_Pass_Through.bapp
Adhoc_Payload_Processors.bapp
AES_Killer__decrypt_AES_traffic_on_the_fly.bapp
AES_Payloads.bapp
Agartha___LFI__RCE__SQLi__Auth__HTTP_to_JS.bapp
Anonymous_Cloud__Configuration_and_Subdomain_Takeover_Scanner.bapp
Anti_CSRF_Token_From_Referer.bapp
[...]

These bapp files can then be installed in Burp manually (Extensions → BApp Store → Manual install).
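A download that was interrupted or answered with an HTML page still ends up as a .bapp file, and that only shows once the offline machine refuses to install it. The following added example (not part of the original script) checks every file in the bapps directory and writes a checksum list to carry along with the files. It assumes that .bapp files are ZIP archives and that GNU sha256sum is available; the function names is_zip and verify_bapps are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: sanity-check downloaded .bapp files before moving them offline.
# Assumption: a .bapp file is a ZIP archive, so it starts with "PK\x03\x04".

# Return 0 if the file starts with the ZIP local-file-header magic bytes.
is_zip() {
  [ "$(head -c 4 -- "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# Check every .bapp file in a directory.
# Valid files are recorded in <dir>/SHA256SUMS (relative names, so the list
# can be verified on the offline machine with "sha256sum -c SHA256SUMS").
# Invalid files are reported on stderr. Returns 0 only if all files are valid.
verify_bapps() {
  local dir=$1 bad=0 f
  : > "$dir/SHA256SUMS"
  for f in "$dir"/*.bapp; do
    [ -e "$f" ] || continue   # directory contains no .bapp files
    if is_zip "$f"; then
      (cd "$dir" && sha256sum -- "${f##*/}") >> "$dir/SHA256SUMS"
    else
      echo "not a ZIP archive: $f" >&2
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Run the check when a directory is given on the command line, e.g. ./check bapps
if [ -n "${1:-}" ]; then
  verify_bapps "$1"
fi
```

After copying the directory to the offline machine, running `sha256sum -c SHA256SUMS` inside it confirms that the files arrived unchanged.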
