Burp Suite, the leading toolkit for web application security testing

Burp Suite Professional - Release Notes

Tuesday, October 6, 2015


This release adds the ability to annotate the active scan queue with comments and highlights, as is already possible in the Proxy history and Target site map:

Recently, we removed the ability to delete items from the active scan queue. This was done in preparation for some planned new capabilities that will enable the Scanner to retrospectively report issues for scan queue items that have finished scanning. For this capability to work, we needed to retain the full scan queue history. Some users have complained that they were using the deletion of items as part of their testing workflow. To address this issue, we have added the ability to apply comments and highlights to scan queue items. This provides an improved alternative to the previous workflow that these users were following.

A number of other changes have been made:
  • The performance of the Target site map when selecting tree branches containing very large numbers of scan issues has been dramatically improved.
  • The process of configuring Burp to use a PKCS#11 certificate has been improved. You can now manually select the required card slot during installation, swap cards at runtime, and reload configuration from state files more easily.
  • There is a new Scanner option to create an insertion point for the entire request body, for relevant content types. This currently applies to requests with XML or JSON content in the request body. This insertion point is enabled by default, and should allow detection of some additional edge-case vulnerabilities (e.g. server-side JavaScript injection where an entire request body containing JSON is passed to the JavaScript eval function).
  • The Scanner insertion point type that was previously called "REST-style URL parameters" has been replaced with two insertion point types, covering URL path folders and the final URL filename. The filename insertion point is enabled by default, while folder insertion points are still disabled. This change should improve Burp's detection of some issues in its default configuration, such as XSS through reflection of the full URL path excluding the query string.
  • A bug that caused occasional corruption of saved state files and prevented them from correctly reloading has been fixed.
  • Scanner issues that are reported by Burp extensions are now identified as such within the UI and scan reports. This was primarily done to reduce the number of support tickets relating to defects in the wording of extension-generated issues.
  • The temporary directories created by Burp should now not be world-readable on any platforms, to prevent direct access to Burp's temporary files from other users on a multi-user machine. Note that by default such users can in any case access a large quantity of sensitive data, and interfere with Burp's operation, via the default Proxy listener on Users are encouraged not to use Burp on a machine that is shared with untrusted users.
Burp Suite Professional:
MD5: 2e9dbfa9b582cab1684ae2750eb95c8e
SHA256: 2ce0e85e30a39c9d3e1a1dac363dd57af69f50a4d8c81c9dc870b7852c32edaa

Burp Suite Free Edition:
MD5: 058b1ce8993318498f8e25ee6d09853c
SHA256: a3cedb8a2223287328273d7a2b928adde69e33f08ade6934b0a968bfb05bfd8e

Friday, September 11, 2015


This release adds the ability to detect completely blind SQL injection by triggering interactions with Burp Collaborator.

Previously, Burp Scanner has used various evidence to detect SQL injection, including:
  • Error messages
  • Differential responses through injected Boolean conditions
  • Time delays
Each of these techniques involves sending payloads designed to trigger some kind of difference in the application's immediate response, whether in its actual contents or the time taken to receive it. In some situations, SQL injection conditions can exist that just cannot be found in this way, because there is no way to induce any difference in the application's immediate response.

Enter Burp Collaborator. Burp Scanner now sends payloads like:

'||(select extractvalue(xmltype(
'<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ 
<!ENTITY % glrvh SYSTEM "http://fcvlarzebywms16gggoy7tvo.burpcollaborator.net/">%glrvh;]>'
),'/l') from dual)||'

';exec master.dbo.xp_dirtree

'+(select load_file(

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.

The above payloads work, respectively, on Oracle, Microsoft SQL Server, and MySQL (running on Windows). Each payload breaks out of the existing SQL query context and uses a database-specific technique to induce the database to perform some kind of network interaction with Burp Collaborator, through either a web URL or a UNC file path.

As things stand, having searched high and low, we have yet to find a similar technique that works against MySQL running on Linux. We would be highly appreciative if anyone can come up with a generic and feasible payload that safely induces MySQL on Linux to interact with an arbitrary external domain, without causing damage to any target systems or data. The first person to email us a qualifying payload will be quite literally showered in Burp Suite swag, including a highly-coveted T-shirt.

MD5: 53ca7d4a8ec8df95f81da624154916a7
SHA256: a242b4e0b611e3ef4302af42d36fd2be52479d98b595ecb67b1c143915dc312d

Wednesday, September 2, 2015


This release adds the ability to detect blind server-side XML/SOAP injection by triggering interactions with Burp Collaborator.

Previously, Burp Scanner has detected XML/SOAP injection by submitting some XML-breaking syntax like:


and analyzing responses for any resulting error messages.

Burp now sends payloads like:

<nzf xmlns="http://a.b/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://a.b/ http://kuiqswhjt3era6olyl63pyd.burpcollaborator.net/nzf.xsd">

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.

Note that this type of technique is effective even when the original parameter value does not contain XML, and there is no indication within the request or response that XML/SOAP is being used on the server side.

The new scan check uses both schema location and XInclude to cause the server-side XML parser to interact with the Collaborator server.

In addition, when the original parameter value does contain XML being submitted by the client, Burp now also uses the schema location and XInclude techniques to try to induce external service interactions. (We believe that Burp is now aware of all available tricks for inducing a server-side XML parser to interact with an external network service. But we would be very happy to hear of any others that people know about.)

MD5: aa39f49f7622a4686b2499a43b4ba602
SHA256: 755085c6a2da1947be634a10026c58bd60d3d6cdf41c6bb9f79b434993834962

Friday, August 21, 2015


This release adds a new scan check for external service interaction and out-of-band resource load via injected XML stylesheet tags. Burp now sends payloads like:

<?xml version='1.0'?><?xml-stylesheet type="text/xml" href="http://tqnm38srfkzw67vux9rred.burpcollaborator.net"?>

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.

The release also fixes some issues:
  • A bug that caused the file path traversal scan check to produce false negatives in some edge cases has been fixed.
  • A bug that could cause the list of loaded extensions to become corrupted or deadlocked when restarting Burp with a large number of extensions configured has been fixed.
  • A bug that caused some items in the site map to be incorrectly placed after restoring state has been fixed.
  • A bug that caused changes made to the cookie jar configuration to be not applied until the next restart has been fixed.
Burp Suite Professional:
MD5: 9ce0a628ea620e5ce53edccbd081c227
SHA256: 4540b47156f2a2df3cb3193b3b8bbe0773442bfd7b71b8800ded369911f0e0a7

Burp Suite Free Edition:
MD5: 7d2b2060e3aa52568b7cd6b19efebcd0
SHA256: 2e88bbef868e3cb8d3bac9f62f7d91d3245162ecc92985305a2c72aeeb60b851

Wednesday, August 5, 2015


This release adds a new Scanner check for server-side template injection.

Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates leads to a vulnerability that is:
  • frequently critical, allowing full arbitrary code execution on the server; and
  • easily mistaken for cross-site scripting, which is usually a much less serious issue. 
The vulnerability is generic in nature, potentially affecting any web application that uses a template engine in an unsafe way. This can arise both through developer error, and through the intentional exposure of templates in an attempt to offer rich functionality, as is commonly done by wikis, blogs, marketing applications, and content management systems. Many template engines offer a "sandboxed" mode for this purpose, but it is frequently possible to escape from this.

In the course of researching this vulnerability and developing the new Scanner check, we have identified numerous zero-day instances of the vulnerability in real-world, widely-used applications. The exact frequency of the vulnerability is unknown, but we have repeatedly stumbled upon it on penetration testing engagements and have easily located several targets for demonstration. Today, James Kettle from the Burp Suite team has presented the results of this research at the Black Hat security conference.

For full technical details of how this vulnerability can be found and exploited, see our server-side template injection blog post.

The release also adds two other new features:
  • A new Scanner check for server-side Expression Language injection. From the client-side perspective, server-side Expression Language injection can look similar to server-side template injection. Burp should correctly distinguish between these different vulnerabilities.
  • A new Intruder payload list for common server-side variables. This list was compiled through analysis of a large quantity of real-world application source code posted on GitHub. As described in the blog post, full exploitation of server-side template injection may involve using brute force to guess the names of variables in use within the template code. The new payload list is useful for this purpose, as well as various others.
MD5: 9a76845b7f399dfd60094cee800b0194
SHA256: 7f340e07fd0c136228176d42df05a469e29b10541c377cc01808a1a4904d2b2f

Wednesday, July 29, 2015


This release adds a new scan check for external service interaction and out-of-band resource load via injected XML doctype tags containing entity parameters. Burp now sends payloads like:

<?xml version='1.0' standalone='no'?><!DOCTYPE foo [<!ENTITY % f5a30 SYSTEM "http://u1w9aaozql7z31394loost.burpcollaborator.net">%f5a30; ]>

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.

The release also fixes some issues:
  • Some bugs affecting the saving and restoring of Burp state files.
  • A bug in the Collaborator server where the auto-generated self-signed certificate does not use a wildcard prefix in the CN. This issue only affects private Collaborator server deployments where a custom SSL certificate has not been configured.
MD5: 8ca11187e3966ac5eab42437aa2c9d78
SHA256: 56788de44626ee70decb858d910ce7faedef00a784ecfdd7a6d1723c932ff8e0

Thursday, July 16, 2015


This release adds a new scan check for external service interaction and out-of-band resource load via injected XML doctype tags. Burp now sends payloads like:

<!DOCTYPE foo PUBLIC "-//B/A/EN" "http://chx3bggs599lgla2n3wqnj2e35.burpcollaborator.net">

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.

MD5: 65810fedf540ee6fa2d868fa14e6c68f
SHA256: fba2aec68822ec0a90da46e4aa1a67e0f75c3f103d1ecfedb247d2c25b14116d

Tuesday, July 7, 2015


In this release, the description and remediation text for all Scanner issues has been rewritten to bring things up to date.

Additionally, the definitions for all available issues can now be viewed within the Burp UI, at Scanner / Issue definitions:

Where applicable, issues also include a list of references to online resources relating to the vulnerability.

This should hopefully provide a useful learning resource for people setting out in web security testing who want to read up about different vulnerabilities.

It will also help people who create integrations between Burp and other security tools. The "type index" field on each issue type is the number that is included within Burp's XML output and available via the API. This can be used to map Burp's issues to other taxonomies of web security vulnerabilities.

MD5: 3db9e71152b01d6ba6ec2387231b08aa
SHA256: 115e7c37ecae00f769ce23581e690f13bf841b518034467fd2a0485146883983

Monday, June 22, 2015


This release updates the Scanner to find super-blind OS command injection vulnerabilities.

Previously, Burp has been able to report OS command injection using both blind and non-blind techniques:
  • Injecting commands to trigger a time delay in the response.
  • Injecting commands to echo a value in the response.
In many situations, OS command injection vulnerabilities cannot be found using either of these techniques, because no time delay can be triggered and command output is not echoed in responses. The new release makes use of Burp Collaborator to find more of these vulnerabilities. The Scanner now injects commands like:

nslookup xkll4ipqd9936ht84ku7hw47k.burpcollaborator.net

and verifies that a DNS lookup has been performed on the Burp Collaborator server.

At present, Burp still does not detect cases of injection that are long deferred after submission of the payload (e.g. occurring in an overnight batch job). Later in the Burp Collaborator development roadmap, Burp will also report vulnerabilities of this kind.

This release also fixes some bugs:
  • A bug in the Collaborator Server that could cause threads to become deadlocked when processing incoming HTTP requests that time out. It is recommended that users with private Collaborator Server deployments update to the new version.
  • Some issues affecting the new site map UI that was introduced in 1.6.19.
  • A bug in the interactive prompting for platform authentication.
MD5: 2c95ca1033e526f2dc95889454c11e3d
SHA256: 71a099dfb5d6b69ad2ac31effa344e2fc4ff702f96f14be5ecad427d62ef4687

Thursday, June 18, 2015


This release introduces some major enhancements to the Target site map.

The site map now includes both the contents of the target application and discovered Scanner issues. The Results tab that appeared within the Scanner tool has now been removed, and all Scanner results reside within the site map.

You can choose to view site map contents and issues within separate tabs:

or side-by-side:

This best option may depend on the size of your screen, and can be made via the site map context menu:

Within the tree view of the site structure, the icons now include an indication of the most significant issue that has been found within each branch or node of the tree, so you can quickly identify the parts of the application where vulnerabilities exist:

You can open additional site map windows, via the context menu:

Each window provides a separate view into the same underlying data. You can use this feature to easily keep an eye on different selected portions of a target application while you are working:

Or you can define different view filters on each site map window:

The new single integrated view of contents and issues should make it easy to track all relevant information capture about a target, and simplify typical testing workflows. Over time, we will be adding some more capabilities to the site map, to help drive common testing actions.

Two consequences of the change to the site map are worth noting:
  • In terms of saving and loading Burp's state, issues reported by the Scanner now reside within the Target tool. So if you want to save or reload a state file that includes your Scanner issues, be sure to leave the box checked for the Target tool.
  • The global search function no longer has an option to include the Scanner tool. Searches of the Target tool will include results for matching Scanner issues within the site map.
Some bugs were also fixed in this release:
  • A bug affecting reporting of XXE issues in certain very unusual situations.
  • A bug affecting synchronized selection of tree nodes within the compare site maps function.
  • A bug which prevented global hotkeys from working in detached tool windows.
MD5: 1c4f2425840cedf53dd5af7aaa7b8b16
SHA256: 7be4b36ebb63decfb6f0891477134c26d8c2641c9d82e33d6d1c0cf712247a60

Support Center

Get help and join the community discussions at the Burp Suite Support Center.

Visit the Support Center ›

Copyright 2015 PortSwigger Ltd. All rights reserved.