Burp Suite Professional - Release Notes

Thursday, March 12, 2015

v1.6.12

This release contains various bugfixes and minor enhancements:
  • In the site map table, the "Method" column previously always showed GET for requests without a body, and POST for requests with a body, even if the actual method was different, such as HEAD or PUT. This bug has now been fixed and the table shows the correct method.
  • A bug which prevented client SSL certificates from being used when an upstream proxy is configured has been fixed.
  • A bug which caused Decoder to fail to decode hex number HTML entities containing an upper-case X has been fixed.
  • A bug in which the Intruder payload options UI sometimes fails to repaint properly when switching between payload sets has been fixed.
  • The function to Ctrl+click on a column header in the Intruder attack results to copy the contents of the column previously had two problems. Firstly, as well as copying the contents, the default action of sorting by the selected column was also being carried out. Secondly, the column contents were being copied in the ordering of the underlying data model, not the ordering of the currently sorted view. Both these issues have been fixed.
  • A bug which prevented the sending of items to Intruder from the active scan queue table has been fixed.
  • The Scanner HTML report now includes the Burp version in the report footer.
  • Burp now attempts to explicitly prevent SSL session reuse, as this can cause connection failures with some misconfigured or buggy target servers.
  • The Intruder results table now truncates long payloads to 200 characters, rather than the previous 50.

MD5: 608154180c140c0e4c5e2c59369b40b4
SHA256: 1f365b6387fba075153869c680920d95f1ee281b8da3e166d85fd694c5b8aa04

Tuesday, February 17, 2015

v1.6.11

This release adds a new Scanner check for path-relative style sheet import (PRSSI) vulnerabilities.

PRSSI vulnerabilities (sometimes termed "relative path overwrite") are not widely understood by security testers or application developers. The key prerequisite for the vulnerability (a CSS import directive that uses a path-relative URL) is both seemingly innocuous and very common. There are some other conditions that are needed for exploitability, but real vulnerabilities are quite prevalent in the wild. The impact of the vulnerability is in many cases serious, and equivalent to cross-site scripting (XSS).

Burp Suite is currently the only scanning product available that can detect PRSSI vulnerabilities. We hope that the addition of this scan check will enable Burp users to identify and fix any problems before PRSSI vulnerabilities become more widely understood and exploited.

For more information, including a real example of a recent PRSSI vulnerability in a public application, please see today's blog post.
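
The prerequisite named above, a stylesheet reference that uses a path-relative URL, can be checked for statically in a response body. The following is an added example, not part of these release notes or of Burp's scan check; the function names and the sample HTML are constructed for illustration, and a hit shows only the prerequisite, not exploitability.

```javascript
// Added example (not PortSwigger code): flag path-relative stylesheet references,
// the PRSSI prerequisite, in an HTML response body.

// Constructed sample response body.
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="css/site.css">
<link rel="stylesheet" href="/static/base.css">
<link rel="icon" href="favicon.ico">
<link href='../theme.css' rel='stylesheet'>
<link rel=stylesheet href=//cdn.example/x.css>
<style>
@import "print.css";
@import url(/static/reset.css);
@import url('https://cdn.example/font.css');
</style>
</head><body></body></html>`;

// Path-relative: no scheme, not protocol-relative ("//host/..."), not root-relative ("/css/...").
function isPathRelative(url) {
  const u = url.trim();
  if (u === "") return false;
  if (/^[a-z][a-z0-9+.-]*:/i.test(u)) return false;
  return !u.startsWith("/");
}

// Read one attribute value (double-quoted, single-quoted or unquoted) from a tag string.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findPathRelativeStylesheets(html) {
  const findings = [];
  // <link rel="stylesheet"> elements whose href is path-relative.
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    const rel = attr(tag, "rel");
    const href = attr(tag, "href");
    if (rel && /\bstylesheet\b/i.test(rel) && href && isPathRelative(href)) {
      findings.push({ kind: "link", url: href });
    }
  }
  // @import directives inside inline <style> blocks.
  for (const [, css] of html.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi)) {
    for (const m of css.matchAll(/@import\s+(?:url\(\s*)?["']?([^"')\s;]+)/gi)) {
      if (isPathRelative(m[1])) findings.push({ kind: "@import", url: m[1] });
    }
  }
  return findings;
}

console.log(findPathRelativeStylesheets(SAMPLE_HTML));
```

Root-relative and absolute references are not flagged, so rewriting a reported reference to one of those forms clears the finding.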

MD5: dd103d75ac8733a426516708448ea1bf
SHA256: 77f6f5b1da508795cae8a58835f77ff17d0892683a480041fa22f81fe4e0caa1

Thursday, February 5, 2015

v1.6.10

This release contains various enhancements and fixes.

Site map performance has been considerably improved, particularly in relation to loading state files and adjusting the view filter.

Some new Scanner checks have been added:
  • Server-side include (SSI) injection
  • Server-side Python code injection
  • Leaked RSA private keys
  • Duplicate cookies set

Improvements have been made to several existing Scanner checks, including cross-site scripting and server-side code injection.

A new option provides a workaround for a Java SSL problem. As of Java 7, the SSL Server Name Indication (SNI) extension is implemented and enabled by default. Some misconfigured web servers with SNI enabled send an "Unrecognized name" warning in the SSL handshake. Whilst browsers ignore this warning, the Java implementation does not, and fails to connect. Many users have been setting a command line option to disable the SNI extension, but there is now a UI option to do this, at Options / SSL / SSL Negotiation. Changes to this option take effect when you restart Burp.

The following new Burp Extender APIs have been added to help authors who are writing extensions that may appear in the BApp Store:
  • String getExtensionFilename();
  • boolean isExtensionBapp();

A number of bugs have been fixed, including:
  • A bug affecting the execution of some macros that update multiple request parameters.
  • A bug causing the sessions tracer to sometimes show the incorrect request when a redirect has been followed.
  • A bug which caused Burp's check for updates not to honor the configured upstream proxy settings.

MD5: e5b98c758db477c3c9173bdc2ea6f3dc
SHA256: 1607a402250d37752cfa9464fd2662acfb212c866bca81b47de30774b0f37e4b

Thursday, November 27, 2014

v1.6.09

This release fixes a problem affecting some users of 32-bit systems with the new handling of temporary files that was introduced in v1.6.08.

When the temporary file store grows sufficiently large, some users of 32-bit systems have experienced out-of-memory errors with v1.6.08 of Burp. The new release reverts to the old handling of temporary files for users of 32-bit systems.

In the near future, we are planning to release some powerful new features in Burp which will only be properly supported on 64-bit systems. We recommend that any Burp users who are still using 32-bit editions of their operating system or Java should upgrade to 64-bit editions.

MD5: 2af52da4cc49f205639f7a7e9dd336e2
SHA256: 24e720ee05f751a4adfd6c4089d5604e84cae58b0ac68aa39a3866e45e7cdec3

Tuesday, November 18, 2014

v1.6.08

This release contains various new features and enhancements:
  • The Scanner has been updated with the ability to detect cross-site request forgery (CSRF) vulnerabilities. We have held off reporting CSRF for a long time, because in our experience many scanners that attempt to automate this end up generating more heat than light. If a scanner generates too many false positives, then users lose faith in its output and start to ignore all of the issues it reports of that type. Because of this, we've worked hard to make our CSRF detection actually provide value to Burp users. We have deliberately erred on the side of reducing the number of false positives. The CSRF issues that Burp does report should all be worthy of manual investigation to determine whether the affected application functionality should be protected against CSRF attacks. We welcome real-world feedback about the performance of the new check, and we will aim to refine this further in future.
  • The Scanner logic for the detection of XSS and SQL injection vulnerabilities has been further enhanced.
  • Burp's use of temporary files has been updated to use a small number of large temporary files, rather than an individual file for each saved HTTP request and response. This change should resolve problems that some users have experienced with the operating system running out of open file handles, or even running out of file nodes within the temporary directory.
  • In the previous release, the Extender tool was modified so that its own configuration was not modified when an extension initiated a restore of a Burp state file. In this release, the same change has been made for the case where an extension initiates an update to Burp's configuration.
  • The maximum number of threads that can be configured for the Spider tool, and for an Intruder attack, has been increased to 999.
  • A hotkeyable action has been added to start the current Intruder attack. By default, no hotkey is assigned to this action, but one can be configured at Options / Misc / Hotkeys / Edit hotkeys.

MD5: 48ba9a48bca535109a7a63b3a198ce62
SHA256: 483055ab46c80ff55e9aee7849e295b30c2a81e45c20da9afd91fad2b9938478

Monday, November 3, 2014

v1.6.07

This release contains various enhancements to the Scanner engine logic, to improve both the reliability of issue reporting, and the quality of proof-of-concept exploits. Improvements have been made to the following checks:
  • OS command injection
  • SQL injection
  • HTTP response header injection
  • File path traversal
  • Server-side JavaScript / NoSQL injection
  • Reflected cross-site scripting
  • Various DOM-based issues
  • Open redirection

Several other improvements have also been made, including:
  • The maximum number of active scan threads has been increased to 999.
  • A workaround has been applied to override a recent change in Java platform behavior which affected SSL negotiation with some servers.
  • A problem in which extension-initiated restoration of state could cause the configuration of the Extender tool to be reloaded, thereby interfering with the extension's own execution, has been resolved.
  • A "Start attack" button has been added to each configuration panel in the Intruder tool.
  • A bug in which multibyte characters are copied from the HTTP message viewer to the clipboard as raw bytes has been resolved.

MD5: 2b61fdc0669800654e915d629b20e614
SHA256: 48dd29167af6f467ceb5a457ae99b34944eed9cfbf4640ae58abe58f8b3fe8be

Monday, October 20, 2014

v1.6.06

This release includes some major enhancements to the Scanner engine. Burp can now automatically report the following new types of issues:
  • Perl code injection
  • PHP code injection
  • Ruby code injection
  • Server-side JavaScript code injection
  • File path manipulation
  • Serialized object in HTTP message
  • Client-side JSON injection (DOM-based)
  • Client-side XPath injection (DOM-based)
  • Document domain manipulation (DOM-based)
  • Link manipulation (DOM-based)
  • DOM data manipulation (DOM-based)

Additionally, the scanning logic for several existing checks has been enhanced to improve accuracy.

A number of bugs have also been fixed, including:
  • A bug that caused the option "skip server side injection tests for these parameters" to not work in some situations.
  • A bug that caused session handling rules to fail when using the sessions tracer, in some situations.
  • A bug affecting the auto-generation of CA-signed per-host SSL certificates, in some situations.
  • A bug that sometimes caused Burp to hang on startup when reloading certain extensions.

MD5: 694cf004dd433078f1eba9913a493c93
SHA256: 2e1f010a3ad4b8d51906e68b5a924404854a8a501d85f29185a31626b74d0fbb

Tuesday, August 19, 2014

v1.6.05

This release fixes a UI bug affecting a small number of users who are running Burp on Java 1.6.

MD5: f96be0b9bd18e2efd700ebf0fc74a81c
SHA256: 2dea974356f6459e284ec0ef1552e51eef1cd89ef0a558c46489f04feee5b3c8

Wednesday, August 13, 2014

v1.6.04

This release fixes a number of minor bugs in the JavaScript code analysis engine. These bugs resulted in false negatives or performance problems in the detection of certain DOM-based vulnerabilities.

Additionally, the following other changes have been made:
  • A bug affecting the restoration of saved Intruder attacks has been fixed.
  • A bug that prevented the button to help install Jython or JRuby from showing for some relevant BApps has been fixed.
  • A bug that occasionally causes the Scanner UI to hang when modifying issue severity or confidence has been addressed (again). Further feedback on this problem is welcomed.
  • Some new match/replace rules have been added to the default Proxy options, allowing removal of HSTS response headers, and disabling of browser XSS protection.

MD5: 431d9b391c54d581948abb45dfd98eae
SHA256: b0a5a845fc46812a74ea0c9b692df71315607f622d7263270a63e3f75332a568

Monday, July 28, 2014

v1.6.03

This release includes a new engine for static analysis of JavaScript code. This enables Burp Scanner to report a range of new vulnerabilities, including:
  • DOM-based XSS
  • JavaScript injection
  • Client-side SQL injection
  • WebSocket hijacking
  • Local file path manipulation
  • DOM-based open redirection
  • Cookie manipulation
  • Ajax request header manipulation
  • DOM-based denial of service
  • Web message manipulation
  • HTML5 storage manipulation

For more details, see the blog post.

MD5: bacd658a929c4a69580ea646d03b7d03
SHA256: 8f4ed620356d2ecedd3a8be6754137e0788dc3e1b6e2df628a28f1a8a75a21a7


Copyright 2015 PortSwigger Ltd. All rights reserved.