Burp Suite, the leading toolkit for web application security testing

Burp Suite Professional - Release Notes

Friday, April 17, 2015


This release fixes some issues with yesterday's beta release of the new Burp Collaborator feature, including a bug that may cause Burp to sometimes send some Collaborator-related test payloads even if the user has disabled use of the Collaborator feature.

This release is still officially beta while we monitor the Burp Collaborator capabilities for any further issues.

MD5: 57fb7cd772e492eff5210e23e0991921
SHA256: 4fc01e05c878c7f6709bbd5f9dacfeba2e5264d0b534123d52b1fbea2119cf2c

Thursday, April 16, 2015


This release introduces a brand new feature: Burp Collaborator.

Burp Collaborator is an external service that Burp can use to help discover many kinds of vulnerabilities, and has the potential to revolutionize web security testing. In the coming months, we will be adding many exciting new capabilities to Burp, based on the Collaborator technology.
This release is officially beta due to the introduction of some new types of Scanner checks, and the reliance on a new service infrastructure. However, we have tested the new capabilities thoroughly and are not aware of any stability issues.

MD5; 25902d79a417ead2c18214501fcac189
SHA256: 8dd6738ef30a9500636cda06ce0454ae8c2c8ad5251b9cdd5bfbd6f5099b99b3

Wednesday, April 1, 2015


This release fixes a bug introduced in yesterday's release, v1.6.13, which prevented some state files from restoring.

MD5: 036055e4fa0e914b3e346b8661589603
SHA256: b6b6710de27df3124bb2c24d778cdfb9da74eff2bd913be733df977b4f03c0d4

Tuesday, March 31, 2015


This release contains various bugfixes and minor enhancements:
  • The previous release introduced some bugs into the Target site map, causing scope-based view filters to be sometimes misapplied, and orphaned tree nodes to occasionally appear. These have now been fixed. In recent months, we have been extensively reworking the site map to support a number of planned new features, and we apologize that these bugs slipped through into the public release. We welcome further feedback about any site map problems and will aim to resolve these quickly.
  • Some Scanner issues that are reported on a per-host basis (for example, Flash cross-domain policy) were previously reported on the root host node of the Scanner results tree. These are now correctly reported at the node for a specific URL where applicable (e.g. /crossdomain.xml).
  • Relatedly, where a Scanner issue is created at a URL file node that does not exist in the Target site map, the corresponding item is added to the site map, including the actual request and response for that item. This change is useful in its own right, because the site map now contains more content that Burp has obtained from the target. It also paves the way for a planned enhancement to the site map, in which it will become a unified dashboard of both discovered content and Scanner issues. In the meantime, one behavioral quirk which arises is that if you restore a state file and select only to import Scanner issues, some new content corresponding to these issues may also be added to the site map. We believe that this interim behavioral change is relatively harmless, and will become fully desired behavior once the transition to the new site map is completed.
  • Some users have reported problems with certain extensions that cause a deadlock in the Burp UI when they are reloaded on startup. Burp now tries to detect this situation, and on the subsequent startup will skip the automatic reload of extensions. (Note that a further, existing, workaround for this problem is to add "usedefaults" to the Burp command line, to prevent reloading of any saved settings.)
  • When Burp fails to delete its temporary files on shutdown, because the OS does not release locks on those files, Burp now remembers the affected items and automatically deletes them on the subsequent startup, without the need to prompt the user. The old prompt will still be shown if unexpected temporary files are detected on startup.
  • A bug which prevented column resizing in the Intruder results table has been fixed.
  • A bug which made certain configured options cause problems when saving state files has been fixed.
  • A bug where multiple Proxy history views shared the same underlying view filter, preventing the use of different filters on each view, has been fixed.
MD5: db3d21cec7a77a2edfc1ec3428f24184
SHA256: 98eca2744f14152e542d12b52bf7ca3d537846995c376b5580d30b716a897cea

Thursday, March 12, 2015


This release contains various bugfixes and minor enhancements:
  • In the site map table, the "Method" column previously always showed GET for requests without a body, and POST for requests with a body, even if the actual method was different, such as HEAD or PUT. This bug has now been fixed and the table shows the correct method.
  • A bug which prevented client SSL certificates from being used when an upstream proxy is configured has been fixed.
  • A bug which caused Decoder to fail to decode hex number HTML entities containing an upper-case X has been fixed.
  • A bug in which the Intruder payload options UI sometimes fails to repaint properly when switching between payload sets has been fixed.
  • The function to Ctrl+click on a column header in the Intruder attack results to copy the contents of the column previously had two problems. Firstly, as well as copying the contents, the default action of sorting by the selected column was also being carried out. Secondly, the column contents were being copied in the ordering of the underlying data model, not the ordering of the currently sorted view. Both these issues have been fixed.
  • A bug which prevented the sending of items to Intruder from the active scan queue table has been fixed.
  • The Scanner HTML report now includes the Burp version in the report footer.
  • Burp now attempts to explicitly prevent SSL session reuse, as this can cause connection failures with some misconfigured or buggy target servers.
  • The Intruder results table now truncates long payloads to 200 characters, rather than the previous 50.
MD5: 608154180c140c0e4c5e2c59369b40b4
SHA256: 1f365b6387fba075153869c680920d95f1ee281b8da3e166d85fd694c5b8aa04

Tuesday, February 17, 2015


This release adds a new Scanner check for path-relative style sheet import (PRSSI) vulnerabilities.

PRSSI vulnerabilities (sometimes termed "relative path overwrite") are not widely understood by security testers or application developers. The key prerequisite for the vulnerability (a CSS import directive that uses a path-relative URL) is both seemingly innocuous and very common. There are some other conditions that are needed for exploitability, but real vulnerabilities are quite prevalent in the wild. The impact of the vulnerability is in many cases serious, and equivalent to cross-site scripting (XSS).

Burp Suite is currently the only scanning product available that can detect PRSSI vulnerabilities. We hope that the addition of this scan check will enable Burp users to identify and fix any problems before PRSSI vulnerabilities become more widely understood and exploited.

For more information, including a real example of a recent PRSSI vulnerability in a public application, please see today's blog post.

MD5: dd103d75ac8733a426516708448ea1bf
SHA256: 77f6f5b1da508795cae8a58835f77ff17d0892683a480041fa22f81fe4e0caa1

Thursday, February 5, 2015


This release contains various enhancements and fixes.

Site map performance has been considerably improved, particularly in relation to loading state files and adjusting the view filter.

Some new Scanner checks have been added:
  • Server-side include (SSI) injection
  • Server-side Python code injection
  • Leaked RSA private keys
  • Duplicate cookies set
Improvements have been made to several existing Scanner checks, including cross-site scripting and server-side code injection.

A new option provides a workaround for a Java SSL problem. As of Java 7, the SSL Server Name Indication (SNI) extension is implemented and enabled by default. Some misconfigured web servers with SNI enabled send an "Unrecognized name" warning in the SSL handshake. Whilst browsers ignore this warning, the Java implementation does not, and fails to connect. Many users have been setting a command line option to disable the SNI extension, but there is now a UI option to do this, at Options / SSL / SSL Negotiation. Changes to this option take effect when you restart Burp.

The following new Burp Extender APIs have been added to help authors who are writing extensions that may appear in the BApp Store:
  • String getExtensionFilename();
  • boolean isExtensionBapp();
A number of bugs have been fixed, including:
  • A bug affecting the execution of some macros that update multiple request parameters.
  • A bug causing the sessions tracer to sometimes show the incorrect request when a redirect has been followed.
  • A bug which caused Burp's check for updates not to honor the configured upstream proxy settings.
MD5: e5b98c758db477c3c9173bdc2ea6f3dc
SHA256: 1607a402250d37752cfa9464fd2662acfb212c866bca81b47de30774b0f37e4b

Thursday, November 27, 2014


This release fixes a problem affecting some users of 32-bit systems with the new handling of temporary files that was introduced in v1.6.08.

When the temporary file store grows sufficiently large, some users of 32-bit systems have experienced out-of-memory errors with v1.6.08 of Burp. The new release reverts to the old handling of temporary files for users of 32-bit systems.

In the near future, we are planning to release some powerful new features in Burp which will only be properly supported on 64-bit systems. We recommend that any Burp users who are still using 32-bit editions of their operating system or Java should upgrade to 64-bit editions.

MD5: 2af52da4cc49f205639f7a7e9dd336e2
SHA256: 24e720ee05f751a4adfd6c4089d5604e84cae58b0ac68aa39a3866e45e7cdec3

Tuesday, November 18, 2014


This release contains various new features and enhancements:
  • The Scanner has been updated with the ability to detect cross-site request forgery (CSRF) vulnerabilities. We have held off reporting CSRF for a long time, because in our experience many scanners that attempt to automate this end up generating more heat than light. If a scanner generates too many false positives, then users lose faith in its output and start to ignore all of the issues it reports of that type. Because of this, we've worked hard to make our CSRF detection actually provide value to Burp users. We have deliberately erred on the side of reducing the number of false positives. The CSRF issues that Burp does report should all be worthy of manual investigation to determine whether the affected application functionality should be protected against CSRF attacks. We welcome real-world feedback about the performance of the new check, and we will aim to refine this further in future.
  • The Scanner logic for the detection of XSS and SQL injection vulnerabilities has been further enhanced.
  • Burp's use of temporary files has been updated to use a small number of large temporary files, rather than an individual file for each saved HTTP request and response. This change should resolve problems that some users have experienced with the operating system running out of open file handles, or even running out of file nodes within the temporary directory.
  • In the previous release, the Extender tool was modified so that its own configuration was not modified when an extension initiated a restore of a Burp state file. In this release, the same change has been made for the case where an extension initiates an update to Burp's configuration.
  • The maximum number of threads that can be configured for the Spider tool, and for an Intruder attack, has been increased to 999.
  • A hotkeyable action has been added to start the current Intruder attack. By default, no hotkey is assigned to this action, but one can be configured at Options / Misc / Hotkeys / Edit hotkeys.
MD5: 48ba9a48bca535109a7a63b3a198ce62
SHA256: 483055ab46c80ff55e9aee7849e295b30c2a81e45c20da9afd91fad2b9938478

Monday, November 3, 2014


This release contains various enhancements to the Scanner engine logic, to improve both the reliability of issue reporting, and the quality of proof-of-concept exploits. Improvements have been made to the following checks:
  • OS command injection
  • SQL injection
  • HTTP response header injection
  • File path traversal
  • Server-side JavaScript / NoSQL injection
  • Reflected cross-site scripting
  • Various DOM-based issues
  • Open redirection
Several other improvements have also been made, including:
  • The maximum number of active scan threads has been increased to 999.
  • A workaround has been applied to override a recent change in Java platform behavior which affected SSL negotiation with some servers.
  • A problem in which extension-initiated restoration of state could cause the configuration of the Extender tool to be reloaded, thereby interfering with the extension's own execution, has been resolved,
  • A "Start attack" button has been added to each configuration panel in the Intruder tool.
  • A bug in which multibyte characters are copied from the HTTP message viewer to the clipboard as raw bytes has been resolved.
MD5: 2b61fdc0669800654e915d629b20e614
SHA256: 48dd29167af6f467ceb5a457ae99b34944eed9cfbf4640ae58abe58f8b3fe8be

Support Center

Get help and join the community discussions at the Burp Suite Support Center.

Visit the Support Center ›

Copyright 2015 PortSwigger Ltd. All rights reserved.