Burp Suite Professional - Release Notes

Friday, August 21, 2015

1.6.25

This release adds a new scan check for external service interaction and out-of-band resource load via injected XML stylesheet tags. Burp now sends payloads like:

<?xml version='1.0'?><?xml-stylesheet type="text/xml" href="http://tqnm38srfkzw67vux9rred.burpcollaborator.net"?>

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.

The release also fixes some issues:
  • A bug that caused the file path traversal scan check to produce false negatives in some edge cases has been fixed.
  • A bug that could cause the list of loaded extensions to become corrupted or deadlocked when restarting Burp with a large number of extensions configured has been fixed.
  • A bug that caused some items in the site map to be incorrectly placed after restoring state has been fixed.
  • A bug that caused changes made to the cookie jar configuration to be not applied until the next restart has been fixed.

Burp Suite Professional:
MD5: 9ce0a628ea620e5ce53edccbd081c227
SHA256: 4540b47156f2a2df3cb3193b3b8bbe0773442bfd7b71b8800ded369911f0e0a7

Burp Suite Free Edition:
MD5: 7d2b2060e3aa52568b7cd6b19efebcd0
SHA256: 2e88bbef868e3cb8d3bac9f62f7d91d3245162ecc92985305a2c72aeeb60b851

Wednesday, August 5, 2015

1.6.24

This release adds a new Scanner check for server-side template injection.

Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates leads to a vulnerability that is:
  • frequently critical, allowing full arbitrary code execution on the server; and
  • easily mistaken for cross-site scripting, which is usually a much less serious issue.

The vulnerability is generic in nature, potentially affecting any web application that uses a template engine in an unsafe way. This can arise both through developer error, and through the intentional exposure of templates in an attempt to offer rich functionality, as is commonly done by wikis, blogs, marketing applications, and content management systems. Many template engines offer a "sandboxed" mode for this purpose, but it is frequently possible to escape from this.
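The distinction that matters in the paragraph above is whether user input becomes part of the template source (and is therefore evaluated) or is passed to a fixed template as data. The script below is an added illustration, not Burp's code and not one of the template engines the Scanner check targets: it uses Python's built-in str.format as a stand-in for a template engine, because its placeholders can walk object attributes in the same way many engines' expressions can. The Profile class and the context values are constructed for the example.

```python
class Profile:
    """Constructed model object that a real application would hand to its template."""

    def __init__(self, name, email):
        self.name = name
        self.email = email


def render_unsafe(user_supplied, profile):
    # Vulnerable pattern: the user's string *is* the template, so any placeholder
    # it contains is evaluated against the context objects the developer passed in.
    return user_supplied.format(user=profile)


def render_safe(user_supplied, profile):
    # Safe pattern: the template text is fixed by the developer and the user's
    # string is bound as a value, so "{...}" inside it is never interpreted.
    return "Hello {user.name}, you wrote: {message}".format(
        user=profile, message=user_supplied
    )


if __name__ == "__main__":
    profile = Profile("alice", "alice@example.com")
    probe = "{user.email}"  # constructed input: a placeholder, not a greeting
    print("unsafe :", render_unsafe(probe, profile))   # evaluated -> leaks the address
    print("safe   :", render_safe(probe, profile))     # echoed back literally
```

The same input yields a different class of result in the two cases, which is also why the issue is easy to mistake for cross-site scripting: a literal echo of the braces is a reflection (possibly an XSS context), while an evaluated result means the input reached the template engine.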

In the course of researching this vulnerability and developing the new Scanner check, we have identified numerous zero-day instances of the vulnerability in real-world, widely-used applications. The exact frequency of the vulnerability is unknown, but we have repeatedly stumbled upon it on penetration testing engagements and have easily located several targets for demonstration. Today, James Kettle from the Burp Suite team has presented the results of this research at the Black Hat security conference.

For full technical details of how this vulnerability can be found and exploited, see our server-side template injection blog post.

The release also adds two other new features:
  • A new Scanner check for server-side Expression Language injection. From the client-side perspective, server-side Expression Language injection can look similar to server-side template injection. Burp should correctly distinguish between these different vulnerabilities.
  • A new Intruder payload list for common server-side variables. This list was compiled through analysis of a large quantity of real-world application source code posted on GitHub. As described in the blog post, full exploitation of server-side template injection may involve using brute force to guess the names of variables in use within the template code. The new payload list is useful for this purpose, as well as various others.

MD5: 9a76845b7f399dfd60094cee800b0194
SHA256: 7f340e07fd0c136228176d42df05a469e29b10541c377cc01808a1a4904d2b2f

Wednesday, July 29, 2015

1.6.23

This release adds a new scan check for external service interaction and out-of-band resource load via injected XML doctype tags containing entity parameters. Burp now sends payloads like:

<?xml version='1.0' standalone='no'?><!DOCTYPE foo [<!ENTITY % f5a30 SYSTEM "http://u1w9aaozql7z31394loost.burpcollaborator.net">%f5a30; ]>

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.

The release also fixes some issues:
  • Some bugs affecting the saving and restoring of Burp state files.
  • A bug in the Collaborator server where the auto-generated self-signed certificate does not use a wildcard prefix in the CN. This issue only affects private Collaborator server deployments where a custom SSL certificate has not been configured.

MD5: 8ca11187e3966ac5eab42437aa2c9d78
SHA256: 56788de44626ee70decb858d910ce7faedef00a784ecfdd7a6d1723c932ff8e0

Thursday, July 16, 2015

1.6.22

This release adds a new scan check for external service interaction and out-of-band resource load via injected XML doctype tags. Burp now sends payloads like:

<!DOCTYPE foo PUBLIC "-//B/A/EN" "http://chx3bggs599lgla2n3wqnj2e35.burpcollaborator.net">

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.
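The doctype payload above, the parameter-entity payload in 1.6.23 and the xml-stylesheet payload in 1.6.25 all probe the same server-side behaviour: an XML consumer that fetches resources named inside a document it was given. The following Python script is an added example, not part of Burp or these notes, showing what a parser would go and fetch for each payload shape and how the hardened parser setting changes that. It uses the standard library's pyexpat directly with a handler that records every external reference instead of resolving it, so nothing is fetched; the three payloads are the ones quoted in the notes, each wrapped in a constructed root element so they form complete documents.

```python
import re
import xml.parsers.expat as expat

# The three payload shapes from the 1.6.22-1.6.25 release notes, each followed by
# a constructed <doc/> root so that the fragment is a complete XML document.
PAYLOADS = {
    "stylesheet": "<?xml version='1.0'?>"
                  "<?xml-stylesheet type=\"text/xml\" "
                  "href=\"http://tqnm38srfkzw67vux9rred.burpcollaborator.net\"?>"
                  "<doc/>",
    "param-entity": "<?xml version='1.0' standalone='no'?>"
                    "<!DOCTYPE foo [<!ENTITY % f5a30 SYSTEM "
                    "\"http://u1w9aaozql7z31394loost.burpcollaborator.net\">%f5a30; ]>"
                    "<doc/>",
    "doctype": "<!DOCTYPE foo PUBLIC \"-//B/A/EN\" "
               "\"http://chx3bggs599lgla2n3wqnj2e35.burpcollaborator.net\">"
               "<doc/>",
}

_HREF = re.compile(r"""href\s*=\s*["']([^"']*)["']""")


def audit_external_references(document, resolve_parameter_entities=False):
    """Parse `document` with expat and return the external references a resolver
    would fetch, as (kind, url) tuples, without fetching anything.

    resolve_parameter_entities=True mimics a parser configured to load external
    DTD subsets and parameter entities (the setting the payloads above probe);
    False is the hardened setting, under which expat never asks for them.
    """
    found = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(
        expat.XML_PARAM_ENTITY_PARSING_ALWAYS if resolve_parameter_entities
        else expat.XML_PARAM_ENTITY_PARSING_NEVER
    )

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A DOCTYPE naming an external subset via SYSTEM or PUBLIC ... "url".
        if system_id:
            found.append(("doctype", system_id))

    def on_external_entity(context, base, system_id, public_id):
        # expat calls this only when it is about to load an external subset or
        # parameter entity. Record the URL and return 1 so it is treated as empty.
        found.append(("entity", system_id))
        return 1

    def on_pi(target, data):
        # expat itself never fetches stylesheets, but an XSLT-aware consumer would,
        # so the href is reported in both modes.
        if target == "xml-stylesheet":
            match = _HREF.search(data)
            if match:
                found.append(("stylesheet", match.group(1)))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.ProcessingInstructionHandler = on_pi
    parser.Parse(document, True)
    return found


def audit_all(resolve_parameter_entities):
    """Audit every payload shape under one parser setting."""
    return {name: audit_external_references(doc, resolve_parameter_entities)
            for name, doc in PAYLOADS.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"resolve_parameter_entities={mode}")
        for name, refs in audit_all(mode).items():
            print(f"  {name:13s} -> {refs}")
```

With external entity resolution on, the doctype and parameter-entity payloads both cause the parser to ask for the Collaborator URL, which is the DNS or HTTP interaction Burp reports; with it off, only the xml-stylesheet href remains, and whether that is fetched depends on the component that consumes the document after parsing.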

MD5: 65810fedf540ee6fa2d868fa14e6c68f
SHA256: fba2aec68822ec0a90da46e4aa1a67e0f75c3f103d1ecfedb247d2c25b14116d

Tuesday, July 7, 2015

1.6.21

In this release, the description and remediation text for all Scanner issues has been rewritten to bring things up to date.

Additionally, the definitions for all available issues can now be viewed within the Burp UI, at Scanner / Issue definitions:


Where applicable, issues also include a list of references to online resources relating to the vulnerability.

This should hopefully provide a useful learning resource for people setting out in web security testing who want to read up about different vulnerabilities.

It will also help people who create integrations between Burp and other security tools. The "type index" field on each issue type is the number that is included within Burp's XML output and available via the API. This can be used to map Burp's issues to other taxonomies of web security vulnerabilities.
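The following Python script is an added example of the integration use described above, not code from Burp or PortSwigger. It reads a Burp-style XML export and maps each issue's type index onto another taxonomy (CWE identifiers here), flagging indices the mapping does not cover. The element layout (issues/issue with type, name, host, path and severity children) is assumed for the example, and both the sample report and the type index values in the mapping table are constructed, not real Burp indices.

```python
import xml.etree.ElementTree as ET

# Constructed Burp-style export. Element names are an assumption for this
# example; the numeric type indices are made up.
SAMPLE_REPORT = """<issues burpVersion="1.6.21">
  <issue>
    <serialNumber>1</serialNumber><type>1000001</type>
    <name>Example issue A</name><host>https://app.example.com</host>
    <path>/search</path><severity>High</severity>
  </issue>
  <issue>
    <serialNumber>2</serialNumber><type>1000002</type>
    <name>Example issue B</name><host>https://app.example.com</host>
    <path>/login</path><severity>High</severity>
  </issue>
  <issue>
    <serialNumber>3</serialNumber><type>1000099</type>
    <name>Example issue C</name><host>https://app.example.com</host>
    <path>/</path><severity>Low</severity>
  </issue>
</issues>"""

# Constructed mapping from type index to another taxonomy.
TYPE_INDEX_TO_CWE = {
    1000001: "CWE-79",
    1000002: "CWE-89",
}


def map_issues(report_xml, taxonomy):
    """Return one dict per issue with its type index and the mapped identifier
    (None when the taxonomy has no entry for that index)."""
    root = ET.fromstring(report_xml)
    mapped = []
    for issue in root.iter("issue"):
        type_index = int(issue.findtext("type"))
        mapped.append({
            "type_index": type_index,
            "name": issue.findtext("name"),
            "host": issue.findtext("host"),
            "path": issue.findtext("path"),
            "severity": issue.findtext("severity"),
            "mapped": taxonomy.get(type_index),
        })
    return mapped


def unmapped_type_indices(report_xml, taxonomy):
    """Type indices present in the report but absent from the taxonomy, so the
    mapping table can be extended rather than silently dropping issues."""
    return sorted({row["type_index"] for row in map_issues(report_xml, taxonomy)
                   if row["mapped"] is None})


if __name__ == "__main__":
    for row in map_issues(SAMPLE_REPORT, TYPE_INDEX_TO_CWE):
        print(f"{row['type_index']}  {row['mapped'] or '(unmapped)':10s} {row['name']}")
    print("unmapped:", unmapped_type_indices(SAMPLE_REPORT, TYPE_INDEX_TO_CWE))
```

Keying the mapping on the type index rather than the issue name is the point: names are free text that can change between releases (this very release rewrote them), whereas the index is the stable identifier in the XML output and API.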

MD5: 3db9e71152b01d6ba6ec2387231b08aa
SHA256: 115e7c37ecae00f769ce23581e690f13bf841b518034467fd2a0485146883983

Monday, June 22, 2015

v1.6.20

This release updates the Scanner to find super-blind OS command injection vulnerabilities.

Previously, Burp was able to report OS command injection using both blind and non-blind techniques:
  • Injecting commands to trigger a time delay in the response.
  • Injecting commands to echo a value in the response.

In many situations, OS command injection vulnerabilities cannot be found using either of these techniques, because no time delay can be triggered and command output is not echoed in responses. The new release makes use of Burp Collaborator to find more of these vulnerabilities. The Scanner now injects commands like:

nslookup xkll4ipqd9936ht84ku7hw47k.burpcollaborator.net

and verifies that a DNS lookup has been performed on the Burp Collaborator server.
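The injected command above only reaches a resolver if the application hands user input to a shell. The script below is an added example, not Burp's code, contrasting the vulnerable pattern (input concatenated into a shell command line) with the hardened one (strict hostname validation, then an argument vector executed without a shell). The nslookup command and the sample inputs are constructed for the illustration; the lookup functions are shown for contrast but the checks run only on the validation step, which makes no network calls.

```python
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and hyphens, joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def validate_hostname(value):
    """Return `value` if it is a syntactically valid hostname, else raise ValueError.
    Anything a shell could interpret (spaces, ; | & ` $ ( ) newlines) fails the match."""
    if len(value) > 253 or not _HOSTNAME.fullmatch(value):
        raise ValueError(f"not a hostname: {value!r}")
    return value


def build_lookup_argv(value):
    """Argument vector for the lookup: the host is a single argv element, so even
    a value that slipped past validation would never be parsed by a shell."""
    return ["nslookup", validate_hostname(value)]


def lookup_unsafe(value):
    # Vulnerable pattern: user input concatenated into a shell command line.
    # A value such as "x; nslookup <token>.burpcollaborator.net" becomes two commands.
    return subprocess.run("nslookup " + value, shell=True,
                          capture_output=True, text=True)


def lookup_safe(value):
    # Hardened pattern: validated input, argument list, no shell involved.
    return subprocess.run(build_lookup_argv(value), capture_output=True, text=True)


def accepts(value):
    """True if the hardened path would run a lookup for this input."""
    try:
        build_lookup_argv(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate name and the shape of the injected payload.
    samples = [
        "www.example.com",
        "x; nslookup xkll4ipqd9936ht84ku7hw47k.burpcollaborator.net",
    ]
    for sample in samples:
        print(f"accepted={accepts(sample)!s:5}  {sample!r}")
```

The validation is deliberately an allow-list of hostname syntax rather than a deny-list of shell metacharacters, since the set of characters a given shell treats specially is hard to enumerate; the argv form is what removes the shell from the picture altogether.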

At present, Burp still does not detect cases of injection that are long deferred after submission of the payload (e.g. occurring in an overnight batch job). Later in the Burp Collaborator development roadmap, Burp will also report vulnerabilities of this kind.

This release also fixes some bugs:
  • A bug in the Collaborator Server that could cause threads to become deadlocked when processing incoming HTTP requests that time out. It is recommended that users with private Collaborator Server deployments update to the new version.
  • Some issues affecting the new site map UI that was introduced in 1.6.19.
  • A bug in the interactive prompting for platform authentication.

MD5: 2c95ca1033e526f2dc95889454c11e3d
SHA256: 71a099dfb5d6b69ad2ac31effa344e2fc4ff702f96f14be5ecad427d62ef4687

Thursday, June 18, 2015

v1.6.19

This release introduces some major enhancements to the Target site map.

The site map now includes both the contents of the target application and discovered Scanner issues. The Results tab that appeared within the Scanner tool has now been removed, and all Scanner results reside within the site map.

You can choose to view site map contents and issues within separate tabs:


or side-by-side:


Which option is best may depend on the size of your screen; the choice is made via the site map context menu:


Within the tree view of the site structure, the icons now include an indication of the most significant issue that has been found within each branch or node of the tree, so you can quickly identify the parts of the application where vulnerabilities exist:


You can open additional site map windows, via the context menu:


Each window provides a separate view into the same underlying data. You can use this feature to easily keep an eye on different selected portions of a target application while you are working:


Or you can define different view filters on each site map window:


The new single integrated view of contents and issues should make it easy to track all relevant information captured about a target, and simplify typical testing workflows. Over time, we will be adding some more capabilities to the site map, to help drive common testing actions.

Two consequences of the change to the site map are worth noting:
  • In terms of saving and loading Burp's state, issues reported by the Scanner now reside within the Target tool. So if you want to save or reload a state file that includes your Scanner issues, be sure to leave the box checked for the Target tool.
  • The global search function no longer has an option to include the Scanner tool. Searches of the Target tool will include results for matching Scanner issues within the site map.

Some bugs were also fixed in this release:
  • A bug affecting reporting of XXE issues in certain very unusual situations.
  • A bug affecting synchronized selection of tree nodes within the compare site maps function.
  • A bug which prevented global hotkeys from working in detached tool windows.

MD5: 1c4f2425840cedf53dd5af7aaa7b8b16
SHA256: 7be4b36ebb63decfb6f0891477134c26d8c2641c9d82e33d6d1c0cf712247a60

Wednesday, May 6, 2015

v1.6.18

This release updates the Scanner to enable it to find blind XML external entity (XXE) injection vulnerabilities. See today's blog post for more details.

The following bugs have been fixed:
  • A bug in the display of Scanner issues which prevented the configured font size from being correctly used.
  • A false negative in the detection of certain edge-case OS command injection vulnerabilities.
  • A bug in the Burp Proxy listeners options panel, which prevented newly added listeners from being correctly displayed.

Some performance improvements have been made to the Burp Collaborator server, and the metrics page now splits interaction counters into TCP and UDP interactions.

MD5: 94dfd1779b96a118a953ae1f0564a900
SHA256: e998d4a1097924655860f403918441bbb36a925b43cf3a23548ad8a0a995c36b

Wednesday, April 29, 2015

v1.6.01 Free Edition

This release backports to the Burp Suite Free Edition two security-related fixes that were applied in v1.6.17 Professional edition:
  • The Proxy now by default strips any Proxy-* headers received in client requests. Browsers sometimes send request headers containing information intended for the proxy server that is being used. Some attacks exist whereby a malicious web site may attempt to induce a browser to include sensitive data within these headers.
  • A bug in the following of cross-domain redirections, which caused Burp to include cookies from the original request in the redirected request, has been fixed. In some situations, the bug presents a security risk because sensitive data in cookies could be leaked to a different and potentially untrusted domain.

As always, users are encouraged to update to the latest Burp release to resolve these issues.

Other than these bugfixes, this release is functionally identical to v1.6 Free Edition.

MD5: 6aa35f21ff8fc0094a7bb5b5f06e09ea
SHA256: a27ac369826a4d5923d8cec76b3f6609384ec48bb310cd9a60ed90845b1ce9ae

Wednesday, April 22, 2015

v1.6.17

This release contains a number of minor enhancements and bugfixes:
  • The Proxy now uses SHA256 to generate its CA and per-host certificates if this algorithm is available, otherwise it fails over to using SHA1. Updating to a SHA256-based CA certificate removes SSL warnings in some browsers.
  • There is a new button at Proxy / Options / Proxy Listeners to force Burp to regenerate its CA certificate. You will need to restart Burp for the change to take effect, and then install the new certificate in your browser. You can use this function to help switch to using a SHA256-based CA certificate.
  • A bug in the "Paste from file" function which caused Burp to sometimes retain a lock on the selected file has been fixed.
  • A bug in the Intruder "extract grep" function, which sometimes caused extracted HTML content to be rendered as HTML in the results table, has been fixed.
  • The Proxy now by default strips any Proxy-* headers received in client requests. Browsers sometimes send request headers containing information intended for the proxy server that is being used. Some attacks exist whereby a malicious web site may attempt to induce a browser to include sensitive data within these headers. There is a new option at Proxy / Options / Misc allowing you to configure Burp to leave these headers unmodified if desired.
  • A bug in the Collaborator server configuration settings, in which Burp would wrongly add the prefix "polling." to the configured location of a private polling server, has been fixed. The documentation on deploying a private Collaborator server has been updated to clarify the use of the "polling" subdomain in some Collaborator server configurations.
  • A bug which caused the use of the request throttle option in Sequencer live capture to delay the initial rendering of the live capture UI has been fixed.
  • A bug in the issue selection step of the Scanner reporting wizard, which caused all extension-generated issues to be shown using the name of the first extension-generated issue, has been fixed. Extension-generated issues are now always labelled as "Extension-generated" in this panel.
  • A bug in the following of cross-domain redirections, which caused Burp to include cookies from the original request in the redirected request, has been fixed. In some situations, the bug presents a security risk because sensitive data in cookies could be leaked to a different and potentially untrusted domain. As always, users are encouraged to update to the latest Burp release to resolve this issue.
  • The Spider now ignores Burp Collaborator URLs when attempting to extract links from within response text. Some applications contain functionality to store and retrieve textual inputs. When these applications are scanned using Burp, they are prone to store some or all of the payloads that Burp sends during scanning, and return these in later responses. It is preferable for Burp not to add any returned Collaborator URLs to the site map when spidering.
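Two of the items above (also backported to v1.6.01 Free Edition) describe request hygiene that any intercepting proxy or redirect-following client has to implement: dropping Proxy-* headers that a browser intended for the proxy itself, and not carrying cookies across a cross-domain redirect. The script below is an added example of both checks, not Burp's code: it operates on a constructed header list and constructed URLs, and it treats a redirect as same-site only when the Location host equals the original host (a conservative rule chosen for the example; Burp's own domain comparison may differ).

```python
from urllib.parse import urlsplit


def strip_proxy_headers(headers, keep_proxy_headers=False):
    """Remove request headers whose name starts with 'Proxy-' (case-insensitive).
    keep_proxy_headers=True mirrors an opt-out that leaves them unmodified."""
    if keep_proxy_headers:
        return list(headers)
    return [(name, value) for name, value in headers
            if not name.lower().startswith("proxy-")]


def cookies_for_redirect(original_url, location, cookie_header):
    """Cookie header value to send when following a redirect from original_url
    to location: unchanged for a relative Location or the same host, None when
    the redirect leaves the original host (cookies must not travel with it)."""
    src_host = urlsplit(original_url).hostname
    dst_host = urlsplit(location).hostname
    if dst_host is None or dst_host.lower() == (src_host or "").lower():
        return cookie_header
    return None


def prepare_redirect_request(original_url, location, headers):
    """Apply both rules to an outgoing request: strip Proxy-* headers and
    rescope the Cookie header to the redirect target."""
    cleaned = strip_proxy_headers(headers)
    cookie = next((v for n, v in cleaned if n.lower() == "cookie"), None)
    cleaned = [(n, v) for n, v in cleaned if n.lower() != "cookie"]
    forwarded = cookies_for_redirect(original_url, location, cookie)
    if forwarded is not None:
        cleaned.append(("Cookie", forwarded))
    return cleaned


if __name__ == "__main__":
    # Constructed client request as an intercepting proxy would see it.
    request_headers = [
        ("Host", "app.example.com"),
        ("Proxy-Authorization", "Basic ZGVtbzpkZW1v"),
        ("Proxy-Connection", "keep-alive"),
        ("Cookie", "session=abc123"),
    ]
    for target in ("/home", "https://other.example.net/landing"):
        print(target, "->",
              prepare_redirect_request("https://app.example.com/login",
                                       target, request_headers))
```

Matching on the lowercased header name prefix handles the case-insensitivity of HTTP header names; the cookie rule is applied after stripping so that a Proxy-* header never influences the cookie decision.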

MD5: 497d1878450b5a8eb9e08a879d140718
SHA256: 02d3fd0bcab72f6ca016991c8b595d5b252ebe64f9972e6f79d24700a3c116fc


Copyright 2015 PortSwigger Ltd. All rights reserved.