Thursday, April 23, 2009

v1.2.07

Burp Scanner is updated to allow the severity and confidence levels of scanner issues to be modified by the user. Issues can also be marked as false positives, and deleted.

To reclassify issues, select the desired issues in the Results tab, and use the right-click context menu to adjust the severity and confidence levels.

To delete issues, select the desired issues and use the context menu or the 'del' key to delete them.

Note that if you delete an issue, and Burp rediscovers the same issue (for example, if you rescan the same request), the issue will be reported again. If instead you mark the issue as a false positive, then this will not happen. Therefore, deletion of issues is best used for cleaning up the Results tree to remove hosts or paths you are not interested in. For unwanted issues within the functionality you are still working on, you should use the false positive flag.
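The difference between deleting an issue and flagging it as a false positive comes down to whether the tool remembers the issue's identity. The following is an added illustration, not Burp's own code: a small results store in which issues are keyed by host, path and issue type (an assumed identity; Burp's real grouping rules are not documented on this page), deletion forgets the key, and the false-positive flag keeps it so that a rediscovery is suppressed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Issue:
    host: str
    path: str
    name: str                   # issue type, e.g. "Reflected XSS"
    severity: str = "High"
    confidence: str = "Certain"
    false_positive: bool = False


def issue_key(issue):
    """Identity used to decide whether a rediscovered issue is 'the same' one.
    Assumption for this example: host, path and issue type."""
    return (issue.host, issue.path, issue.name)


class Results:
    """Minimal model of a scanner results tree with the operations above."""

    def __init__(self):
        self.by_key = {}

    def report(self, issue):
        """Called when a scan (re)discovers an issue. Returns True when the
        issue is (re)added, False when an earlier false-positive flag
        suppresses it. A deleted issue has no entry, so it is reported again."""
        k = issue_key(issue)
        existing = self.by_key.get(k)
        if existing is not None and existing.false_positive:
            return False
        self.by_key[k] = issue
        return True

    def reclassify(self, issue, severity=None, confidence=None):
        """Adjust severity and/or confidence of an existing issue."""
        k = issue_key(issue)
        cur = self.by_key[k]
        self.by_key[k] = replace(cur, severity=severity or cur.severity,
                                 confidence=confidence or cur.confidence)

    def mark_false_positive(self, issue):
        """Keep the issue, but flag it so rediscovery does not re-report it."""
        k = issue_key(issue)
        self.by_key[k] = replace(self.by_key[k], false_positive=True)

    def delete(self, issue):
        """Forget the issue entirely (a rescan will report it afresh)."""
        self.by_key.pop(issue_key(issue), None)

    def delete_host(self, host):
        """The cleanup use of deletion: drop everything under one host."""
        for k in [k for k in self.by_key if k[0] == host]:
            del self.by_key[k]
```

Running `report()` for the same constructed issue after `delete()` adds it back, while running it after `mark_false_positive()` returns False, which is the behaviour the note above describes.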

Thursday, April 16, 2009

v1.2.06

1. Scanner adds support for REST-style parameters in the URL. Some applications use the path portion of the URL to transmit data parameters, for example:

/cars/red/diesel/2004/ShowDetails

If you configure Scanner to attack REST-style parameters, then each of "cars", "red", etc. will be tested for input-based vulnerabilities. This option is off by default, to avoid creating excessive numbers of scan requests if this is not necessary. You should enable this option any time you believe the application may be transmitting data using the REST paradigm.

The rules for defining non-injectable parameters are now extended so you can exclude specific REST parameters by their index number. So, if you know that "cars" is used to define the application path, and is not a data parameter, you can define a rule to skip server-side injection tests for REST parameter 1 (use the index number as the parameter name in the rule).
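As an added example (not Burp's own code), here is how REST-style path segments can be turned into indexed parameters with a skip rule applied by index number, using the page's example path. The 1-based index matches the rule syntax described above; the offsets are the span within the path that a scanner would treat as the insertion point for that parameter. The `insertion_point_count` helper is an assumption of this example, included to show why the option is off by default: each extra path segment adds another insertion point to scan.

```python
from urllib.parse import urlsplit


def rest_parameters(url):
    """Split the path of a URL into REST-style parameters.

    Returns (index, value, start, end) tuples. index is 1-based, so
    "REST parameter 1" is the first path segment; start and end are the
    character offsets of that segment within the path."""
    path = urlsplit(url).path
    params = []
    pos = 0
    index = 0
    for segment in path.split("/"):
        if segment:                       # skip the empty strings around slashes
            index += 1
            params.append((index, segment, pos, pos + len(segment)))
        pos += len(segment) + 1           # +1 for the slash that followed it
    return params


def injectable_rest_parameters(url, skip_indexes=()):
    """Apply non-injectable-parameter rules given as REST index numbers and
    return only the parameters that should receive input-based tests."""
    skip = set(skip_indexes)
    return [p for p in rest_parameters(url) if p[0] not in skip]


def insertion_point_count(url, rest_enabled, skip_indexes=()):
    """Number of insertion points for a base request: query parameters are
    always counted, REST path segments only when the option is enabled."""
    query_params = [kv for kv in urlsplit(url).query.split("&") if kv]
    count = len(query_params)
    if rest_enabled:
        count += len(injectable_rest_parameters(url, skip_indexes))
    return count


if __name__ == "__main__":
    example = "/cars/red/diesel/2004/ShowDetails"
    for index, value, start, end in injectable_rest_parameters(example, skip_indexes=(1,)):
        print(f"REST parameter {index}: {value!r} at path[{start}:{end}]")
```

With the skip rule for index 1, "cars" is left alone and "red", "diesel", "2004" and "ShowDetails" remain as insertion points.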

2. Scanner adds support for fully customisable attack insertion points, so you can specify arbitrary locations within a base request where attack strings should be placed. To use this function, send the relevant base request to Intruder, use the payload positions UI to define the start/end of each insertion point in the usual way, and select the new Intruder menu option "actively scan defined insertion points".

3. Automatic placement of payload positions within Intruder now recognises XML-formatted data within the currently-selected range of the request template. Some applications send XML-encapsulated data within a multipart request body, for example:

POST /function HTTP/1.0
Content-Type: multipart/form-data; boundary=weidhwiderfhwiuehwiuehfwerrf
Content-Length: 202

--weidhwiderfhwiuehwiuehfwerrf
Content-Disposition: form-data; name="data"

<data>
<param1>foo</param1>
<param2>bar</param2>
<param3>123</param3>
</data>

--weidhwiderfhwiuehwiuehfwerrf--

If you perform auto-placement of payload positions on the entire message, then Intruder will mark the whole of the XML block as a single insertion point, which is probably not what you want.

However, if instead you manually select the precise XML block, then the auto-placement function will recognise that the selection contains XML, and will mark the individual XML parameter values as insertion points.

Used in conjunction with scanning of configurable insertion points (see #2), this enables you to quickly scan complex message bodies properly.
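To make the auto-placement behaviour in #3 concrete, and to show the kind of start/end positions that #2 then hands to the scanner, here is an added example that is not Burp's own code. It works on a constructed request modelled on the message above (Content-Length omitted). Auto-placing over the entire message yields one insertion point per multipart part body, so the XML block is a single position; selecting just that block and auto-placing again yields one position per XML text value. The multipart splitting follows RFC 2046 delimiters and the XML offsets come from expat's CurrentByteIndex; both are this example's choices, not a description of Burp's internals.

```python
import re
from xml.parsers import expat

# Constructed request modelled on the message shown above (Content-Length omitted).
REQUEST = (
    b"POST /function HTTP/1.0\r\n"
    b"Content-Type: multipart/form-data; boundary=weidhwiderfhwiuehwiuehfwerrf\r\n"
    b"\r\n"
    b"--weidhwiderfhwiuehwiuehfwerrf\r\n"
    b'Content-Disposition: form-data; name="data"\r\n'
    b"\r\n"
    b"<data>\n<param1>foo</param1>\n<param2>bar</param2>\n<param3>123</param3>\n</data>"
    b"\r\n--weidhwiderfhwiuehwiuehfwerrf--\r\n"
)


def multipart_part_bodies(request):
    """(start, end) byte offsets of each part body in a multipart request.
    The delimiter is CRLF + '--' + boundary (RFC 2046), so the first boundary
    line is matched via the blank line that ends the HTTP headers."""
    m = re.search(rb"boundary=([^\r\n;]+)", request)
    delim = b"\r\n--" + m.group(1)
    positions = [hit.start() for hit in re.finditer(re.escape(delim), request)]
    spans = []
    for i in range(len(positions) - 1):
        part_start = positions[i] + len(delim)
        part_end = positions[i + 1]
        part = request[part_start:part_end]
        if part.startswith(b"--"):            # closing delimiter: no more parts
            break
        header_end = part.find(b"\r\n\r\n")   # part headers end at the blank line
        spans.append((part_start + header_end + 4, part_end))
    return spans


def is_xml(data):
    """True when data is a well-formed XML document."""
    try:
        expat.ParserCreate().Parse(data, True)
        return True
    except expat.ExpatError:
        return False


def xml_text_values(xml_bytes):
    """(start, end, text) for each non-whitespace text node, with byte offsets
    relative to xml_bytes. Inside a handler, expat's CurrentByteIndex is the
    offset of the token that triggered the handler."""
    parser = expat.ParserCreate()
    values = []

    def on_text(text):
        if text.strip():
            start = parser.CurrentByteIndex
            values.append((start, start + len(text.encode("utf-8")), text))

    parser.CharacterDataHandler = on_text
    parser.Parse(xml_bytes, True)
    return values


def auto_place(request, selection=None):
    """Insertion points as (start, end) byte offsets into request.

    selection=None models auto-placement over the whole message: each
    multipart part body is one insertion point, so an XML part is one big
    position. A (start, end) selection holding well-formed XML is broken down
    into one point per XML text value; any other selection stays one point."""
    if selection is None:
        return multipart_part_bodies(request)
    start, end = selection
    chunk = request[start:end]
    if is_xml(chunk):
        return [(start + s, start + e) for s, e, _ in xml_text_values(chunk)]
    return [(start, end)]


def values_at(request, points):
    """The bytes each insertion point currently covers (for display)."""
    return [request[s:e] for s, e in points]


if __name__ == "__main__":
    whole = auto_place(REQUEST)
    print("entire message:", values_at(REQUEST, whole))
    print("XML selection: ", values_at(REQUEST, auto_place(REQUEST, whole[0])))
```

The first call returns a single point covering the whole `<data>` element; passing that span back as the selection returns three points covering `foo`, `bar` and `123`, which is the set of positions you would then scan via "actively scan defined insertion points".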

4. In any message display you can now copy to file, and (when editable) paste from file, using the right-click context menu. Copying operates on the selected text or, if nothing is selected, the whole message. Pasting replaces the selected text or, if nothing is selected, inserts at the cursor position.

5. When a message is showing in the Proxy intercept tab, you can forward or drop the message using the shortcut keys Alt-F and Alt-D.

Thursday, April 9, 2009

v1.2.05

Beta release containing a new text editor for raw HTTP requests and responses. The new editor has a number of enhancements:

  • Much faster display of large messages.

  • Colouring of request parameters and response syntax with minimal processing overhead.

  • Undo/redo.

  • Mouseover URL-decoding (in requests) and HTML-decoding (in responses).

  • Configurable font and text size.

The editor supports the following control keys:

  • Ctrl + A, select all

  • Ctrl + C, copy selected text

  • Ctrl + F, find and highlight the selected text throughout the message

  • Ctrl + V, paste

  • Ctrl + X, cut selected text

  • Ctrl + Y, redo last undone edit

  • Ctrl + Z, undo last edit

  • Ctrl + left, move to previous word

  • Ctrl + right, move to next word

  • Ctrl + up, move to previous paragraph

  • Ctrl + down, move to next paragraph

  • Ctrl + home, go to start of message

  • Ctrl + end, go to end of message

  • Ctrl + backspace, delete previous word

  • Ctrl + del, delete next word

Any feedback and suggestions much appreciated, particularly from users on less mainstream OS platforms.

This release also fixes a problem saving state when responses contain international characters, and addresses various other bugs.