Friday, July 17, 2009

v1.2.13

1. You can now pause and resume active scanning, using the context menu on the scan queue tab. A new status bar shows you whether the scanner is running, and the number of currently active scan threads.

2. There is a new task scheduler, which you can use to automatically start and stop certain tasks at defined times and intervals. You can schedule a task on a specific URL using the new context menu item that appears throughout Burp:

This action starts a wizard which lets you configure the details and timing of the task. The tasks currently implemented are shown below:

You can configure each task to be one-off, or to repeat at regular intervals. Tasks that you have created appear in a table in the suite Options tab. For example, the following configuration will begin scanning a target overnight at 2am, and suspend the scanner each day during working hours:

You can also create a new task, and edit or remove existing tasks, using the above buttons.

3. The extensibility method IBurpExtenderCallbacks.getParameters now returns the type of each parameter, as well as its name and value. The method's signature is unchanged; however, the implementation now returns the following array for each parameter:

String[] { name, value, type }

4. Passwords are now masked on-screen in the UI for configuring www and proxy authentication.

Friday, July 3, 2009

v1.2.12

1. This release adds a new "find references" feature, which you can access via the context menus throughout Burp:

Anywhere you see an HTTP request, URL, domain, etc., you can use the "find references" function to search all of Burp's tools for HTTP responses which link to that item. When you view an individual search result, the response is automatically highlighted to show where the linking reference occurs:

Note that this feature treats the original URL as a prefix when searching for links, so if you select a host, you will find all references to that host; if you select a folder, you will find all references to items within that folder or deeper.

The new "find references" feature effectively serves the same purpose as the "linked from" list that existed in earlier versions of Burp Spider, but is much more powerful.

2. There is a new autosave feature, which saves a backup of Burp's state in the background at a configurable interval:

This setting persists across reloads of Burp, so you can configure Burp to always save its state to a local temp directory and know that every time you use Burp you will have a backup copy of your work.

3. The HTTP message editor now has an option to URL-encode relevant characters as you type. If this option is turned on (via the context menu) then characters like & and = will be automatically replaced with their URL-encoded equivalents as you type:

4. The live active scanning feature has been modified to ignore requests for media resources (images, etc.) where the request does not contain any non-cookie parameters. Requests like these are virtually always for static resources which do not have any security significance, and so can be safely ignored by the scanner.

Note that despite this change to the live scanning feature, if you manually select items like these and send them for active scanning, then they will of course be scanned in the normal way.