Any HTTP response within Burp can now be rendered in your browser, to avoid the limitations of Burp's built-in HTML renderer. This feature is accessed by selecting any item with a response, and choosing the "show in browser" item from the context menu. Burp then gives you a unique URL which you can paste into your browser (configured to use the current instance of Burp as its proxy), to render the response. The resulting browser request is served by Burp with the exact response that you selected (the request is not forwarded to the original web server), and yet the response is processed by the browser in the context of the originally requested URL. Hence, relative links within the response will be handled properly by your browser. As a result, your browser may make additional requests (for images, CSS, etc.) in the course of rendering the response - these will be handled by Burp in the usual way.
The function to save Burp's state now includes an option to include only in-scope items. When working on a client engagement, this enables you to save only relevant items for archiving or sharing with colleagues. The new option is available in the save state wizard, in the automatic backup feature, and in scheduled tasks that save state.
IBurpExtenderCallbacks now includes the following methods for loading and saving configuration:
void loadConfig(java.util.Map config)
Configuration information is handled as a map of name/value pairs. Any settings not specified in the Map will be restored to their default values. To selectively update only some settings and leave the rest unchanged, you should first call saveConfig to obtain Burp's current configuration, modify the relevant items in the Map, and then call loadConfig with the same Map.
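The save-modify-load sequence just described, as an added example (not PortSwigger's code) written against the legacy v1.3 extender API, where Burp loads the class burp.BurpExtender by reflection and calls the methods it finds. The setting names in CHANGES are placeholders, since the real key names are whatever saveConfig returns in your build; the helper only overwrites keys Burp actually reported, so a mistyped key is reported instead of being silently ignored.

```java
package burp;

import java.util.HashMap;
import java.util.Map;

// Added example, not PortSwigger's code: a legacy-API Burp extension that
// selectively updates a few settings when it is loaded.
public class BurpExtender {

    // Placeholder setting names: take the real ones from the Map that
    // saveConfig() returns in your own Burp build.
    private static final Map<String, String> CHANGES = new HashMap<String, String>();
    static {
        CHANGES.put("example.setting.one", "true"); // hypothetical key
        CHANGES.put("example.setting.two", "4");    // hypothetical key
    }

    private IBurpExtenderCallbacks callbacks;

    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        try {
            // 1. Fetch the complete current configuration ...
            Map current = callbacks.saveConfig();
            // 2. ... change only the keys we care about ...
            Map updated = applyChanges(current, CHANGES);
            // 3. ... and hand the full Map back. Keys missing from this Map
            //    would be reset to defaults, which is why the same Map is used.
            callbacks.loadConfig(updated);
        } catch (Exception e) {
            callbacks.issueAlert("Configuration update failed: " + e);
        }
    }

    // Copies the saved Map and overwrites only keys Burp already reported.
    // Unknown keys abort the update rather than being added blindly.
    static Map applyChanges(Map current, Map<String, String> changes) {
        Map updated = new HashMap(current);
        StringBuilder unknown = new StringBuilder();
        for (Map.Entry<String, String> e : changes.entrySet()) {
            if (updated.containsKey(e.getKey())) {
                updated.put(e.getKey(), e.getValue());
            } else {
                unknown.append(' ').append(e.getKey());
            }
        }
        if (unknown.length() > 0) {
            throw new IllegalArgumentException("unknown setting(s):" + unknown);
        }
        return updated;
    }
}
```

Compile against burp.jar on the classpath and load the resulting jar as a Burp extension; the raw Map types mirror the untyped java.util.Map the API declares.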
IBurpExtenderCallbacks now includes the following method for adding arbitrary items to Burp's site map:
void addToSiteMap(IHttpRequestResponse item)
This method allows extensions to write custom interfaces to import the output from other tools.
IHttpRequestResponse now includes the following methods for accessing user-annotated comments in items belonging to Burp tools that support comments:
void setComment(java.lang.String comment)
Burp Intruder now includes a built-in payload list containing User-Agent strings for numerous browsers. This can be used for testing whether applications return different content to different mobile devices, etc.
The Suite-wide options now include a default-off option to enable all supported cipher suites during SSL negotiation. This option is not normally necessary but may be useful when attempting to connect to unusually configured SSL stacks.
This release fixes another source of UI instability when running on Mac. Soon, Burp is going to be so stable on this platform that it will prevent OSX itself from crashing.
Thursday, November 4, 2010
Monday, August 23, 2010
This release includes various new features and fixes:
Improved stability on Mac OSX. The UI hangs that sometimes occur are hopefully reduced. I'm keen to eliminate the remaining Mac problems and be able to say that Burp officially runs on this platform, so if you are aware of any issues at all, please let me know and I'll get them fixed.
Added support for upstream SOCKS proxies:
Each individual configuration panel now has its own "restore defaults" button, so you can revert specific parts of Burp's configuration without needing to reset the configuration for a whole tool or the entire suite.
Added support for headless mode (this is when you pass -Djava.awt.headless=true as a command-line argument to your JRE, to prevent it from building a user interface). In this mode, the proxy will pass through all messages without interception, and no other UI-based control is possible. Full programmatic control of Burp via Burp Extender is still possible.
The default proxy request interception rule now ignores JS and ICO extensions, in addition to CSS and other common image file extensions.
Some issues identified with UI extensibility (introduced in v1.3.07) have been addressed. In the previous version, there were some unnecessary limitations on the IHttpRequestResponse objects passed to IMenuItemHandler.menuItemClicked(), which have now been removed:
The setRequest() and setResponse() methods now work when invoked on requests and responses currently displayed in the proxy interception view.
The getRequest() and getResponse() methods now return the currently displayed message (after any user edits) in the proxy interception view.
The getResponse() method now works in Burp Repeater provided the request currently displayed in the request panel has been issued and has not been subsequently edited by the user.
These enhancements enable Burp extensions to perform various useful functions via custom menu items. For example, if a client-side application component adds a checksum to request data, an extension could create a custom menu item to reapply the correct checksum to the currently displayed request, following any edits by the user.
The colours used for some encoding types in Burp Decoder have been changed to make them more legible on some platforms.
There is a function (on the help menu) to extract diagnostic information about the OS and JRE on which Burp is running, to help troubleshoot some issues.
The "send to comparer" context menu item now supports multiple selection of items in tables/trees.
Various minor bugs are fixed.
Monday, July 19, 2010
The redirection targets which Burp will actually follow are still determined by the configuration within each individual tool (e.g. based on target scope).
2. Burp Repeater now has the facility to manually follow redirects where desired. When a redirect response is received which Repeater has not followed automatically, a "follow redirect" button appears, enabling you to manually follow the redirect after viewing it. This feature is useful for walking through each request and response in a redirection sequence. New cookies will be processed in these manual redirects if this option has been set in Repeater's configuration.
3. Burp Extender now provides the facility to register custom menu items which will appear on the context menus used throughout Burp to receive user actions. Extensions which need to add custom menu items should provide an implementation of the new IMenuItemHandler interface, and use the registerMenuItem method of IBurpExtenderCallbacks to register each custom menu item. Burp will then display the custom menu items whenever a context menu is shown to the user, and will invoke the relevant handler when the user clicks the menu item.
Burp passes to the menu item handler the full request and response details of the user-selected item(s) for which the context menu was generated. This new functionality enables extensions to inter-operate in user-driven ways with third-party software, or, using the various methods in IBurpExtenderCallbacks, extend Burp's own functionality in new ways.
4. Rendering of multi-byte character sets is improved, and most charsets should now render properly in the HTTP message editor when the appropriate encoding is set on the command line, for example:
Note that cursor positioning when editing content that uses some multi-byte charsets may be unreliable, due to the varying lengths of multi-byte sequences used in many charsets. Specific support for the SHIFT_JIS, EUC-JP and UTF-8 charsets has been provided. If you encounter any multi-byte charsets which are not handled properly in either viewing or editing, please let me know the encoding type and a sample URL, and proper support will be added.
Other future work in this area will enable Burp to dynamically determine the relevant charset from the contents of HTTP responses and use this when rendering, thus avoiding the need to set command line options for specific charsets.
5. The proxy history context menu now has a "clear history" option.
6. In XML exports of scan issues and request/response details, the "host" element now has an "ip" attribute which shows the IP address of the host. Note that for performance reasons fresh lookups are not performed during reporting, and the value of the "ip" attribute will be an empty string if Burp has not resolved the hostname.
7. The configuration for client SSL certificates now has a default-off option to allow unsafe renegotiation, which is apparently necessary when using some client certificates.
8. The state restore wizard now includes a default-on option to pause the spider and active scanner when the saved state is restored. This helps to avoid inadvertently attacking targets when loading old state files into Burp that include ongoing tasks in the spider and scanner queues.
9. There are numerous minor bugfixes.
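The custom menu item mechanism from item 3 above, shown as an added example (not PortSwigger's code) against the legacy v1.3 extender API. It implements the scenario the later August notes mention: a menu item that reapplies a body checksum to the currently displayed request after the user has edited it. The X-Body-Checksum header and the SHA-256-over-body scheme are hypothetical stand-ins for whatever the client-side component actually does.

```java
package burp;

import java.security.MessageDigest;

// Added example, not PortSwigger's code: registers a context menu item that
// recomputes a hypothetical X-Body-Checksum header over the request body.
public class BurpExtender implements IMenuItemHandler {

    private static final String HEADER_NAME = "X-Body-Checksum"; // hypothetical
    private IBurpExtenderCallbacks callbacks;

    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        callbacks.registerMenuItem("Reapply body checksum", this);
    }

    // Burp passes the selected item(s); in the proxy interception view
    // getRequest() returns the message as currently displayed, edits included.
    public void menuItemClicked(String menuItemCaption, IHttpRequestResponse[] messageInfo) {
        for (int i = 0; i < messageInfo.length; i++) {
            try {
                byte[] request = messageInfo[i].getRequest();
                if (request != null) {
                    messageInfo[i].setRequest(reapplyChecksum(request));
                }
            } catch (Exception e) {
                callbacks.issueAlert("Checksum update failed: " + e);
            }
        }
    }

    // Rewrites (or adds) the checksum header of a raw HTTP request.
    // ISO-8859-1 maps bytes 1:1 to chars, so binary bodies survive the round trip.
    static byte[] reapplyChecksum(byte[] request) throws Exception {
        String text = new String(request, "ISO-8859-1");
        int split = text.indexOf("\r\n\r\n");
        if (split < 0) {
            return request; // no header/body boundary: leave the message alone
        }
        String[] headerLines = text.substring(0, split).split("\r\n");
        String body = text.substring(split + 4);

        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        String digest = toHex(sha256.digest(body.getBytes("ISO-8859-1")));

        StringBuilder out = new StringBuilder();
        for (int i = 0; i < headerLines.length; i++) {
            // drop any existing checksum header (case-insensitive), keep the rest
            if (!headerLines[i].toLowerCase().startsWith(HEADER_NAME.toLowerCase() + ":")) {
                out.append(headerLines[i]).append("\r\n");
            }
        }
        out.append(HEADER_NAME).append(": ").append(digest)
           .append("\r\n\r\n").append(body);
        return out.toString().getBytes("ISO-8859-1");
    }

    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < data.length; i++) {
            sb.append(String.format("%02x", data[i] & 0xff));
        }
        return sb.toString();
    }
}
```

The header is appended after the surviving headers rather than kept in its original position, which keeps the rewrite simple; if the application cares about header order, insert it at the index of the removed line instead.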
Tuesday, June 22, 2010
This release adds various enhancements to the Scanner engine to further improve its ability to find vulnerabilities and avoid false positives. Most of the improvements affect the core detection logic for XSS and SQL injection.
Aside from the better performance, the only noticeable difference in the UI is a new Scanner option to follow redirects. If enabled, this lets the Scanner follow redirects where necessary to identify certain vulnerabilities (for example echoed input or a database error message which is only displayed when a redirect is followed).
Because some applications issue redirects to third-party URLs which include parameter values that you have submitted, Burp protects you against inadvertently attacking third-party applications, by not following just any redirection which is received. If the request being scanned is within the defined target scope (i.e. you are using target scope to control what gets scanned), then Burp will only follow redirects that are within that scope. If the request being scanned is not in scope (i.e. you have manually initiated a scan of an out-of-scope request), Burp will only follow redirects which (a) are to the same host/port as the request being scanned; and (b) are not explicitly covered by a scope exclusion rule (e.g. "logout.aspx").
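The decision rule above, as an added stand-alone model (not Burp's code) that you can run to check which redirects would be followed. Target scope is simplified here to regex include and exclude rules matched against the full URL, which is an assumption; Burp's real scope configuration is richer. The hostnames are constructed.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not Burp's code: models the redirect-following policy with
// scope reduced to regex include/exclude rules over the URL string.
public class RedirectPolicy {

    private final List<Pattern> includes;
    private final List<Pattern> excludes;

    public RedirectPolicy(List<Pattern> includes, List<Pattern> excludes) {
        this.includes = includes;
        this.excludes = excludes;
    }

    boolean excluded(URL u) {
        for (Pattern p : excludes) {
            if (p.matcher(u.toString()).find()) return true;
        }
        return false;
    }

    boolean inScope(URL u) {
        if (excluded(u)) return false;
        for (Pattern p : includes) {
            if (p.matcher(u.toString()).find()) return true;
        }
        return false;
    }

    // Decides whether a redirect received while scanning `scanned` is followed.
    public boolean shouldFollow(URL scanned, URL redirect) {
        if (inScope(scanned)) {
            // Scope is driving the scan: only follow redirects that stay in scope.
            return inScope(redirect);
        }
        // Manually scanned out-of-scope request: same host and port, and not
        // hit by an explicit exclusion such as a logout page.
        return sameHostAndPort(scanned, redirect) && !excluded(redirect);
    }

    static boolean sameHostAndPort(URL a, URL b) {
        return a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    // A URL without an explicit port uses the scheme default, so
    // "https://h/" and "https://h:443/" compare equal.
    static int effectivePort(URL u) {
        return u.getPort() == -1 ? u.getDefaultPort() : u.getPort();
    }

    // Location headers may be relative; resolve them against the scanned URL.
    static URL resolve(URL base, String location) throws MalformedURLException {
        return new URL(base, location);
    }

    public static void main(String[] args) throws MalformedURLException {
        // constructed scope: app.example.com is in scope, its logout page excluded
        RedirectPolicy policy = new RedirectPolicy(
                Arrays.asList(Pattern.compile("^https://app\\.example\\.com/")),
                Arrays.asList(Pattern.compile("/logout\\.aspx")));
        String scanned = "https://app.example.com/search?q=x";
        String manual = "https://other.example.net:8443/form";
        String[][] cases = {
            { "in-scope -> relative in-scope", scanned, "/results?q=x" },        // follow
            { "in-scope -> third party", scanned, "https://tracker.example.org/?q=x" }, // do not
            { "in-scope -> excluded logout", scanned, "/logout.aspx" },         // do not
            { "out-of-scope -> same host/port", manual, "/thanks" },            // follow
            { "out-of-scope -> same host, port 443", manual, "https://other.example.net/thanks" }, // do not
        };
        for (String[] c : cases) {
            URL from = new URL(c[1]);
            boolean follow = policy.shouldFollow(from, resolve(from, c[2]));
            System.out.println(c[0] + ": " + (follow ? "follow" : "do not follow"));
        }
    }
}
```

The port comparison is the detail most easily got wrong: an explicit ":443" and an implicit default port refer to the same listener, while ":8443" does not, so the model normalises before comparing.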
Wednesday, May 26, 2010
This release adds a number of new checks to Burp Scanner, to report the following issues:
File upload functionality
SSL certificate problems
SQL syntax in request parameters
Silverlight crossdomain policy
Disclosure of social security numbers
Disclosure of credit card numbers
Disclosure of database connection strings
Disclosure of server-side source code
ASP.NET tracing enabled
ASP.NET debugging enabled
HTTP PUT enabled
It must be said that many of these aren't the most exciting issues you can find in web applications, but they are all checks that people have been asking for. And even seemingly banal issues can often lead to bigger things so are worth investigating.
Tuesday, May 18, 2010
This release adds a number of new features and bugfixes:
IBurpExtender now defines the following proxy interception actions:
public final static int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10;
public final static int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11;
public final static int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12;
If an implementation of processProxyMessage sets one of these values as the interception action, then Burp will make a second call to processProxyMessage after the user has viewed/edited the message. This enables extensions to perform further processing on the message. For example, to handle an unusual encoding scheme that is not supported by Burp, an extension could deserialise a custom message format in the first call to processProxyMessage, allow the user to manually review and modify the raw data, and then reserialise the message in the second call to processProxyMessage.
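The two-call flow described above, as an added example (not PortSwigger's code) against the legacy v1.3 processProxyMessage signature. It assumes a hypothetical application whose message bodies are ASCII-hex encoded: the first call decodes the body so the user edits plain data in the interception view, and the second call re-encodes whatever the user left there. It also assumes, as the API documents, that a request and its response share one messageReference, so the bookkeeping keys on reference plus direction.

```java
package burp;

import java.util.HashSet;
import java.util.Set;

// Added example, not PortSwigger's code: uses the *_AND_REHOOK actions to
// decode a hypothetical hex-encoded body before the user sees it and to
// re-encode it afterwards.
public class BurpExtender {

    // Messages already decoded, keyed by reference and direction.
    private final Set<String> decoded = new HashSet<String>();

    public byte[] processProxyMessage(int messageReference, boolean messageIsRequest,
            String remoteHost, int remotePort, boolean serviceIsHttps,
            String httpMethod, String url, String resourceType,
            String responseCode, String responseContentType,
            byte[] message, int[] action) {
        String key = messageReference + (messageIsRequest ? "/req" : "/rsp");
        if (decoded.add(key)) {
            // First call: decode, and ask Burp to call back after the user has
            // viewed or edited the message.
            action[0] = IBurpExtender.ACTION_FOLLOW_RULES_AND_REHOOK;
            return transformBody(message, true);
        }
        // Second call: re-encode the (possibly edited) message, normal rules apply.
        decoded.remove(key);
        action[0] = IBurpExtender.ACTION_FOLLOW_RULES;
        return transformBody(message, false);
    }

    // Splits the raw message at the header/body boundary and hex-decodes or
    // hex-encodes the body. Malformed hex is passed through untouched so the
    // extension never corrupts a message it does not understand.
    static byte[] transformBody(byte[] message, boolean decode) {
        int split = indexOf(message, "\r\n\r\n".getBytes());
        if (split < 0) {
            return message;
        }
        int headLen = split + 4;
        byte[] body = new byte[message.length - headLen];
        System.arraycopy(message, headLen, body, 0, body.length);
        byte[] newBody = decode ? fromHex(body) : toHex(body);
        if (newBody == null) {
            return message;
        }
        byte[] out = new byte[headLen + newBody.length];
        System.arraycopy(message, 0, out, 0, headLen);
        System.arraycopy(newBody, 0, out, headLen, newBody.length);
        return out;
    }

    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    static byte[] toHex(byte[] data) {
        final byte[] digits = "0123456789abcdef".getBytes();
        byte[] out = new byte[data.length * 2];
        for (int i = 0; i < data.length; i++) {
            out[2 * i] = digits[(data[i] >> 4) & 0xf];
            out[2 * i + 1] = digits[data[i] & 0xf];
        }
        return out;
    }

    static byte[] fromHex(byte[] hex) {
        if (hex.length % 2 != 0) return null;
        byte[] out = new byte[hex.length / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit((char) hex[2 * i], 16);
            int lo = Character.digit((char) hex[2 * i + 1], 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

Changing the body length leaves Content-Length stale; this example does not touch it, so either rely on a Proxy option that updates the header for edited messages, if your version offers one, or add that step to transformBody before using the pattern on real traffic.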
The Intruder payload processor adds a new type of processing rule to skip the current payload if it matches a regex expression. This enables you to use word lists with #commented lines, and skip these with a regex like:
The request timestamp which appears in various places (proxy history, site map, etc) now displays the date as well as the time, which is useful when your work spans several days.
In sortable tables, clicking on a column header to change the table ordering now preserves the selection of the selected item. This makes it easier to analyse certain sets of results - for example, in Intruder, you can select an interesting result, and quickly use column sorting to find other results that are similar to it in different respects (same payload, status code, response length, etc.) without having to hunt through the results for your item following each sort.
File extension filters in the proxy history, site map and active scanning wizard are now case insensitive, which is virtually always what you want.
The URL-decode function in the editor context menu now decodes Unicode URL-encoded data (for example, %u0041 decodes as A).
The help menu now has a link to the main Suite help as well as the help for individual tools.
The function to restore default settings now prompts for confirmation.
A bug in the proxy match-replace feature, in which Burp only replaced the first occurrence of a matched expression when operating on headers, has been fixed.
Some anomalies when copying attack configuration between Intruder tabs have been fixed.
The Intruder config for a request to retrieve cookies now uses the new request editor, eliminating some editing anomalies on some platforms.
Burp's XML output (used in Scanner reporting and exporting of request/response details) now uses XML version 1.1. It had been noted that some of Burp's output was not XML standards-compliant, as some binary content within raw HTTP messages contained characters which are disallowed in XML documents, even when they appear within CDATA blocks. Switching to version 1.1 reduces the extent of this problem, as the only disallowed character is NULL. When reported messages do contain NULL bytes, for purposes of accuracy Burp still preserves these in its output. A comment has been added within the output that it may be necessary for you to remove or replace NULL bytes before processing Burp's output using a standards-compliant parser.
A bug in the Proxy, in which Burp failed to properly handle non-proxy-style requests when running in invisible mode in conjunction with an upstream proxy server, has been fixed. Burp now correctly converts the URL in the request into its absolute form in this situation, so it can be processed by the upstream proxy.
A bug in Repeater, in which an edited but unrequested message is not preserved when saving state, has been fixed.
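The Unicode URL-decoding behaviour noted above for the editor (for example, %u0041 decodes as A), as an added stand-alone decoder that is not Burp's code. It handles %XX as one byte per escape and %uXXXX as one UTF-16 code unit per escape; malformed or truncated escapes are copied through unchanged rather than dropped, which is the behaviour you want when decoding suspicious input for inspection. The sample inputs in main are constructed.

```java
// Added example, not Burp's code: decodes %XX and %uXXXX escapes, leaving
// anything malformed exactly as it was.
public class PercentDecoder {

    public static String decode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        int i = 0;
        while (i < s.length()) {
            char c = s.charAt(i);
            // %uXXXX: needs six characters and four hex digits after the 'u'
            if (c == '%' && i + 6 <= s.length()
                    && (s.charAt(i + 1) == 'u' || s.charAt(i + 1) == 'U')) {
                int code = hex(s, i + 2, 4);
                if (code >= 0) {
                    out.append((char) code); // %u0041 -> 'A'
                    i += 6;
                    continue;
                }
            }
            // %XX: needs three characters and two hex digits
            if (c == '%' && i + 3 <= s.length()) {
                int code = hex(s, i + 1, 2);
                if (code >= 0) {
                    out.append((char) code); // %41 -> 'A'; bytes above 0x7f kept as-is
                    i += 3;
                    continue;
                }
            }
            out.append(c); // not an escape, or a broken one: copy through
            i++;
        }
        return out.toString();
    }

    // Parses exactly `len` hex digits starting at `from`; -1 if any is not hex.
    static int hex(String s, int from, int len) {
        int value = 0;
        for (int k = from; k < from + len; k++) {
            int d = hexDigit(s.charAt(k));
            if (d < 0) return -1;
            value = (value << 4) | d;
        }
        return value;
    }

    static int hexDigit(char c) {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    }

    public static void main(String[] args) {
        // constructed inputs: a %u escape, a mixed pair, a literal percent,
        // a truncated %u escape and a non-hex escape
        String[] samples = { "%u0041%42C", "%u00e9t%E9", "100%25", "%u41", "%zz%" };
        for (String in : samples) {
            System.out.println(in + " -> " + decode(in));
        }
    }
}
```

The %XX branch deliberately emits the byte value as a single char (the ISO-8859-1 mapping) rather than attempting UTF-8 reassembly, matching an editor that works on raw bytes; decode the result as UTF-8 separately if you know the content is UTF-8.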
Thursday, April 15, 2010
This release addresses a number of stability issues, particularly on non-Sun JRE platforms like Apple and OpenJDK:
Occasional UI freezes during updates to the site map (during spidering, content discovery etc.).
Occasional UI freezes when toggling Proxy interception during display of large responses.
Complete failure to run on OpenJDK.
The moral of this story has been: don't assume that thread synchronization works the same way on all JREs. It's difficult to promise that there won't be any more of these issues, but initial feedback from Mac users has been positive. If you do encounter any more stability issues, please do let me know.
There are some minor bugfixes affecting all users. And the changes to the thread synchronization model have made some of Burp's functionality run a fair bit faster than previously.
The Sun JRE remains the only officially supported platform for Burp, but this release should make life much easier for users of other platforms.
Sunday, April 11, 2010
It also adds a facility to customise the preset payload lists that are included with Burp Intruder, and which are accessible via the "add from list" drop-down for various payload types. You can specify your own directory to hold payload lists, and these will automatically appear in the drop-down within Burp.
To access this feature, choose "configure preset payload lists" from the Intruder menu:
You can use the "copy" button to copy all of Burp's built-in payload lists into your custom directory, to use alongside your own payloads lists. You can then use your preferred text editor to modify any of the lists as required.
This release also adds a number of new built-in payload lists, including new fuzz strings and lists of interesting CGI files. These were kindly donated by Adam Muntner.
Thursday, March 25, 2010
This beta release introduces a large number of new features and other enhancements to Burp Intruder. A brief summary is below - see the online help for full documentation.
Tabbed attack configuration
You can now configure multiple attacks simultaneously in separate numbered tabs, as with Burp Repeater. Each time you send a request to Intruder, this opens a new attack tab. You can also add and delete tabs using the Intruder menu.
You can configure how Burp populates the configuration of each new tab, with three options accessible via the Intruder menu:
use default attack configuration
copy configuration from first tab
copy configuration from last tab
So, for example, you can set up a standard attack configuration in your first attack tab (e.g. for fuzzing parameters and grepping for error messages) and have this configuration copied into a new tab for each request that you send to intruder.
You can also copy attack configurations between tabs, and save and load attack configurations, using the Intruder menu. This enables you to construct various attack configurations optimised for various purposes, and easily load these into Burp for use on different occasions.
Payload positions editor
This panel now uses the same feature-rich request editor as other Burp tools, with quick search, in-place encoding/decoding, undo/redo, and a context menu with useful functions. Binary and non-printing content is now fully supported, with no normalisation of newlines or other characters.
Auto-placement of payload markers can be configured to either replace or append to existing parameter values, via an option in the Intruder menu.
New payload sources
There are three new payload sources:
Character frobber. This operates on the existing base value of each payload position, or on a specified string. It cycles through the base string one character at a time, incrementing the ASCII code of that character by one. This payload source is useful when you are testing which parts of a parameter's value have an effect on the application's response (such as portions of complex session tokens).
Bit flipper. This operates on the existing base value of each payload position, or on a specified string. It cycles through the base string one character at a time, flipping each bit in turn. You can configure which bits are to be flipped. You can configure the bit flipper either to operate on the literal base value, or to treat the base value as an ASCII hex string. This payload source can be useful in similar situations to the character frobber but where you need finer-grained control. For example, if session tokens or other parameter values contain meaningful data encrypted with a block cipher in CBC mode, it may be possible to change parts of the decrypted data systematically by modifying bits within the preceding cipher block. In this situation, you can use the bit flipper payload source to determine the effects of modifying individual bits within the encrypted value, and understand whether the application may be vulnerable.
Username generator. This payload source takes human names as input, and generates potential usernames using various common schemes.
New payload processor
The previous simple options for post-processing payloads are replaced with a new rules-based processor which is much more powerful. You can define arbitrarily many rules, which are executed in sequence on each payload. The types of rules available are:
substring (from a specified offset up to a specified length)
reverse substring (as substring, but indexed from the end of the payload)
modify case (same options as for the case substitution payload source)
encode (as URL, HTML, Base64, ASCII hex and constructed strings for various platforms)
decode (as URL, HTML, Base64 and ASCII hex)
addition of raw payload (this can be useful if you need to include the same payload in both raw and hashed form)
New attack options
The following new options are added:
Number of retries on network error.
Wait between retries.
Make unmodified baseline request (for results comparison with actual attack requests).
Store full payloads. This option imposes some memory overhead and is off by default. It may be necessary to turn this on in some situations - for example, if you are using long payloads (truncated in the results UI) and want to access the full values at runtime, for example in order to modify the payload grep configuration, rebuild and issue requests based on a modified request template, or to save the full results table values.
Live attack configuration
The full configuration for each attack is now replicated within the attack results window. All feasible options can be modified in real time, and will take immediate effect within the running attack. This functionality is useful in various situations, for example: you can adjust the thread count to optimise attack speed; you can change grep settings to analyse existing results based on response content you only notice during the running attack; you can edit the base request template to modify your attack. You should use this feature with caution, and consider pausing the attack if making numerous or significant changes.
The attack results table adds numerous features that were previously added to other Burp tools, including:
Item annotation with comments and highlights
Fully-featured context menu
Deletion of results
Various other new functionality has also been added with attack results, which is specifically relevant to Burp Intruder:
You can flag individual or multiple results to be reissued. This is useful if intermittent network or application problems have caused some requests to fail. When a request is reissued, Burp will, if possible, rebuild a new request based on the current attack configuration, including the current request template if this has been modified. So if your application session has been terminated during an attack, you can modify the request template to set a new session token, and reissue any affected requests - these will be rebuilt using the new session token and so will be processed within the new application session.
You can select items within the results and add these to the Suite site map. This function is useful if you are manually enumerating application content, and want to populate the site map with the URLs of confirmed content.
If an attack has been configured to follow redirects, the request and response viewer will show all intermediate responses and requests, in addition to the initial request and final response.
Holding down CTRL and clicking a column header label copies the entire contents of that column to the clipboard.
Thursday, January 7, 2010
Tuesday, January 5, 2010
As well as various bugfixes, this release adds some handy conversion functions to the request/response editor, which are accessible via the context menu and shortcut keys. To use these, simply select the text you want to convert, and choose the relevant conversion:
Available conversions include URL-encoding, HTML-encoding and Base64-encoding. You can also convert raw data into a "constructed string" for various code-injection contexts. For example, selecting the expression:
This release also improves Mac compatibility in the message viewer/editor. Keyboard shortcuts now work with both the Ctrl and Command keys. And you can display the context menu without losing the current text selection. If you're experiencing other Mac pain, do let me know.