Thursday, May 26, 2011

v1.4beta3

This release fixes a few bugs, and also adds some further features to enhance the new functionality added in v1.4:

  • There is a new tracer function for troubleshooting the session handling configuration. This shows you all of the steps performed when Burp applies session handling rules to a request, allowing you to see exactly how requests are being updated and issued. You can access the session handling tracer via options / sessions / view sessions tracer.

  • There is a new session handling action, to execute a post-request macro. This action issues the request that is currently being processed, and then executes a further macro (request sequence). Optionally, you can configure Burp to update parameters in the first macro request with values taken from the response to the current request, to handle anti-CSRF tokens, etc. Also, you can configure whether the invoking tool should receive the response from the current request, or the response from the final macro request. You can use this feature to perform testing on a request that is part way through a multi-stage process, and ensure that the rest of the process is completed in the normal way. This can be useful to identify some bugs like XSS and SQL injection, where the relevant input is supplied at one stage of a process, and is processed in a vulnerable way at a later stage of the process.

  • The auto-matching of parameter values between macro requests and responses now works for URL-encoded parameters. Further, there is a default-on option to URL-encode any problematic characters in parameter values that are updated by the session handler.

  • When you are performing a site map comparison that involves re-requesting a site map in the current session context, the comparison wizard displays the new site map while it is in the process of being re-requested. This enables you to inspect responses within the re-requested map to ensure that your session context is still valid and your session handling configuration is working in the way you intend.

Thursday, May 12, 2011

v1.4beta2

This release fixes a few bugs that were identified in the first beta release, and also adds some new features:

  • NTLMv2 authentication is now supported, for both web and proxy servers, allowing you to work with Windows servers that do not accept the older version of NTLM.

  • All relevant Burp features now work with IPv6.

  • Charsets are now automatically recognised and correctly rendered, per response. This avoids the need to set a specific charset on the command line when starting Burp, and allows you to work with content that uses multiple different charsets within the same instance of Burp. You can override this default behaviour and set a specific charset at options / display / charset handling. Note that some charsets are not supported for all fonts. If you are using a charset that employs non-Latin glyphs, you should first try using a system font such as Courier New or Dialog.

  • The directory path where Burp saves its temporary files is now configurable, at options / misc / temporary files location. This allows you to specify a directory on a different volume, or which is not world-readable, if required. Changes to this setting take effect the next time Burp starts up.

  • A new method has been added to IBurpExtenderCallbacks allowing you to programmatically send items to Burp Scanner with custom attack insertion points (in the same way as could already be done from the Intruder UI). The definition of this method is as follows:

    public IScanQueueItem doActiveScan(
    String host,
    int port,
    boolean useHttps,
    byte[] request,
    List<int[]> insertionPointOffsets) throws Exception;

    The insertionPointOffsets parameter is a list of index pairs representing the positions of the insertion points that should be scanned. Each item in the list must be an int[2] array containing the start and end offsets for the insertion point.

  • There is a new EULA, written by a proper lawyer.
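
The following is an added example, not part of the original release notes and not Burp's own code. It shows one way to build the insertionPointOffsets list that the doActiveScan method described above expects, by locating named parameter values in a raw request. The class and helper names are hypothetical, and it assumes that the end offset is exclusive and that any request body is URL-encoded form data.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added example: computes int[2] {start, end} pairs for doActiveScan().
// In an extension the result would be passed as:
//   callbacks.doActiveScan(host, port, useHttps, request, offsets);
public class InsertionPointOffsets {
    // One pair per value of a named parameter found in the query string or body.
    // ASSUMPTION: end is exclusive; the body is application/x-www-form-urlencoded.
    static List<int[]> offsetsFor(byte[] request, String... paramNames) {
        // ISO-8859-1 maps one byte to one char, so char indexes equal byte offsets.
        String raw = new String(request, StandardCharsets.ISO_8859_1);
        List<int[]> offsets = new ArrayList<>();
        int lineEnd = raw.indexOf("\r\n");
        if (lineEnd < 0) lineEnd = raw.length();
        int q = raw.indexOf('?');
        if (q >= 0 && q < lineEnd) {
            int end = raw.lastIndexOf(' ', lineEnd - 1); // space before "HTTP/1.1"
            scan(raw, q + 1, end > q ? end : lineEnd, paramNames, offsets);
        }
        int body = raw.indexOf("\r\n\r\n");
        if (body >= 0) scan(raw, body + 4, raw.length(), paramNames, offsets);
        return offsets;
    }

    // Walks name=value pairs separated by '&' inside raw[from, to).
    private static void scan(String raw, int from, int to, String[] names, List<int[]> out) {
        int pos = from;
        while (pos < to) {
            int amp = raw.indexOf('&', pos);
            if (amp < 0 || amp > to) amp = to;
            int eq = raw.indexOf('=', pos);
            if (eq >= 0 && eq < amp) {
                String name = raw.substring(pos, eq);
                for (String n : names)
                    if (n.equals(name)) out.add(new int[] { eq + 1, amp });
            }
            pos = amp + 1;
        }
    }

    public static void main(String[] args) {
        // Constructed sample request, for illustration only.
        byte[] req = ("POST /search?lang=en HTTP/1.1\r\nHost: example.test\r\n"
                + "Content-Type: application/x-www-form-urlencoded\r\n"
                + "Content-Length: 13\r\n\r\nq=burp&page=2").getBytes(StandardCharsets.ISO_8859_1);
        for (int[] p : offsetsFor(req, "lang", "q"))
            System.out.println(p[0] + "-" + p[1] + " = "
                    + new String(req, p[0], p[1] - p[0], StandardCharsets.ISO_8859_1));
    }
}
```

Running main prints each offset pair next to the bytes it covers, which is a quick way to confirm the pairs select exactly the parameter values before handing them to the scanner.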