Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Tuesday, August 7, 2012

v1.4.12

This release resolves a problem with proxying SSL connections from Android clients. When Android proxies SSL, it resolves the destination hostname locally, and issues a CONNECT request containing the host's IP address. In earlier versions, Burp would then generate an SSL certificate with the IP address as its subject name, causing the Android client to show an SSL error, because the subject name on the certificate did not match the original hostname that Android had resolved.

Burp now behaves differently. If a CONNECT request is received containing an IP address, Burp connects to the destination server to obtain its SSL certificate. Burp then generates an SSL certificate with the same subject name (and alternative subject names, if defined) as the server's actual certificate. Assuming the server is returning a valid certificate for the hostname that Android is requesting, this should remove the SSL errors relating to the mismatched hostname.

(Note that it is still necessary to install Burp's CA certificate in the Android client, as for other SSL clients.)

A number of bugs are also fixed:
  • Some further causes of deadlock in the new UI.
  • A bug in the Scanner, where the "skip all tests" configuration was not properly applied to REST parameters.
  • An error saving and restoring state in headless mode, which was introduced in recent versions.
  • A bug in the macro item editor UI which prevented the list of items from scrolling properly.

Finally, the active scan wizard for consolidating multiple scanned items now contains an option to remove items with no parameters. (Note that this option should not necessarily be used automatically, because items with no parameters are normally fast to scan, and may still contain interesting bugs that can only be found via the active scanner.)

MD5: 1d9b6cbcbe046842b71393f1ca431cc8
SHA256: 17155923dac3748b05808d3b033f71761f0e00ba286c0edcda2e4f4af2478e7a