Tuesday, March 26, 2013


This release adds support for PKCS#11 client SSL certificates contained in smart cards and other physical tokens. These can be configured at Options / SSL / Client SSL Certificates.

Key features include:
  • Ability to configure multiple PKCS#11 and PKCS#12 certificates for use with different hosts (or host wildcard masks) .
  • Auto-detection of installed PKCS#11 libraries (currently Windows only).
  • Auto-detection of card slot settings.
  • Support for OS X, Linux and 32-bit Windows (note that Oracle Java does not currently support PKCS#11 on 64-bit Windows).
  • Persistence of configuration across reloads of Burp.
Although we have tested the PKCS#11 support using numerous cards on various platforms, please do let us know if you have problems with particular devices.

This release also adds an option to encrypt passwords contained in Burp's configuration options when these are saved in persisted preferences or Burp state files. This option is available via the Burp menu / Remember settings / Passwords, and also within the save state wizard. If the option is selected, Burp will prompt you for a master password with which to encrypt individual passwords. The master password is not saved anywhere. When the settings are later restored, Burp will prompt you for the master password to decrypt the individual passwords. For those who are interested, this feature uses AES encryption with a 128-bit key generated from your password using PKCS#5v2.0.

MD5: b5a6b8c240ae4ee1c3c26273a95c4a8f
SHA256: 69d339db54e50d8732096305199d4e3f758b1e881269427deea1f65315471d34

Tuesday, March 12, 2013


This release includes various minor enhancements and bugfixes, including:
  • The Proxy has a new option to unpack compressed request bodies (previously only compressed responses were supported). This option is off by default as it may break some applications that require compressed requests.
  • Decompression of compressed content now works with .NET DeflateStream compression, and a bug affecting some other deflate implementations has been fixed.
  • The default Proxy match and replace rules include an available item to remove the Accept-Encoding header in requests, to deter servers from compressing response content.
  • The active scan queue is now much more responsive, in terms of providing real-time information about progress, and responding to cancel/pause actions.
  • A bug affecting NTLM negotiation with some servers has been fixed.
  • A bug which occasionally caused the Proxy history filter panel to become uneditable has been fixed.
  • A bug affecting the generation of per-host SSL certificates using a custom CA certificate that has been imported from another tool, has been fixed.
  • The function to save and restore state now provides verbose debug output on error, to facilitate debugging of problems.
  • A bug affecting the parsing of some ASP.NET ViewState structures has been resolved.
MD5: 235e5f4c79772184b9c17674e8fdbe22
SHA256: 5090c9a2d2feb4cb73f7c0377beb57dc909ee07363a415aba59d320c167c1904