Tuesday, June 25, 2013


This release includes fixes for the following issues:
  • A bug where repeating an Intruder attack using null payloads may generate no attack requests.
  • A bug where the default save location for automatic updates to Burp may contain URL-encoded characters, resulting in an invalid file path.
  • An issue where the CSRF PoC generator output using the cross-domain XHR technique fails to work on current versions of the Chrome browser.
  • Burp's behavior in quitting immediately without warning on OS X when Command+Q is pressed.
  • Poor performance saving and restoring state in v1.5.12.
MD5: 52900384fffe42121a4977c1b8ae2b90
SHA256: d89381858cec5c450c4b490e66511b47f884f0bac7c8ded2ca4a860c4673dc2e

Wednesday, June 12, 2013


This release contains various enhancements and bugfixes:
  • There is a new payload type in Intruder, which copies the value of the current payload at another payload position. You can also define processing rules to systematically derive one payload from another, rather than copying its literal value. This function is useful in cases where you need to submit the same payload in two locations, or where one parameter is derived from (e.g. a hash of) the parameter that you need to test.
  • You can define Proxy interception rules based on the listener port number, so you can e.g. prevent interception of all messages on a specific listener.
  • The IResponseInfo interface has two new methods: getStatedMimeType() and getInferredMimeType().
  • The memory overhead of saving and restoring state, and performing search operations, is reduced.
  • The Scanner no longer prompts the user for confirmation when an extension programmatically initiates a scan of an out-of-scope item.
  • The problem with superfluous whitespace characters appearing when text is copied from the Scanner advisory panel into another application has been resolved.
  • The CSRF PoC generator now properly escapes tag brackets when using the XHR method, to prevent any closing script tags that are required within the generated request message from breaking the PoC script.
  • Parameter matching between macro items now tolerates URL-encoding of parameter names when performing matching.
  • A bug where certain nonprinting characters were corrupted when loading Intruder payloads from a file has been resolved.
MD5: 2f0d5560ba63c02748b6cad2542a12e7
SHA256: 266c0c5eb5837f8fac32ce5343278a181f191e72b36c619d557ed351c7d5aad9