Burp Suite release notes

Tuesday, September 17, 2013

v1.5.17

This release includes a number of enhancements and bugfixes:
  • There is a new "copy as curl command" function on context menus. This function constructs a curl command that generates the selected request, and copies the command to the clipboard.
  • The Extender tool has a new option to specify a folder from which Burp will load library JAR files for use by Java extensions.
  • The IBurpExtenderCallbacks interface has several new methods:
    • Methods to list and remove extension-provided resources such as event listeners, resource factories, etc.
    • Methods to print a line of output to the extension's stdout or stderr streams.
  • The numbers payload generator in Intruder has been enhanced to cope with numbers of arbitrary size and precision, and is no longer subject to the constraints of Java's native integer or floating point arithmetic. It is possible to configure and launch attacks that will result in arbitrarily many payloads. If the number of payloads exceeds 2^31 then Burp will report the number as "unknown" but the attack will still proceed in the expected way (even though actually completing the attack is not feasible).
  • There is a new hotkeyable action to forward the request currently showing in the Proxy intercept view and force interception of the response. This action is not assigned a hotkey by default.
  • The save and restore state functions can now include the configuration options for the Extender tool.
  • The extensibility API to retrieve the contents of the site map now auto-generates GET requests for items in the site map that have not yet been requested.
  • A bug in the session handling action to update the value of a named parameter, where multiple parameters with the same name were not updated, has been fixed.
  • A bug in Intruder that caused some valid custom iterator configurations to fail has been fixed.
  • A bug in the invocation of extension-provided custom Scanner checks, where an exception thrown by an extension could cause Burp's scanning thread to die, has been fixed.
  • A bug in the CSRF PoC generator where pure GET requests were not properly handled has been fixed. (Of course, a pure GET request is itself deliverable cross-domain using only its own URL, but Burp now gives the option of delivering the request via a form submission if required.)
MD5: 2b9a66b72e0162229103d4d57548384c
SHA256: 4a99433e77eb004f2b6a36d94256020ea379e4a65c38d3b866a3e17c46bc6d7b
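The "copy as curl command" function above has to turn a raw request into a shell command line, and the part that matters most is quoting: header values and bodies are attacker-influenced text, and a copied command that is later pasted into a terminal must not let them become shell syntax. The following is an added example, not PortSwigger's code, of how such a conversion can be done safely; it assumes a raw HTTP/1.x request as text, a caller-supplied scheme, and drops Content-Length because curl recomputes it.

```python
"""Build a curl command line from a raw HTTP request.

Added example (not Burp's own implementation). Assumptions: the request
is raw HTTP/1.x text with CRLF line endings, and the scheme is passed in
because a raw request does not carry it.
"""
import shlex

# Headers curl derives itself; copying them verbatim would conflict.
SKIP_HEADERS = {"content-length"}


def parse_request(raw):
    """Split a raw request into (method, path, headers, body)."""
    head, _sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, headers, body


def to_curl(raw, scheme="https"):
    """Return a curl command that replays the request.

    Every user-controlled piece (path, header values, body) goes through
    shlex.quote, so a value such as  test'; echo pwned #  stays an inert
    argument instead of becoming shell syntax when the command is pasted.
    """
    method, path, headers, body = parse_request(raw)
    host = next(v for n, v in headers if n.lower() == "host")
    parts = ["curl", "-i", "-X", method, shlex.quote(f"{scheme}://{host}{path}")]
    for name, value in headers:
        if name.lower() in SKIP_HEADERS:
            continue
        parts += ["-H", shlex.quote(f"{name}: {value}")]
    if body:
        parts += ["--data-binary", shlex.quote(body)]
    return " ".join(parts)


def argv(raw, scheme="https"):
    """Re-split the command the way a POSIX shell would, to check quoting."""
    return shlex.split(to_curl(raw, scheme))


# Constructed sample request; the User-Agent value deliberately contains
# shell metacharacters to show that quoting neutralises them.
SAMPLE = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 22\r\n"
    "User-Agent: test'; echo pwned #\r\n"
    "\r\n"
    "user=alice&pass=s3cret"
)

if __name__ == "__main__":
    print(to_curl(SAMPLE))
```

The `argv` helper is there so the quoting can be checked mechanically: if `shlex.split` hands back exactly the original header and body strings, nothing in them was interpreted as shell syntax.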

Thursday, September 5, 2013

v1.5.16

This release fixes two bugs that were introduced in the v1.5.15 release:
  • A bug that caused some request headers to be lost when certain edits were made to request parameters has been fixed.
  • A bug where in-browser error messages contained relative links to in-browser UI functionality, causing broken links where the error page is returned to a request for an external domain, has been fixed. 
MD5: d73b8f5a072bd671328f1acdb9c83727
SHA256: 237559ff92a75460763737f1d849d232a3412c83e43cd8aa80bb33ea2f8e2d29

Tuesday, September 3, 2013

v1.5.15

This release includes a large number of updates to the Proxy tool.

SSL Pass Through

You can now specify destination web servers for which Burp will directly pass through SSL connections. Passing through SSL can be useful in cases where it is not straightforward to eliminate SSL errors on the client - for example, in mobile applications that perform SSL certificate pinning. If the application accesses multiple domains, or uses a mix of HTTP and HTTPS connections, then passing through SSL connections to specific problematic hosts still enables you to work on other traffic using Burp in the normal way.

If the option to automatically add entries on client SSL negotiation failure is enabled, then Burp will detect when the client fails an SSL negotiation (for example, due to not recognizing Burp's CA certificate), and will automatically add the relevant server to the SSL pass through list.

Startup Interception State

There is a new option to configure whether proxy interception should be enabled when Burp is started up. You can choose to always enable interception, always disable interception, or to restore the setting from when Burp was last closed.

Highlighting Unhidden Fields

When Burp is configured to automatically unhide hidden fields in responses, there is a new sub-option to prominently highlight unhidden fields on-screen, for easy identification.

Fix Newlines In Edited Requests

There is a new option to automatically fix missing or superfluous new lines at the end of requests that have been edited in the intercept view. If an edited request does not contain a blank line following the headers, Burp will add this. If an edited request with a body containing URL-encoded parameters contains any newline characters at the end of the body, Burp will remove these.

This new option, which is off by default, can be useful to correct mistakes made while manually editing requests in the interception view, to avoid issuing invalid requests to the server.
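The two repairs described above are simple to state but easy to get wrong at the edges (a request with no blank line at all, a non-form body whose trailing newline is legitimate). The following added example, which is not Burp's own code, implements them on raw CRLF request text; the function name and the decision to leave Content-Length untouched are this example's own choices.

```python
"""Repair the end-of-headers boundary and body terminator of an edited request.

Added example, not PortSwigger's implementation. Assumes CRLF line endings.
"""


def fix_newlines(raw):
    """Return raw with the two repairs the option is described as making.

    Rule 1: if no blank line follows the headers, insert one so the server
            can find the end of the header block.
    Rule 2: if the body is URL-encoded form data and ends in newline
            characters (typically left behind by the editor), strip them;
            otherwise the CRLF would be sent as part of the last parameter
            value. Bodies of other types are left alone, since a trailing
            newline may be meaningful there.
    """
    if "\r\n\r\n" in raw:
        head, body = raw.split("\r\n\r\n", 1)
    else:
        # Rule 1: no boundary at all; drop any dangling line ends first.
        head, body = raw.rstrip("\r\n"), ""

    content_type = ""
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            content_type = value.strip().lower()

    if content_type.startswith("application/x-www-form-urlencoded"):
        body = body.rstrip("\r\n")  # Rule 2

    return head + "\r\n\r\n" + body


# Constructed samples of the three situations the rules must handle.
NO_BLANK_LINE = "GET / HTTP/1.1\r\nHost: example.com\r\n"
FORM_WITH_TRAILING_CRLF = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&pass=b\r\n\r\n"
)
JSON_WITH_TRAILING_LF = (
    "POST /api HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"a": 1}\n'
)

if __name__ == "__main__":
    for sample in (NO_BLANK_LINE, FORM_WITH_TRAILING_CRLF, JSON_WITH_TRAILING_LF):
        print(repr(fix_newlines(sample)))
```

Note that stripping the body changes its length, so any Content-Length header in the edited request has to be recomputed afterwards; this example leaves that to a separate step, and the function is idempotent, so running it twice is harmless.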

New Interception Rules

You can now configure interception rules for requests and responses based specifically on the names and values of cookies. You can configure rules for responses based on the MIME type and on whether the request was annotated (commented or highlighted) by the user.

New Match/Replace Rules

Various updates have been made to the match/replace functionality:
  • You can define rules based on parameter names and values.
  • You can configure a rule to operate only on the first line of requests, for making quick changes to the URL or request method.
  • You can optionally use literal or regular expressions in match rules.
  • You can add comments to rules to describe their purpose. This facilitates quick toggling of individual rules without needing to read them to understand what they are doing.
  • Various new default rules have been added for performing common tasks.
  • The documentation has been updated to describe how you can use regular expressions to match multi-line regions of message bodies, and how you can use regex groups in back-references and replacement strings.
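To make the rule types above concrete, here is an added example (not PortSwigger's code) of a small match/replace engine with the same shape: rules scoped to the first line, to headers or to the body, literal or regex matching, per-rule comments and an enabled flag, and regex groups carried into the replacement. The `Rule` class and its field names are this example's own. One caveat worth knowing when translating a rule to Burp itself: Burp is a Java application and uses Java regex syntax, where replacement groups are written `$1`, whereas Python's `re.sub` writes them `\1`.

```python
"""A toy match/replace engine modelled on the Proxy rule types.

Added example, not Burp's implementation. Messages are raw CRLF HTTP text;
the same function works for requests and responses.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    where: str             # "first_line", "header" or "body"
    match: str
    replace: str
    regex: bool = True     # False means literal matching
    comment: str = ""      # describes the purpose, so rules can be toggled without rereading them
    enabled: bool = True


def _sub(rule, text):
    if rule.regex:
        # DOTALL lets '.' cross line breaks, so a body rule can match a
        # region that spans several lines.
        return re.sub(rule.match, rule.replace, text, flags=re.DOTALL)
    return text.replace(rule.match, rule.replace)


def apply_rules(raw, rules):
    """Apply the enabled rules to a raw message and return the result."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    first, headers = lines[0], lines[1:]
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.where == "first_line":
            first = _sub(rule, first)
        elif rule.where == "header":
            headers = [_sub(rule, h) for h in headers]
            # A rule that replaces a header with "" removes it; drop the
            # empty line rather than emitting a premature end of headers.
            headers = [h for h in headers if h]
        elif rule.where == "body":
            body = _sub(rule, body)
    return "\r\n".join([first] + headers) + sep + body


# Constructed rule set; groups in the first rule are reused in the replacement.
RULES = [
    Rule("first_line", r"^(\w+) /v1/(.*)$", r"\1 /v2/\2", comment="Route requests to the v2 API"),
    Rule("header", r"^User-Agent: .*$", "User-Agent: Burp-Test/1.0", comment="Fixed UA for repeatable tests"),
    Rule("header", r"^If-None-Match: .*$", "", comment="Drop conditional header so the server returns a full body"),
    Rule("header", "X-Debug: 0", "X-Debug: 1", regex=False, enabled=False, comment="Literal rule, currently off"),
    Rule("body", r'"debug":\s*\{.*?\}', '"debug": {}', comment="Collapse the multi-line debug block"),
]

# Constructed sample request with a multi-line JSON body.
SAMPLE = (
    "POST /v1/users HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    'If-None-Match: "abc123"\r\n'
    "X-Debug: 0\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{\n  "user": "alice",\n  "debug": {\n    "trace": true,\n    "level": 3\n  }\n}'
)

if __name__ == "__main__":
    print(apply_rules(SAMPLE, RULES))
```

The body rule only matches across lines because of the DOTALL flag and the non-greedy `.*?`; with a greedy `.*` it would swallow everything up to the last closing brace, which is the usual mistake when writing multi-line rules.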

Editing Target Server in Intercept View

You can now manually edit the target server to which an intercepted request will be sent, by clicking on the server caption or the button next to it.

Updated In-Browser Burp UI

Burp's in-browser UI has been updated in various ways:
  • There are more readable and informative messages when a request causes a problem.
  • Invalid client requests are reproduced in full in the error message, to assist debugging.
  • The interface is now available both at http://burp (when you have configured your browser to use Burp as its proxy) and at the URL of your Burp listener (for example, http://127.0.0.1:8080, even if your browser is not configured to use Burp).

Support for Firefox Plug-n-hack Plugin

Burp now supports the new Firefox plug-n-hack plugin. This enables faster configuration of the browser to work with Burp, by automatically configuring the browser to use Burp as its proxy, and installing Burp's CA certificate in the browser. If you are using Firefox and have installed the plug-n-hack plugin, you can configure your browser to use Burp by visiting the URL of your Burp listener (by default, http://127.0.0.1:8080) and following the "Plug-n-hack" link.

Quick Navigation of History In Repeater

The back/forward buttons for navigating the Repeater history now have drop-down lists showing numbered nearby items in the history, to enable quick navigation to a required item.

MD5: 72fa775fff28cee8f53e30b853f7231e
SHA256: 0b0a56960278e48aa6cc336e2e34dc12d86926e6a8f60ba4403ae633af5fcde1

Copyright 2016 PortSwigger Ltd. All rights reserved.