This release fixes a problem affecting some users of 32-bit systems with the new handling of temporary files that was introduced in v1.6.08.
When the temporary file store grows sufficiently large, some users of 32-bit systems have experienced out-of-memory errors with v1.6.08 of Burp. The new release reverts to the old handling of temporary files for users of 32-bit systems.
In the near future, we are planning to release some powerful new features in Burp which will only be properly supported on 64-bit systems. We recommend that any Burp users who are still using 32-bit editions of their operating system or Java should upgrade to 64-bit editions.
Tuesday, November 18, 2014
This release contains various new features and enhancements:
- The Scanner has been updated with the ability to detect cross-site request forgery (CSRF) vulnerabilities. We have held off reporting CSRF for a long time, because in our experience many scanners that attempt to automate this end up generating more heat than light. If a scanner generates too many false positives, then users lose faith in its output and start to ignore all of the issues it reports of that type. Because of this, we've worked hard to make our CSRF detection actually provide value to Burp users. We have deliberately erred on the side of reducing the number of false positives. The CSRF issues that Burp does report should all be worthy of manual investigation to determine whether the affected application functionality should be protected against CSRF attacks. We welcome real-world feedback about the performance of the new check, and we will aim to refine this further in future.
- The Scanner logic for the detection of XSS and SQL injection vulnerabilities has been further enhanced.
- Burp's use of temporary files has been updated to use a small number of large temporary files, rather than an individual file for each saved HTTP request and response. This change should resolve problems that some users have experienced with the operating system running out of open file handles, or even running out of file nodes within the temporary directory.
- In the previous release, the Extender tool was modified so that its own configuration was not modified when an extension initiated a restore of a Burp state file. In this release, the same change has been made for the case where an extension initiates an update to Burp's configuration.
- The maximum number of threads that can be configured for the Spider tool, and for an Intruder attack, has been increased to 999.
- A hotkeyable action has been added to start the current Intruder attack. By default, no hotkey is assigned to this action, but one can be configured at Options / Misc / Hotkeys / Edit hotkeys.
Monday, November 3, 2014
This release contains various enhancements to the Scanner engine logic, to improve both the reliability of issue reporting, and the quality of proof-of-concept exploits. Improvements have been made to the following checks:
- OS command injection
- SQL injection
- HTTP response header injection
- File path traversal
- Reflected cross-site scripting
- Various DOM-based issues
- Open redirection
Several other improvements have also been made, including:
- The maximum number of active scan threads has been increased to 999.
- A workaround has been applied to override a recent change in Java platform behavior which affected SSL negotiation with some servers.
- A problem in which extension-initiated restoration of state could cause the configuration of the Extender tool to be reloaded, thereby interfering with the extension's own execution, has been resolved.
- A "Start attack" button has been added to each configuration panel in the Intruder tool.
- A bug in which multibyte characters were copied from the HTTP message viewer to the clipboard as raw bytes has been resolved.