Tuesday, March 31, 2015

v1.6.13

This release contains various bugfixes and minor enhancements:
  • The previous release introduced some bugs into the Target site map, causing scope-based view filters to be sometimes misapplied, and orphaned tree nodes to occasionally appear. These have now been fixed. In recent months, we have been extensively reworking the site map to support a number of planned new features, and we apologize that these bugs slipped through into the public release. We welcome further feedback about any site map problems and will aim to resolve these quickly.
  • Some Scanner issues that are reported on a per-host basis (for example, Flash cross-domain policy) were previously reported on the root host node of the Scanner results tree. These are now correctly reported at the node for a specific URL where applicable (e.g. /crossdomain.xml).
  • Relatedly, where a Scanner issue is created at a URL file node that does not exist in the Target site map, the corresponding item is added to the site map, including the actual request and response for that item. This change is useful in its own right, because the site map now contains more content that Burp has obtained from the target. It also paves the way for a planned enhancement to the site map, in which it will become a unified dashboard of both discovered content and Scanner issues. In the meantime, one behavioral quirk which arises is that if you restore a state file and select only to import Scanner issues, some new content corresponding to these issues may also be added to the site map. We believe that this interim behavioral change is relatively harmless, and will become fully desired behavior once the transition to the new site map is completed.
  • Some users have reported problems with certain extensions that cause a deadlock in the Burp UI when they are reloaded on startup. Burp now tries to detect this situation, and on the subsequent startup will skip the automatic reload of extensions. (Note that a further, existing, workaround for this problem is to add "usedefaults" to the Burp command line, to prevent reloading of any saved settings.)
  • When Burp fails to delete its temporary files on shutdown, because the OS does not release locks on those files, Burp now remembers the affected items and automatically deletes them on the subsequent startup, without the need to prompt the user. The old prompt will still be shown if unexpected temporary files are detected on startup.
  • A bug which prevented column resizing in the Intruder results table has been fixed.
  • A bug which made certain configured options cause problems when saving state files has been fixed.
  • A bug where multiple Proxy history views shared the same underlying view filter, preventing the use of different filters on each view, has been fixed.
MD5: db3d21cec7a77a2edfc1ec3428f24184
SHA256: 98eca2744f14152e542d12b52bf7ca3d537846995c376b5580d30b716a897cea

Thursday, March 12, 2015

v1.6.12

This release contains various bugfixes and minor enhancements:
  • In the site map table, the "Method" column previously always showed GET for requests without a body, and POST for requests with a body, even if the actual method was different, such as HEAD or PUT. This bug has now been fixed and the table shows the correct method.
  • A bug which prevented client SSL certificates from being used when an upstream proxy is configured has been fixed.
  • A bug which caused Decoder to fail to decode hex number HTML entities containing an upper-case X has been fixed.
  • A bug in which the Intruder payload options UI sometimes failed to repaint properly when switching between payload sets has been fixed.
  • The function to Ctrl+click on a column header in the Intruder attack results to copy the contents of the column previously had two problems. Firstly, as well as copying the contents, the default action of sorting by the selected column was also being carried out. Secondly, the column contents were being copied in the ordering of the underlying data model, not the ordering of the currently sorted view. Both these issues have been fixed.
  • A bug which prevented the sending of items to Intruder from the active scan queue table has been fixed.
  • The Scanner HTML report now includes the Burp version in the report footer.
  • Burp now attempts to explicitly prevent SSL session reuse, as this can cause connection failures with some misconfigured or buggy target servers.
  • The Intruder results table now truncates long payloads to 200 characters, rather than the previous 50.
MD5: 608154180c140c0e4c5e2c59369b40b4
SHA256: 1f365b6387fba075153869c680920d95f1ee281b8da3e166d85fd694c5b8aa04
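
The Decoder fix in v1.6.12 concerns hex numeric HTML entities written with an upper-case X (for example `&#X41;`), which HTML treats the same as the lower-case form. The following is an added example, not Burp's code: a small numeric-reference decoder shown next to a constructed variant that only recognizes lower-case `x`, with a helper that lists the references a given decoder leaves behind. All names and the sample string are assumptions made for illustration.

```python
import html
import re

# "&#" + decimal digits, or "&#x" / "&#X" + hex digits, terminated by ";".
NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9A-Fa-f]+)|([0-9]+));")
# Constructed "before" pattern: treats only lower-case x as the hex marker.
LOWER_X_ONLY = re.compile(r"&#(?:x([0-9A-Fa-f]+)|([0-9]+));")

# Constructed sample mixing lower-case hex, upper-case hex and decimal forms.
SAMPLE = "&#x3c;b&#X3E; &#60;i&#62; &#X41;&#x42;&#67;"


def _to_char(match):
    hex_digits, dec_digits = match.groups()
    code_point = int(hex_digits, 16) if hex_digits else int(dec_digits)
    # References that name no usable character (NUL, surrogates, values past
    # U+10FFFF) are left as written rather than replaced with a guess.
    if code_point == 0 or 0xD800 <= code_point <= 0xDFFF or code_point > 0x10FFFF:
        return match.group(0)
    return chr(code_point)


def decode_numeric_refs(text, pattern=NUMERIC_REF):
    """Decode the numeric character references matched by `pattern`."""
    return pattern.sub(_to_char, text)


def undecoded_refs(text, pattern):
    """List well-formed numeric references that remain after decoding with `pattern`."""
    leftover = decode_numeric_refs(text, pattern)
    return [m.group(0) for m in NUMERIC_REF.finditer(leftover)]


if __name__ == "__main__":
    print(decode_numeric_refs(SAMPLE))
    print(decode_numeric_refs(SAMPLE, LOWER_X_ONLY))
    print(undecoded_refs(SAMPLE, LOWER_X_ONLY))
    # Cross-check the full decoder against the standard library.
    print(decode_numeric_refs(SAMPLE) == html.unescape(SAMPLE))
```

Running `undecoded_refs` over a corpus of encoded test strings is a quick regression check for any decoding or normalization step that is expected to handle both hex forms.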