Wednesday, April 29, 2015

v1.6.01 Free Edition

This release backports to the Burp Suite Free Edition two security-related fixes that were applied in v1.6.17 Professional edition:
  • The Proxy now by default strips any Proxy-* headers received in client requests. Browsers sometimes send request headers containing information intended for the proxy server that is being used. Some attacks exist whereby a malicious web site may attempt to induce a browser to include sensitive data within these headers.
  • A bug in the following of cross-domain redirections, which caused Burp to include cookies from the original request in the redirected request, has been fixed. In some situations, the bug presents a security risk because sensitive data in cookies could be leaked to a different and potentially untrusted domain. 
As always, users are encouraged to update to the latest Burp release to resolve these issues.

Other than these bugfixes, this release is functionally identical to v1.6 Free Edition.

MD5: 6aa35f21ff8fc0094a7bb5b5f06e09ea
SHA256: a27ac369826a4d5923d8cec76b3f6609384ec48bb310cd9a60ed90845b1ce9ae

Wednesday, April 22, 2015

v1.6.17

This release contains a number of minor enhancements and bugfixes:
  • The Proxy now uses SHA256 to generate its CA and per-host certificates if this algorithm is available, otherwise it fails over to using SHA1. Updating to a SHA256-based CA certificate removes SSL warnings in some browsers.
  • There is a new button at Proxy / Options / Proxy Listeners to force Burp to regenerate its CA certificate. You will need to restart Burp for the change to take effect, and then install the new certificate in your browser. You can use this function to help switch to using a SHA256-based CA certificate.
  • A bug in the "Paste from file" function which caused Burp to sometimes retain a lock on the selected file has been fixed.
  • A bug in the Intruder "extract grep" function, which sometimes caused extracted HTML content to be rendered as HTML in the results table, has been fixed.
  • The Proxy now by default strips any Proxy-* headers received in client requests. Browsers sometimes send request headers containing information intended for the proxy server that is being used. Some attacks exist whereby a malicious web site may attempt to induce a browser to include sensitive data within these headers. There is a new option at Proxy / Options / Misc allowing you to configure Burp to leave these headers unmodified if desired.
  • A bug in the Collaborator server configuration settings, in which Burp would wrongly add the prefix "polling." to the configured location of a private polling server, has been fixed. The documentation on deploying a private Collaborator server has been updated to clarify the use of the "polling" subdomain in some Collaborator server configurations.
  • A bug which caused the use of the request throttle option in Sequencer live capture to delay the initial rendering of the live capture UI has been fixed.
  • A bug in the issue selection step of the Scanner reporting wizard, which caused all extension-generated issues to be shown using the name of the first extension-generated issue, has been fixed. Extension-generated issues are now always labelled as "Extension-generated" in this panel.
  • A bug in the following of cross-domain redirections, which caused Burp to include cookies from the original request in the redirected request, has been fixed. In some situations, the bug presents a security risk because sensitive data in cookies could be leaked to a different and potentially untrusted domain. As always, users are encouraged to update to the latest Burp release to resolve this issue.
  • The Spider now ignores Burp Collaborator URLs when attempting to extract links from within response text. Some applications contain functionality to store and retrieve textual inputs. When these applications are scanned using Burp, they are prone to store some or all of the payloads that Burp sends during scanning, and return these in later responses. It is preferable for Burp not to add any returned Collaborator URLs to the site map when spidering.
MD5: 497d1878450b5a8eb9e08a879d140718
SHA256: 02d3fd0bcab72f6ca016991c8b595d5b252ebe64f9972e6f79d24700a3c116fc
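
The two security fixes noted for v1.6.17 and v1.6.01 (stripping Proxy-* request headers, and not carrying cookies across a cross-domain redirect), sketched as an added Python example that is not Burp's own code. The function names, sample headers and hostnames are constructed for illustration, and "cross-domain" is assumed here to mean any change of hostname.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample of a client request as it arrives at an intercepting proxy.
SAMPLE_URL = "https://app.example.com/login"
SAMPLE_HEADERS = [
    ("Host", "app.example.com"),
    ("Proxy-Connection", "keep-alive"),
    ("Proxy-Authorization", "Basic Y29uc3RydWN0ZWQ6c2FtcGxl"),
    ("Cookie", "session=constructed-sample-value"),
    ("Accept", "*/*"),
]


def strip_proxy_headers(headers):
    """Drop every Proxy-* header so it is never forwarded to the origin server."""
    return [(n, v) for n, v in headers if not n.lower().startswith("proxy-")]


def hostname_of(url):
    """Lower-cased hostname of a URL, without port or userinfo."""
    return (urlsplit(url).hostname or "").lower()


def redirect_request(original_url, original_headers, location):
    """Build the follow-up request for a 3xx response.

    The Cookie header of the original request is carried over only when the
    redirect target has the same hostname (assumption: hostname equality is
    the cross-domain test; a real client may use a different rule).
    """
    target = urljoin(original_url, location)  # Location may be relative
    same_host = hostname_of(target) == hostname_of(original_url)
    headers = [("Host", urlsplit(target).netloc)]
    for name, value in original_headers:
        lname = name.lower()
        if lname == "host":
            continue  # already rebuilt for the target
        if lname == "cookie" and not same_host:
            continue  # do not leak cookies to another domain
        headers.append((name, value))
    return target, headers


if __name__ == "__main__":
    clean = strip_proxy_headers(SAMPLE_HEADERS)
    for loc in ("/home", "https://other.example.net/landing"):
        print(redirect_request(SAMPLE_URL, clean, loc))
```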

Friday, April 17, 2015

v1.6.16

This release fixes some issues with yesterday's beta release of the new Burp Collaborator feature, including a bug that may cause Burp to sometimes send some Collaborator-related test payloads even if the user has disabled use of the Collaborator feature.

This release is still officially beta while we monitor the Burp Collaborator capabilities for any further issues.

MD5: 57fb7cd772e492eff5210e23e0991921
SHA256: 4fc01e05c878c7f6709bbd5f9dacfeba2e5264d0b534123d52b1fbea2119cf2c

Thursday, April 16, 2015

v1.6.15

This release introduces a brand new feature: Burp Collaborator.

Burp Collaborator is an external service that Burp can use to help discover many kinds of vulnerabilities, and has the potential to revolutionize web security testing. In the coming months, we will be adding many exciting new capabilities to Burp, based on the Collaborator technology.

This release is officially beta due to the introduction of some new types of Scanner checks, and the reliance on a new service infrastructure. However, we have tested the new capabilities thoroughly and are not aware of any stability issues.

MD5: 25902d79a417ead2c18214501fcac189
SHA256: 8dd6738ef30a9500636cda06ce0454ae8c2c8ad5251b9cdd5bfbd6f5099b99b3

Wednesday, April 1, 2015

v1.6.14

This release fixes a bug introduced in yesterday's release, v1.6.13, which prevented some state files from restoring.

MD5: 036055e4fa0e914b3e346b8661589603
SHA256: b6b6710de27df3124bb2c24d778cdfb9da74eff2bd913be733df977b4f03c0d4