Friday, August 21, 2015

1.6.25

This release adds a new scan check for external service interaction and out-of-band resource load via injected XML stylesheet tags. Burp now sends payloads like:

<?xml version='1.0'?><?xml-stylesheet type="text/xml" href="http://tqnm38srfkzw67vux9rred.burpcollaborator.net"?>

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.
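The server-side counterpart of this check, as an added example that is not Burp's own code: a pre-parse gate, using only the Python standard library's expat parser, that flags any xml-stylesheet processing instruction whose href is not a same-document fragment before the document reaches a stylesheet-aware processor. The sample documents and the `.invalid` hostname are constructed for the example.

```python
import re
from xml.parsers.expat import ExpatError, ParserCreate

# Constructed sample bodies (not real traffic): one carrying an injected
# xml-stylesheet PI with a remote href, one benign document.
INJECTED_XML = (
    "<?xml version='1.0'?>"
    '<?xml-stylesheet type="text/xml" href="http://probe.collab.invalid/x"?>'
    "<order><id>42</id></order>"
)
BENIGN_XML = "<?xml version='1.0'?><order><id>42</id></order>"
# Embedded stylesheet referenced by fragment: no resource fetch involved.
LOCAL_REF_XML = "<?xml version='1.0'?><?xml-stylesheet href=\"#s1\"?><a/>"

# xml-stylesheet pseudo-attributes look like name="value" or name='value'.
_PSEUDO_ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

def pi_pseudo_attrs(data):
    """Parse the pseudo-attribute list of a processing instruction."""
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _PSEUDO_ATTR.finditer(data)}

def external_stylesheet_refs(xml_text):
    """Return every xml-stylesheet href that is not a '#fragment' reference;
    absolute URLs, protocol-relative and relative paths can all trigger a fetch."""
    found = []

    def on_pi(target, data):
        if target.lower() != "xml-stylesheet":
            return
        href = pi_pseudo_attrs(data).get("href", "").strip()
        if not href.startswith("#"):
            found.append(href)

    parser = ParserCreate()
    parser.ProcessingInstructionHandler = on_pi
    try:
        parser.Parse(xml_text, True)
    except ExpatError:
        pass  # malformed input: keep whatever PIs were seen before the error
    return found

def safe_to_transform(xml_text):
    # Gate to apply before handing the document to an XSLT/stylesheet-aware processor.
    return not external_stylesheet_refs(xml_text)
```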

The release also fixes some issues:
  • A bug that caused the file path traversal scan check to produce false negatives in some edge cases has been fixed.
  • A bug that could cause the list of loaded extensions to become corrupted or deadlocked when restarting Burp with a large number of extensions configured has been fixed.
  • A bug that caused some items in the site map to be incorrectly placed after restoring state has been fixed.
  • A bug that caused changes made to the cookie jar configuration to be not applied until the next restart has been fixed.

Burp Suite Professional:
MD5: 9ce0a628ea620e5ce53edccbd081c227
SHA256: 4540b47156f2a2df3cb3193b3b8bbe0773442bfd7b71b8800ded369911f0e0a7

Burp Suite Free Edition:
MD5: 7d2b2060e3aa52568b7cd6b19efebcd0
SHA256: 2e88bbef868e3cb8d3bac9f62f7d91d3245162ecc92985305a2c72aeeb60b851

Wednesday, August 5, 2015

1.6.24

This release adds a new Scanner check for server-side template injection.

Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates leads to a vulnerability that is:
  • frequently critical, allowing full arbitrary code execution on the server; and
  • easily mistaken for cross-site scripting, which is usually a much less serious issue.

The vulnerability is generic in nature, potentially affecting any web application that uses a template engine in an unsafe way. This can arise both through developer error, and through the intentional exposure of templates in an attempt to offer rich functionality, as is commonly done by wikis, blogs, marketing applications, and content management systems. Many template engines offer a "sandboxed" mode for this purpose, but it is frequently possible to escape from this.

In the course of researching this vulnerability and developing the new Scanner check, we have identified numerous zero-day instances of the vulnerability in real-world, widely-used applications. The exact frequency of the vulnerability is unknown, but we have repeatedly stumbled upon it on penetration testing engagements and have easily located several targets for demonstration. Today, James Kettle from the Burp Suite team has presented the results of this research at the Black Hat security conference.

For full technical details of how this vulnerability can be found and exploited, see our server-side template injection blog post.

The release also adds two other new features:
  • A new Scanner check for server-side Expression Language injection. From the client-side perspective, server-side Expression Language injection can look similar to server-side template injection. Burp should correctly distinguish between these different vulnerabilities.
  • A new Intruder payload list for common server-side variables. This list was compiled through analysis of a large quantity of real-world application source code posted on GitHub. As described in the blog post, full exploitation of server-side template injection may involve using brute force to guess the names of variables in use within the template code. The new payload list is useful for this purpose, as well as various others.

MD5: 9a76845b7f399dfd60094cee800b0194
SHA256: 7f340e07fd0c136228176d42df05a469e29b10541c377cc01808a1a4904d2b2f