Burp Suite, the leading toolkit for web application security testing

Burp Suite release notes

Tuesday, October 20, 2015


This release fixes a bug that was introduced in 1.6.29 in the handling of cookies in session handling rules. When a session handling rule attempts to update the values of multiple cookies within a single request, the bug caused this operation to fail in some situations, with the result that the request might be made out of session.

Burp Suite Professional:
MD5: e7e8cb9012cd2c81faf39ac877fb18e6
SHA256: 99baa396c9f7065791f1dc024919e25a63d7a9422ef502470620c41f859f9803

Burp Suite Free Edition:
MD5: e4a752d67ac23d0e1c103b694b42cb0b
SHA256: b048e08264de811a75e180aedf1fbf92bec9c3f8bc0016017e67a0a529b92768

Monday, October 19, 2015


This release updates Burp to include a security fix in the BlazeDS library that Burp uses for parsing AMF messages, and disables AMF support by default:
  • AMF messages can contain embedded XML content, and this is processed by the BlazeDS library when it parses AMF messages. BlazeDS has been found to contain an XXE vulnerability in its processing of XML embedded within AMF messages. In the context of Burp, the potential impact of the vulnerability is that a malicious target application could read the contents of files from the Burp user's computer, provided it knows the names of those files. A malicious application could perform this attack if it generates a suitable AMF message and the user browses via Burp to a response containing the AMF message. The latest version of BlazeDS contains a fix for the XXE vulnerability, and Burp has been updated to use the new version of the library. Thanks are due to David Klein from Context Information Security for drawing our attention to this issue.
  • It is well known that XML parsing is fraught with problems, as is demonstrated by Burp Scanner's XML checks. To reduce the impact of any further issues within BlazeDS, Burp has been updated so that by default it disables the AMF tab within the HTTP message editor, and disables AMF insertion points in the Scanner. Users can turn on these options if they are testing a trusted application that uses AMF messages. It is recommended that users do not enable AMF processing when accessing any untrusted application functionality or content.
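One common defence against this class of bug is to refuse any DTD in XML that arrives from an untrusted peer. The sketch below is an added example, not code from Burp or BlazeDS; it assumes the XML has already been extracted from the AMF message, and `screen_embedded_xml` and both sample documents are constructed for illustration.

```python
import xml.parsers.expat
from typing import List, Tuple


class ForbiddenXML(ValueError):
    """Raised when untrusted XML uses a DTD feature we refuse to process."""


def _reject(kind: str):
    # Build an expat handler that aborts parsing as soon as it fires.
    def handler(*_args):
        raise ForbiddenXML(kind)
    return handler


def screen_embedded_xml(data: bytes) -> Tuple[str, object]:
    """Parse untrusted XML; return ("ok", element_names) or a rejection."""
    names: List[str] = []
    parser = xml.parsers.expat.ParserCreate()
    # A DOCTYPE is the prerequisite for declaring entities, so stop there.
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    # Defence in depth: also refuse entity declarations and external refs.
    parser.EntityDeclHandler = _reject("entity declaration")
    parser.ExternalEntityRefHandler = _reject("external entity reference")
    parser.StartElementHandler = lambda name, _attrs: names.append(name)
    try:
        parser.Parse(data, True)
    except ForbiddenXML as exc:
        return ("rejected", str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return ("malformed", str(exc))
    return ("ok", names)


# Constructed sample documents (not taken from any real AMF traffic).
BENIGN = b"<message><body>hello</body></message>"
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE m [<!ENTITY f SYSTEM "file:///CONSTRUCTED-PLACEHOLDER">]>'
            b"<m>&f;</m>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("with DTD", WITH_DTD)):
        print(label, "->", screen_embedded_xml(doc))
```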
Burp's cookie jar has been updated to support the cookie path attribute. The cookie jar is now able to track multiple cookies from the same domain with the same name, but which are scoped to different application paths. Burp's session handling rules now correctly update cookies in requests based on the path attribute.
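A path-aware cookie jar of the kind described above can be sketched as follows. This is an added example, not Burp's implementation: `CookieJar`, `path_match` and the sample values are hypothetical, the path rule is RFC 6265 section 5.1.4, and domains are compared by exact match only.

```python
from typing import Dict, Optional, Tuple


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4: is cookie_path in scope for request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/admin" covers "/admin/x" but must not cover "/administrator".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Stores cookies keyed by (domain, path, name), so same-named cookies
    scoped to different application paths are tracked separately."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str, str], str] = {}

    def set(self, domain: str, path: str, name: str, value: str) -> None:
        self._store[(domain.lower(), path, name)] = value

    def lookup(self, domain: str, request_path: str, name: str) -> Optional[str]:
        """Value of the most specific (longest-path) cookie in scope."""
        best: Optional[Tuple[str, str]] = None
        for (d, p, n), v in self._store.items():
            if d == domain.lower() and n == name and path_match(request_path, p):
                if best is None or len(p) > len(best[0]):
                    best = (p, v)
        return best[1] if best else None

    def update_cookie_header(self, domain: str, request_path: str, header: str) -> str:
        """Refresh every cookie in a Cookie header value from the jar,
        leaving cookies the jar does not know about untouched."""
        out = []
        for pair in filter(None, (p.strip() for p in header.split(";"))):
            name, _, value = pair.partition("=")
            fresh = self.lookup(domain, request_path, name)
            out.append(f"{name}={value if fresh is None else fresh}")
        return "; ".join(out)


def build_sample_jar() -> CookieJar:
    # Constructed sample data: two "session" cookies scoped to different paths.
    jar = CookieJar()
    jar.set("shop.example", "/", "session", "root-1")
    jar.set("shop.example", "/admin", "session", "admin-9")
    jar.set("shop.example", "/", "csrf", "tok-2")
    return jar
```

A jar keyed by domain and name alone would hold only one `session` value, so a request to `/cart` or to `/admin/users` would be sent with the wrong one and could be made out of session.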

The functions to save and restore state now include options for handling the unique identifier that Burp uses to track interactions with Burp Collaborator. Each Burp project/session generates a unique identifier that is used to track any Burp Collaborator interactions that are associated with the project. If two users share a state file, and each continues testing from that point, there is the potential for interference in Collaborator interactions, causing some Collaborator-based issues to be missed or incorrectly reported. When saving state, you can now choose whether to include the identifier within the state file, so that you or someone else can resume the testing later. When loading a state file that was saved using a different installation of Burp and which contains a Collaborator identifier, you can now choose whether to take full ownership of the project and receive details of any ongoing Collaborator interactions that are associated with the project. 

(Note that each fresh Burp project/session generates a new random Collaborator identifier, so there is no risk of permanent cross-talk between different Burp instances, regardless of the options chosen when sharing a specific state file.)

A bug affecting the importing of some custom CA certificates in PKCS#12 format has been fixed.

Burp Suite Professional:
MD5: bec6d3149193488adac77e2c45d4eafa
SHA256: d8706d3777ab710c6d7e069e9e6c953b515d0e4233ec4c531a310b89f62ae489

Burp Suite Free Edition:
MD5: c940c22451c53c5f7fda8cba2b151b2a
SHA256: 722b831cf899f23573e80f7ba856d1b9316de090be13e73ef0d026b877957687

Tuesday, October 6, 2015


This release adds the ability to annotate the active scan queue with comments and highlights, as is already possible in the Proxy history and Target site map.

Recently, we removed the ability to delete items from the active scan queue. This was done in preparation for some planned new capabilities that will enable the Scanner to retrospectively report issues for scan queue items that have finished scanning. For this capability to work, we needed to retain the full scan queue history. Some users have complained that they were using the deletion of items as part of their testing workflow. To address this issue, we have added the ability to apply comments and highlights to scan queue items. This provides an improved alternative to the previous workflow that these users were following.

A number of other changes have been made:
  • The performance of the Target site map when selecting tree branches containing very large numbers of scan issues has been dramatically improved.
  • The process of configuring Burp to use a PKCS#11 certificate has been improved. You can now manually select the required card slot during installation, swap cards at runtime, and reload configuration from state files more easily.
  • There is a new Scanner option to create an insertion point for the entire request body, for relevant content types. This currently applies to requests with XML or JSON content in the request body. This insertion point is enabled by default, and should allow detection of some additional edge-case vulnerabilities (e.g. server-side JavaScript injection where an entire request body containing JSON is passed to the JavaScript eval function).
  • The Scanner insertion point type that was previously called "REST-style URL parameters" has been replaced with two insertion point types, covering URL path folders and the final URL filename. The filename insertion point is enabled by default, while folder insertion points are still disabled. This change should improve Burp's detection of some issues in its default configuration, such as XSS through reflection of the full URL path excluding the query string.
  • A bug that caused occasional corruption of saved state files and prevented them from correctly reloading has been fixed.
  • Scanner issues that are reported by Burp extensions are now identified as such within the UI and scan reports. This was primarily done to reduce the number of support tickets relating to defects in the wording of extension-generated issues.
  • The temporary directories created by Burp should now not be world-readable on any platform, to prevent direct access to Burp's temporary files from other users on a multi-user machine. Note that by default such users can in any case access a large quantity of sensitive data, and interfere with Burp's operation, via the default Proxy listener. Users are encouraged not to use Burp on a machine that is shared with untrusted users.

Burp Suite Professional:
MD5: 2e9dbfa9b582cab1684ae2750eb95c8e
SHA256: 2ce0e85e30a39c9d3e1a1dac363dd57af69f50a4d8c81c9dc870b7852c32edaa

Burp Suite Free Edition:
MD5: 058b1ce8993318498f8e25ee6d09853c
SHA256: a3cedb8a2223287328273d7a2b928adde69e33f08ade6934b0a968bfb05bfd8e


Copyright 2016 PortSwigger Ltd. All rights reserved.