Wednesday, December 21, 2016


This release includes the most frequently requested feature of all time: custom wordlists in the Content Discovery feature.

It also massively improves the accuracy of detection of valid vs. not-found responses in the Content Discovery engine. We believe that this is now approaching 100% accuracy in terms of both false positives and false negatives. If anyone encounters a site where the Content Discovery function is not completely accurate, please let us know the details and we will investigate.

A number of other enhancements and fixes have been made:
  • Further to the security issues that were fixed in 1.7.14, some additional hardening of in-browser actions and the CSRF PoC generator has been performed, to prevent some conceivable attacks that would require a malicious site to socially engineer an excessive number of user actions.
  • A bug that caused the Burp Comparer progress bar to intermittently hang has been fixed.
  • The SMTP service of the Burp Collaborator server has been modified to reject emails without a valid interaction ID. This effectively prevents the Collaborator from wrongly appearing to be an open mail relay, which caused naive security scans to report a failure.
  • A bug that was introduced in 1.7.14, which prevented Repeater requests from being issued when a tab other than the "Raw" tab was selected, has been fixed.

Tuesday, December 13, 2016


This release fixes the following security issues that were identified through our bug bounty program. Note that all of these issues involve the Burp user actively testing a malicious website that has been designed specifically to attack Burp Suite.
  • If a user visits a malicious website in their browser, and in Burp selects a crafted request that was generated by that website, and uses either the "Request in browser" function or the "Generate CSRF PoC" and "Test in browser" function, then the malicious website can perform cross-site scripting (XSS) against an arbitrary website.
  • If a user scans a malicious website and another website within the same Burp project, and exports all of the scan results as a single HTML report, and views that report in a browser, then the malicious website can capture the scan results for the other site.
  • If a user scans a malicious website and another website within the same Burp project, then the malicious website might be able to capture the raw data of any Burp Collaborator interactions that were performed by the other website.
We are pleased that our bug bounty program has alerted us to these issues within Burp. As well as fixing known issues at source, we have taken a defense-in-depth approach to hardening Burp in response to them, including:
  • Some functions within Burp's in-browser interface that increased its attack surface have been removed altogether, including the Proxy history, the buttons to repeat requests and view responses, and support for the plug-n-hack Firefox extension.
  • Scan issue descriptions, including those generated by Burp extensions, are now subject to an HTML whitelist that allows only formatting tags and simple hyperlinks.
  • HTML scan reports now include a Content Security Policy directive that prevents execution of scripts in modern browsers.
Note: The security issues identified have all been fixed within Burp Suite. As a defense-in-depth measure, Burp Collaborator has also been hardened. Users who have deployed a private Burp Collaborator server are recommended to update to the current version promptly.

Thanks are due to @_Abr1k0s_ for reporting the aforementioned issues.

A number of other enhancements were made, including:
  • A number of improvements to existing Scanner checks to improve accuracy.
  • When a request is sent to Repeater but never issued, the request is now stored in the Burp project file, so the initial unrequested item will reappear when the project is reopened.
  • The Proxy listener now accepts SSL negotiations from browsers that are hardened to support only selected protocols and ciphers.

Tuesday, November 29, 2016


This release adds various enhancements and bugfixes.

Burp Infiltrator has been enhanced with a large number of new API sink definitions, for both the Java and .NET platforms. This dramatically increases Infiltrator's coverage of existing vulnerability classes, such as OS command injection and file path traversal.

You can export the updated Infiltrator installers from the "Burp" menu in Burp Suite Professional. If you have already installed an earlier version of Infiltrator in an application, you can just run the new installer to update the instrumentation with the new API sink definitions.

The BurpInfiltrator.dll .NET assembly is now signed, and all instrumented assemblies refer to it by its strong name. This change addresses some issues that can arise with the use of signed assemblies.

The manual Burp Collaborator client has been enhanced to give full details of Infiltrator interactions. This can greatly assist manual testing and exploitation of vulnerabilities, for example by showing the full SQL query that is executed when some particular input is submitted. Also, the Collaborator client UI now shows the Collaborator payload in the table of interactions, and supports user comments and highlights.

The IBurpCollaboratorClientContext API now supports separate retrieval of regular Collaborator interactions and Infiltrator-driven interactions.

The following bugs have been fixed:
  • A bug in the "copy as curl command" function that could enable a malicious website to generate an HTTP request which, if the Burp user copies it with the "copy as curl command" function and executes the output in a shell, causes arbitrary commands to be executed. There is no exposure to users who do not use the "copy as curl command" function, but it is recommended that all users upgrade to the latest version. This issue was discovered through an internal security review, rather than a user report.
  • A bug in the Burp Collaborator health check which caused SMTP/S connections made by the health check not to honor the configured SOCKS proxy settings.
  • A bug which caused Proxy match/replace rules to display as type "regex" even if they are not.
  • A bug where use of a partial/incomplete configuration file at project startup caused any undefined configuration options to have blank values. Now, any undefined options are assigned their default values.
  • A bug which caused Burp to leave temporary files on disk if the user cancels out of the project startup wizard.
  • A bug which caused items in the active scan queue in the "waiting to cancel" state to display in that state indefinitely if the project is closed and reopened.

Friday, November 18, 2016


This release updates the Burp Collaborator server to capture SMTP interactions, and adds two new related checks to Burp Scanner.

There is a new scan check for SMTP external service interaction. This reports an informational issue that identifies application functions that can be used to generate an email to an arbitrary address. This will typically (though not always) be intended application behavior, but it represents interesting attack surface for manual review.

There is a new scan check for SMTP header injection. This reports cases where it is possible to inject email headers, with the result that an email generated by the application is copied to an arbitrary email address.

For all SMTP-related issues, Burp Collaborator captures the full SMTP conversation that took place, and this is reported within the scan issue. This provides evidence for the issue itself, and may also contain interesting information about the technologies and infrastructure being used.

Note that users who have deployed a private Burp Collaborator server will need to upgrade their deployment to use the latest version, to gain the benefit of the new SMTP capabilities.

Friday, November 11, 2016


This release adds support for the .NET platform in the Burp Infiltrator tool.

To use Burp Infiltrator on .NET applications, go to Burp menu / Burp Infiltrator, and select the .NET option in the export wizard. For more details, see the Burp Infiltrator documentation.

The new .NET version of Burp Infiltrator works in the same way as the existing Java version. It supports applications written in C#, VB and any other .NET language, and it supports versions 2.0 and later of the .NET framework.

To patch .NET applications, Burp Infiltrator makes use of bytecode assembly and disassembly tools. These can be either: (a) the ilasm and ildasm tools that are distributed with the .NET framework and the Windows SDK tools, respectively; or (b) the ilasm and monodis tools that are distributed with mono. You must specify the location of the assembly and disassembly tools during the patching process. Note that the version of the assembly tool must match the version of the .NET framework that the bytecode is targeting, to ensure compatibility.

Wednesday, November 2, 2016


This release adds some new APIs that extensions can use to easily implement powerful scan checks and other logic that involves response diffing.

Two new APIs have been added to IExtensionHelpers. The method:

IResponseVariations analyzeResponseVariations(byte[]... responses)

analyzes a collection of responses to identify variations in a range of attributes. The IResponseVariations object that is returned can be queried to determine the invariant or variant attributes, and the "value" of each attribute for each response:

List<String> getVariantAttributes();
List<String> getInvariantAttributes();
int getAttributeValue(String attributeName, int responseIndex);

The attributes that are currently supported are as follows:


Note that all values are represented as integer numbers, and the values of some attributes are intrinsically meaningful (e.g. word count) while the values of others are less so (e.g. checksum of HTML tag names).

The method:

IResponseKeywords analyzeResponseKeywords(List<String> keywords, byte[]... responses)

analyzes a collection of responses to identify the number of occurrences of the specified keywords. The IResponseKeywords object that is returned can be queried to determine the keywords whose counts vary or do not vary, and the number of occurrences of each keyword for each response:

List<String> getVariantKeywords();
List<String> getInvariantKeywords();
int getKeywordCount(String keyword, int responseIndex);

The new APIs allow your extensions to let Burp handle the messy work of analyzing responses to determine if they are the same or different, and you can easily create powerful scan checks with some simple logic:
  1. Send novel payload.
  2. Ask Burp whether the response changed in some interesting respect.
  3. If so, report an issue.
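As an added example (not PortSwigger's code, and not the BApp Store extension mentioned below), here is a minimal active scan check that follows the three-step recipe above using the new analyzeResponseVariations API. The probe suffix, the issue name and the class name are placeholders chosen for illustration; everything else is the public Burp Extender API.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.List;

// Added example, not PortSwigger's code: a minimal active scan check built on
// IExtensionHelpers.analyzeResponseVariations. PROBE_SUFFIX and the issue wording
// are placeholders; the interfaces and calls are the public Burp Extender API.
public class BurpExtender implements IBurpExtender, IScannerCheck {
    private static final String PROBE_SUFFIX = "\\"; // placeholder probe: one trailing backslash
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Response variation demo");
        callbacks.registerScannerCheck(this);
    }

    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
        return null; // active-only check
    }

    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse base, IScannerInsertionPoint insertionPoint) {
        String original = insertionPoint.getBaseValue();

        // Two responses for the unmodified value reveal which attributes are noisy
        // (timestamps, nonces, rotating content). Only attributes that stay invariant
        // between these two baselines are trusted as evidence later.
        byte[] baseline1 = send(base, insertionPoint, original).getResponse();
        byte[] baseline2 = send(base, insertionPoint, original).getResponse();
        if (baseline1 == null || baseline2 == null) return null;
        List<String> stable = helpers.analyzeResponseVariations(baseline1, baseline2).getInvariantAttributes();
        if (stable.isEmpty()) return null; // nothing is stable, so no conclusion is possible

        // 1. Send the novel payload.
        IHttpRequestResponse probeRR = send(base, insertionPoint, original + PROBE_SUFFIX);
        byte[] probed = probeRR.getResponse();
        if (probed == null) return null;

        // 2. Ask Burp what changed, ignoring attributes that were already noisy.
        IResponseVariations diff = helpers.analyzeResponseVariations(baseline1, probed);
        List<String> changed = new ArrayList<>(diff.getVariantAttributes());
        changed.retainAll(stable);
        if (changed.isEmpty()) return null;

        // 3. Report, listing each changed attribute with its value before (index 0) and after (index 1).
        StringBuilder detail = new StringBuilder("Appending the probe suffix changed: ");
        for (String attr : changed) {
            detail.append(attr).append(" (").append(diff.getAttributeValue(attr, 0))
                  .append(" -> ").append(diff.getAttributeValue(attr, 1)).append(") ");
        }
        List<IScanIssue> issues = new ArrayList<>();
        issues.add(new VariationIssue(helpers.analyzeRequest(base).getUrl(), base.getHttpService(),
                new IHttpRequestResponse[] { base, probeRR }, detail.toString()));
        return issues;
    }

    @Override
    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
        return existingIssue.getIssueDetail().equals(newIssue.getIssueDetail()) ? -1 : 0;
    }

    // Builds a request with the given value at the insertion point and issues it.
    private IHttpRequestResponse send(IHttpRequestResponse base, IScannerInsertionPoint ip, String value) {
        byte[] request = ip.buildRequest(helpers.stringToBytes(value));
        return callbacks.makeHttpRequest(base.getHttpService(), request);
    }

    // Informational, tentative-confidence issue carrying the baseline and probe messages as evidence.
    private static class VariationIssue implements IScanIssue {
        private final URL url;
        private final IHttpService service;
        private final IHttpRequestResponse[] messages;
        private final String detail;

        VariationIssue(URL url, IHttpService service, IHttpRequestResponse[] messages, String detail) {
            this.url = url; this.service = service; this.messages = messages; this.detail = detail;
        }
        public URL getUrl() { return url; }
        public String getIssueName() { return "Input-dependent response variation (demo)"; }
        public int getIssueType() { return 0x08000000; } // extension-generated issue type
        public String getSeverity() { return "Information"; }
        public String getConfidence() { return "Tentative"; }
        public String getIssueBackground() { return null; }
        public String getRemediationBackground() { return null; }
        public String getIssueDetail() { return detail; }
        public String getRemediationDetail() { return null; }
        public IHttpRequestResponse[] getHttpMessages() { return messages; }
        public IHttpService getHttpService() { return service; }
    }
}
```

Comparing two untouched baselines first is what keeps the check quiet on pages with dynamic content: an attribute only counts as evidence when it was stable without the probe and moved with it.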
On Friday, to coincide with our Backslash Powered Scanning talk at Black Hat EU, we will be releasing an extension to the BApp Store that demonstrates how the new APIs can be used to create powerful new scanning capabilities.

Friday, October 21, 2016


This release adds a new Burp Collaborator client for use in manual testing, some new APIs for using Burp Collaborator capabilities within Burp extensions, and a new Burp extension that demonstrates usage of the APIs.

Burp Collaborator client is a tool for making use of Burp Collaborator during manual testing. You can use the Collaborator client to generate payloads for use in manual testing, and poll the Collaborator server for any network interactions that result from using those payloads.

To run Burp Collaborator client, go to the Burp menu and select "Burp Collaborator client".

The following functions are available:
  • You can generate a specified number of Collaborator payloads and copy these to the clipboard. You can use these in manual testing, for example using Burp Intruder or Repeater.
  • You can choose whether the generated payloads include the full Collaborator server location, or only the unique interaction ID.
  • You can poll the Collaborator server to retrieve details of any network interactions resulting from your payloads, either at a regular interval or on demand.

Some new APIs have been added for using Burp Collaborator capabilities within Burp extensions. There is a new method on IBurpExtenderCallbacks:

IBurpCollaboratorClientContext createBurpCollaboratorClientContext();

This creates an IBurpCollaboratorClientContext object that can be used to generate Burp Collaborator payloads and poll the Collaborator server for any network interactions that result from using those payloads.

To demonstrate usage of the new APIs, we have today released to the BApp Store a new extension that can detect the HTTPoxy vulnerability via Burp Collaborator.

The source code to the HTTPoxy Scanner extension is available here.

Friday, October 14, 2016


This release considerably enhances Burp Scanner's logic for reporting issues with cross-origin resource sharing (CORS) and introduces three new issues:
  • CORS: arbitrary origin trusted
  • CORS: all subdomains trusted
  • CORS: unencrypted origin trusted
There are many subtleties with CORS configuration that are not widely understood but can lead to catastrophic vulnerabilities, as described in today's blog post. This update puts all of the knowledge from this research into Burp so that it can accurately report all of the different problems that can arise with CORS.

Friday, September 23, 2016


This release contains fixes for some bugs affecting a number of users, most notably:
  • A fix for a bug that caused excessive CPU consumption during active scanning in some situations.
  • A workaround for an OpenJDK bug that caused the JVM to crash when working with Burp project files on some Linux platforms.

Thursday, September 8, 2016


This release introduces a new scan check for second-order SQL injection vulnerabilities. In situations where Burp observes stored user input being returned in a response, Burp Scanner now performs its usual logic for detecting SQL injection, with payloads supplied at the input submission point, and evidence for a vulnerability detected at the input retrieval point.

The release also fixes a number of minor bugs.

Monday, August 22, 2016


This release introduces native platform installers for Windows, Linux and OS X. These install Burp together with a private Java runtime environment, so you don't need to worry about installing or updating Java. The installation of Burp is fully integrated with standard OS features (start menu, dock, taskbar etc.), making it easier to launch Burp without use of the command line.

Pro edition users can obtain Burp platform installers in two ways:
  • Log in to your account and choose which installer to download.
  • Use the existing update feature to obtain the latest Burp JAR file, run that, and choose "Download other installers" from the Help menu.
Free edition installers can be obtained directly from the download page.
Note that although the platform installers have been extensively tested on various platforms, these are officially experimental and we welcome users' feedback about how they perform in real-world conditions. We will continue to distribute plain JAR files for people who prefer those.

There is also improved handling of updates. When an update is available, Burp lets you view full details of the release, and choose which installer type to download. When a release is flagged as beta, you can choose whether to download the beta release or the latest stable release.

A number of other enhancements have also been made:
  • The performance of the Proxy history view filter has been considerably improved, and changes to the filter are applied much faster on very large histories.
  • Some instances where redundant data is saved to Burp project files have been fixed.
  • The options to select font size now permit selection of very large font sizes, as a workaround for lack of proper support for HiDPI screens on Java 8 and earlier.

Tuesday, July 26, 2016


This release introduces a new tool, called Burp Infiltrator.

Burp Infiltrator is a tool for instrumenting target web applications in order to facilitate testing using Burp Scanner. Burp Infiltrator modifies the target application so that Burp can detect cases where its input is passed to potentially unsafe APIs on the server side.

The initial release of Burp Infiltrator supports applications written in Java or other JVM-based languages such as Groovy. Java versions from 4 and upwards are supported. In future, Burp Infiltrator will support other platforms such as .NET.

For more details about how Burp Infiltrator works, how to use it, and some other important considerations, please refer to the Burp Infiltrator blog post and the Burp Infiltrator documentation.

Burp Infiltrator makes use of Burp Collaborator for its communications back to the instance of Burp Suite that is performing scans. To support this, some new capabilities have been added to Burp Collaborator. Users who have deployed a private Burp Collaborator server should upgrade to the new version.

Some minor bugs have been fixed, including:
  • A bug which caused the values of some project options to change when an existing Burp project is reopened.
  • A bug which prevented editing of macro requests when using a disk-based project.
  • A bug which prevented the hostname from being correctly parsed from some TLS client hello messages when Burp Proxy is running in invisible mode.
MD5: 85ab62c473e2be60d8da15ccc0c80cde
SHA256: 43fede912099ff0af99ac595ca45b56aef3af4a5743c5b5d3107ed170da74551

Thursday, May 12, 2016


This release adds some enhancements to, and fixes some minor issues with, the Burp projects feature:
  • If the operating system exits abnormally when Burp is running with a disk-based project then some in-memory data may not be saved to disk, resulting in a partially corrupted project file. On reopening a project, Burp now detects this condition, and offers to repair the project file. The repair process will preserve as much data as possible from the corrupted project file.
  • When a new project is created, at the second step of the startup wizard where a configuration file is selected, Burp now lets you specify to use the selected option by default in future. If you have created a configuration file that you prefer to use for new projects, using this feature avoids the need to manually select your configuration file every time.
  • In the startup wizard, the lists of recently used project and configuration files now automatically hide any items that no longer exist on disk.
  • Burp now prevents selection of the current project file in all file dialogs, to avoid accidental overwriting of project data.
  • A bug that could lead to bloating of project files with redundant data has been resolved.
Thanks are due to everyone who has provided feedback about the new projects feature since the 1.7beta release. Based on the enhancements made since that release, the projects feature is now officially out of beta, and this release may be regarded as stable. As with all Burp features, we welcome ongoing feedback about the projects feature as people continue to use it.

Burp Suite Professional:

MD5: f104167fd64b8212e0b1b4c65736aa91
SHA256: 2fa319e45a91c9ccc6e96dee3e362f62be9a6e1dff84827d99830d4703913ba4

Burp Suite Free Edition:

MD5: a6019d5cbea725c44342303084343ade
SHA256: f5c83a2cfa4bdf9010d7033f0e66cc76bfd732cccfcc279ef7b14078046161d1

Monday, April 25, 2016


This release improves the resilience of disk-based projects in situations where the operating system terminates abnormally.

Burp uses memory-mapped files for disk-based projects. The operating system has responsibility for synchronizing data held in memory with files on disk, and ensures eventual consistency even if an individual process crashes. However, if the operating system itself crashes, then some in-memory data may not be written to disk, leading to a partially corrupted project file. Burp now tries to reduce the impact of this event, by forcing the operating system to write to disk more frequently, and by reopening project files in a more fault-tolerant manner. We are continuing to investigate ways of avoiding data loss in the event of the operating system terminating abnormally, and expect to make further enhancements in future releases. For this reason only, we are continuing to describe the disk-based projects feature as being in beta.

MD5: 9ffbaf30d02f13dfca3f694a946147ba
SHA256: 48a2370ee0cac43d8aca3b97563c24b9b66fc65b9197a75282394900a5a8ad73

Monday, April 18, 2016


This release fixes a number of minor bugs:
  • A bug affecting the sending of some requests from Intruder to other tools when a disk-based project is being used.
  • A bug that could sometimes cause the SSL client certificates configuration UI to become corrupted when restoring settings that are not valid on the current machine.
  • A bug that could sometimes cause superfluous semicolons to be introduced into requests when manipulating cookie parameters via the API.
  • A bug that could very occasionally cause Burp Proxy's processing of HTTPS requests to stop working.
Although we are not aware of any significant bugs in version 1.7, this update is still officially a beta release, to allow more time for bugs to be identified.

Burp Suite Professional:

MD5: 2d75c238f00906dc415f8cb115399317
SHA256: 41fd0d33e0fce1d68c11100e6d1e73b85a97fd65a56c083b64411309ba39ac0f

Burp Suite Free Edition:

MD5: f645734ecd263ad713f024ca00fa0d15
SHA256: f5bb8e45b3a0873c64c443e9bf68f8ec90e682a544e335571398da039e81ebcb

Tuesday, April 12, 2016


This major release introduces several new features, including:
  • Burp projects
  • Burp configuration files
  • A new startup wizard
  • New APIs
  • New command line arguments
Full details about the new features can be found on the Burp projects blog post.

Note: This is a beta release and disk-based projects are an experimental feature. The release should be used with caution, as it may contain bugs that cause unexpected behavior including loss of data.

The release also fixes a bug in the Collaborator server that may cause loss of service if unexpected interaction data is received. Users who have deployed their own private Collaborator server should update to the latest version as soon as possible. The Collaborator server function in the new release may be regarded as stable and suitable for production use.

Burp Suite Professional:

MD5: 77b6daf566b4d5abdf5ff725edfbc946
SHA256: 4931f5d6351614a357a8ccb3edff5c9c4f9fe14cefb0966547187b2da93a0d45

Burp Suite Free Edition:

MD5: 9851e2c48ce91e6e9b47b789aec50245
SHA256: 6b02a74fa537504c8df4d7901cfe293a7ecb97aac91f06550498b7b73f382ea3

Thursday, March 3, 2016


This release improves the logic of some scan checks that depend upon the content type of responses.

Burp has previously reported the "Content type incorrectly stated" issue on any occasion where the stated content type of a response differs from the actual content (as determined by Burp). This has frequently led to a lot of noise because (a) Burp's own content type sniffing has not been perfect; and (b) many content type mismatches have no security implications. Hence, many users got accustomed to just ignoring this issue, despite the fact that, in some rare situations, it can lead to high-severity issues like cross-site scripting.

The cases where this issue matters occur when a response is intended to actually contain non-HTML content such as an image, but a browser may attempt to interpret the response as HTML based on the stated content type. This can lead to XSS if the content is dynamically generated, uploaded by a user, or otherwise contains user input.

In the real world, browsers' actual sniffing of responses depends on several factors, including:
  • The stated content type
  • The presence of the header X-Content-Type-Options: nosniff
  • The file extension of the request URL
  • The browser type and version
The Burp research team have generated every possible permutation of these factors and identified all of the permutations that might lead to a browser attempting to interpret a response as HTML. This knowledge is now baked into Burp, so that Burp only reports the issue when a suitable combination of the above factors is observed. Further, the Burp advisory identifies precisely which browsers may be affected by an issue:

The other type of issue where the situation arises is cross-site scripting. In the past, Burp applied XSS checks to all responses that were either stated or appeared to contain HTML. The scan logic has now been tightened to be more accurate and informative in cases where exploitability of the issue depends upon browser sniffing:
  • Burp now uses its knowledge of actual browser behavior (based on the factors listed above) to determine whether any browser might attempt to interpret a response as HTML.
  • If content sniffing depends on the request URL having a different file extension, Burp will attempt to manipulate the extension so as to trigger this.
  • Any relevant details about specific browsers' behavior are included in the issue detail.
  • Seemingly unexploitable issues are still reported as informational, because a manual tester might nonetheless be able to find a way to exploit them.
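As an added illustration (not Burp's own code) of the decision described above, the following Python check only escalates a content-type mismatch when a browser might still render the body as HTML. It deliberately simplifies the per-browser permutation table the text mentions into one conservative rule: stated type is not HTML, the body sniffs as HTML, and no nosniff header is present. The helper names and the HTML marker list are assumptions for this example.

```python
import re

# Constructed, simplified version of the rule in the text: a mismatch is only
# "high" when a browser could plausibly render the body as HTML. The real check
# consults browser-specific sniffing behaviour, which is not reproduced here.
HTML_MARKERS = re.compile(rb"<\s*(html|script|body|iframe|img|svg|a)\b", re.I)
HTML_STATED_TYPES = {"text/html", "application/xhtml+xml"}


def parse_content_type(headers):
    """Return the media type (lower-cased, parameters stripped) or None."""
    for name, value in headers:
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return None


def has_nosniff(headers):
    """True when X-Content-Type-Options: nosniff is present (case-insensitive)."""
    return any(name.lower() == "x-content-type-options"
               and value.strip().lower() == "nosniff"
               for name, value in headers)


def url_extension(url):
    """File extension of the request path, lower-cased, '' if none."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def classify_content_type_mismatch(url, headers, body):
    """Return (severity, reason) for a response.

    'none'          -> body does not sniff as HTML, or the stated type is HTML
    'informational' -> non-HTML stated type but nosniff blocks browser sniffing
    'high'          -> non-HTML stated type, HTML-looking body, no nosniff
    """
    stated = parse_content_type(headers)
    if HTML_MARKERS.search(body) is None:
        return ("none", "body does not sniff as HTML")
    if stated in HTML_STATED_TYPES:
        return ("none", "stated type already declares HTML")
    if has_nosniff(headers):
        return ("informational", f"stated {stated!r} with nosniff; sniffing blocked")
    return ("high", f"stated {stated!r} without nosniff; extension {url_extension(url)!r}")
```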

Unrelatedly, the configuration of client SSL protocols and ciphers has been modified to include a master toggle specifying whether to use the default protocols and ciphers of the Java installation. This is the new default option, and can be overridden to allow configuration of specific protocols and ciphers. This change simplifies the configuration UI and makes it easier to share Burp configurations between different machines.

MD5: 8b4d1bad5f919d85fa09be7e35fba92f
SHA256: 2ff45ca7f1f3a01e675bfff7a2fa9804475102291085afa88dbdeca2b353a211

Wednesday, February 24, 2016


This release adds the capability to report reflected DOM-based and stored DOM-based vulnerabilities.

Burp already reports reflected XSS (where reflection of input allows direct execution of supplied JavaScript) and DOM-based XSS (where data is read from a controllable DOM location and processed in a way that allows execution of JavaScript). Burp now joins these steps together, to handle cases where:
  1. The server returns reflected or stored input in the value of a JavaScript string.
  2. That string is processed in a way that allows execution of JavaScript code from within the string.
The new capability applies to all of the DOM-based vulnerability types that Burp can report, such as JavaScript injection, WebSocket hijacking and open redirection.

MD5: cdba3138c9c0a92f1c2b19171db26e92
SHA256: 7bbd5500bb21a87fda1660f394d828d6c3bdcecc5df951a4f9e81a52dc28e62f

Friday, February 12, 2016


This release gives the Scanner the capability to report all instances where user input is returned in application responses, both reflected and stored:

The information gathered is primarily of use to manual security testers. Some applications contain numerous instances of input retrieval, since it is very common for the entire URL to be reflected within responses. For these reasons, the new Scanner checks are off by default, but can be turned on in the Scanner options:

MD5: d0287d85d288c2af116e0d60878a8a24
SHA256: 318a5544d92b137efb22d4935b343a1af4b610cf67bc6a8b89170d3a33d92dce

Wednesday, January 27, 2016


This release adds a new scan check for client-side template injection.

It is very common for applications that use AngularJS to incorporate user input into HTML responses within the client-side template. AngularJS has a long history of sandbox escapes that permit execution of arbitrary JavaScript via template expressions. Hence, when user input is echoed within AngularJS templates, it is frequently possible to perform XSS attacks using minimal syntax that is not usually sufficient to perform XSS, and so not blocked by input filters.

See today's blog post for a full description of this issue, and a list of sandbox escapes in recent versions of AngularJS.

MD5: 50d6256805893e5105941f5d85ca2c3d
SHA256: 2335c3111ea8e3ba7d53ace55f2f69761843aab5e53460a89137a945cb4ccf8a

Thursday, January 21, 2016


This release adds the capability to report three new Scanner issues relating to HTTPS:
  • Unencrypted communications - This is reported when requests are made to a host using plain HTTP. In the near future, browsers will display a prominent security warning whenever this occurs. Due to recent revelations about the mass interception of unencrypted communications by various powerful adversaries, there is a push to use HTTPS everywhere. See the screenshot below for more details.
  • Mixed content - This is reported when a page is loaded over HTTPS but loads other resources, such as scripts and images, over plain HTTP. Modern browsers are disabling the affected resources by default, leading to usability issues when mixed content is used. If a user elects to re-enable mixed content, then this presents a security issue.
  • Strict transport security not enforced - This is reported when a host fails to prevent users from connecting to it over plain HTTP, using the Strict-Transport-Security header. In this situation, a suitably positioned attacker can bypass the use of SSL by rewriting HTTPS links as HTTP.
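The three issues above, as an added example (not Burp's own scan logic) of how each can be detected from a request URL and its response. Function names, the resource-tag regex and the header representation as (name, value) pairs are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed checks mirroring the three HTTPS-related issues in the text.
# Each takes the request URL, response headers as (name, value) pairs and the
# body text, and returns a list of issue strings (empty when nothing applies).
HTTP_RESOURCE = re.compile(
    r"""<(?:script|img|link|iframe|source|audio|video)\b[^>]*?\s"""
    r"""(?:src|href)\s*=\s*["']?(http://[^"'\s>]+)""", re.I)


def header(headers, name):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def check_unencrypted(url):
    """Unencrypted communications: the request itself used plain HTTP."""
    return ["Unencrypted communications"] if urlsplit(url).scheme.lower() == "http" else []


def check_mixed_content(url, body):
    """Mixed content: an HTTPS page references sub-resources over plain HTTP."""
    if urlsplit(url).scheme.lower() != "https":
        return []
    return ["Mixed content: " + ref for ref in HTTP_RESOURCE.findall(body)]


def check_hsts(url, headers):
    """HSTS not enforced: HTTPS response lacks a usable Strict-Transport-Security."""
    if urlsplit(url).scheme.lower() != "https":
        return []  # browsers ignore HSTS on plain-HTTP responses anyway
    hsts = header(headers, "Strict-Transport-Security")
    if hsts is None:
        return ["Strict transport security not enforced"]
    # max-age=0 tells the browser to forget the policy, so treat it as absent
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    if m is None or int(m.group(1)) == 0:
        return ["Strict transport security not enforced"]
    return []


def scan_https_issues(url, headers, body):
    return check_unencrypted(url) + check_mixed_content(url, body) + check_hsts(url, headers)
```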

MD5: c716529989c152f99e1f82ed78e99aad
SHA256: 9cd602308d405e4d9b5c39c0b62ca3a351a20bbc794c7d82d62300abcbdbb703

Saturday, January 16, 2016


This release fixes a bug that was introduced in 1.6.33. The effect of the bug was that state files generated by 1.6.33 containing certain newly discovered Scanner issues would fail to restore properly. The bug is now fixed and the affected state files generated by 1.6.33 should now restore correctly.

MD5: 62157ff3377cb139729cc1f7d83be7d5
SHA256: 77b28f05e8abbdf479554e1b5851f85aa5241ca1e81e5c5a233b214508d3c515

Wednesday, January 13, 2016


This release adds the ability to detect blind XSS, via Burp Collaborator.

Blind XSS is a special type of stored XSS in which the data retrieval point is not accessible by the attacker - for example, due to lack of privileges. This makes the vulnerability very difficult to test for using conventional techniques. In many cases, there is no hint whatsoever in the application's visible functionality that a vulnerability exists. Since security testers are in the habit of spraying target applications with alert(1) type payloads, countless admins have been hit by harmless alert boxes, indicating a juicy bug that the tester never finds out about. Due to the inherent difficulty in detecting blind XSS vulnerabilities, these bugs remain relatively prevalent, still waiting to be discovered. This new release of Burp empowers testers to easily find these critical vulnerabilities, with no special configuration or other tools required.

Previously, Burp Scanner has used purely in-band techniques to detect stored XSS. This involves first scanning the data entry point, later scanning the data retrieval point, identifying the connection between the two, and then supplying suitable payloads to the entry point to formulate a proof-of-concept attack. This approach can often be effective, but has some significant limitations:
  • It cannot detect blind XSS, because the data retrieval point is not accessible.
  • It requires that the entry and retrieval points are scanned in the correct order.
  • It is highly vulnerable to previously submitted data being overwritten by another user's actions in the time between scanning the entry and retrieval points.
Burp still uses conventional in-band techniques to detect stored XSS, but now also sends payloads like this:

This payload starts with a multi-context break-out sequence which, in all normal retrieval locations, will convert the HTML context to one where JavaScript can be executed. It then executes some script that triggers a connection to the Burp Collaborator server. This out-of-band interaction enables Burp to confirm when the payload has been successful. For more details on the breakdown of this payload, see our blog post on hunting asynchronous vulnerabilities.

The new approach to finding stored XSS has some significant benefits:
  • It can detect blind XSS, provided that another user, such as an administrator, eventually views a page containing the stored payload.
  • It only requires that the entry point be scanned by Burp. Other users' interaction with the application, or the Burp tester's own browser-based use of the application (if non-blind), is likely to lead to connections to the Collaborator server that enable Burp to report the issue.
  • Even where the stored data is short-lived, and has been overwritten by the time the Burp tester visits or scans the retrieval point, Burp may still detect the issue due to other users viewing the data.
  • As with other deferred Collaborator interactions, Burp can report stored XSS issues after the Burp user has finished testing, without any additional requests to the application.
Below is an example of what Burp's advisory looks like for a blind XSS issue that has been discovered via Burp Collaborator. This example uses a simpler payload that works in many situations. Note that Burp nicely identifies the Referer header from the incoming HTTP request to the Collaborator server, which will normally indicate the retrieval point where the payload appeared:
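As an added example (not Burp's or the Collaborator server's code), the correlation step described above: each issued payload is tied to a unique interaction ID, a later HTTP interaction on that ID confirms the issue against the original entry point, and the interaction's Referer header, when present, names the retrieval point; a blind hit with no Referer is still reported. The log line format, class names and sample values are constructed for this example; no payload content is included.

```python
import re
from dataclasses import dataclass


@dataclass
class EntryPoint:
    url: str        # request where the payload was submitted
    parameter: str  # parameter that carried it


@dataclass
class Interaction:
    interaction_id: str  # unique label embedded in the Collaborator hostname
    client_ip: str       # who fetched the payload's resource (the viewer)
    headers: dict        # HTTP headers of the incoming interaction


@dataclass
class StoredXssIssue:
    entry: EntryPoint
    retrieval_point: str  # from Referer, or "unknown" for a blind hit
    viewer_ip: str


def parse_interaction_log(lines):
    """Parse constructed 'id=<id> from=<ip> referer=<url or ->' log lines."""
    out = []
    for line in lines:
        m = re.match(r"id=(\S+) from=(\S+) referer=(\S+)", line)
        if m:
            hdrs = {} if m.group(3) == "-" else {"Referer": m.group(3)}
            out.append(Interaction(m.group(1), m.group(2), hdrs))
    return out


def correlate(issued, interactions):
    """issued maps interaction_id -> EntryPoint; one issue per matching interaction.

    Interactions whose ID was never issued are unrelated traffic and ignored;
    a match without a Referer is still an issue, just with an unknown
    retrieval point (the blind case described in the text).
    """
    issues = []
    for ia in interactions:
        entry = issued.get(ia.interaction_id)
        if entry is None:
            continue
        issues.append(StoredXssIssue(entry, ia.headers.get("Referer", "unknown"), ia.client_ip))
    return issues
```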

MD5: b032280fbfdc77395e9ef896c8d1b976
SHA256: c7ac01d3819094f314b57deb12cd63a3e1e1a4c6d9bd7f1e4a29cbf4e7b8f4b1