Friday, October 14, 2016

1.7.08

This release considerably enhances Burp Scanner's logic for reporting issues with cross-origin resource sharing (CORS) and introduces three new issues:
  • CORS: arbitrary origin trusted
  • CORS: all subdomains trusted
  • CORS: unencrypted origin trusted
There are many subtleties with CORS configuration that are not widely understood but can lead to catastrophic vulnerabilities, as described in today's blog post. This update puts all of the knowledge from this research into Burp so that it can accurately report all of the different problems that can arise with CORS.

burpsuite_pro_linux_v1_7_08.sh
MD5: 41d7091e6f726b054a94336eba590eb8
SHA256: 27e53041de128ee92b7faacba6808800bb2be9d4fc827cf62484a5bfb1b6f314

burpsuite_pro_macos_v1_7_08.dmg
MD5: 56e86cb01563730c6a59bea150dcf8c9
SHA256: 7320d6fdd4192fc34be0b72ce63df09e9c468c5f92a69ac0efaf038d5139b4ff

burpsuite_pro_v1.7.08.jar
MD5: eb98fc4432cff3e288afd2bd2b6b3661
SHA256: 5b20bc2f1b236af3049a155fa8f122f5d91097041ebf17964bd640aa439ecaaf

burpsuite_pro_windows-x64_v1_7_08.exe
MD5: 7301606590748be43d37a9080d78ba8f
SHA256: fa35a1c19ef7277540b367c36273096e92c97728317e1620a2cb836b76ecfe76

burpsuite_pro_windows-x86_v1_7_08.exe
MD5: 22e4f0913a94c734e4083a8dbcc7a01d
SHA256: e3e78068f87f28dd4421d1cc0e9d8f74bfbcd32502300871ee2bf5fa648437cf