Friday, November 18, 2016

1.7.12

This release updates the Burp Collaborator server to capture SMTP interactions, and adds two new related checks to Burp Scanner.

There is a new scan check for SMTP external service interaction. This reports an informational issue that identifies application functions which can be made to send an email to an arbitrary, attacker-supplied address. This will typically (though not always) be intended application behavior, but it represents interesting attack surface for manual review:



There is a new scan check for SMTP header injection. This reports cases where it is possible to inject email headers, with the result that an email generated by the application is copied to an arbitrary email address. The usual cause is user input being placed into a header such as Subject or From without CR/LF characters being stripped, so the input can terminate the current header line and append further headers such as Cc or Bcc:
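To make the two checks concrete, here is an added Python example (not code from the release or from Burp itself) showing the bug the header-injection check looks for and the fix. `build_vulnerable` concatenates user input into the header block, so a Subject value containing `\r\nBcc: ...` grows a second recipient; `build_hardened` rejects line breaks in user-controlled header values before handing them to the standard `email` library. The addresses, the `collab.example` probe domain and the message text are constructed for the example; a tester would substitute their own Collaborator payload, and the external-service-interaction check is simply the case where the recipient field itself accepts that address.

```python
import re
from email.message import EmailMessage
from email.policy import SMTP

# Constructed values for the example; collab.example stands in for whatever
# Collaborator-style domain a tester would actually use.
VICTIM = "victim@example.test"
PROBE = "probe@collab.example"
INJECTED_SUBJECT = "Order update\r\nBcc: " + PROBE

CRLF_RE = re.compile(r"[\r\n]")


def build_vulnerable(to_addr, subject, body):
    """Vulnerable: user input concatenated straight into the header block.

    A CR/LF inside `subject` ends the Subject line, so whatever follows it
    becomes a new header (here a Bcc) that the MTA will honour.
    """
    return (
        "From: noreply@app.example\r\n"
        f"To: {to_addr}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def build_hardened(to_addr, subject, body):
    """Hardened: refuse CR/LF in user-controlled header values, then let the
    email library assemble the message. Its default policy also rejects
    multi-line header values, so the explicit check is belt and braces."""
    for name, value in (("To", to_addr), ("Subject", subject)):
        if CRLF_RE.search(value):
            raise ValueError(f"line break in {name} header value")
    msg = EmailMessage(policy=SMTP)
    msg["From"] = "noreply@app.example"
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def recipients_in_headers(raw):
    """Addresses named in To/Cc/Bcc headers of a raw RFC 5322 message, i.e.
    where the mail will actually go once the MTA expands those headers."""
    headers, _, _ = raw.partition("\r\n\r\n")
    found = []
    for line in headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("to", "cc", "bcc"):
            found.append(value.strip())
    return found


def hardened_rejects(to_addr, subject, body):
    """True when the hardened builder refuses the input outright."""
    try:
        build_hardened(to_addr, subject, body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaked = build_vulnerable(VICTIM, INJECTED_SUBJECT, "Your order has shipped.")
    print("vulnerable build delivers to:", recipients_in_headers(leaked))
    print("hardened build rejects payload:",
          hardened_rejects(VICTIM, INJECTED_SUBJECT, "Your order has shipped."))
```

Rejecting the request is the right response here rather than silently stripping the line breaks: a stripped payload still reaches the user as a mangled subject, and the application loses the signal that someone is probing it.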



For all SMTP-related issues, Burp Collaborator captures the full SMTP conversation that took place, and this is reported within the scan issue. This provides evidence for the issue itself, and may also contain interesting information about the technologies and infrastructure in use, such as the hostname the sending mail server announces in its EHLO and the envelope recipients it was given:
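The following is an added Python example, not Collaborator's own implementation, of what "capturing the full SMTP conversation" amounts to: a minimal SMTP server state machine that logs every line both sides send, and records the EHLO identity, the envelope sender and recipients, and the message data. The constructed session below is what an application's mail server would send after an injected Bcc header had been expanded into a second RCPT TO; the hostnames and addresses are invented for the example, and the reply text and transcript format are this example's choices, not Collaborator's.

```python
def _addr(arg):
    """'FROM:<a@b>' or 'TO:<a@b>' -> 'a@b' (ESMTP parameters not handled)."""
    _, _, rest = arg.partition(":")
    return rest.strip().strip("<>")


class SmtpCapture:
    """Server side of a minimal SMTP session that records every line both
    parties send, plus the envelope and EHLO identity a tester cares about."""

    def __init__(self, hostname="collab.example"):
        self.hostname = hostname
        self.transcript = []   # "S: ..." / "C: ..." lines in wire order
        self.ehlo_host = None  # what the sending MTA called itself
        self.mail_from = None
        self.rcpt_to = []      # envelope recipients, one per RCPT TO
        self.data = []         # message lines between DATA and "."
        self._in_data = False
        self._reply(f"220 {hostname} ESMTP")

    def _log(self, side, line):
        self.transcript.append(f"{side}: {line}")

    def _reply(self, line):
        self._log("S", line)
        return line

    def feed(self, line):
        """Process one client line; return the server reply (None inside DATA)."""
        self._log("C", line)
        if self._in_data:
            if line == ".":
                self._in_data = False
                return self._reply("250 2.0.0 Ok: queued")
            # RFC 5321 dot-unstuffing: a leading ".." on the wire is one "."
            self.data.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.ehlo_host = arg.strip()
            return self._reply(f"250 {self.hostname}")
        if verb == "MAIL":
            self.mail_from = _addr(arg)
            return self._reply("250 2.1.0 Ok")
        if verb == "RCPT":
            self.rcpt_to.append(_addr(arg))
            return self._reply("250 2.1.5 Ok")
        if verb == "DATA":
            self._in_data = True
            return self._reply("354 End data with <CR><LF>.<CR><LF>")
        if verb == "QUIT":
            return self._reply("221 2.0.0 Bye")
        return self._reply("500 5.5.1 Command unrecognized")


def run_session(client_lines):
    """Drive a capture with a list of client lines; return the populated capture."""
    server = SmtpCapture()
    for line in client_lines:
        server.feed(line)
    return server


# Constructed session: the application's MTA delivering a message whose
# injected Bcc header has been expanded into a second envelope recipient.
SAMPLE_SESSION = [
    "EHLO mail-01.corp.internal",
    "MAIL FROM:<noreply@app.example>",
    "RCPT TO:<victim@example.test>",
    "RCPT TO:<probe@collab.example>",
    "DATA",
    "From: noreply@app.example",
    "To: victim@example.test",
    "Subject: Order update",
    "Bcc: probe@collab.example",
    "",
    "Your order has shipped.",
    ".",
    "QUIT",
]


if __name__ == "__main__":
    cap = run_session(SAMPLE_SESSION)
    print("\n".join(cap.transcript))
    print("sending host:", cap.ehlo_host, "| envelope recipients:", cap.rcpt_to)
```

The `EHLO` argument is the detail worth reading in a real capture: an internal hostname there tells you which mail relay the application uses, and the `RCPT TO` list is the proof that the injected header actually changed delivery rather than just appearing in the message body.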





Note that users who have deployed a private Burp Collaborator server will need to upgrade their deployment to use the latest version, to gain the benefit of the new SMTP capabilities.

burpsuite_pro_linux_v1_7_12.sh
MD5: 163b26f266bbe93c8a7221e443e0f2a5
SHA256: 538d434c90e345227a104e23e06d1610945b36079899ab7f8d555e14b9480211

burpsuite_pro_macos_v1_7_12.dmg
MD5: 0b9f924a7db0f2d128d3c86b27e29e79
SHA256: 2c456dc9d1ed8e1770536ecd2f52232a2d2642c37c744216382c236d21f63548

burpsuite_pro_v1.7.12.jar
MD5: 5e5d7ee45ec4b453e7d1f9e08b813337
SHA256: 844e2732f137a6fff82983fd06af7a54f6bfbbc595b93be71b70208097c5643f

burpsuite_pro_windows-x64_v1_7_12.exe
MD5: 2f2c9ab2089911b95b115f54c2cc6594
SHA256: 62ac35945dd995a69797255758d40acc6013009ddea70f784f0f41cb5fe13878

burpsuite_pro_windows-x86_v1_7_12.exe
MD5: e3ac458fe4a30762ebe1b1b4694301ac
SHA256: 8e46719bccbc6750cb53c1dfa9b8bb90824f2381b38bcd09eebdebe6494623dd