Tuesday, November 29, 2016


This release adds various enhancements and bugfixes.

Burp Infiltrator has been enhanced with a large number of new API sink definitions, for both the Java and .NET platforms. This dramatically increases the coverage of existing vulnerabilities, such as OS command injection and file path traversal.

You can export the updated Infiltrator installers from the "Burp" menu in Burp Suite Professional. If you have already installed an earlier version of Infiltrator in an application, you can just run the new installer to update the instrumentation with the new API sink definitions.

The BurpInfiltrator.dll .NET assembly is now signed, and all instrumented assemblies refer to it by its strong name. This change will address some issues that can arise with usage of signed assemblies.

The manual Burp Collaborator client has been enhanced to give full details of Infiltrator interactions. This can greatly assist manual testing and exploitation of vulnerabilities, for example by showing the full SQL query that is executed when some particular input is submitted. Also, the Collaborator client UI now shows the Collaborator payload in the table of interactions, and supports user comments and highlights:

The IBurpCollaboratorClientContext API now supports separate retrieval of regular Collaborator interactions and Infiltrator-driven interactions.

The following bugs have been fixed:
  • A bug in the "copy as curl command" function which could enable a malicious website to generate an HTTP request which, if the Burp user uses the "copy as curl command" function and executes the output in a shell context, will cause arbitrary commands to be executed. There is no exposure to users who do not use the "copy as curl command" function, but it is recommended that all users upgrade to the latest version. This issue was discovered through an internal security review, rather than a user report.
  • A bug in the Burp Collaborator health check which caused SMTP/S connections made by the health check not to honor the configured SOCKS proxy settings.
  • A bug which caused Proxy match/replace rules to display as type "regex" even if they are not.
  • A bug where use of a partial/incomplete configuration file at project startup caused any undefined configuration options to have blank values. Now, any undefined options are assigned their default values.
  • A bug which caused Burp to leave temporary files on disk if the user cancels out of the project startup wizard.
  • A bug which caused items in the active scan queue in the "waiting to cancel" state to display in that state indefinitely if the project is closed and reopened. 
MD5: d77803b395e89359ce243db83a6f0b19
SHA256: 61f932686e199ade470ee7850e17c87798dc0ea36c30543e8cb57783e3728e36

MD5: a1b3edbf90dedebb9aff09833d576a62
SHA256: 8c53f3af171c4338af1777e2ed59481a135ccb04a2b747d739a6730fe67564f4

MD5: 39f627254197e64a5026bc2432468717
SHA256: 2f704124384bb8fe81ea6dc2e2a15a97dd349dbcee66d7f6999a8720bc657f3e

MD5: a3856f999d22265a70e76657e6e50bee
SHA256: a521df231d4471827d8028b79b7a4b821ffcb6ed872ae6362b25efb96f9eb50b

MD5: 1b066f7cfc92059904c5e756cad4817b
SHA256: 55e9bfeb31948a6f6403f20b1a0356e6f5a2af4e1175beadce3f038621def6d3

MD5: 290ecf4a30f15a9bded2ea86958e2f87
SHA256: a46680443dfae0b4c8e9cff2ce7fc40be6cf347b6dbbb6b140960f8c7551454b

MD5: 36826e7c67d74e39805131139709406b
SHA256: edb8351bd21980b30a2439e88603a4aae8907d18c552c1759eee15b24349446b

MD5: e34414aa760ae741e01f134eb08cdcd9
SHA256: 48ac90ae33c51be4576109a438422f67c77d5694e2e0cad8aea7bd29b4f18ad2

MD5: 09c2e95dd6421e1890c1c2b6f96d6a01
SHA256: 9c4dc164d20d224a3235cb78bf6932c85bda41d983589d9f742d7ccf36d9f0ea

MD5: 0e3bfa771ca43388329629eaa354cc79
SHA256: c95154eb56d295ad109165751e6842ceb7cf8ab69dc47e6c97d2b9799fbb9bac