Tuesday, December 13, 2016


This release fixes the following security issues that were identified through our bug bounty program. Note that all of these issues involve the Burp user actively testing a malicious website that has been designed specifically to attack Burp Suite.
  • If a user visits a malicious website in their browser, and in Burp selects a crafted request that was generated by that website, and uses either the "Request in browser" function or the "Generate CSRF PoC" and "Test in browser" functions, then the malicious website can XSS an arbitrary website.
  • If a user scans a malicious website and another website within the same Burp project, and exports all of the scan results as a single HTML report, and views that report in a browser, then the malicious website can capture the scan results for the other site.
  • If a user scans a malicious website and another website within the same Burp project, then the malicious website might be able to capture the raw data of any Burp Collaborator interactions that were performed by the other website.
We are pleased that our bug bounty program has alerted us to these issues within Burp. As well as fixing known issues at source, we have taken a defense-in-depth approach to hardening Burp in response to them, including:
  • Some functions within Burp's in-browser interface that increased its attack surface have been removed altogether, including the Proxy history, the buttons to repeat requests and view responses, and support for the plug-n-hack Firefox extension.
  • Scan issue descriptions, including those generated by Burp extensions, are now subject to an HTML whitelist that allows only formatting tags and simple hyperlinks.
  • HTML scan reports now include a Content Security Policy directive that prevents execution of scripts in modern browsers.
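As an added illustration of the allowlist approach in the second hardening point above (example code written for this note, not Burp's own implementation; the tag set and the class and function names are assumptions), the sanitizer below rebuilds an extension-supplied issue description keeping only formatting tags and http(s) hyperlinks, drops every attribute such as event handlers, discards script content outright, and re-escapes all text:

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for illustration (not Burp's actual list): formatting tags plus <a href>.
FORMATTING_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "code", "pre"}
DROP_CONTENT_TAGS = {"script", "style"}  # the text inside these is discarded, not just the tags


class IssueDescriptionSanitizer(HTMLParser):
    """Rebuilds extension-supplied HTML keeping only allowed tags; everything else becomes inert."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skipping = [], [], 0  # stack holds (tag, was_emitted)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping += 1
        elif tag == "br":                        # void element: emit it, nothing to close
            self.out.append("<br>")
        else:
            href = (dict(attrs).get("href") or "").strip()   # only consulted for <a>
            # A "simple hyperlink" here means an absolute http(s) URL; javascript:/data: are rejected.
            keep = tag in FORMATTING_TAGS or (tag == "a" and urlparse(href).scheme in ("http", "https"))
            if keep:  # every other attribute (onclick, style, ...) is dropped
                self.out.append(f'<a href="{escape(href, quote=True)}">' if tag == "a" else f"<{tag}>")
            self.stack.append((tag, keep))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = max(0, self.skipping - 1)
            return
        for i in range(len(self.stack) - 1, -1, -1):   # close back to the matching open tag
            if self.stack[i][0] == tag:
                self.out.extend(f"</{t}>" for t, emitted in reversed(self.stack[i:]) if emitted)
                del self.stack[i:]
                return

    def handle_data(self, data):
        if not self.skipping:                    # text is always re-escaped, never passed through
            self.out.append(escape(data, quote=False))


def sanitize_issue_description(html):
    parser = IssueDescriptionSanitizer()
    parser.feed(html)
    parser.close()
    parser.out.extend(f"</{t}>" for t, emitted in reversed(parser.stack) if emitted)  # close leftovers
    return "".join(parser.out)
```

The report-level Content Security Policy in the third point is an independent layer: even if markup slipped past a filter like this, a policy without 'unsafe-inline' in script-src stops inline script from executing.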
Note: The security issues identified have all been fixed within Burp Suite. As a defense-in-depth measure, Burp Collaborator has also been hardened. Users who have deployed a private Burp Collaborator server are recommended to update to the current version in a timely way.

Thanks are due to @_Abr1k0s_ for reporting the aforementioned issues.

A number of other enhancements were made, including:
  • Improvements to a number of existing Scanner checks to increase their accuracy.
  • When a request is sent to Repeater but never issued, the request is now stored in the Burp project file, so the initial unrequested item will reappear when the project is reopened.
  • The Proxy listener now accepts SSL negotiations from browsers that are hardened to support only selected protocols and ciphers.