Burp Suite, the leading toolkit for web application security testing

Burp Suite release notes

Tuesday, November 29, 2016


This release adds various enhancements and bugfixes.

Burp Infiltrator has been enhanced with a large number of new API sink definitions, for both the Java and .NET platforms. This dramatically increases the coverage of existing vulnerabilities, such as OS command injection and file path traversal.

You can export the updated Infiltrator installers from the "Burp" menu in Burp Suite Professional. If you have already installed an earlier version of Infiltrator in an application, you can just run the new installer to update the instrumentation with the new API sink definitions.

The BurpInfiltrator.dll .NET assembly is now signed, and all instrumented assemblies refer to it by its strong name. This change will address some issues that can arise with usage of signed assemblies.

The manual Burp Collaborator client has been enhanced to give full details of Infiltrator interactions. This can greatly assist manual testing and exploitation of vulnerabilities, for example by showing the full SQL query that is executed when some particular input is submitted. Also, the Collaborator client UI now shows the Collaborator payload in the table of interactions, and supports user comments and highlights.

The IBurpCollaboratorClientContext API now supports separate retrieval of regular Collaborator interactions and Infiltrator-driven interactions.

The following bugs have been fixed:
  • A bug in the "copy as curl command" function which could enable a malicious website to generate an HTTP request which, if the Burp user uses the "copy as curl command" function and executes the output in a shell context, will cause arbitrary commands to be executed. There is no exposure to users who do not use the "copy as curl command" function, but it is recommended that all users upgrade to the latest version. This issue was discovered through an internal security review, rather than a user report.
  • A bug in the Burp Collaborator health check which caused SMTP/S connections made by the health check not to honor the configured SOCKS proxy settings.
  • A bug which caused Proxy match/replace rules to display as type "regex" even if they are not.
  • A bug where use of a partial/incomplete configuration file at project startup caused any undefined configuration options to have blank values. Now, any undefined options are assigned their default values.
  • A bug which caused Burp to leave temporary files on disk if the user cancels out of the project startup wizard.
  • A bug which caused items in the active scan queue in the "waiting to cancel" state to display in that state indefinitely if the project is closed and reopened. 

Friday, November 18, 2016


This release updates the Burp Collaborator server to capture SMTP interactions, and adds two new related checks to Burp Scanner.

There is a new scan check for SMTP external service interaction. This reports an informational issue that identifies application functions that can be used to generate an email to an arbitrary address. This will typically (though not always) be intended application behavior, but it represents interesting attack surface for manual review.

There is a new scan check for SMTP header injection. This reports cases where it is possible to inject email headers, with the result that an email generated by the application is copied to an arbitrary email address.

For all SMTP-related issues, Burp Collaborator captures the full SMTP conversation that took place, and this is reported within the scan issue. This provides evidence for the issue itself, and also may contain interesting information about the technologies and infrastructure being used.

Note that users who have deployed a private Burp Collaborator server will need to upgrade their deployment to use the latest version, to gain the benefit of the new SMTP capabilities.


Friday, November 11, 2016


This release adds support for the .NET platform in the Burp Infiltrator tool.

To use Burp Infiltrator on .NET applications, go to Burp menu / Burp Infiltrator, and select the .NET option in the export wizard. For more details, see the Burp Infiltrator documentation.

The new .NET version of Burp Infiltrator works in the same way as the existing Java version. It supports applications written in C#, VB, and any other .NET language. It supports versions 2.0 and later of the .NET framework.

To patch .NET applications, Burp Infiltrator makes use of bytecode assembly and disassembly tools. These can be either: (a) the ilasm and ildasm tools that are distributed with the .NET framework and the Windows SDK tools, respectively; or (b) the ilasm and monodis tools that are distributed with mono. You must specify the location of the assembly and disassembly tools during the patching process. Note that the version of the assembly tool must match the version of the .NET framework that the bytecode is targeting, to ensure compatibility.


Wednesday, November 2, 2016


This release adds some new APIs that extensions can use to easily implement powerful scan checks and other logic that involves response diffing.

Two new APIs have been added to IExtensionHelpers. The method:

IResponseVariations analyzeResponseVariations(byte[]... responses)

analyzes a collection of responses to identify variations in a range of attributes. The IResponseVariations object that is returned can be queried to determine the invariant or variant attributes, and the "value" of each attribute for each response:

List<String> getVariantAttributes();
List<String> getInvariantAttributes();
int getAttributeValue(String attributeName, int responseIndex);

The attributes that are currently supported are as follows:


Note that all values are represented as integer numbers, and the values of some attributes are intrinsically meaningful (e.g. word count) while the values of others are less so (e.g. checksum of HTML tag names).

The method:

IResponseKeywords analyzeResponseKeywords(List<String> keywords, byte[]... responses)

analyzes a collection of responses to identify the number of occurrences of the specified keywords. The IResponseKeywords object that is returned can be queried to determine the keywords whose counts vary or do not vary, and the number of occurrences of each keyword for each response:

List<String> getVariantKeywords();
List<String> getInvariantKeywords();
int getKeywordCount(String keyword, int responseIndex);

The new APIs allow your extensions to let Burp handle the messy work of analyzing responses to determine if they are the same or different, and you can easily create powerful scan checks with some simple logic:
  1. Send novel payload.
  2. Ask Burp whether the response changed in some interesting respect.
  3. If so, report an issue.

On Friday, to coincide with our Backslash Powered Scanning talk at Black Hat EU, we will be releasing an extension to the BApp Store that demonstrates how the new APIs can be used to create powerful new scanning capabilities.
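
One way to apply the three steps above inside an extension, as an added example that is not PortSwigger's code and is not the BApp mentioned here. The class name ResponseDiffProbe, its method names and the control and probe values are assumptions; it compiles against the Burp Extender API and extends step 2 by sending the control value twice so that attributes which vary on their own are ignored.

```java
package burp;

import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical helper, not part of the Burp API): call it from
// an IScannerCheck.doActiveScan() implementation.
public class ResponseDiffProbe {
    private final IBurpExtenderCallbacks callbacks;
    private final IExtensionHelpers helpers;

    public ResponseDiffProbe(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
    }

    // Step 1: place a value in the insertion point, send it, return the raw response.
    private byte[] fetch(IHttpRequestResponse base, IScannerInsertionPoint point, String value) {
        byte[] request = point.buildRequest(helpers.stringToBytes(value));
        return callbacks.makeHttpRequest(base.getHttpService(), request).getResponse();
    }

    // Steps 2 and 3: returns the attributes that changed only because of the
    // probe value. An empty list means there is nothing to report.
    public List<String> changedAttributes(IHttpRequestResponse base,
            IScannerInsertionPoint point, String control, String probe) {
        List<String> changed = new ArrayList<String>();
        byte[] first = fetch(base, point, control);
        byte[] second = fetch(base, point, control);
        byte[] probed = fetch(base, point, probe);
        if (first == null || second == null || probed == null) {
            return changed; // a request failed, so no comparison is possible
        }
        // Attributes that differ between two identical requests are noise
        // (timestamps, tokens); only trust the ones that stayed the same.
        List<String> stable = helpers.analyzeResponseVariations(first, second)
                .getInvariantAttributes();
        IResponseVariations diff = helpers.analyzeResponseVariations(first, probed);
        for (String attribute : diff.getVariantAttributes()) {
            if (stable.contains(attribute)) {
                changed.add(attribute + ": " + diff.getAttributeValue(attribute, 0)
                        + " -> " + diff.getAttributeValue(attribute, 1));
            }
        }
        return changed;
    }
}
```

A non-empty list is the signal for doActiveScan() to return an IScanIssue; the returned strings can go into the issue detail as evidence of what changed.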


Copyright 2016 PortSwigger Ltd. All rights reserved.