Burp Suite, the leading toolkit for web application security testing

Burp Suite release notes

Wednesday, December 21, 2016


This release includes the most frequently requested feature of all time: custom wordlists in the Content Discovery feature.

It also massively improves the accuracy of detection of valid vs. not-found responses in the Content Discovery engine. We believe that this is now approaching 100% accuracy in terms of both false positives and false negatives. If anyone encounters a site where the Content Discovery function is not completely accurate, please let us know the details and we will investigate.

A number of other enhancements and fixes have been made:
  • Further to the security issues fixed in 1.7.14, additional hardening has been applied to in-browser actions and the CSRF PoC generator, to prevent some conceivable attacks that would require a large number of socially engineered user actions on a malicious site.
  • A bug that caused the Burp Comparer progress bar to intermittently hang has been fixed.
  • The SMTP service of the Burp Collaborator server has been modified to reject emails without a valid interaction ID. This prevents the Collaborator from wrongly appearing to be an open mail relay, which had caused naive security scans to report a failure.
  • A bug that was introduced in 1.7.14, which prevented Repeater requests from being issued when a tab other than the "Raw" tab was selected, has been fixed.


Tuesday, December 13, 2016


This release fixes the following security issues that were identified through our bug bounty program. Note that all of these issues involve the Burp user actively testing a malicious website that has been designed specifically to attack Burp Suite.
  • If a user visits a malicious website in their browser, and in Burp selects a crafted request that was generated by that website, and uses either the "Request in browser" function or the "Generate CSRF PoC" and "Test in browser" function, then the malicious website can perform XSS against an arbitrary website.
  • If a user scans a malicious website and another website within the same Burp project, and exports all of the scan results as a single HTML report, and views that report in a browser, then the malicious website can capture the scan results for the other site.
  • If a user scans a malicious website and another website within the same Burp project, then the malicious website might be able to capture the raw data of any Burp Collaborator interactions that were performed by the other website.
We are pleased that our bug bounty program has alerted us to these issues within Burp. As well as fixing known issues at source, we have taken a defense-in-depth approach to hardening Burp in response to them, including:
  • Some functions within Burp's in-browser interface that increased its attack surface have been removed altogether, including the Proxy history, the buttons to repeat requests and view responses, and support for the plug-n-hack Firefox extension.
  • Scan issue descriptions, including those generated by Burp extensions, are now subject to an HTML whitelist that allows only formatting tags and simple hyperlinks.
  • HTML scan reports now include a Content Security Policy directive that prevents execution of scripts in modern browsers.
Note: The security issues identified have all been fixed within Burp Suite. As a defense-in-depth measure, some hardening has also been performed of Burp Collaborator. It is recommended that users who have deployed a private Burp Collaborator server should update to the current version in a timely way.
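The HTML allowlist applied to scan issue descriptions, shown as an added illustration (not PortSwigger's code): a sanitizer that keeps only formatting tags and simple http(s) links and drops everything else, re-escaping all text. The tag set, the accepted URL schemes and the sample description are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: plain formatting tags (attributes discarded) plus <a href>
# restricted to http(s); script/style are dropped with their content, any other
# tag (img, iframe, form, ...) is dropped but its text is kept and escaped.
ALLOWED_TAGS = {"b", "i", "u", "strong", "em", "p", "br", "ul", "ol", "li"}
SAFE_LINK_SCHEMES = {"http", "https"}
DROP_WITH_CONTENT = {"script", "style"}

class AllowlistSanitizer(HTMLParser):
    # Rebuilds markup from parsed tokens; text is always re-escaped on output,
    # so an entity such as &lt;script&gt; in the input stays inert.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if urlsplit(href).scheme.lower() in SAFE_LINK_SCHEMES:
                self.out.append(f'<a href="{escape(href, quote=True)}">')
            else:
                self.out.append("<a>")  # keep link text, drop unsafe target

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag == "a" or (tag in ALLOWED_TAGS and tag != "br"):  # br is void
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize_issue_html(fragment):
    # Return fragment reduced to allowlisted markup with all text re-escaped.
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed sample of a description an untrusted extension might supply.
SAMPLE = ('<p>Reflected <b>input</b> found.<script>alert(1)</script> '
          '<a href="javascript:alert(2)" onclick="x()">PoC</a> '
          '<a href="https://example.com/ref">ref</a></p>')
```

Relative links are deliberately stripped to bare `<a>` here; a real deployment would decide whether to resolve them against a known base instead.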

Thanks are due to @_Abr1k0s_ for reporting the aforementioned issues.

A number of other enhancements were made, including:
  • Improvements to a number of existing Scanner checks, to increase accuracy.
  • When a request is sent to Repeater but never issued, the request is now stored in the Burp project file, so the initial unrequested item will reappear when the project is reopened.
  • The Proxy listener now accepts SSL negotiations from browsers that are hardened to support only selected protocols and ciphers.



Copyright 2016 PortSwigger Ltd. All rights reserved.