Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Tuesday, December 12, 2017


This release adds new granular configuration of scan issues:

You can select issues by scan type, and active issues are now subdivided into light, medium, and intrusive, based on the nature of the scanning activity involved in finding them.

You can also select individual issues. Whereas previously, you could select broad areas of scanning activity (such as "server-side code injection"), you can now select each issue individually ("PHP code injection", "Perl code injection", etc.).

If you select individual issues, you can also select the detection methods that are used for some types of issues, using the context menu:

This gives you highly granular control of the checks that are performed by Burp Scanner, and lets you create customized configurations for all kinds of specific purposes.

There are various other minor enhancements:
  • A "cancel" button is now shown during long-running filter updates.
  • There is a new option at Project options / SSL / SSL Negotiation to disable SSL session resume.
  • The "Copy as curl command" function no longer ignores any request headers. In older versions of curl, attempting to set some headers was ignored, but this is no longer the case.
  • A bug that caused automatically added SSL pass through entries not to appear in the UI config has been fixed.
MD5: 2d415e17f8bd99da3eb13a24b49bfba2
SHA256: e23cea82a18a1802ee0a9b95e6f4c4252cb42d02814296c438fc51a4e427c417

MD5: b380b4b12d1fec74fb7543c173b41b88
SHA256: abca4f8aaaf07b58692f3b12c5b3dd2e1d3e6e655c17691f99644bf799465f4d

MD5: 7c574f9cdb533b9e7e8c067d8c106db7
SHA256: 71b6f074e5c591247f043286e4b1b3a236b151c75ab7baae475c87d8485ef759

MD5: e75a5536122a2f5bb885fb8993e0ec88
SHA256: 9613c3bdfe53a17c2a0b3140aa9da78fbed6aa0e7cccc6c74dbe505991ae42aa

MD5: 1419145ca7d2a6da477363ac6f4a26e1
SHA256: bae9ce69491c20167a07d5efcbc2a1751ad83eb7b335d190d72ab8ac629f1b22
MD5: ad4afbacde19270b37aaff2336c4ae9f
SHA256: 9b5656905afbbd5f7a03197f9445d2aa9a0de14cabe5bd25cad6ec3093a47482

MD5: 283d8cc624e780abdffd89e558d392d1
SHA256: dd938718ba21e48bd07195f4bf074b0d249c8a3b56ba257d2e65674c8cf448a7

MD5: b20ee3a6d3195739c9dfa42d3db094cb
SHA256: 13e9210504c1a3c99d7d7c33c9a5b437f7845dd0d5929101a045c84a7b571d52

MD5: e0933d8cc9821fe9047218a464782d8a
SHA256: b5547c7fc6ce30870e47cb3e0cee20e17acbc3ff0f172c1917edc044d6c08422

MD5: 4253d70211421ea3e73ccc04f84bc720
SHA256: dbf9c831101ffab284d67f802b5fc7b920acaad9f596778615f369a39b5b1010

Monday, November 20, 2017


This release fixes a bug that in some circumstances caused the UI to hang after installing a new BApp.
MD5: aaa7b51924908481e72e32e5e1ce23fc
SHA256: a27d63bd2b1a91a59cd73ba413e742e553acd8f1235f77a5d76e6880b334e23a

MD5: 0b033bf218cc142368c624dd9e95347b
SHA256: ec475c8cf7e4b70f73ff53b3e5630bf9adcda033cb05552e266b54ffda514b2e

MD5: fd9710fd1725bfb9d9b5ccbba143a46a
SHA256: 5a1972cae097777e087acc20dae8a354f7450d25ec13fc4b6e10f57b1c4c4200

MD5: ed564ff8629732040c3105a65d3d8372
SHA256: 34e4ec423fd298bc5d0d0a8e73b989cbe7edde061ab41abe94ab53a94f4a9631

MD5: 0a7279ed37487e4b3cdd1242f4ee62ae
SHA256: be2b9cdd84648437b92e6702e01435d27764d3d8991904beff393b998d73dae1
MD5: e354845b4cacf6ae4c0621c23885c24d
SHA256: 376f65f5599c0131c539a4f20a55e5e41f0e4386188b3bb14ca4970edccc945c

MD5: e75f8c499e228bc55b13d41f0ef0c52d
SHA256: a9f33093b476b771a9fb1548e304bf134e916b88b28363ba965de6a93127e6f7

MD5: b5433f10a9022bf20429ce0d85b54e98
SHA256: cd6d9d03d5db4749e9fe52fb998978d401202eaca3d30cedc4c374d30e297dab

MD5: 3f9c1cee595e7cf3124af2b6862a33c7
SHA256: edf675b6d576cde168594a13500b05eb851faceb8a04c980294d7e1a2e9cfd00

MD5: 58c1eb6babf578f301ffcbc244b893e0
SHA256: e090c55f757560754f678b1f4bebb438909470ce56f86cad21917a1cc34ff113

Wednesday, November 15, 2017


This release introduces simplified scope control.

Burp's existing scope mode employs complex rules allowing you to specify each component of the URL individually (protocol, host, port, and path). You can specify each component using simple expressions, wildcards, and regular expressions. These rules are sometimes complex to create and interpret, and are computationally expensive to apply.

The new scope mode uses simple URL prefixes to define what is in and out of scope. Wildcard expressions are not supported. However, you can omit the URL protocol to match both HTTP and HTTPS:

The new simplified scope control is flexible enough for most purposes, and is enabled by default. You can still enable advanced scope control if you require the power of the old-style scope rules.

State files no longer support saving and reloading of project options. Only project state (site map, Proxy history, etc.) is now included. You can save and reload project options via project configuration files. State files in general are deprecated, and Burp project files should be used instead.

A number of bugfixes and enhancements have been made:
  • A false positive for external service interaction, from certain Collaborator payloads placed into the URL request line when using an upstream proxy, has been fixed.
  • Burp now includes the SNI extension in SSL negotiations even when the hostname doesn't contain a dot.
  • Burp Clickbandit has been updated to fix some issues on Chrome and Edge.
  • The BApp Store tab now shows the popularity, date of last update, and link to source code on Github, for each BApp.
  • A bug in the sessions rules UI, where session rules' references to macros were not reflected after reloading settings, has been fixed.
  • A bug in the filter UI, where a entering a long search string caused the text field to outgrow the window, has been fixed.
Burp's colors and graphics have been updated in line with our website. Additionally, the free edition of Burp has been renamed to Burp Suite Community Edition. We are planning some brand new editions of Burp in the future, and the new name will sit better alongside those. It will, of course, remain free of charge.
MD5: d1525fa91a378932f314f271b94a3b1b
SHA256: e26c12ab11914e5d73d3bcd8e9578b789c59ee87200845136f9b6d5a238074ac

MD5: 973151867335371aa686e44996961ec6
SHA256: ba1aad6c20104db4d14d4bc6b48302d4099ffac3180942b0b090831b25df76f8

MD5: 762443b04893cbbce69b5e30ec01e156
SHA256: c2e8224c2b32eca82e3fe8b08c498ce201ac4aba911ab3caafc9e521cd8f8b2a

MD5: d91ccdaa68841977335c0bb714eba3cd
SHA256: 31e627fd936510e8180238e8061069d9a614cb3d20479ebf50302a1152fd9707

MD5: 80f25bf5100d3d44ce78970e147c8b96
SHA256: 62055dd967a6ca352a7e661aebe1c0300c61db94beab2f2f9fd3711c5204412d
MD5: 89672c80f81a35f3db1fcb9ae4b5260d
SHA256: 3c80d0643812946c6fac98bcc2cdfe898bc7f596ddf96605ffc81ee2ec9a246b

MD5: b8039f9228f9071fae50695de6ad7af6
SHA256: b1a915f8c9893c410cd010547fdc7ded1bff42648e767f6775223624afc56794

MD5: 11595cf3d7f1e2db998bae4309ea2b03
SHA256: 3092692f47c396fa81d5d536a0108b91e10599fe80c12421937175be3bedc401

MD5: b2446f640421a8c5902ab0427df45c06
SHA256: fc15ada5132d452d95a2ca79f9bdafa160a8d8eae6e64ca677db749b8eccb2a2

MD5: 7d9cc726717f83166266f4da6e4da173
SHA256: 6070248eac93d0fa52708a5bd8d8a1d2660fb933e9f1dde1e95eb8e7b8fa8e9b

Thursday, August 31, 2017


This release adds various minor enhancements:
  • There is a new hotkey for adding an Intruder payload position marker. This is not mapped to any keystroke by default, but this can be done at User options / Misc / Hotkeys.
  • There is a new option on startup to disable extensions. This can help resolve situations where a misbehaving extension causes problems during startup.
  • Burp Collaborator server now responds to DNS lookups containing the subdomain "spoofed" with the IP address This is to prevent the Collaborator being wrongly incriminated when a server being scanned is vulnerable to client IP spoofing, as happened here.
  • The option to strip the "Accept-Encoding" header in incoming requests to the Proxy has been modified so that it normalizes the header to a default value rather than stripping it altogether. The previous behavior caused problems with some WAFs configured to drop requests without this header.
  • The default max heap size requested by the platform installer has been reduced from 75% to 50% of total physical memory, in order to prevent OS performance issues on some platforms. This can be modified after installation by editing the vmoptions file in the installation directory.
  • MacOS App Nap has been disabled as this can cause Burp's automated activity (like scanning) to be suspended when the Burp window is in the background.
Additionally, a number of bugs have been fixed:
  • A bug that caused temporary data saved by Burp extensions and the sessions tracer to actually get stored in project files.
  • A bug that caused the Spider not to honor the "Maximum parameterized requests per URL" setting.
  • A bug that caused some lightweight popups to have full window decoration on some Linux desktop managers.
  • A bug that incorrectly handled loading of IP addresses from file into the scope configuration UI.
  • A bug that prevented upstream SNI from working when proxying traffic through Burp from an Android emulator.
  • A bug that caused report generation to fail altogether when it encountered an incomplete issue due to project file corruption.
MD5: 99e7126d8fd9c56a78e8a3464612e3c7
SHA256: be1b9c4c6c4d25a3d11bbd3ffff845a9ed3b2a1e7740c72ab89a913283eaad86

MD5: f48beee2667ec767ba733026e23043ce
SHA256: eb215ee1a453634685d5ec302ccd9c07031869ca72c9f2cce10cc8dd6c9989a2

MD5: b55145e3a432e78210a27f8cb8228bc3
SHA256: c7850eabdbacee1fc2e40b93d4f25503cbfab4c3a636063bb0f18325bbff1654

MD5: 92ad1d2b3166450d26601180793e65bd
SHA256: c07203e145fc475c80edb3fdf534e9880cc223d3f7ba581452f832b5bd7325d5

MD5: 2c458b547ca73c8912390a606722ee95
SHA256: 217596f1d59e6e535227b7837fc2126e948fc6eefe1bf5b470fd90a7a3592bca
MD5: 7543adff4ae24f7e9a32742232eb4443
SHA256: d73d89f51fa61085788f095f7177d26b930066cf57422ab18657191354111f75

MD5: ec600536f24455f8ad8f20c3e600ffbb
SHA256: df5fdd580ba1bc777d0ffa9a79e66a5171fce879af04d74d54ce9b9c884b559e

MD5: f579b2b8692dde5d0ef6388d91a98d55
SHA256: 9f5fcc2d0a10e00ef67632f49a12499fcd1730d738c67b9c323e2a7f0c345ab9

MD5: 54cbe4b8ae891a125a661d8c26b17181
SHA256: 3131d6b62dc6f43f306442327d3b3cecd0ef75897fc553c9a1a66629ceef982e

MD5: 562fe599a8e3586f29c0e8cad2e41498
SHA256: ca3f2b2929d8eb048e1f9a0f9103105cd032edbbe94b110420d9ce1d6495f09f

Thursday, August 3, 2017


This release adds a number of new scan checks relating to file upload functionality.

Burp Scanner has always treated the contents of a file upload (within a multipart POST request) as a regular insertion point where payloads can be placed. In the new release, various additional checks are performed on the file upload:
  • Some new payloads are used to upload files in various formats, such as PDF, SVG, HTML, PHP, and SSI.
  • Where relevant, Burp now modifies the file extension and content-type fields in the upload request to reflect the type of file that is being uploaded, so as to maximize the chance that the application will handle the file in the desired way.
  • Both in-band and out-of-band techniques are used to detect vulnerabilities in the application's handling of uploaded files.
For example, Burp can now detect server-side rendering of uploaded PDF documents, by using some embedded PDF JavaScript to trigger a Burp Collaborator interaction when the document is rendered:

The new detection techniques all lead to new versions of existing issues, notably PHP code injection, SSI injection, reflected XSS, stored XSS, and external service interaction.

Note: Some updates have been made to Burp Collaborator server to support the new scan checks. People running private Collaborator servers should update these now. As usual, Burp will show an alert on startup if the configured Collaborator server is out of date, and you can use the Collaborator health check to determine this at any time.

A number of bugs are also fixed, including a recently introduced bug affecting NTLM authentication.
MD5: a7b86742d1b7e63f56a7f0d713eea4de
SHA256: 4ad9c1a01f9428b77a5af70d0f2035029af1cf6cf28aed44493cb9848926dc32

MD5: d046d7cf3892a4c67b68a29e4af33c66
SHA256: 859b1625e411c58b6b6d64f8e7516bc74449849ceddc082622f8cfa4ddffe36d

MD5: 1ce58a5dc102f013b197972e023f2bd8
SHA256: da3f6386339d1ef3966f8c5598d9b6259d85e4b5ae99fce795198bd73bcfadd4

MD5: d3ab9ced8c2be6ff7d63b1dc4238685c
SHA256: dc29bc8850962fdb7ca0278e9b16a24e3fb3f500fc7405970b576ea5f8247588

MD5: 8c4873f0d7b81919b07cdc62822204a9
SHA256: 9424941730379d394fa8fe6df2dc1393c13df12fdf0fcab484ebadb1ecc75c6a
MD5: 495c3c1de6f8d4ba9b1eb44eadf28e9a
SHA256: c3b4eed80b6ec52e40ef973235fde22aa752f7a3e52e3c5238271c9cf15631da

MD5: bd22ac1d8eb6fbefda3397f87882ad83
SHA256: f85687cf68b8d9cac45fd3eca9eabadf710aa711dc3253abb6f05a3d681327fc

MD5: 5d1cbbebc7fb59a399ae7bcacbe05f74
SHA256: eb3edd7bde5b335ac463136a5b0ce54f5e9dd8971a25fc73477384f5e0ae3b1a

MD5: 89db4bc21a2b6857add677a7184f4e91
SHA256: 48a87db46976e7a8d0eb5668a0d18d42939f812b8830c754b5d59275ad001121

MD5: b208bbe5d46048c914f93791c4432530
SHA256: e42bd27853fc59de5e645e7868b66a82eadef89c1ec7a504b5d8083536973d5b

Thursday, July 27, 2017


This release adds a number of new scan checks based on our talk today at Black Hat, Cracking the lens: targeting HTTP's hidden attack surface.

The new scan checks use various techniques aimed at inducing vulnerable applications and infrastructure to route requests to a different destination. This can lead to serious attacks, for example SSRF against the application server itself or other infrastructure components. The research behind the new capabilities quickly netted us over $30,000 in bug bounty payouts, and demonstrates the huge power of OAST (out-of-band application security testing).

The novelty of the new checks lies not so much in the payloads themselves as where they are placed. The new scan checks send Collaborator-based payloads in the following locations:
  • The HTTP Request-Line (where the requested URL normally appears).
  • The server name specified in the SSL SNI extension.
  • The server specified in a CONNECT request.
  • The Host header.
  • Various other common and not-so-common request headers.
An example of a reported vulnerability is shown below. For full details of these and various other techniques, see today's blog post.
MD5: f66087ddd397d3b293468d308c512882
SHA256: 86a601aa79d8ef7353b5553cf72f32923ce6a1c9824c570bdc55734960c2ebf4

MD5: 7d4d7ce37c03198db796b8ce2e33ff68
SHA256: bd1153672fab9250e3ab313f239948f37271f45d63c30b02a41cf2652f735c88

MD5: 6995f2f0a24b014a6708f42657be7086
SHA256: e3df386479dac58a27ff436ee2a9508f0c66c8c3053b40b38f524104b9ba2990

MD5: 7a04f8454ba3d34299748c18184da08f
SHA256: c4290923b9e77db55b436e0d2f932277aa97d7dace56b3464f1ec515670d0e5d

MD5: 07dad6f191ee8335c1d5e131102e9dc7
SHA256: ebfd26f0396a1c38826b83ad98e3242f7a2964bf85aa7acb886f73278921eb39

Tuesday, July 18, 2017


This release adds a new feature to save a copy of the current project.

You can choose the tools whose data you want to be included in the project file and whether you only want to save in-scope items.

The new feature is useful for various purposes:
  • You can begin working in a temporary project, and later save it to disk if it proves useful.
  • You can save a live backup copy of a disk-based project while continuing to work.
  • You can save a smaller copy of a project after refining your target scope or deleting unnecessary data.
Note that after Burp saves the copy of the current project, it continues working in the current project. If you want to switch to using the newly saved copy, you will need to restart Burp and select the new project file at startup.

Some bugs have also been fixed:
  • A bug that caused SNI not to work with upstream HTTP proxy servers.
  • A bug that caused the Burp Infiltrator patcher to cause bytecode corruption, or fail to patch at all, when certain unusual bytecode features were encountered.
  • A bug that could cause remembered user settings to be lost if the user closed down Burp during startup.
  • Various other bugfixes and enhancements.
MD5: 5ca9ba7734ee97fbb8b1bd2343e94b72
SHA256: 37130dbff32c552c5ac20e2855515217ffc1e7285aae6d12f862d026b3365896

MD5: 5b9a650f0eeda7d5a477836f8e768a91
SHA256: 4edfbf71499ffbaa5baaac04db6eed995537ca39da98928e649e6922abff1f20

MD5: c9d2945ce3da7d6965745128c96ae5d9
SHA256: 265642d84921be9298a979fc963382e845c629c2effa76827ca54394a447f8ac

MD5: 1fcccd74d654c28356479cb2c99528e4
SHA256: 68ac0a547eaef6d2b3b80ef957022270dcce98452fec42795489b4cc00313042

MD5: c93e28ea48cad1df0171284a02be8086
SHA256: 005d16f08047062fb6bdee6deabbbf13eee63d14188d8acfa073ffd8cb032db7
MD5: 255fc4175b53f354f1c871ff96d49cdf
SHA256: e468618b8d06ac3b661a1df49aa2505a47f2d12e36edbddcab3dab9683422a01

MD5: c75615e238d49c63a1443692d25ddd18
SHA256: 4704416581977d01c3da66c5d3450e0ec1d7366ef871ddae49df17039357d173

MD5: 0c88ca1dccbb70e40ee5484a9ba36879
SHA256: e47eb6be8a54684623a8494cbffac4ced49f3228f3ad1c898e7bf54ff671b550

MD5: 3b6e9252deb81ddb44412c119271ad64
SHA256: d49f840c3d820175907a56033432f230ca392e4aad2ff01fc70418d5a1dd764e

MD5: f65275ba3316348079b95c032195db17
SHA256: d60550e64089dda0e5e786d80f8fc9862be4de2b8f5397fdbe7e48f8d310e0dd

Monday, May 22, 2017


This release adds the capability to report a number of new scan issues:
Burp Infiltrator for Java has been enhanced to correctly deal with some kinds of edge case bytecode that were not previously patched correctly.

Extensions written in Python and Ruby can now import libraries located in Java JARs. You can configure a location for Java libraries at Extender / Options / Java environment. This location is now used for extensions written in Python and Ruby, as well as those written in Java.

Various performance improvements and other minor enhancements have been made.
MD5: 72d9d7cddcc01e1f7313310deca24e8a
SHA256: 5e74b38ea51007009a1d8f19ccdb5dcfcea632b9895b41019084f5df0195cbd6

MD5: 758cdcd6fa227bf0028f35834a7cda5a
SHA256: 15fe5ac4c2d0f0aa62c1c470a237be669024fcab4aefa93f7d753992dc25d5f5

MD5: 0943306c0d1434ff79febf34210fb87e
SHA256: 5611badf74b68898d7270002acc796683365113c915e78374276de6475c403f9

MD5: ff903ff72e93b9ca44565388e0577e3a
SHA256: a71a165df2644cc829eabfaa01512f7d316b4f73a4a25cc4c8f4c0d6109b7c79

MD5: 2cf7aa2499647075b7b6b490b71e1b4e
SHA256: 7fe95e194622df38c8924484c43cfceb1ef5cda21a23f8e5ab392b6b0954fb79
MD5: bbd18a2bed12b8289bed27bb3870bbf3
SHA256: 642d597774b369120ede5d5251ca59203a2ccdfeafaa39e4620b60f60ffa8818

MD5: 69c13296d7411d00b5d376460b593277
SHA256: 09891adff1f7e39213167190fdb96641b7e5c2128431a45ffe43d436a21b795c

MD5: cc37820971ae74b32429ef962711e0b5
SHA256: a9e97e0d83b7b29db20f27b3e931e99ce64313206afd153fcae101a8c957eaea

MD5: eaa21157d1e2c4c898b225cbc6ead0a7
SHA256: 41a16a19e2486eaac7ef567fc3b719cfeb5045b70107c3dfbac181f06ae2fb9d

MD5: 63862e13eefe2516ee447840b1368049
SHA256: 0913910cfcab3571f350d46a326c749191d73917b4679fe227da1c42999d0ff9

Friday, April 28, 2017


This release introduces Burp Suite Mobile Assistant, a new tool to facilitate testing of iOS apps with Burp Suite. It supports the following key functions:
  • It can modify the system-wide proxy settings of iOS devices so that HTTP(S) traffic can be easily redirected to a running instance of Burp. (Supported on iOS 8 and later.)
  • It can attempt to circumvent SSL certificate pinning in selected apps, allowing Burp Suite to break their HTTPS connections and intercept, inspect and modify all traffic. (Supported on iOS 8 and 9).

Burp Suite Mobile Assistant runs on jailbroken devices running iOS 8 and later. For full details of how to install and use Burp Suite Mobile Assistant, please see the documentation.

A number of other minor enhancements and fixes have been made, including:
  • The selected column ordering in the Proxy history is now remembered in user-level settings.
  • Editing URL or cookie parameters in the "Params" view no longer loses the request body if it contains JSON/XML/etc.
  • Performance when deleting multiple selected items from the Proxy history is significantly improved.
  • Some memory problems encountered when scanning items with huge responses have been addressed.
  • A new method has been added to the API: IMessageEditor.getSelectionBounds().
MD5: 14dbd70a89460e54df480e9affd0e470
SHA256: 79dac5ec342dc037464496371129b29bc794d186dd36cbf447b96a68af7e0acf

MD5: 74c5f13c271039a01111458ac0d37244
SHA256: 938c7e7cb79477ce69a772e476d120b95963bd249801c63d65b330a220f57f6b

MD5: 1608a8e5c88271975ca66e5f4d122147
SHA256: 4f67942b1b5588f7c9707ea61a6de1b1d83f9496ab6a5532685eccaf1d0f0a4c

MD5: ec4bf216313865cae2f66078c0757b8a
SHA256: 487de9dc34a2638c3b1ade0e1765f10e8e8359b8b42f07610a22850cbbb5881f

MD5: 2fc257b38664d55d6d87d1de8490695d
SHA256: a0f9c5511e31af8570673861307100788d8edef6c8630944c22594d2a4952b98
MD5: 795d2bee9bec97d241243b4a24fa8779
SHA256: 915d9471ce9a00361b539f9fce1bf4175bd48c051264f3073178cfe71879e6d0

MD5: 94ab0c655589555e5abcbf4978bbdf4b
SHA256: 7cf1edfb508be61e5042669df7e3ee95335e18c6d089ff47767eab401db0e069

MD5: 5f9edf88e239d2f9c2c512f12675905f
SHA256: f6d38f66fdc9d33c719967754353580abfb84ec841b5cf86f513b129559fe435

MD5: 77ba365f8200a93a273e9a2fd6b86592
SHA256: 0e087cbc627d436c14b7e6688aa6b71c74ac3e648e0283f535e915528ac0382c

MD5: fdf1ade757bb41e2500aa55d27d024f0
SHA256: 776e418e64c7aabe3ad43a638dfd2ff4857f30cf5baa92ce7fca5e8f6249a646

Friday, April 7, 2017


This release fixes a bug that was introduced in 1.7.20 relating to configuration of SSL protocols and ciphers.
MD5: 277623002d675591590eaabc0ddc4f6d
SHA256: 92f8f3127ea7503716528e57e849c5514cfd41692d3ab77346d3b23ae98cb847

MD5: 97a21a2d67f77269260cec2d3d39c1c3
SHA256: 54160c183789824d9a75d5dce61990299bfbd2d3167a886b64edffcebef37591

MD5: a44cad25fd5e60f7523d5ca85754f8ad
SHA256: 2824d7651686c65d6161ba95047a2ccdc208bafb2b3b3cfa57132ff84b63cc53

MD5: 38272e3241413c6acae2d659c86ff7e9
SHA256: 94ff5c029ddf273ec79aeda5e49b4623a339ea07133dd773e9e81fc5404aab2f

MD5: b096337d370e28c8f809f73821572ed7
SHA256: e3fa9c8e097fb368569bdd6a24257e7a46a35e6c1f2b072c2ef12496c3981187
MD5: 28d91f937c013c39cd98bedb820016d5
SHA256: 0e5fe4325b7d6a6a65e9edb67e431dc435fea8198e2e701bd7aa398f4168e920

MD5: e4d7a02ea503819cb184ca37f9682499
SHA256: e98593ca2a76e6f6d9b0804cbcab55d8f0a574f83131a326415c2f8f1c67898e

MD5: c7d75718a8b7fe4d0cd9e7f94053a54d
SHA256: cdac5303caa21f9a1c10ba266fc0a8bb14b2b83a495451a6219114eb6b509dd4

MD5: 53295bc1ee8c57882bf239b4b2fc2c68
SHA256: 4677fec46904d597652f0f91fb3965aaa1b577161912165554fd9138bcb6df98

MD5: 63dd904695372c2c62a83da76125e31c
SHA256: c8e9a6a72d97b4f609dc279159e8e04ab5f512435d23925f074c89ae16657448

Thursday, April 6, 2017


This release considerably enhances the detection of blind injection vulnerabilities based on response diffing. Various Burp Scanner checks involve sending pairs of payloads (such as or 1=1 and or 1=2) and looking for a systematic difference in the resulting responses. Previously, Burp used a fuzzy diffing algorithm that analyzed the whole content of responses. This approach has various limitations that can lead to false negatives, such as:
  • Small variations that are insignificant in the context of the whole response content are liable not to trigger the fuzzy diffing threshold, despite being highly significant when their precise syntactic context is taken into account.
  • Situations where application responses vary due to non-deterministic or unrelated factors can lead to large variations that trigger the fuzzy diffing threshold for all payloads, thereby masking other variations that depend systematically on the supplied payload. 
Burp now uses a more granular diffing logic that takes into account all of the response attributes that were previously exposed in the analyzeResponseVariations API and used in our backslash powered scanning research. Variations are separately analyzed for attributes such as tag names, HTTP status code, line count, HTML comments, and many others. This granularity avoids the limitations described above and dramatically improves the accuracy of blind scan checks in many cases.

Additionally, several of the payloads used in diff-based scan checks have been enhanced to ensure that observed differences are indeed the result of injecting into the intended technology, rather than other input-dependent logic. For example, some web application firewalls (lamely) filter input that matches or N=N and cause a different response than is observed for or N=M. Burp's payloads are now intelligent enough to avoid false positives in situations like this.

The scan checks whose logic has improved include: SQL injection, LDAP injection, XPath injection, file path manipulation, User-agent-dependent response, X-forwarded-for-dependent response, and Referer-dependent-response.

We welcome feedback about the real-world performance of the new scanning logic, particularly in relation to false negatives or positives for diff-based injection issues.

Burp Proxy's generated per-host SSL certificates now include the site's commonName in the subjectAlternativeName extension. Apparently fallback to the commonName was deprecated by RFC2818 (in 2000), and browsers have recently decided to implement this.

Burp Collaborator server now has a configurable logging function that can be used for diagnostic purposes. See the Collaborator configuration file documentation for more details.

Various other minor fixes and enhancements have been made.
MD5: ed0d6a96f043ff4143dd28af3b07bec1
SHA256: 0b0053019f451132872d91c3c94bbad64b57e6990716b74f4724d187afc25900

MD5: ecdefeaa0359a25c1efd320bc7ca0b71
SHA256: ac576e85e7e02b6b4bd182198dac29289c171d6e5bf0dffafe1321b67a066364

MD5: e4074c98e1e3e41a2cb4777c83aaf2e0
SHA256: d5d7c93940507fce4ed6db5c0e422ae02bfce0f64af85a92b639054feb81d052

MD5: c4d8375750ac90b551d5dd48c4cce393
SHA256: fc61aafe3f5505db3abe8d370e04293aebd2340dbf6d6d825e75073e7f2ba4a1

MD5: 2f1f672f30bcc8d41e1b387d9402c478
SHA256: 68c182dc44e7d36bc3327b7103b242666b2b083adf096d7d314c119f94904a13
MD5: 7998e5b00e7308dae89fff7b2a6d3c8e
SHA256: 38f05f214b3292b6049c1f33446edba856b2c2d8fc083891c9c8566600016dc6

MD5: bdee19ebbccb76832b1ca79c9dd6f02f
SHA256: 161f69be4c5da6a6de927030d25a72da020e5a81a6c5419c25284a6b41b65808

MD5: 8b2751140a2a2c4f7dc073df122f9a73
SHA256: 5fd7d81ec4a5d0ec50aa3e4a37d26af17faea754b8a5652f9fc9e6842989013b

MD5: 52f0d409464ace54e00dc850be6e0fd5
SHA256: 463a6304978f000ee7fa62c150f4281784669481225ac65d3fe7fe4e3fd8a3ac

MD5: 9ae37b24a92237eea212d919a5161b87
SHA256: bc61f7bc1fa8e0e408a5cf1ebc83688b68d144064f584d15ef66af48e3d606ef

Wednesday, March 1, 2017


This release fixes a bug that was introduced in 1.7.18 that prevented Python and Ruby extensions from loading in Windows.
MD5: fbae4fd9f8e9a58dda009266c227be5b
SHA256: 45a4092218cc79cb41e008de12a5ff7ca539560df7f71097bbfab3b7f1c5c187


MD5: f41f66d2257d2155388fdf6ebc2c8020
SHA256: 0ee69e71319c6279f7c47baf1b9a3000350b3349a854374191bd76cd7ad7e6fa


MD5: bfb0dfb33b175b2eefc96694c1a635b4
SHA256: d00ab78507ca378dadf3c43153c014e87ba16f52487cb3091fb18de68fd57da6


MD5: 02e5771798b6d53264adebc972401e0b
SHA256: 867383ecdaa932ebc87a6b946dbfa8060d9f0834c6f42f0ea1232732a799b5ae


MD5: ec3545997c7e669e6ff27c3728c2d170
SHA256: 2aabd7dce50ea07b7b538ce54c751316440246499f28afd77d5946da60002f5d
MD5: 2bf759aee934cd2049f4aa68d86c1935
SHA256: e6fdaf42ec67eebb392d137ba914ff1c18920d6225646068e092fc7f8bb29c03

MD5: 49e50f15d148fd60ce05d0a719b79f78
SHA256: fbb0c14f038439efa48ba098281588aaaf336e1740ef2a2f2e5d2ec6144339c9

MD5: 8f8e1c809f3865ba5ee0d9f5ee901333
SHA256: fe2a486fe4c9cf33ea57af3a6a96ecbae15e69ebcbe3bd935d3cf314c0d2e3aa

MD5: c3e6e6afab4d948225939dca9c186e3b
SHA256: 8eec4e7f787cefb69c4292e2025d52a052e5098a59652faf5510cacda5b1e9a6

MD5: 545daea08c0b40a5010e7ad03c6acb28
SHA256: c589d98782f51f080938797f20935f8aa85be63348c9651c197565f4911d1c48

Tuesday, February 28, 2017


This release adds a new option to prevent project data being accumulated for out-of-scope items that pass through Burp Proxy.

It is common for users to configure their system-wide proxy settings to send all traffic through Burp, with the result that a large quantity of irrelevant requests and responses go through Burp Proxy, generated by OS components, other software, or unrelated browsing by the user. With the new feature, you can prevent out-of-scope items being added to the Proxy history or Target site map, or being automatically sent to other Burp tools (such as for live scanning).

The new option can be turned on at Proxy / Options / Miscellaneous:
When you first add an item to scope, Burp will ask if you want to enable this option, to prevent the Proxy from sending out-of-scope items to the history or other Burp tools:

If you check "always take the same action in future", then Burp will remember your choice and apply it automatically on future executions of Burp, when you first add an item to scope. You can control the use of this setting, and whether the dialog is shown, at User options / Misc / Proxy history logging:

A large number of minor bugfixes and other enhancements have also been made.
MD5: aa8969a7b564bf5713afb7ee6be7584d
SHA256: 891545d49099d8d2b636ad8f72ac54b2c615328fe55381f95f6de9a8296bc634

MD5: 4c76a10ea231eabf30950cc731a4bc7a
SHA256: edbd7ecd2bc80a72010c74780252c9d9c3be1ec8f9ee863924f115c47020a28a

MD5: 95ba0c1cb3b0de11a0bbc391bdb565bf
SHA256: 4dbb88e1bf69bc2ea02cf8d34198a7ca96b626a0dda87db71c6f83a738a1ff49

MD5: 19706e3b0919d5a9a9f33076900176fd
SHA256: ab35ad872adfdf390a7a71b1f855acf88be16d7df677f2ad1473342e8cfbf68c

MD5: d9fd8166a7f1eb6b4ed9ee5603705876
SHA256: 1fd91819c892ad9ead96004145af835406f24697e8ae24e977572aa1af52e2b4
MD5: 1a2b9127d2e97f140352e26514b450eb
SHA256: 3077a3416d312867c71b3eb43ac975b254bf457d1beea50a0be18653355f2af6

MD5: 721aab10d94b60983d0007d6312d4c8c
SHA256: 45101ad919943ea7d54325e0f399b195f19efb06d53424f16a08f454da8f43e0

MD5: 2c584dad187b623a96def1ddd697904b
SHA256: fa37d8e84cb7d8933929f59486ef785530091fee6f99fa0c38107efd0ac6275e

MD5: 3bff1e18963f8be977fbc18fdd2a2c7c
SHA256: 8a85245912d3b74de1a9daa61feb74c46950d88672453c5b24f899d9f6c39964

MD5: 8ddaf43ba0673bb926e83e5b46999553
SHA256: e04d9a4d7f59e47629183ae87c2d77617c9c083e7f3df947c160e954396bca0b

Wednesday, February 1, 2017


This release adds various new features and addresses some issues.

There is a new Scanner check for suspicious input transformation. This issue arises when an application receives user input, transforms it in some way, and then performs further processing on the result. Burp reports reflected and stored input that has been transformed in the following ways:
  • Overlong UTF-8 sequences are decoded.
  • Invalid UTF-8 sequences containing illegal continuation bytes are decoded.
  • Superfluous (or "double") URL-encoded sequences are decoded.
  • HTML-encoded sequences are decoded.
  • Backslash escape sequences are unescaped.
  • Unexpected transformations resulting from submitting any of the above payloads.
Performing these input transformations does not constitute a vulnerability in its own right, but might lead to problems in conjunction with other application behaviors. An attacker might be able to bypass input filters by suitably encoding their payloads, if the input is decoded after the input filters have been applied. Or an attacker might be able to interfere with other data that is concatenated onto their input, by finishing their input with the start of a multi-character encoding or escape sequence, the transformation of which will consume the start of the following data.

Various enhancements have been made to Burp Infiltrator, in response to feedback from real-world usage:
  • A bug affecting the patcher when running on Java 6 or earlier has been fixed.
  • A bug that caused the manifest files of some nested JAR files to be lost has been fixed.
  • A bug that left invalid signatures in place after the relevant bytecode was modified has been fixed
Burp Scanner's issues are now mapped to CWE vulnerabilities.

There is a new command-line option to prevent Burp from pausing the Spider and Scanner when reopening existing projects. To prevent this, add the following argument to the command to launch Burp:


Various other enhancements and bugfixes have been made.
MD5: b9371185454563e5ca279ab80d5fdd28
SHA256: aae6d011211313f9408de431c7ac3fe230d6d0d61c038add3778b453ad33e9b8

MD5: bb3592dd77027d583be6081988e48522
SHA256: 77740b44eebba7dce56cc866380a7cf94fca4536c22d14edb183d2f7f7a3177c

MD5: a572b5b026290335f8b5d2dac0766dbd
SHA256: 2bd6c8f09ad657716e95191ac4841297f268ca5ce279dd164b0d67ccd375683d

MD5: fc1bb251a9ec7685160cff3fcd5119e3
SHA256: 4b54fbe77bf8e89508316731f621ba03a25dd224fa7f3855e7a6db8dd653a5df

MD5: 8b40a5bdf55848329ca9f9eb9b3e7154
SHA256: c8c4c8cb3156d523e3f5630b0c1500df05eb4a0297bdcd23fb00e0853467bf7e
MD5: 408d063f42f51ea027bb6a5014ae58e6
SHA256: f18ad7d5873ca4fa29af04e8cd9ce967792377366b74edc5943014440f2cc815

MD5: 83d6022c7b739c346b14897ac491e8a0
SHA256: ea41d8afeb1f621ccfa15d56d4bb8a0a72d5fab3dabe4164696527ae692df4db

MD5: 1af427b18de46c38410b46fb5a3f8080
SHA256: 603ca7adb8561a73c6ce49c463c8e8bee36c9ae88422f53b9af5fe5136f80aec

MD5: 36567e3a4b010d981d477be97c924753
SHA256: ecc64b14e64225bd54429a283cc184f5febea93d1eac531cda302d2defcb48f5

MD5: b9c142ffff80cce82c54e3ed3ce17814
SHA256: 96fc23d40efbe386217ce71c33a68a31fa589f13443a25c2bb5842c55d6fca0f

Monday, January 16, 2017


This release adds various enhancements and fixes:
  • There is a new command-line option to launch Burp with a specified user configuration file:


    This can be used to set any user-level option, including Burp extensions to load. It is useful when running Burp on headless systems where there is no UI for configuring user-level options. By creating a suitable user-level config file, it is possible to launch Burp on a headless system with specific Burp extensions or any other user-level setting.
  • Some recent changes to Tomcat cause it to reject a wider range of raw characters in the URL query string, going beyond the standard practice of browsers and other web servers. Burp Scanner and Intruder now apply URL-encoding to the relevant characters by default, ensuring that their payloads are accepted by Tomcat and reach the application code.
  • A bug that was recently introduced that prevented license activation in headless mode has been fixed.
  • The Content Discovery function now correctly handles applications that have wildcard behavior for file extensions (e.g. those that return a specific response for regardless of the file extension). This eliminates the only known false positives reported by the new Content Discovery engine.
  • There are some new options in the Proxy for stripping request headers that offer to support encodings that may cause problems with intercepted traffic in Burp. These options are on by default.
  • Logging options have moved from the user level to the project level, and are now included in project-level configuration files and project files. This means that you can enable logging on a per-project basis and have this setting remembered when reopening a project file.
  • Unicode characters in URLs are now properly handled in the "Paste URL as request" function.
  • Various other minor bugfixes and enhancements have been made.
MD5: 6a1d1e734e9191b4eb8476b1da691597
SHA256: e2d30656bf3f6b51d48c212853ef0f1ab85a62850d398bfb40e616173eb2b023

MD5: 2ef30460b9609ff1c8692453a4f4ed35
SHA256: 9aa48e63d66e701a17db10bd47f12c899efc68213f4d32d29472e8ddd857fa07

MD5: e71679acf722df8f54a66df7bda1c5a4
SHA256: eda1e4ff9db2235cb2a3d2c7637c79d00387a862c82f839f042f4ee4d62b949a

MD5: a8d30d750458339a58165eda96a83b96
SHA256: ae0f3dd56005e5f7ea4e9addf4be448fcf50f321fb07148d9140d83a54f8b4f4

MD5: 60c970dc6830d1ad4a6080b88012d94f
SHA256: 655241b5da121cc34c7b3962f2d654cd029efebdc46aa6d80ceda7a6151e2019
MD5: 47d11b07fe7b385dd1001b326efb5e79
SHA256: 2acb901751a81411a73edd8e15bbcc5b8c6167faae491d88a8dced56747043d1

MD5: 4aea2396b922299976884414a0931dac
SHA256: 3e9ef1b58e9fd6aecde614b61a9a61f0a86f03ac123d1d81e11c60a5dd61252c

MD5: 647c2992b7c6bc463776a13439af2765
SHA256: a281b6101c0fbec7e07c9165a2865978a6c380f4471ff53d9256cba028b08c7d

MD5: af74d8e21dacb022f8ae76a65456c7e6
SHA256: 9187bcefbef1ea7a5ac6bbc9c76db8d0a53a8922c1251401775a8f6faf323c5d

MD5: b3962e75638ec65dcc17e4c6d4305989
SHA256: a7bb5f4a1af3ab27350d54c8567becd4c4ff96a79f0efb2bb951e67e7dae6f52