Wednesday, February 1, 2017


This release adds various new features and addresses some issues.

There is a new Scanner check for suspicious input transformation. This issue arises when an application receives user input, transforms it in some way, and then performs further processing on the result. Burp reports reflected and stored input that has been transformed in the following ways:
  • Overlong UTF-8 sequences are decoded.
  • Invalid UTF-8 sequences containing illegal continuation bytes are decoded.
  • Superfluous (or "double") URL-encoded sequences are decoded.
  • HTML-encoded sequences are decoded.
  • Backslash escape sequences are unescaped.
  • Unexpected transformations resulting from submitting any of the above payloads.
Performing these input transformations does not constitute a vulnerability in its own right, but might lead to problems in conjunction with other application behaviors. An attacker might be able to bypass input filters by suitably encoding their payloads, if the input is decoded after the input filters have been applied. Or an attacker might be able to interfere with other data that is concatenated onto their input, by finishing their input with the start of a multi-character encoding or escape sequence, the transformation of which will consume the start of the following data.

Various enhancements have been made to Burp Infiltrator, in response to feedback from real-world usage:
  • A bug affecting the patcher when running on Java 6 or earlier has been fixed.
  • A bug that caused the manifest files of some nested JAR files to be lost has been fixed.
  • A bug that left invalid signatures in place after the relevant bytecode was modified has been fixed
Burp Scanner's issues are now mapped to CWE vulnerabilities.

There is a new command-line option to prevent Burp from pausing the Spider and Scanner when reopening existing projects. To prevent this, add the following argument to the command to launch Burp:


Various other enhancements and bugfixes have been made.
MD5: b9371185454563e5ca279ab80d5fdd28
SHA256: aae6d011211313f9408de431c7ac3fe230d6d0d61c038add3778b453ad33e9b8

MD5: bb3592dd77027d583be6081988e48522
SHA256: 77740b44eebba7dce56cc866380a7cf94fca4536c22d14edb183d2f7f7a3177c

MD5: a572b5b026290335f8b5d2dac0766dbd
SHA256: 2bd6c8f09ad657716e95191ac4841297f268ca5ce279dd164b0d67ccd375683d

MD5: fc1bb251a9ec7685160cff3fcd5119e3
SHA256: 4b54fbe77bf8e89508316731f621ba03a25dd224fa7f3855e7a6db8dd653a5df

MD5: 8b40a5bdf55848329ca9f9eb9b3e7154
SHA256: c8c4c8cb3156d523e3f5630b0c1500df05eb4a0297bdcd23fb00e0853467bf7e
MD5: 408d063f42f51ea027bb6a5014ae58e6
SHA256: f18ad7d5873ca4fa29af04e8cd9ce967792377366b74edc5943014440f2cc815

MD5: 83d6022c7b739c346b14897ac491e8a0
SHA256: ea41d8afeb1f621ccfa15d56d4bb8a0a72d5fab3dabe4164696527ae692df4db

MD5: 1af427b18de46c38410b46fb5a3f8080
SHA256: 603ca7adb8561a73c6ce49c463c8e8bee36c9ae88422f53b9af5fe5136f80aec

MD5: 36567e3a4b010d981d477be97c924753
SHA256: ecc64b14e64225bd54429a283cc184f5febea93d1eac531cda302d2defcb48f5

MD5: b9c142ffff80cce82c54e3ed3ce17814
SHA256: 96fc23d40efbe386217ce71c33a68a31fa589f13443a25c2bb5842c55d6fca0f