There is a new Scanner check for suspicious input transformation. This issue arises when an application receives user input, transforms it in some way, and then performs further processing on the result. Burp reports reflected and stored input that has been transformed in the following ways:
- Overlong UTF-8 sequences are decoded.
- Invalid UTF-8 sequences containing illegal continuation bytes are decoded.
- Superfluous (or "double") URL-encoded sequences are decoded.
- HTML-encoded sequences are decoded.
- Backslash escape sequences are unescaped.
- Unexpected transformations resulting from submitting any of the above payloads.
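As an added illustration (example code, not Burp's own check or PortSwigger code), the following Python models the classification the check describes: one constructed probe per transformation in the list above is submitted to an application and the reflected value is compared against the probe's decoded form and against its literal, untransformed form, with a third verdict for the last bullet (any other change). The probes, the lenient UTF-8 decoder and both simulated applications are constructed for this example; `strict_app` stands in for a well-behaved target and `lenient_app` for one that exhibits every transformation.

```python
import html
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Probe:
    payload: bytes          # bytes submitted to the application
    decoded: str            # what a decoding transformation turns the payload into
    literal: Optional[str]  # what an application that leaves it alone reflects
                            # (None for the UTF-8 probes: any output lacking the
                            # decoded form counts as untransformed)


def overlong_utf8(cp: int) -> bytes:
    """Two-byte 'overlong' encoding of an ASCII code point (invalid per RFC 3629)."""
    assert cp < 0x80
    return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])


# Constructed probes, one per transformation in the list above; '<' is the marker.
PROBES: Dict[str, Probe] = {
    "overlong-utf8":        Probe(overlong_utf8(ord("<")), "<", None),  # C0 BC
    # 0x7C ('|') is not a 10xxxxxx continuation byte; a decoder that only masks
    # the low six bits still yields 0x3C, i.e. '<'.
    "invalid-continuation": Probe(bytes([0xC0, 0x7C]), "<", None),
    "double-url-encoding":  Probe(b"%253C", "<", "%3C"),  # one decode is normal
    "html-entity":          Probe(b"&lt;", "<", "&lt;"),
    "backslash-escape":     Probe(b"\\u003c", "<", "\\u003c"),
}


def classify(probe: Probe, reflected: str) -> str:
    """Verdict for one reflection: 'decoded' (the transformation happened),
    'unchanged' (reflected as submitted) or 'unexpected' (some other change)."""
    if probe.decoded in reflected:
        return "decoded"
    if probe.literal is None or probe.literal in reflected:
        return "unchanged"
    return "unexpected"


def run_probes(app: Callable[[bytes], str]) -> Dict[str, str]:
    """Submit every probe to `app` (a function standing in for an HTTP round
    trip) and classify what comes back."""
    return {name: classify(p, app(p.payload)) for name, p in PROBES.items()}


# --- two simulated applications (constructed for the example) -----------------

def lenient_utf8_decode(data: bytes) -> str:
    """Model of a non-validating decoder: accepts overlong forms and never
    checks that the second byte carries the 10xxxxxx continuation prefix."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)


def strict_app(raw: bytes) -> str:
    """Well-behaved application: validating UTF-8 decode and a single URL
    decode (the server's normal parameter handling), nothing more."""
    return urllib.parse.unquote(raw.decode("utf-8", errors="replace"))


def lenient_app(raw: bytes) -> str:
    """Application exhibiting every transformation the check reports."""
    s = lenient_utf8_decode(raw)
    s = urllib.parse.unquote(urllib.parse.unquote(s))  # double URL decode
    s = html.unescape(s)                                # HTML entity decode
    # backslash escapes unescaped; backslashreplace keeps non-Latin-1 text intact
    return s.encode("latin-1", "backslashreplace").decode("unicode_escape")


if __name__ == "__main__":
    for name, app in (("strict", strict_app), ("lenient", lenient_app)):
        print(name, run_probes(app))
```

Against a real target the `app` callable would wrap an HTTP request and extract the reflection point from the response; the verdicts map directly onto what the check reports, with `unexpected` covering the final bullet.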
Various enhancements have been made to Burp Infiltrator, in response to feedback from real-world usage:
- A bug affecting the patcher when running on Java 6 or earlier has been fixed.
- A bug that caused the manifest files of some nested JAR files to be lost has been fixed.
- A bug that left invalid signatures in place after the relevant bytecode was modified has been fixed.
There is a new command-line option to stop Burp from pausing the Spider and Scanner when reopening existing projects. To disable this pausing, add the following argument to the command used to launch Burp:
Various other enhancements and bugfixes have been made.