Thursday, July 27, 2017


This release adds a number of new scan checks based on our talk today at Black Hat, Cracking the lens: targeting HTTP's hidden attack surface.

The new scan checks use various techniques aimed at inducing vulnerable applications and infrastructure to route requests to a different destination. This can lead to serious attacks, for example SSRF against the application server itself or other infrastructure components. The research behind the new capabilities quickly netted us over $30,000 in bug bounty payouts, and demonstrates the huge power of OAST (out-of-band application security testing).

The novelty of the new checks lies not so much in the payloads themselves as where they are placed. The new scan checks send Collaborator-based payloads in the following locations:
  • The HTTP Request-Line (where the requested URL normally appears).
  • The server name specified in the SSL SNI extension.
  • The server specified in a CONNECT request.
  • The Host header.
  • Various other common and not-so-common request headers.
An example of a reported vulnerability is shown below. For full details of these and various other techniques, see today's blog post.
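As an added illustration of the locations listed above (example code, not Burp's or PortSwigger's own scan logic), the following Python script pulls every place a request can name a destination, the absolute-form request line, a CONNECT target, the TLS SNI value and the Host and a few forwarding headers, and reports any name outside an allowlist of the server's own hostnames, which is the check a reverse proxy or gateway operator would want when hunting for mis-routing. The header list, the `sni` argument (SNI is not visible inside the HTTP bytes, so it is passed in separately) and the sample requests are assumptions constructed for this example.

```python
"""Flag HTTP requests that name a destination outside an allowlist in any of the
locations a scanner might plant a Collaborator-style payload.  Added example;
the header list and the sample requests are constructed assumptions."""
from urllib.parse import urlsplit

# Headers a proxy or framework may consult when choosing where to route a
# request.  Assumption: a representative set, not Burp's actual check list.
ROUTING_HEADERS = ("host", "x-forwarded-host", "x-forwarded-server", "x-host")


def _host_only(hostport):
    """Strip a port from 'host:port' or '[v6]:port' and normalise the name."""
    hostport = hostport.strip()
    if hostport.startswith("["):                      # bracketed IPv6 literal
        return hostport[1:hostport.index("]")].lower()
    return hostport.split(":", 1)[0].rstrip(".").lower()


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def routing_targets(raw, sni=None):
    """List (location, hostname) for every place the request names a server."""
    method, target, headers = parse_request(raw)
    found = []
    if method.upper() == "CONNECT":                   # CONNECT host:port
        found.append(("connect-target", _host_only(target)))
    elif "://" in target:                             # absolute-form request line
        found.append(("request-line", (urlsplit(target).hostname or "").lower()))
    if sni:                                           # TLS server_name, if known
        found.append(("sni", _host_only(sni)))
    for name in ROUTING_HEADERS:
        for value in headers.get(name, []):
            found.append((name, _host_only(value)))
    return found


def unexpected_destinations(raw, allowed, sni=None):
    """Return the (location, hostname) pairs not in the allowlist of own names."""
    allowed = {a.lower() for a in allowed}
    return [(loc, host) for loc, host in routing_targets(raw, sni)
            if host not in allowed]
```

Any non-empty result means some component of the request names a server that is not ours, which is exactly the condition that lets a payload in one of these locations reach an out-of-band destination.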