Thursday, August 3, 2017


This release adds a number of new scan checks relating to file upload functionality.

Burp Scanner has always treated the contents of a file upload (within a multipart POST request) as a regular insertion point where payloads can be placed. In the new release, various additional checks are performed on the file upload:
  • Some new payloads are used to upload files in various formats, such as PDF, SVG, HTML, PHP, and SSI.
  • Where relevant, Burp now modifies the file extension and content-type fields in the upload request to reflect the type of file that is being uploaded, so as to maximize the chance that the application will handle the file in the desired way.
  • Both in-band and out-of-band techniques are used to detect vulnerabilities in the application's handling of uploaded files.
For example, Burp can now detect server-side rendering of uploaded PDF documents, by using some embedded PDF JavaScript to trigger a Burp Collaborator interaction when the document is rendered.

The new detection techniques all lead to new versions of existing issues, notably PHP code injection, SSI injection, reflected XSS, stored XSS, and external service interaction.
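The following Python upload validator is an added example, not PortSwigger's code and not part of this release: it shows the server-side checks that these scan checks probe for, confirming that the file extension, the declared content-type and the leading bytes of a multipart part all agree, and flagging active-content markers (PDF JavaScript and open actions, SVG/HTML script, PHP tags, SSI directives) instead of trusting what the client sent. The allow-list, the marker lists and the sample inputs are constructed for illustration.

```python
import re
from typing import List, Optional

# Allow-list of upload types: extension -> (expected content-type, leading-byte signatures); constructed for this example.
ALLOWED = {
    "png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    "jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "pdf": ("application/pdf", [b"%PDF-"]),
}

# PDF name tokens that let a document run code or take actions when it is opened or rendered.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")
# Markers of active text formats (SVG, HTML, PHP, SSI) that must not reach a renderer or interpreter.
TEXT_ACTIVE = {
    "svg/xml": re.compile(rb"<\?xml|<svg", re.I),
    "script tag": re.compile(rb"<script", re.I),
    "event handler": re.compile(rb"\bon\w+\s*=", re.I),
    "php tag": re.compile(rb"<\?php", re.I),
    "ssi directive": re.compile(rb"<!--#"),
}

def sniff(data: bytes) -> Optional[str]:
    """Return the allow-listed type whose signature the content starts with, else None."""
    for ext, (_, sigs) in ALLOWED.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None

def check_upload(filename: str, declared_type: str, data: bytes) -> List[str]:
    """Return findings for one multipart file part; an empty list means the part is consistent."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        findings.append(f"extension '{ext}' is not allow-listed")
    elif ALLOWED[ext][0] != declared_type.lower():
        findings.append(f"declared content-type '{declared_type}' does not match extension '{ext}'")
    actual = sniff(data)
    if actual is None:
        findings.append("content matches no allow-listed signature")
        for name, pat in TEXT_ACTIVE.items():  # unrecognised content: scan the head for active markers
            if pat.search(data[:4096]):
                findings.append(f"active content marker: {name}")
    elif actual != ext:
        findings.append(f"extension '{ext}' but content signature is '{actual}'")
    if actual == "pdf":  # a genuine PDF is still checked for entries a server-side renderer might act on
        tokens = sorted({m.group(0).decode() for m in PDF_ACTIVE.finditer(data)})
        if tokens:
            findings.append("PDF active-content entries: " + ", ".join(tokens))
    return findings
```

The marker checks are deliberately coarse substring matches; they are a gate before storage, not a substitute for rendering uploads in an isolated, network-restricted environment.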

Note: Some updates have been made to the Burp Collaborator server to support the new scan checks. People running private Collaborator servers should update them now. As usual, Burp will show an alert on startup if the configured Collaborator server is out of date, and you can use the Collaborator health check to determine this at any time.

A number of bugs are also fixed, including a recently introduced bug affecting NTLM authentication.