Friday, June 29, 2018


This release includes a number of fixes and minor enhancements:
  • Further enhancements have been made to Burp's project repair function based on feedback from the previous release. We welcome further feedback on any situations in which data cannot be recovered from a corrupted Burp project file.
  • A fix has been applied to prevent Burp's filter popups from appearing in the task switcher on some Linux window managers.
  • The hardening of SSL validation that was added in 1.7.34 unfortunately didn't work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.

Wednesday, June 13, 2018


A number of bugs have been fixed:
  • A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
  • A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
  • A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
  • Some bugs in Burp's project repair function that caused some actually recoverable data to be lost.
  • A bug that prevented autocomplete popups from closing on some Linux window managers.
  • A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
  • A bug that prevented macOS App Nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
  • A bug that prevented the Proxy from correctly handling requests that use a literal IPv6 address in the domain name of the requested URL.
The following enhancements have been made:
  • Burp ClickBandit has been updated to support sandboxed iframes.
  • A fix has been applied following a change in JRuby that prevented Burp extensions written in Ruby from running.
Note that some of the security issues were reported through our bug bounty program, which pays generously for bugs large and small. Thanks are due to Bruno Morisson and Juho Nurminen.
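
The HTTP Basic authentication leak described in the bug list above comes down to where the Authorization header is decided: once for the first request, or again on every redirect hop. The following is an added example, not Burp's code; the hosts a.example and b.example, the SITE redirect map and all function names are constructed for illustration.

```python
import base64
from urllib.parse import urljoin, urlsplit

# Constructed redirect map standing in for the network: URL -> (status, Location).
SITE = {
    "https://a.example/login": (302, "/home"),
    "https://a.example/home": (302, "https://b.example/landing"),
    "https://b.example/landing": (200, None),
}

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

def basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def follow(start_url, cred_origin_url, user, password, scoped, max_hops=10):
    """Follow redirects; return one (url, Authorization-or-None) pair per request sent."""
    cred_origin = origin(cred_origin_url)
    header = basic_header(user, password)
    sent, url = [], start_url
    for _ in range(max_hops):
        if scoped:
            # Hardened: re-decide on every hop, keyed on the request's own origin.
            auth = header if origin(url) == cred_origin else None
        else:
            # Leaky: header chosen for the first request and carried along unchanged.
            auth = header
        sent.append((url, auth))
        status, location = SITE[url]
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)  # resolves relative Location values
    return sent

def leaked_to(sent, cred_origin_url):
    """Hosts other than the configured one that received the credentials."""
    return sorted({urlsplit(u).hostname for u, a in sent
                   if a and origin(u) != origin(cred_origin_url)})
```

Comparing on the full origin rather than the host name alone also keeps the header off a redirect that stays on the same host but changes scheme or port.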