Wednesday, June 13, 2018


A number of bugs have been fixed:
  • A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
  • A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
  • A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
  • Some bugs in Burp's project repair function that caused some actually recoverable data to be lost.
  • A bug that prevented autocomplete popups from closing on some Linux window managers.
  • A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
  • A bug that prevented macOS App Nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
  • A bug that prevented the Proxy from correctly handling requests that use a literal IPv6 address in the domain name of the requested URL.
The following enhancements have been made:
  • Burp ClickBandit has been updated to support sandboxed iframes.
  • A fix has been applied following a change in JRuby that prevented Burp extensions written in Ruby from running.
Note that some of the security issues were reported through our bug bounty program, which pays generously for bugs large and small. Thanks are due to Bruno Morisson and Juho Nurminen.
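The Basic-authentication redirect bug above is easiest to see in a redirect-following client. The following is an added illustration, not Burp's own code: a minimal follower with a fake in-memory transport, where `scope_credentials=False` reproduces the leak (the Authorization header built for domain A is carried to domain B) and `scope_credentials=True` is the corrected behaviour (credentials are looked up per hop by the destination host). Host names, credentials and responses are constructed for the example; it also resolves relative Location values, which the release note does not discuss.

```python
import base64
from urllib.parse import urljoin, urlsplit

# Constructed sample: HTTP Basic credentials configured for domain A only.
CREDENTIALS = {"app-a.example": ("alice", "s3cret")}

# Constructed fake transport: URL -> (status, response headers).
# Domain A redirects to domain B, which the user has also put in scope.
FAKE_RESPONSES = {
    "https://app-a.example/login": (302, {"Location": "https://app-b.example/landing"}),
    "https://app-b.example/landing": (200, {}),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def basic_header(user, password):
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def follow_redirects(url, scope_credentials=True, max_hops=5):
    """Return the list of (url, request_headers) pairs that were sent.

    scope_credentials=False: the buggy behaviour, the header is built once
    for the first host and then reused on every hop, so it reaches domain B.
    scope_credentials=True: the fixed behaviour, credentials are attached
    only when the hop's host matches the host they were configured for.
    """
    sent = []
    headers = {}
    first_host = urlsplit(url).hostname
    if not scope_credentials and first_host in CREDENTIALS:
        headers["Authorization"] = basic_header(*CREDENTIALS[first_host])

    for _ in range(max_hops):
        host = urlsplit(url).hostname
        if scope_credentials:
            # Rebuild the header set per hop; never inherit it across hosts.
            headers = {}
            if host in CREDENTIALS:
                headers["Authorization"] = basic_header(*CREDENTIALS[host])
        sent.append((url, dict(headers)))
        status, resp = FAKE_RESPONSES[url]
        if status not in REDIRECT_STATUSES or "Location" not in resp:
            break
        url = urljoin(url, resp["Location"])  # relative Location resolves on the same host
    return sent
```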