tag:blogger.com,1999:blog-85037557461054153942010-01-07T21:09:11.942ZPortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.comBlogger98125tag:blogger.com,1999:blog-8503755746105415394.post-45737976071725653422010-01-07T16:56:00.009Z2010-01-07T17:19:30.013Z

Burp Suite v1.3 is now available to download. This is a major upgrade with a host of new features.New features in Burp Suite free edition include:A new message editor/viewer optimised for HTTP requests and responses, with colourised syntax, mouse-over decoding, and quick conversion functions.Facility to add comments and highlights to the proxy history and site map.Support for AMF-encoded

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com2tag:blogger.com,1999:blog-8503755746105415394.post-86742646348001164872009-12-14T22:03:00.004Z2009-12-14T22:10:19.292Z

This little chap showed up a couple of weeks ago, somewhat earlier than expected. Needless to say, this event has thrown my meticulous plans for the final release of Burp v1.3 into disarray. Many thanks to everyone who has emailed with bugs and suggestions from the beta release, and apologies for the lack of responses. Normal service will be resumed in January.

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com14tag:blogger.com,1999:blog-8503755746105415394.post-62257785991906578262009-11-30T10:15:00.001Z2009-11-30T10:19:18.338Z

A beta version of the new release of Burp is now available for Professional users. The free edition will be available in two or three weeks time. If you don't have a Pro license and are eager to try out the new features, why not treat yourself here?As always, any help flushing out bugs will be much appreciated. Please email these directly, so that I can easily get back to you for more details if

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com5tag:blogger.com,1999:blog-8503755746105415394.post-1068814072774204982009-11-29T09:06:00.000Z2009-11-29T09:06:00.636Z

I've described most of the major additions to Burp's functionality that are arriving in v1.3. There are a few other smaller tweaks that are worth drawing attention to:The tables in the site map and search results now include a timestamp column. Sorting the results on this column lets you easily see when new items are added. This is handy when you are running spidering or content discovery

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com0tag:blogger.com,1999:blog-8503755746105415394.post-34172366616355619532009-11-27T13:41:00.000Z2009-11-27T13:41:00.440Z

For Pro users, Burp now includes a function to analyse a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes. This can help you assess how much effort a penetration testing engagement is likely to involve, and can help you decide where to focus your attention during the test itself. To access this feature, you select one or more

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com0tag:blogger.com,1999:blog-8503755746105415394.post-72087428568227280592009-11-26T16:10:00.000Z2009-11-26T16:14:21.667Z

In the new release, Burp lets you export full details of interesting requests and responses in XML format, including all relevant metadata such as response length, HTTP status code and MIME type. For example:If you have annotated any of the exported items, your comments will also be included within the XML.You can access this feature via the context menu anywhere in Burp that you see requests and

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com1tag:blogger.com,1999:blog-8503755746105415394.post-40965592401337251292009-11-25T17:20:00.000Z2009-11-25T17:20:36.877Z

This feature won't exactly enhance your productivity, but you may sometimes find it useful nonetheless. In the new release, lazy Pro users can make Burp simulate manual testing activities, by sending common test payloads to random URLs and parameters within a target application, at irregular intervals. Burp doesn't do anything with the responses, so you won't find out about any bugs in this way.

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com5tag:blogger.com,1999:blog-8503755746105415394.post-81526739154690900122009-11-25T12:39:00.001Z2009-11-25T13:28:09.443Z

To my great pride, nearly everyone who has tried out Burp Scanner absolutely loves it. But people still helpfully come back with tons of feature requests for it.One of the biggest complaints is the relatively crude way in which Burp lets you send items for active scanning from the site map. For example, when you have mapped out all of the content and functionality within your target application,

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com2tag:blogger.com,1999:blog-8503755746105415394.post-75114393577516464662009-11-24T18:24:00.003Z2009-11-24T18:36:46.705Z

The display filters used in the proxy history and site map are now more powerful, and allow you to filter on:Simple and regex search terms (Pro version only) - this is often handier than using the suite-wide search function.File extension - this supplements the MIME type filter, and is useful for unusual content types, and when HTTP 304 responses do not contain any content.Annotations made by the

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com0tag:blogger.com,1999:blog-8503755746105415394.post-80056456963340641432009-11-24T12:21:00.000Z2009-11-24T14:00:31.606Z

Pro users can now search part or all of the site map for scripts and comments. This feature is accessed by selecting relevant branches within the site map, and using the context menu.The search results window shows responses from all Burp tools containing either scripts or comments. Selecting an individual item shows the full request and response in a preview pane, with relevant items

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com0tag:blogger.com,1999:blog-8503755746105415394.post-82005857230319181972009-11-23T09:49:00.001Z2009-11-23T14:15:03.302Z

Burp now includes a content discovery function, similar in concept to OWASP's DirtBuster. You can access this feature by selecting a request or URL anywhere within Burp, and using the context menu to start content discovery. Burp uses various techniques to discover content, including name guessing, web spidering, and extrapolation from naming conventions observed in use within the application.

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com5tag:blogger.com,1999:blog-8503755746105415394.post-56163187588321779732009-11-22T10:02:00.005Z2009-11-22T10:34:33.467Z

In v1.2.11, Burp introduced a new method of generating the server SSL certificates which are presented to your browser when you connect via Burp Proxy. This involved creating a root CA certificate (per user), which you can install into your browser, and using this to sign each host certificate, thus enabling you to eliminate SSL certificate errors. Read more here. Unfortunately, in v3.5 Firefox

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com2tag:blogger.com,1999:blog-8503755746105415394.post-82923843364492459192009-11-21T11:55:00.003Z2009-11-21T12:03:28.796Z

If I had a beer for every time someone has requested this feature, I'd have been way too wasted to implement it.Burp already supports upstream web proxies, but only as a global configuration which affects all outgoing traffic. In the new release, Burp allows you to configure rules specifying different proxy settings for different (ranges of) destination hosts.The following configuration will make

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com3tag:blogger.com,1999:blog-8503755746105415394.post-69071710419816196632009-11-20T08:36:00.006Z2009-11-20T15:10:31.723Z

You can now add comments and coloured highlights to items in the site map and proxy history:You can highlight individual items using a drop-down menu on the left-most table column:And you can comment individual items in-place by double-clicking and editing the table cell:Alternatively, if you want to annotate several items at once, you select the relevant items and use the context menu to add

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com5tag:blogger.com,1999:blog-8503755746105415394.post-16178783520539900682009-11-20T08:12:00.005Z2009-11-20T08:34:07.888Z

The suite-wide search function has had a revamp, with a number of useful features added:regex mode;optional restriction to target scope;optional dynamic updating of existing search results as new requests are made;ability to search selected hosts/branches within the site map, via the site map context menu.Here's an example of using a regex search term with dynamic updating, to monitor all

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com0tag:blogger.com,1999:blog-8503755746105415394.post-20816803658682603892009-11-20T08:03:00.002Z2009-11-20T08:09:19.295Z

Work on the next release of Burp is inching forwards, and over the next two weeks I'll be posting regularly with previews of some of the cool new features to look forward to. Then I'll release a beta version for Pro users to play with. Everyone with a current license will receive an automatic upgrade to v1.3.Many thanks to everyone who has submitted feature requests. A lot of these have been

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com0tag:blogger.com,1999:blog-8503755746105415394.post-87410801242585968012009-11-02T11:21:00.001Z2009-11-02T11:24:34.792Z

It's getting to that time of year again when all the hastily made promises about the next release of Burp need to be made good. So I'm pleased to announce that release 1.3 of Burp Suite will be available before Christmas*.The free edition of Burp will get a roll-up of some of the new stuff that has been added to the pro edition over the past year. And the pro edition will get a bunch of cool new

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com54tag:blogger.com,1999:blog-8503755746105415394.post-87962751380347802702009-11-02T11:06:00.000Z2009-11-02T11:21:40.879Z

401 Not AuthorizedGeorge W. Bush416 Not SatisfiableBill Clinton417 Expectation FailedBarack Obama302 FoundSaddam Hussein404 Not FoundOsama Bin Laden410 GoneJohn F Kennedy500 Internal ErrorDonald Rumsfeld415 Unsupported Media TypeTony Blair203 Non-Authoritative InformationSarah Palin306 UnusedAl Gore408 TimeoutJohn McCain303 See OtherNicolas Sarkozy100 ContinueVladimir Putin405 Method Not

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com11tag:blogger.com,1999:blog-8503755746105415394.post-68067434234049126172009-11-02T10:56:00.004Z2009-11-02T11:13:36.023Z

Karl Dawson has written a nice paper about using Burp Intruder for discovering login credentials, and how you can use various tricks to reveal other useful information and anomalies, as well as actually guessing valid passwords. Download it here.

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com1tag:blogger.com,1999:blog-8503755746105415394.post-23804776604265659862009-04-11T10:25:00.000Z2009-04-11T09:26:54.590Z

I've been releasing updates to the Pro version of Burp pretty frequently recently. Some of these are fairly minor so you won't always see alerts that a new version is available. To help people who do want to follow the latest updates, you can now subscribe to a listing of release notes. The latest update gives Burp a new editor for raw HTTP messages, which can handle much larger messages

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com1tag:blogger.com,1999:blog-8503755746105415394.post-34132117368670470802009-04-10T14:00:00.000Z2009-04-10T13:34:45.572Z

I've written before about how Burp's invisible proxying mode can help you intercept requests from non-proxy-aware thick clients. Burp Suite Pro now contains a new feature which makes this task even easier.If you are using a thick client component which cannot be configured to use a proxy, you can force it to talk to Burp Proxy instead of the actual destination host by performing the following

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com4tag:blogger.com,1999:blog-8503755746105415394.post-46756572300053187862009-04-09T19:18:00.000Z2009-04-09T15:10:37.771Z

If you use Windows, you may have encountered a problem following March's security update, in that Burp Proxy listeners running on the loopback interface stopped working. This was caused by Microsoft changing the "localhost" entry in the Windows hosts file from:127.0.0.1 localhostto:::1 localhostManually reverting to the old entry fixes the problem for a while, but Windows will silently update to

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com0tag:blogger.com,1999:blog-8503755746105415394.post-49971335396571163422009-04-08T19:08:00.000Z2009-04-08T18:14:39.244Z

From time to time, people ask me for help getting their code working with Burp Extender, so here is a quick worked example of how to do this. The example is based on a plugin written by Daniele Costa, which extracts HTML comments from HTTP responses, and writes these to file and to the command line.The core of the plugin code is simple. It implements the processProxyMessage method in

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com11tag:blogger.com,1999:blog-8503755746105415394.post-88747070039340875282008-12-14T14:00:00.000Z2008-12-14T14:11:15.007Z

Burp Suite v1.2 is now available to download. This is a major upgrade with a host of new features, including:Site map showing information accumulated about target applications in tree and table formSuite-level target scope configuration, driving numerous individual tool actionsDisplay filters on site map and Proxy request historySuite-wide search functionSupport for invisible proxyingFully

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com6tag:blogger.com,1999:blog-8503755746105415394.post-41595195392634668532008-11-30T15:29:00.003Z2008-11-30T15:47:57.198Z

A beta version of the new release of Burp Suite Professional is now available to licensed users. The free edition will be made available in two or three weeks time. If you just can't wait that long to get your hands on the new Burp, there is an easy solution!If you bought or renewed your Burp license within the last year, you should today have received the new beta. If you think you have missed

PortSwiggerhttp://www.blogger.com/profile/04744809054520271899noreply@blogger.com6