Please read in reverse order, if you interest from the latest to old manner. As the latest release note and build always increment update on the bottom for this product update.
This release adds two new capabilities relating to Burp project files:
- You can now import project files into another disk-based project. This lets you merge multiple disk-based projects into one, to consolidate work that has been carried out separately. You can access this function via the Burp menu.
- You can now select project files as input to the compare site maps function.
Additionally, the “Number of threads” setting in Scanner options has been changed to “Concurrent request limit”. This paves the way for some major enhancements to the Scanner engine that are in the pipeline.
The new function is superior to the older function that saved a state file backup in several respects:
- Project file backups are considerably faster. Project files of 1Gb in size are typically backed up in a few seconds.
- You can optionally include in-scope items only, to reduce the size of the backup file.
- Available disk space is checked before performing a backup. If insufficient space is available, the backup is skipped and an alert is shown.
- A single backup file is saved alongside the main project file. On successful completion of a new backup, the previous backup file is deleted.
- On attempting to open a corrupted project file, Burp checks if a backup is available, and if so offers to open that as an alternative to repairing the original.
- By default, the backup file is deleted on clean shutdown of Burp. Since the main project file is saved incrementally in real time, and project file corruption is typically caused by abnormal termination of the OS, it is not normally necessary to retain backup files following a clean shutdown. You can choose to retain the backup file on shutdown in the automatic project backup options.
- You can optionally disable the progress dialog that is shown when a backup is performed, so you can continue working without interruption.
- Backups are enabled by default with no configuration required. If you don’t want to use the feature, you can quickly turn it off using the option that is shown in the progress dialog:
- Installed BApps are now updated automatically on startup. We issue frequent updates to BApps and it is highly recommended to be using the latest versions. You can disable automatic BApp updates in Extender options.
- A bug in the import project function, which omitted to import the Scanner issue activity log, has been fixed.
- Requests made by extensions during custom scan checks are now correctly reflected in the scan queue request counts, and are correctly subjected to configured request throttling.
To support the new project repair function, changes have been made to the Burp project file format. The new release is backwards compatible with project files from all prior versions, but project files created with the new release cannot be opened with older versions of Burp.Some bugs have been fixed:
- A bug in macro configuration where some settings for cookie handling might not be saved correctly across executions of Burp.
- Some minor bugs in the automatic project backup feature that was recently released.
- A bug where extensions could still gain API access to the Burp Collaborator client even when the user had disabled use of Collaborator.
A number of bugs have been fixed:
- A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
- A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
- A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
- Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
- A bug that prevented autocomplete popups from closing on some Linux window managers.
- A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
- A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
- A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.
The following enhancements have been made:
- Burp ClickBandit has been updated to support sandboxed iframes.
- A fix has been applied following a change in JRuby 188.8.131.52 that prevented Burp extensions written in Ruby from running.
This release includes a number of fixes and minor enhancements:
- Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
- A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
- The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.
This release fixes a number of issues including:
- A bug that prevented the macro editor from correctly showing the Proxy history.
- A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
- A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.
This release adds some powerful new Scanner checks based on James Kettle’s talk at Black Hat today.
For full details of this awesome new research, see read on web cache poisoning.
Burp Scanner is now able to detect two new vulnerabilities, “Web cache poisoning” and “Request URL override”: