Burp Suite Pro Web Vulnerability Scanner

Please read in reverse order, if you interest from the latest to old manner. As the latest release note and build always increment update on the bottom for this product update.

1.7.31 19-Jan-2018

1.7.32 2-Feb-2018

1.7.33 28-Mar-2018

1.7.34 13-Jun-2018

A number of bugs have been fixed:

• A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
• A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
• A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
• Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
• A bug that prevented autocomplete popups from closing on some Linux window managers.
• A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
• A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
• A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.

The following enhancements have been made:

• Burp ClickBandit has been updated to support sandboxed iframes.
• A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

1.7.35 29-Jun-2018

This release includes a number of fixes and minor enhancements:

• Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
• A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
• The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.

1.7.36 30-Jul-2018

This release fixes a number of issues including:

• A bug that prevented the macro editor from correctly showing the Proxy history.
• A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
• A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.

1.7.37 10-Aug-2018