Burp Suite Pro Web Vulnerability Scanner

Please read in reverse order, if you interest from the latest to old manner. As the latest release note and build always increment update on the bottom for this product update.

Professional 2020.11.1 Release 2020-Nov-19

This release adds the Burp Suite Navigation Recorder extension to Burp’s embedded browser and fixes a minor bug in the startup process.

Burp Suite Navigation Recorder preinstalled in the embedded browser

The Burp Suite Navigation Recorder extension is now preinstalled and ready to use in Burp’s embedded browser. This means you can immediately start recording login sequences for Burp Scanner without having to perform any manual setup.

Embedded browser upgrade

Burp’s embedded browser has been upgraded to Chromium version 86.0.4240.198

Bug fixes

This release also provides the following bug fixes:

• Highlighting a null character no longer causes extra characters to be included in the selection by mistake.
• After a failed startup, relaunching Burp and selecting an existing project no longer causes the startup to fail again.
• When the mouseover decoding popup is visible in Repeater, pressing the Ctrl + Space shortcut to send the request no longer causes Burp to crash.
• When entering a number range for payloads in Intruder, accidentally leaving a trailing space no longer causes the request and payload count to be set to zero.

Professional 2020.11 Release 2020-Nov-9

This release provides several new features for both manual and automated testing, as well as some major upgrades to the message editor UI.

Message inspector

The new message inspector is a collapsible panel displayed on the right-hand side of the message editor throughout Burp Suite. It provides a quick way to analyze and work with interesting features of HTTP and WebSocket messages without having to switch between different tabs.

The Hex, Params, Headers, and Cookies tabs that used to appear in the message editor have been removed. You can now access the same functionality, and some additional new features, directly in the inspector panel.

• Perform basic operations such as viewing and manipulating any headers, parameters, and cookies found in HTTP messages. You can also add new ones to the request.
• Instantly decode HTML, URL, and Base64-encoded values. The inspector automatically applies the appropriate sequence of transformations to decode headers, parameters, cookies, and any encoded text that you manually select in a message.
• Work with encoded data more easily by editing it in its decoded form. The inspector automatically reapplies the necessary encodings as you type so that you can inject your modified value into the request with a single click or key press.
• Inject non-printing characters by modifying the code point of a character.

You perform some of these actions by drilling down into items that were automatically identified by the inspector. Alternatively, you can manually select one or more characters in a message to work with them in the inspector panel.

For more information about using the inspector, please refer to the documentation.

API scanning

Burp Scanner is now able to scan both JSON and YAML-based APIs for vulnerabilities. By default, the crawler attempts to parse any API definitions that it encounters to identify potential endpoints, along with their supported methods and parameters. You can also explicitly provide the URL of an API definition when launching a scan. Based on the endpoints that it discovers, Burp Scanner is then able to derive new locations to crawl and audit.

If you prefer, you can disable API scanning by deselecting the “Parse API definitions” crawl option in your scan configuration. You can find this option under “Miscellaneous”.

Please note that this initial release only supports scanning of a fairly limited range of REST APIs. For a full list of the prerequisites and limitations, please refer to the documentation. We plan to further develop this feature and gradually add support for a wider range of APIs in future releases.

Test recorded login sequences

In the previous release, we added new functionality for recording and uploading full login sequences to help Burp Scanner handle more complex authentication mechanisms. This release adds a new feature that allows you to replay your recorded login sequences in an embedded browser.

This makes it much easier to check whether the recording accurately captured your browser interactions. It may also help you to diagnose any problems if the login sequence is failing during scans.

For more information, please refer to the documentation.

Automatic updates

By default, Burp now automatically downloads any available updates. When a new update has been downloaded, a notification will prompt you to restart Burp in order to install it. Note that you will still need to download the 2020.11 release manually.

If you prefer, you can disable automatic updates in the user options.

Note for Windows users

To support automatic updates, Burp can no longer be installed in a directory that requires admin privileges. As a result, installing 2020.11 on Windows will likely create a new instance of Burp rather than upgrading your existing installation. Unfortunately, this means you will have to manually uninstall your old version of Burp.

This is a one-off inconvenience. Upgrading to any subsequent releases will not require you to repeat this process.

Other improvements

To help reduce clutter, the custom views that some Burp extensions add to the message editor are no longer accessed via individual tabs. Instead, you can now alternate between your extension-specific views using a new drop-down menu.

Bug fixes

• We have fixed a bug that was causing the Burp UI to freeze in specific circumstances when the .NET Beautifier extension was enabled.
• When hovering the mouse over a long, encoded token in an HTTP message, the decoded text no longer overflows the tooltip. We have also extended the tooltip so that it can display up to 2000 characters.
• Launching an installed version of Burp now provides the same range of character sets as when launching Burp from a JAR file.

Professional 2020.9.2 Release 2020-Oct-2

This release enables support for recorded login sequences in Burp Scanner and provides several other minor improvements. It also includes a security fix for Burp Collaborator.

Recorded login sequences

Instead of entering basic sets of login credentials for Burp Scanner to use, you can now provide the full sequence of actions required to log in. This enables Burp Scanner to handle more complex login processes, including:

• Single sign-on
• Multi-step login where the username and password are not entered in the same form
• Login forms that contain extra fields, checkboxes, and so on

Our dedicated Chrome extension captures your actions while you perform the login sequence and generates a JSON-based “script”. You can then import this script in the Application Logins section of the scan launcher. When the crawler begins an authenticated crawl, it will open a new browser session and use the script to replicate your actions, performing the full login sequence from scratch.

For more details on how to use recorded login sequences, please refer to the scan launcher documentation.

Other improvements

You can now clear the interaction history in Burp Collaborator client.

Bug fixes

This release also implements several minor bug fixes, most notably:

• The TLS handshake no longer fails when the target site’s hostname contains an underscore.
• All bytes are now preserved correctly when pasting data from a file into an HTTP message
• Auto-modified responses resulting from match-and-replace rules are now paired with the correct request in the proxy history.

Security fix

This release resolves a security issue in the Collaborator server. Previously, an attacker in a position to perform an active, server-side MITM attack could obtain the contents of emails delivered using STARTTLS. If you are running your own Collaborator server, we recommend updating it.

This vulnerability was reported to us privately via our bug bounty program.

Professional 2020.9.1 Release 2020-Sep-4

This release fixes a bug that was preventing WebSocket messages from being displayed correctly in the message editor.

Professional 2020.9 Release 2020-Sep-3

This release provides some improvements to the HTTP message editor UI.

HTTP message editor toolbar

On the “Raw” tab, the various options you have for analyzing the HTTP message are now contained in a toolbar at the top of each request or response. From the toolbar, you can now:

• Alternate between the prettified, raw, or rendered HTML views where available
• Toggle whether non-printing characters are displayed as “lozenges” within the message
• Access a range of context-specific actions for the message from the new “Actions” menu

HTTP message editor layout options

In the upper-right corner of the message editor, you can now choose from three different layouts that determine how the request and response are arranged in the panel.

You can choose from the following options:

• Horizontal layout: The request and response are arranged side-by-side.
• Vertical layout: The request and response are stacked one on top of the other.
• Combined view: Either the request or response will fill the message editor panel. You can alternate between the two using the corresponding tabs.

These new layout options are available in various locations throughout Burp Suite, including the Target site map and Proxy history.

Other improvements

The embedded browser has been upgraded to Chromium 85.0.4183.83.

Professional 2020.8.1 Release 2020-Aug-20

After several months of live testing, we are pleased to announce that this release enables browser-powered scanning by default.

Browser-powered scanning

By default, Burp Scanner will now perform all navigation using an embedded Chromium browser, during both crawl and audit. This approach enables the scanner to accurately handle JavaScript and other navigational structures that modern browsers can. This has the potential to dramatically improve the coverage of the scan during both the crawl and audit phases.

To run browser-powered scanning efficiently, we recommend a machine with at least 2 CPU cores and 8 GB RAM. Burp Scanner automatically checks whether your machine appears to meet these requirements and will use the embedded browser if possible. Otherwise, scans will revert to the previous crawling engine.

If you prefer, you can also manually enable/disable browser-powered scanning in your scan configuration. You can find this option under “Crawl options” > “Miscellaneous” > “Embedded browser options”.

Note: Browser-powered scanning currently remains off by default for Burp Suite Enterprise Edition.

Other improvements

• Scan performance has been improved by reducing the number of duplicate locations that are scanned. Even when you choose to scan a URL using both HTTP and HTTPS, if Burp identifies that the content is the same, it will now only crawl and audit the location once.
• SVG images are now displayed correctly on the “Render” tab.
• The HTTP message editor now supports pretty printing of the content type image/svg+xml.
• The embedded browser has been upgraded to Chromium 84.0.4147.125.

Professional 2020.8 Release 2020-Aug-6

This release provides an upgrade to the web cache poisoning scan checks as well as several other minor improvements and bug fixes.

New web cache poisoning scan checks

Burp Scanner can now identify a variety of recently discovered cache poisoning issues. These checks are based on the techniques documented by James Kettle in his presentation “Web Cache Entanglement: Novel Pathways to Poisoning” at BlackHat USA 2020.

Other improvements

• We have improved the performance of Burp Intruder when using HTTP/2.
• We have reduced the amount of noise from the embedded browser by disabling Chromium’s random DNS checks during startup.

Bug fixes

• Closing the first tab in the embedded browser no longer causes the whole browser window to close.
• You can now launch the embedded browser on Kali Linux even as a non-root user

Professional 2020.7 Release 2020-Jul-17

In this release, we’ve greatly improved the usability of Burp Suite by removing the need to perform many of the initial configuration steps for Burp Proxy.

Use Burp’s preconfigured browser for testing

You can now use Burp’s embedded Chromium browser for manual testing. This browser is preconfigured to work with the full functionality of Burp Suite right out of the box. You no longer need to manually configure your browser’s proxy settings or install Burp’s CA certificate. The first time you launch Burp you can immediately start testing, even with HTTPS URLs.

To launch the embedded browser, go to the “Proxy” > “Intercept” tab and click “Open Browser”.

Note that if you want to use an external browser for testing. you can still configure any browser to work with Burp in the same way as you could before.

Other improvements

• Burp now provides feedback in the request and response when it successfully communicates using HTTP/2. The first request you send to a server will display HTTP/1. However, once Burp has established that the website supports HTTP/2, all subsequent messages will indicate this in the request line and status line respectively. For more information about Burp’s experimental HTTP/2 support, please refer to the documentation.
• Performance of the experimental browser-powered scanning feature has been improved.
• The embedded browser has been upgraded to Chromium 84.

Bug fixes

• Multiple Cookie headers are now displayed correctly in the “Params” tab.
• We have also fixed a security bug that was reported via our bug bounty program. With a significant amount of user interaction, an attacker could potentially steal comma-delimited files from the local filesystem. The attacker would have to induce a user to visit a malicious website, copy the request as a curl command, and then execute it via the command line.

Professional 2020.6 Release 2020-Jul-3

This release adds an option for using HTTP/2 and provides several minor improvements and bug fixes.

Experimental HTTP/2 support

This release provides experimental support for HTTP/2. From the “Project settings” > “HTTP” tab, you can now choose to use HTTP/2 for inbound and outbound communication over TLS.

As this is still an experimental feature, please use it at your own discretion.

Other improvements

You can now control the TLS protocols that Burp Proxy will use when performing TLS negotiation with the browser. You can configure Burp Proxy to use the default protocols of your Java installation, or override these defaults and enable custom protocols as required.

Bug fixes

In the HTTP history, you can now hover the mouse over URL encoded data to show the decoded data in a tooltip. Previously, this worked in Burp Repeater but not the “Proxy” > “HTTP history” tab.

Professional 2020.5.1 Release 2020-Jun-19

This release provides several bug fixes, including the following improvements to the HTTP message editor:

• Highlighting text no longer causes it to disappear and reappear after resizing the panel.
• Clicking on an empty line now positions the cursor where you click instead of at the end of the previous line.

We have also fixed a security bug that was reported via our bug bounty program. With a significant amount of user interaction, an attacker could potentially read local files. The attacker would have to induce a user to visit a malicious website, copy the request as a curl command, and then execute it via the command line. This was classed as a medium severity issue due to the level of user interaction required.

Professional 2020.5 Release 2020-Jun-5

This release provides a useful new feature for the HTTP message editor, as well as several general improvements.

You can now choose to display non-printing characters as “lozenges” in the HTTP message editor. This is supported for any bytes with a hexadecimal value lower than 20, which includes tabs, line feeds, carriage returns, and null bytes.

This feature will be greatly beneficial for many use cases, including:

• Spotting subtle differences between byte values in responses
• Experimenting with HTTP request smuggling vulnerabilities
• Studying line endings to identify potential HTTP header injection vulnerabilities
• Observing how null-byte injections are handled by the server

Non-printing characters are hidden by default, but you can toggle the lozenges on and off by clicking the “\n” button at the bottom of the editor.

These non-printing characters can currently only be displayed in the message editor. For now, you have to edit bytes using Burp’s hex view. However, we plan to enable you to do this directly in the message editor in the near future.

General improvements

This release also provides the following minor improvements to various areas of Burp:

• The embedded Chromium browser for the experimental browser-driven scanning mode has been upgraded to version 83.
• Java 14 is now supported for both Professional and Community Edition.
• Burp Proxy no longer intercepts requests for SVG or font files by default.
• Crawling of static content is now faster.

Bug fixes

We have also implemented several minor bug fixes, most notably:

• The response received/completed times are now displayed for 401 responses.
• The response time is now displayed even when the time taken was < 1ms.
• “Check session is valid” session handling rules are now applied properly when session tracing is running
• The content discovery tool no longer erroneously displays the “Session is not running” message.

Professional 2020.4.1 Release 2020-May-18

This release provides the following minor improvements:

• Soft wrapping has been added to the HTTP message editor for any lines longer than 2000 characters.
• Resource management has been improved for the experimental browser-driven scanning option. This ensures that scans can be processed as efficiently as possible.

Bug fixes

In addition to general bug fixes, we have also resolved an issue that sometimes caused overlapping text in the message editor.

Professional 2020.4 Release 2020-Apr-27

This release mainly provides usability improvements to the HTTP message editor. It also upgrades both Java support and Burp Scanner’s embedded browser version.

HTTP message editor

The HTTP message editor now supports pretty printing of JSON, XML, HTML, CSS, and JavaScript. Take a look at the following video to see this feature in action:

Unformatted JSON data, for example, would previously be displayed as follows:

But as of version 2020.4, all of the supported formats mentioned above are prettified by default, meaning the JSON data in our example would now be displayed as follows:

You can toggle pretty printing on and off by clicking the “Pretty” button at the bottom of the editor. Alternatively, if you would prefer not to use pretty printing by default, you can disable this setting under “User options” > “Display” > “HTTP Message Display”.

Java support

As of this release, we now support Java 13. Unfortunately, we will no longer be able to support Java 8. The vast majority of users will be unaffected by this change. However, if you normally launch Burp directly from the JAR file instead of using the provided installer, you need to make sure that you have one of Java versions 9 to 13 before attempting to launch the new JAR file.

Chromium update

We have updated Burp Scanner’s experimental embedded browser to Chromium 81.0.4044.122 in order to implement the latest security fixes.

Other improvements

This release also provides the following minor improvements:

• Provided you have Java 13, Burp Proxy now supports TLS 1.3.
• Burp now notifies you if the proxy listener is disabled for any reason, and provides guidance on how to reactivate it.
• When running Burp in headless mode, you can now execute multiple commands at once by using pipes, heredocs, and so on.
• The search bar in the editor is now displayed correctly on smaller screens.

Bug fixes

We have also implemented several minor bug fixes, including:

• The response time is now displayed correctly for each request you send in Burp Repeater.
• Configured extensions are no longer lost when Burp Suite closes unexpectedly.
• The text editor no longer scrolls infinitely when embedded inside another scrolling component.

Professional 2020.2.1 Released 2020-Mar-16

This release contains minor updates to the 2020.2 release.

There are further enhancements to the custom Collaborator content options that were introduced in version 2020.2. You can now host custom robots.txt and crossdomain.xml files at arbitrary URLs on your Collaborator server.

We have also improved the handling of XML reports by stripping any null values.

The general improvements to the HTTP message editor continue, with this release providing the following bug fixes:

• The message editor no longer freezes when editing some requests containing JSON data.
• Binary data is now preserved in its original state even if you make changes to the request.
• Arrow keys no longer stop working if your request becomes longer than the viewport.
• Arrow keys now work with extensions, provided that they use the same key mappings.
• When clicking on a wrapped line, the cursor is now placed exactly where you click.

The issue definition links now also work correctly on the latest version of Kali Linux.

As always, we’ve also implemented several minor bug fixes across the product.

Professional 2020.2 Released 2020-Mar-02

This release builds on the general improvements we have been making to the HTTP message editor and incorporates some feedback from the community:

• Triple-clicking a word now selects the entire token, for example, the header value or a string literal of a JSON value.
• In editable messages, such as requests and responses in Burp Repeater, hovering over URL-encoded text now shows the decoded version in a tooltip.
• The “Convert selection” popup now works in responses as well as requests.
• In the user options for displaying HTTP messages, you can now choose to use any monospaced font that is installed on your system.
• Performance when analyzing responses with multiple code blocks has been improved.

The “Render” tab now enables you to view rendered HTML pages and images directly within the various tools instead of in a separate popup.

You can now add custom content to the Burp Collaborator service. For example, you could add a readme on the index page identifying the organization and the purpose of the service, or prove ownership of your domain to validate TLS certificate requests. To do this, you simply add new entries in the configuration file containing a path, contentType, and base64Content as follows:

"customHttpContent":
[
{ "path": "/", "contentType": "text/plain", "base64Content": "VGhpcyBpcyBhIHJhbmRvbSBsaW5lIG9mIHRleHQ="},
{ "path": "/foo", "contentType": "text/html", "base64Content": "dGhpcyBpcyBhbm90aGVyIG9uZSBmb3IgZ29vZCBtZWFzdXJlLiBOaWNlLg==" }
]

You can now initiate instant active or passive scans in Burp. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.

The following bugs fixes have also been implemented:

• A bug causing load/save filter dialogs to be hidden has been fixed.
• The “Scan defined insertion points” feature now works for all environments.
• Redirections are now shown in the site map when crawling.

Professional 2020.1 Released 2020-Jan-31

This release updates the HTTP message editor with various new capabilities:

• Syntax colorising for JavaScript, JSON, and CSS.
• Syntax colorising is now dynamically updated as you type.
• Line numbers.
• Code folding.
• Performance improvements.

We will soon continue improving the editor, with better prettifying of some formats and other helpful features.

Various improvements have been made to the efficiency and stability of Burp Scanner. We are working towards enabling the new experimental browser-driven scanning by default, which will pave the way for significant enhancements to the scanner’s capabilities over the coming year.

A number of bug fixes and other enhancements have been made, including:

• Issues negotiating TLS through some LAN firewalls have been resolved.
• Feedback messages during crawls have been improved.
• File dialogs now remember the last selected folder on a per-function basis.
• Improvements have been made to some UI elements in the dark theme.
• The expiration of auto-generated TLS certificates has been shortened to comply with modern browser requirements.
• You can now save performance feedback data to a local file, to be submitted via email rather than automatically.
• Some causes of project file corruption have been resolved.

Professional / Community 2.1.07 Released 2019-Dec-17

This release considerably improves Burp’s SSL/TLS coverage.  Historically, quirks in different server-side implementations together with bugs in the client-side Java stack led to problems connecting to some web sites. These have now been virtually eliminated.

The Venn diagram below shows how Burp’s coverage now compares with Google Chrome for the Alexa top 100,000 sites. Burp achieves substantial overlap with Chrome. Burp can connect to 1,696 sites that Chrome does not, and only fails to connect to 125 sites that Chrome can connect to.

(Note that Burp’s additional coverage is largely because Burp tolerates some older and weaker protocols and ciphers, in the interests of maximizing connectivity.)

Various improvements have been made to the crawling phase of scans:

• The event log contains improved feedback regarding account self-registration and login.
• Crawling is more efficient, with substantially fewer requests needed to discover the same range of locations.
• Various minor bugs have been fixed.

Professional 2.1.06 Released 2019-Nov-22

This release includes various bugfixes and performance enhancements to the new experimental browser-driven scanning feature.

Professional 2.1.05 Released 2019-Nov-05

This release adds experimental support for using Burp’s embedded Chromium browser to perform all navigation while scanning.

This new approach will provide a robust basis for future capabilities in Burp Scanner, enabling it to eventually deal with any client-side technologies and navigational structures that a modern browser is able to deal with. It has the potential to dramatically improve coverage of the scan, during both the crawling and auditing phases.

In this initial release, Burp Scanner now correctly deals with:

• Applications that dynamically construct the navigational UI (links and forms) using JavaScript.
• Applications that dynamically mutate the request when a link is clicked or a form is submitted, using JavaScript event handlers.

There are numerous caveats at this stage:

• Performance is poor and will be improved considerably over the next few releases.
• Navigational elements other than links and forms are not yet supported (such as DIV elements with an onclick handler that makes a request).
• Asynchronous requests such as XHR are honored during navigation but are not audited.
• Navigational actions that mutate the existing DOM without causing a request to the server are not properly handled.
• Frames and iframes are not properly supported.
• File uploads are not supported.

The new feature is currently experimental, and is being released to gather feedback from users who want to play with the new capability and assess its effectiveness. The new feature is not currently a suitable replacement for the existing default scanning mode: you are likely to gain some coverage of JavaScript-heavy applications, but also lose some coverage and experience poor performance. Rest assured that over the coming months the new feature will be considerably enhanced until it becomes a robust and superior replacement to the existing scanning mode.

To enable experimental support for browser-based scan navigation, create a new scan, add a crawl configuration, and under “Miscellaneous” select “Use embedded browser for navigation”. You can also configure whether to allow the browser to fetch page resources that are out-of-scope.

The release also includes various other bugfixes. The embedded JRE that is included in Burp’s installer has been updated to Java 12.

Professional 2.1.04 Released 2019-Sep-27

This release includes a number of minor enhancements and bugfixes.

In Burp Repeater, there are new options to close a tab, close all other tabs, and reopen a closed tab. You can access these actions via the context menu on the tab header, or by assigning hotkeys.

There is a new (default-on) scan option to ignore the protocols of URLs to scan. This is to avoid a  common user error where the scan is configured for http://example.com only, while it needs also to include https://example.com.

When a Burp update is available, there are options to mute the update notification for one week, for the currently offered update, or for all beta updates.

A bug affecting use of PKCS#11 smart cards affecting Burp 2.x has been fixed.

Professional 2.1.03 Released 2019-Aug-07

This release adds a brand new scan check, for HTTP request smuggling vulnerabilities:

This is a long-overlooked vulnerability class that is prevalent in modern cloud architectures, and which often has a critical impact.

• Read the full PortSwigger research post on HTTP desync attacks
• Play with real HTTP request smuggling vulnerabilities on the Web Security Academy

Professional 2.1.02 Released 2019-Jul-26

The support for WebSockets in Burp Repeater has been enhanced with a new WebSocket connection wizard that lets you:

• Attach to an existing WebSocket that is currently open.
• Reconnect to a WebSocket that has closed.
• Clone a WebSocket.
• Manually configure a new WebSocket connection.

The new capability gives you full manual control over the WebSocket negotiation request.

Some other minor enhancements have also been made:

• When creating a new project on disk, Burp will now automatically suggest a project filename, based on the project name and a timestamp.
• When loading a configuration file for project or user options, Burp now warns if the file doesn’t contain any options of the relevant type.
• Various minor bugs have been fixed.

Professional 2.1.01 Released 2019-Jul-16

This release adds support for WebSockets in Burp Repeater.

You can select a WebSocket message in the Proxy history or intercept tab, and choose “Send to Repeater” from the context menu:

Each message you send to Repeater opens in a new tab. Here, you can manually edit and send the message, view the full message history, pick a message from the history and manually edit and resend it, and manage the WebSocket connection:

As always, feedback about this new feature is welcome.

Have fun!

Professional 2.1 Released 2019-Jun-28

Burp Suite 2.x is now officially out of beta!

This is a huge upgrade over 1.7 with a wealth of new capabilities. We encourage anyone still using 1.7 to switch to 2.x.

Community Edition users can now enjoy Burp’s new dark theme. To enable the dark theme, go to User options / Display / User Interface / Look and feel, and select Darcula.

Coming out of beta means we regard Burp Suite 2.x as essentially stable and suitable for general usage. It doesn’t mean there are no bugs. All software has bugs, and feedback is always welcome about any problems that users observe.

We will, of course, be continuing to enhance Burp Suite 2.x with various new features over the coming months.

Professional 1.7.37 Released 2018-Aug-10

This release adds some powerful new Scanner checks based on James Kettle’s talk at Black Hat today.

For full details of this awesome new research, see our blog post on practical web cache poisoning.

Burp Scanner is now able to detect two new vulnerabilities, “Web cache poisoning” and “Request URL override”:

Note: On 10 October 2018, the .DMG package was regenerated to be compatible with MacOS Mojave.

Professional 1.7.36 Released 2018-Jul-30

This release fixes a number of issues including:

• A bug that prevented the macro editor from correctly showing the Proxy history.
• A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
• A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.

Note: On 10 October 2018, the .DMG package for Community Edition was regenerated to be compatible with MacOS Mojave.

Professional 1.7.35 Released 2018-Jun-29

This release includes a number of fixes and minor enhancements:

• Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
• A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
• The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.

Professional 1.7.34 Released 2018-Jun-13

A number of bugs have been fixed:

• A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
• A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
• A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
• Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
• A bug that prevented autocomplete popups from closing on some Linux window managers.
• A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
• A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
• A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.

The following enhancements have been made:

• Burp ClickBandit has been updated to support sandboxed iframes.
• A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

Note that some of the security issues were reported through our bug bounty program, which pays generously for bugs large and small. Thanks are due to Bruno Morisson and Juho Nurminen.

Professional 1.7.33 Released 2018-Mar-28

This release significantly improves the effectiveness of project repair when project file corruption occurs. Some users still experience corrupted project files when using virtualized file systems (for example, using Burp within a guest VM can lead to project file corruption if the host OS terminates abnormally). Previously, if some key metadata near the start of the project file was lost, then Burp’s project repair feature would not recover any data. In the new release, uncorrupted data within the file can still be recovered even if this key metadata is lost. Further feedback is welcomed regarding the effectiveness of project repair.

To support the new project repair function, changes have been made to the Burp project file format. The new release is backwards compatible with project files from all prior versions, but project files created with the new release cannot be opened with older versions of Burp.

Some bugs have been fixed:

• A bug in macro configuration where some settings for cookie handling might not be saved correctly across executions of Burp.
• Some minor bugs in the automatic project backup feature that was recently released.
• A bug where extensions could still gain API access to the Burp Collaborator client even when the user had disabled use of Collaborator.

Professional 1.7.32 Released 2018-Feb-02

This release adds a new automatic project file backup function. If you are using a disk-based project, this function automatically saves a backup copy of your project file periodically in the background. The options for the new function can be found at User options / Misc / Automatic Project Backup:

The new function is superior to the older function that saved a state file backup in several respects:

Project file backups are considerably faster. Project files of 1Gb in size are typically backed up in a few seconds.

• You can optionally include in-scope items only, to reduce the size of the backup file.
  Available disk space is checked before performing a backup. If insufficient space is available, the backup is skipped and an alert is shown.
• A single backup file is saved alongside the main project file. On successful completion of a new backup, the previous backup file is deleted.
• On attempting to open a corrupted project file, Burp checks if a backup is available, and if so offers to open that as an alternative to repairing the original.
• By default, the backup file is deleted on clean shutdown of Burp. Since the main project file is saved incrementally in real time, and project file corruption is typically caused by abnormal termination of the OS, it is not normally necessary to retain backup files following a clean shutdown. You can choose to retain the backup file on shutdown in the automatic project backup options.
• You can optionally disable the progress dialog that is shown when a backup is performed, so you can continue working without interruption.
• Backups are enabled by default with no configuration required. If you don’t want to use the feature, you can quickly turn it off using the option that is shown in the progress dialog:

Other enhancements include:

• Installed BApps are now updated automatically on startup. We issue frequent updates to BApps and it is highly recommended to be using the latest versions. You can disable automatic BApp updates in Extender options.
• A bug in the import project function, which omitted to import the Scanner issue activity log, has been fixed.
• Requests made by extensions during custom scan checks are now correctly reflected in the scan queue request counts, and are correctly subjected to configured request throttling.

1.7.31 19-Jan-2018

1.7.32 2-Feb-2018

1.7.33 28-Mar-2018

1.7.34 13-Jun-2018

A number of bugs have been fixed:

• A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
• A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
• A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
• Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
• A bug that prevented autocomplete popups from closing on some Linux window managers.
• A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
• A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
• A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.

The following enhancements have been made:

• Burp ClickBandit has been updated to support sandboxed iframes.
• A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

1.7.35 29-Jun-2018

This release includes a number of fixes and minor enhancements:

• Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
• A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
• The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.

1.7.36 30-Jul-2018

This release fixes a number of issues including:

• A bug that prevented the macro editor from correctly showing the Proxy history.
• A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
• A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.

1.7.37 10-Aug-2018