Since
@PortSwigger
won't be producing a third edition of The Web Application Hacker's Handbook, the
@Burp_Suite
team is working on something better: online, interactive, actively maintained, and best of all completely free!
More details to follow soon.
You can now scan for Log4Shell (CVE-2021-44228) using Burp Suite Pro or Enterprise Edition by installing
@SilentSignalHU
’s Log4Shell Scanner from the BApp Store.
Coming soon, the Burp Suite Inspector!
Easily analyse HTTP/WebSocket messages, manipulate layers of encoding, and apply changes back to the editor.
A feedback welcome.
#Tease
For the record, Burp Suite does not send details of your vulnerabilities anywhere. But do read this thread if you’re in need of a chuckle.
(In other news, the earth is round and Covid is not a hoax.)
How to exploit CSPP (on our early adopter channel)
1) Go to the proxy tab
2) Click Open Browser
3) Pin the extension
4) Enable prototype pollution
5) Visit
6) Open devtools > DOM Invader
7) Scan for gadgets
8) Open devtools > DOM Invader
9) Click exploit
Burp Suite Pro 2.1.05 released, with experimental support for using Burp's embedded Chromium browser to perform all navigation while scanning. This new approach will provide a robust basis for future capabilities. Feedback welcome if you want to play now.
Hackers, with a redesign of the Program Profiles, we’ve also released a new feature: download
@Burp_Suite
Project files. It enables you to import a Program scope into Burp. No need to manually set up scope in Burp anymore. You can find it at the bottom of a Scope. Happy hacking!
How to enjoy
@Burp_Suite
responsibly at
#Halloween
1. Update to Burp Suite Pro 2.0.11beta.
2. Go to User options / Display / User interface / Look and feel.
3. Select Darcula.
4. Gracefully shut down Burp and restart.
5. Feel the darkness enter your soul.
On Wednesday we'll update
@Burp_Suite
with a scan check for a massively overlooked vulnerability class that
@albinowax
will unveil at
#BHUSA
. This issue is very widespread in modern web stacks and often has critical consequences.
Today's Burp Suite release (2.0.18) includes a major iteration of the new crawler algorithm, based on real-world feedback. We're getting closer to Burp Suite 2.0 coming out of beta.
Burp Suite Community Edition users can now enjoy the new dark theme.
To enable, go to User options / Display / User Interface / Look and feel, and select Darcula.
Burp 2021.8 released, with powerful enhancements to Burp’s HTTP/2 support. Identify and exploit a number of HTTP/2-exclusive vulnerabilities, including 0-days presented by
@albinowax
at BlackHat USA 2021. You really don't want to miss this one!
Blog post: Nominations are now open for the Top 10 web hacking techniques of 2018. To make your nomination, reply to this thread or use the linked form.
If you're still using Burp Suite Pro 1.7, it's time to upgrade and get these awesome new capabilities:
- New crawler with automatic session handling
- Vastly improved new scanning engine
- Dynamic JavaScript analyzer
- Modern response renderer
- Configuration library
Burp Suite does not attempt to access the microphone. It’s possible this is Burp’s embedded browser rendering a response that requests microphone access. We’ll investigate.
Burp Suite Pro 2.0.21beta is now available. We've fundamentally re-architected the embedded Chromium browser to improve its long-term stability and security. This was the last major task holding us back in beta. Feedback about its performance on different platforms is welcome!
Burp Suite Pro/Community 2.1.02 released. Burp Repeater now has a new WebSockets connection wizard letting you attach, reconnect, clone, and manually configure WebSockets connections.
Burp Suite 2020.8 released, with scan checks for some brand new web cache poisoning vulnerabilities, as revealed by
@PortSwiggerRes
at Black Hat yesterday.
#BHUSA
Here’s a sneak preview of the native HTTP logger that is coming soon to Burp Suite. This provides performant and memory-efficient visual logging with a bunch of value-added features. All feedback is most welcome.
#Tease
In case you missed it, we're picking up the baton from
@whitehatsec
/
@jeremiahg
and will publish the top 10 web hacking techniques each year. Nominations are open for 2017, and we're updating this blog post as they come in. Keep them coming!
We believe our experimental browser-powered scanning feature is now stable and suitable for serious use. If you haven’t already, please upgrade to Burp Suite Pro 2020.7, turn it on, and try it out. All feedback is welcome.
We fixed this problem in Burp 2.0.15. It was indeed caused by a rendered web page requesting microphone access. We do always listen to our customers, just not in this way.
Burp Suite does not attempt to access the microphone. It’s possible this is Burp’s embedded browser rendering a response that requests microphone access. We’ll investigate.
HTTP request smuggling is a long-overlooked vulnerability class that is widespread in the modern web and is often critical.
@Burp_Suite
is currently the only web scanner that can report this vulnerability. Use Burp to find out if you're vulnerable.