Burp Suite, the leading toolkit for web application security testing

PortSwigger Web Security Blog

Monday, 28 July 2014

Burp gets new JavaScript analysis capabilities

The latest release of Burp includes a new engine for static analysis of JavaScript code. This enables Burp Scanner to report a range of new vulnerabilities, including:
  • DOM-based XSS
  • JavaScript injection
  • Client-side SQL injection
  • WebSocket hijacking
  • Local file path manipulation
  • DOM-based open redirection
  • Cookie manipulation
  • Ajax request header manipulation
  • DOM-based denial of service
  • Web message manipulation
  • HTML5 storage manipulation

In the initial release, the new functionality is officially experimental, and will be enhanced in future releases based on user feedback. The key areas for further enhancement are as follows:
  • Burp supports most core JavaScript language features, including local and global variables, function calls and return values, assignments, arrays, and relevant platform APIs. Two important language features are not supported: object dereferences and function pointer variables. Some vulnerabilities that are dependent on these language features are not currently reported.
  • Static code analysis is resource intensive. We have worked hard on the code analysis engine to minimize memory and CPU consumption, and its performance has been extensively tested against real-world code. However, there is more work yet to do in this area, and in the initial release it may be necessary to (a) increase the memory that is assigned to the Java process; (b) restrict static code analysis to key targets of interest; (c) configure a suitable maximum analysis time for complex items. See the static code analysis options for more details.
  • In a future release, we may provide a UI similar to the active scan queue, containing a view of pending and current code analysis tasks, and enabling the user to pause, resume or cancel individual tasks.
  • Some further refinement may be necessary of Burp's rules for identifying tainted sources and dangerous sinks, and mapping these to vulnerability types.
Despite the above opportunities for enhancement, the current functionality is sufficiently powerful that it would be wrong for us to sit on it any longer, and it's time for users to try it out in real-world situations. Feedback is actively welcomed about the new capabilities, to help drive the above and other improvements.

How does Burp's code analysis work? We don't simply match suspicious code based on patterns, which is too error-prone and only finds the simplest bugs. We don't execute the code, or fuzz the DOM in an instrumented browser, as this can lead to worse performance problems, many missed vulnerabilities, and poor code coverage due to missed execution branches. We don't employ any external dependencies as these can be brittle and a pain for users to set up.

Rather, Burp contains a home-grown language parser and dataflow analysis engine. We identify places in the code where data is read from potentially tainted sources within the DOM, and trace this data through possible execution paths in the code. If the data can reach a dangerous sink, then a potential vulnerability is reported. This is not, of course, a new approach to static code analysis, but there are many challenges in the details that we believe we have solved in novel and effective ways.

Have fun!

Thursday, 29 May 2014

PortSwigger is sponsoring BSides Manchester

PortSwigger Web Security is proud to be a gold sponsor of BSides Manchester. This free security conference is right on our doorstep in the North West of England, so we're very happy to be supporting it.

As the team behind Burp Suite grows, we're always on the look out for great people with a strong web security background. If you're at the event, come and find us and we can talk about how you could help us make Burp even better.

We also have a number of conference tickets to give away to Burp users. If you haven't managed to obtain a ticket to the event, and you (or your employer) are a licensed user of Burp Suite Pro, please email us at office@portswigger.net to claim your ticket - first come first served!

Tuesday, 15 April 2014

Burp Suite Free Edition v1.6 released

Burp Suite Free Edition v1.6 is now available to download.

This is a significant upgrade with a wealth of new features added since v1.5, including:
  • Support for WebSockets messages.
  • Support for PKCS#11 client SSL certificates contained in smart cards and physical tokens.
  • A new Extender tool, allowing dynamic loading and unloading of multiple extensions.
  • A new powerful extensibility API, enabling extensions to customize Burp's behavior in much more powerful ways.
  • Support for extensions written in Python and Ruby.
  • A new BApp Store feature, allowing quick and easy installation of extensions written by other Burp users.
  • An option to resolve DNS queries over a configured SOCKS proxy, allowing access to TOR hidden services.
  • Generation of CSRF PoC attacks using a new cross-domain XHR technique.
  • New options for SSL configuration, to help work around common problems.
  • Optional unpacking of compressed request bodies in the Proxy.
  • Support for .NET DeflateStream compression.
  • New and improved types of Intruder payloads.
  • New Proxy interception rules.
  • New Proxy match/replace rules.
  • Improved layout options in the Repeater UI.
  • An SSL pass-through feature, to prevent Burp from breaking the SSL tunnel for specified domains.
  • Support for the Firefox Plug-n-hack extension.
  • An option to copy a selected request as a curl command.
And the best thing about Burp upgrades? No one pays for them ...

The Free Edition is and always will be free, despite its huge capabilities.

Burp Suite Professional still costs only $299, and all licensed users can upgrade without any extra charge. We haven't changed the price for two-and-a-half years, despite two major updates and nearly forty minor updates. Even better? We've already said that we won't be hiking the price during 2014.

Have fun!

Tuesday, 4 March 2014

Introducing the BApp Store

Today's release of Burp includes a brand new feature: the BApp Store. This contains Burp extensions that have been written by users of Burp Suite, to extend its capabilities.

You can install BApps with one click from within Burp:

You can also download BApps from the BApp Store web site, for manual installation on Burp machines without an Internet connection:

All BApps are free! We may support paid-for BApps in future, but we have no current plans to do so.

We really hope that the new feature will help users find and use good quality Burp extensions that other users have shared. You can rate BApps that you have used, and see the aggregated ratings submitted by other users.

We also hope that the BApp Store will encourage more extension authors to create and share great Burp extensions. We'll be adding more BApps to the store in the near future. If you have written or are aware of a great Burp extension that you'd like included in the BApp Store, please submit your BApp to us.

Thursday, 6 February 2014

Burp Suite Pro shines in new survey

A new survey has just been published comparing the performance of 63 different web application security scanners. This is what it says overall about Burp Suite Pro:
"Burp is the undisputed winner of the overall versatility category, was the winner in the input vector support category, got one of the highest scores in detecting Backup/Hidden Files, and decent scores in many other categories. It also came out FIRST in the SQL Injection and Reflected XSS categories, and dramatically improved its RFI score."
There is a lot of technical detail in the survey results that we plan to work through, to understand exactly how Burp performed, and can be improved even further.

In the past few months, we've made numerous significant enhancements to Burp Scanner, adding support for nested insertion points, new payload encodings, new categories of vulnerability, and improved coverage of existing scan checks. But we're far from complacent: this year we will continue enhancing the Scanner engine to find even more edge-case vulnerabilities, and also the Spider tool to improve Burp's fully automated crawling capabilities.

As always, new features and enhancements to Burp Suite Pro are made available free to licensed users, and the cost of a Burp license will not be increasing during 2014.

Wednesday, 1 January 2014

Burp Suite Pro price held for 2014

It's been a while since we increased the price of Burp Suite Pro. In fact, it's cost $299 since November 2011.

Since that time, we've released 34 updates, and added over a hundred great new features, including:
  • Fully updated user interface
  • In-tool documentation
  • Support for JSON parsing and rendering
  • Various Scanner engine enhancements, including several new checks
  • Options to optimize the Scanner for speed and accuracy
  • Nested Scanner insertion points, to handle XML within JSON within a URL parameter, etc.
  • New extensibility API
  • Ability to load multiple extensions, and load/unload dynamically via the UI.
  • Support for extensions written in Python and Ruby
  • CSRF PoC generator
  • Importable / exportable SSL CA certificates
  • Workarounds for various Java SSL issues
  • Support for PKCS#11 smart card authentication
  • SSL passthrough function
  • sslstrip functionality
  • "Copy as curl command" feature
  • New Intruder payload types
  • Support for Firefox plug-n-hack
  • Numerous other small enhancements throughout the suite.
All updates are made available to licensed users without any additional charge.

Today, we pledge that we will not increase the USD price of Burp Suite Pro during 2014. Instead of hiking the price, we'll continue to add great new features. We have some fantastic ideas in the pipeline, and if all goes well we will be making one or two really big announcements in the course of 2014.

Happy new year!

Friday, 4 October 2013

Burp through the ages

Here is a brief tour of the major releases of Burp from over the years. I can't believe it's been over 10 years already!

Burp v1.0

  • Released June 2003
  • First incarnation of Intruder tool
  • Includes burp sound effects you can't turn off

Burp Proxy v1.0 

  • Released August 2003
  • Basic intercepting proxy
  • Text / hex views
  • History feature


  • Released August 2003
  • First incarnation of Repeater tool
  • So-called because it simply opens a socket and sends a request to it

Burp Proxy v1.1

  • Released January 2004
  • Tons more options!
  • Supports chained proxy, authentication, match-and-replace
  • Getting pretty sophisticated now

Burp Spider v1.0

  • Released March 2004
  • Application-aware spider
  • Can follow links and submit forms

Burp Repeater v1.1

  • Released July 2005
  • New name for the sock tool
  • Adds chained proxy and authentication options

Burp Suite v1.0

  • Released August 2005
  • All four Burp tools together
  • Items can be easily sent between tools to speed up testing
  • Supports passive spidering as you browse
  • Extensibility
  • A huge breakthrough!

Burp Suite v1.1

  • Released November 2007
  • New Sequencer, Decoder and Comparer tools
  • New analysis of HTTP messages

Burp Suite v1.2

  • Released December 2008
  • Burp Scanner arrives
  • New site map
  • Tons of cool new features: scope control, view filters, search, invisible proxying
  • The infamous Month of Burp Pr0n is published
  • This is the big leap forwards!

Burp Suite v1.3

  • Released January 2010
  • Improved rendering and analysis of HTTP messages
  • Content discovery
  • Target analysis
  • The crucial manual testing simulator

Burp Suite v1.4

  • Released June 2011
  • New logo (still home-made)
  • Session handling rules and macros
  • New ways to test access controls
  • Works properly on OS X now

Burp Suite v1.5

  • Released October 2012
  • Another new logo (a proper one this time)
  • New UI, with bells, whistles and capital letters.
  • In-tool documentation
  • Lots of cool new features

User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Copyright 2014 PortSwigger Ltd. All rights reserved.