Burp Suite v1.3 released

Burp Suite v1.3 is now available to download. This is a major upgrade with a host of new features.

New features in Burp Suite free edition include:

• A new message editor/viewer optimised for HTTP requests and responses, with colourised syntax, mouse-over decoding, and quick conversion functions.

• Facility to add comments and highlights to the proxy history and site map.

• Support for AMF-encoded messages.

• Improved handling of SSL server certificates, to eliminate browser SSL warnings and connection problems with thick clients.

• Copy to file / paste from file to facilitate working with binary content.

• New display filters.

• Much enhanced extensibility.

• Configurable DNS resolution, to override host resolution, facilitating work with non-proxy-aware clients.

• Fine-grained upstream proxy rules.

• Exporting of HTTP messages and metadata in XML format.

New features in Burp Suite Professional include:

• Improved text search, with regex support, scope restrictions, dynamically updating results, etc.

• Automated discovery of unreferenced content.

• Scripts and comments search.

• Wizard for performing more effective scans of multiple items.

• Target analyser.

• Manual testing simulator.

Many thanks to everyone who helped with the beta testing and gave me their feedback - this was much appreciated.

Have fun!

MilkSwigger

This little chap showed up a couple of weeks ago, somewhat earlier than expected. Needless to say, this event has thrown my meticulous plans for the final release of Burp v1.3 into disarray.

Many thanks to everyone who has emailed with bugs and suggestions from the beta release, and apologies for the lack of responses. Normal service will be resumed in January.

[V13P] Pro beta version now available

A beta version of the new release of Burp is now available for Professional users. The free edition will be available in two or three weeks time. If you don't have a Pro license and are eager to try out the new features, why not treat yourself here?

As always, any help flushing out bugs will be much appreciated. Please email these directly, so that I can easily get back to you for more details if required.

The final edition will be released just as soon as we are happy with it, but the beta release is highly stable and suitable for day-to-day working right away. Have fun!

[V13P] Other bits and pieces

I've described most of the major additions to Burp's functionality that are arriving in v1.3. There are a few other smaller tweaks that are worth drawing attention to:

• The tables in the site map and search results now include a timestamp column. Sorting the results on this column lets you easily see when new items are added. This is handy when you are running spidering or content discovery exercises, or when performing dynamic searches, all of which add new entries to these tables periodically.

• The background autosave feature now optionally performs a final autosave on exit, so that you will always have a current snapshot of your work provided Burp closes down gracefully.

• Repeater now shows a response timer in milliseconds, which can help you verify time-delay-based tests for code injection bugs.

• Scope rules can be individually toggled on and off, so you can easily switch between different targets which you have configured.

• Scanner and Spider now support request throttling with optional random variations, to help you avoid overwhelming flimsy applications, and avoid alerting pattern-based intrusion detection systems.

Apologies to the many people whose requests haven't been met on this occasion - there will be further development efforts fairly early in 2010.

[V13P] Target analyser

For Pro users, Burp now includes a function to analyse a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes. This can help you assess how much effort a penetration testing engagement is likely to involve, and can help you decide where to focus your attention during the test itself.

To access this feature, you select one or more hosts or branches within the site map, and launch it using the context menu. The summarised information looks like this:

And you can drill down into more detail about individual URLs:

You can also export all of this information as an HTML report, which you can attach to client proposals and reports to show the attack surface you have covered.

A couple of caveats should be noted. Firstly, this function only analyses the content already captured within the site map, so you should ensure that you have fully browsed or spidered all of the application's content and functionality before running it. Secondly, URLs are deemed to be "static" if they no not take any parameters in the URL or message body; however the responses from these URLs may still be dynamically generated by the application.

[V13P] Exporting of request information

In the new release, Burp lets you export full details of interesting requests and responses in XML format, including all relevant metadata such as response length, HTTP status code and MIME type. For example:

If you have annotated any of the exported items, your comments will also be included within the XML.

You can access this feature via the context menu anywhere in Burp that you see requests and responses, and you can include individual items or multiple selections. The raw data and analysis captured within Burp is thereby available for any external tools that can process the XML export.

[V13P] Manual testing simulator

This feature won't exactly enhance your productivity, but you may sometimes find it useful nonetheless. In the new release, lazy Pro users can make Burp simulate manual testing activities, by sending common test payloads to random URLs and parameters within a target application, at irregular intervals. Burp doesn't do anything with the responses, so you won't find out about any bugs in this way. But if you think that someone might be reviewing the application's logs to confirm that you are working, you can use this feature while you nip out for a long lunch, gym session, drinking binge, or whatever happens to be your preferred diversion.

Regarding the obvious feature request, for you to be able to configure your day-rate, and have Burp calculate how much the simulation has cost your client; no, I don't think that would be appropriate, do you?