Burp Suite, the leading toolkit for web application security testing

PortSwigger Web Security Blog

Monday, 11 August 2014

PortSwigger moves into “Challengers” Quadrant in 2014 Gartner Magic Quadrant for Application Security Testing for its web security solution

In July 2014 Gartner released its annual Magic Quadrant for Application Security Testing.

The report published by analysts Joseph Feiman and Neil MacDonald evaluates organizations based on ‘completeness of vision’ and ‘ability to execute’. Gartner have positioned PortSwigger Web Security in the ‘challengers’ quadrant, and according to the report:
“Challengers in this magic quadrant are vendors that have executed consistently, typically by focusing on a single technology. In addition, they have demonstrated substantial competitive capabilities against the leaders in this particular focus area and also have demonstrated momentum in their customer base in overall size and growth.”
Dafydd Stuttard, founder of PortSwigger Web Security, said: “We are delighted that Gartner have recognized us as a challenger in this market. Burp Suite is a powerful web scanning tool, and is extremely competitively priced. It is one of the most widely adopted tools in the market, with users in over 90 countries and a majority of the Fortune 100 companies. Burp Suite provides its users with exceptional capabilities and value for money.”

In this new report, Feiman and MacDonald state that “Global-scale scandals around critical applications’ breaches have highlighted the need for effective detection of exploitable application security vulnerabilities. Application security testing is the solution for web, cloud and mobile applications”.

In the past year, PortSwigger Web Security has accelerated its investment in Burp Suite, and expanded its core team. We have a very ambitious roadmap for the product, driven by the continual changes in web security and our customers’ requirements. We have some major product enhancements planned through 2014 and 2015, which will continue to raise the bar in web security testing.

For information about PortSwigger Web Security, and to trial Burp Suite, please visit portswigger.net.

PortSwigger Web Security is a global leader in the creation of software tools for security testing of web applications. For nearly a decade, we have worked at the cutting edge of the web security industry, and our suite of tools is well established as the de facto standard toolkit used by web security professionals.

Gartner disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Monday, 28 July 2014

Burp gets new JavaScript analysis capabilities

The latest release of Burp includes a new engine for static analysis of JavaScript code. This enables Burp Scanner to report a range of new vulnerabilities, including:
  • DOM-based XSS
  • JavaScript injection
  • Client-side SQL injection
  • WebSocket hijacking
  • Local file path manipulation
  • DOM-based open redirection
  • Cookie manipulation
  • Ajax request header manipulation
  • DOM-based denial of service
  • Web message manipulation
  • HTML5 storage manipulation

In the initial release, the new functionality is officially experimental, and will be enhanced in future releases based on user feedback. The key areas for further enhancement are as follows:
  • Burp supports most core JavaScript language features, including local and global variables, function calls and return values, assignments, arrays, and relevant platform APIs. Two important language features are not yet supported: object dereferences (reading and writing properties such as obj.prop) and variables that hold function references. Vulnerabilities whose dataflow depends on these features are not currently reported.
  • Static code analysis is resource intensive. We have worked hard on the code analysis engine to minimize memory and CPU consumption, and its performance has been extensively tested against real-world code. However, there is more work yet to do in this area, and in the initial release it may be necessary to (a) increase the memory that is assigned to the Java process; (b) restrict static code analysis to key targets of interest; (c) configure a suitable maximum analysis time for complex items. See the static code analysis options for more details.
  • In a future release, we may provide a UI similar to the active scan queue, containing a view of pending and current code analysis tasks, and enabling the user to pause, resume or cancel individual tasks.
  • Burp's rules for identifying tainted sources and dangerous sinks, and for mapping these to vulnerability types, may need further refinement.
Despite the above opportunities for enhancement, the current functionality is sufficiently powerful that it would be wrong for us to sit on it any longer, and it's time for users to try it out in real-world situations. Feedback is actively welcomed about the new capabilities, to help drive the above and other improvements.

How does Burp's code analysis work? We don't simply match suspicious code based on patterns, which is too error-prone and only finds the simplest bugs. We don't execute the code, or fuzz the DOM in an instrumented browser, as this can lead to worse performance problems, many missed vulnerabilities, and poor code coverage due to missed execution branches. We don't employ any external dependencies as these can be brittle and a pain for users to set up.

Rather, Burp contains a home-grown language parser and dataflow analysis engine. We identify places in the code where data is read from potentially tainted sources within the DOM, and trace this data through possible execution paths in the code. If the data can reach a dangerous sink, then a potential vulnerability is reported. This is not, of course, a new approach to static code analysis, but there are many challenges in the details that we believe we have solved in novel and effective ways.
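The source-to-sink tracing described above, as an added illustration that is not Burp's engine or any PortSwigger code: a toy taint tracker over straight-line JavaScript, one statement per line. It reads like a real dataflow pass (DOM sources are identified, taint is propagated through assignments, and a finding is raised when tainted data reaches a sink), but it matches statements with regular expressions rather than parsing them, follows no branches, and tracks only plain local variables. The source list, sink list and sanitiser rule are assumptions chosen to mirror the vulnerability classes listed in this post; both sample scripts are constructed for this example. The second sample shows the object-dereference gap the post describes: cfg.cmd is written from location.hash and then passed to eval, and the toy, like the initial release, does not follow the flow.

```javascript
'use strict';
// Added example, not Burp's code: a toy source-to-sink taint tracker for
// straight-line JavaScript. A real engine parses to an AST and follows every
// execution path; this toy matches one statement per line with regular
// expressions so it runs offline with no dependencies.

// Reads that the page's visitor, and therefore an attacker, controls (assumed list).
const SOURCES = ['location.hash', 'location.search', 'location.href',
  'document.URL', 'document.referrer', 'window.name'];

// Assignment targets and calls that execute, emit or act on the data (assumed list).
const ASSIGNMENT_SINKS = [
  [/\.(?:innerHTML|outerHTML)$/, 'DOM-based XSS'],
  [/^(?:window\.|document\.)?location(?:\.href)?$/, 'DOM-based open redirection'],
  [/^document\.cookie$/, 'Cookie manipulation'],
];
const CALL_SINKS = [
  [/\bdocument\.write(?:ln)?\s*\(/g, 'DOM-based XSS'],
  [/(?<![\w$.])(?:window\.)?(?:eval|setTimeout|setInterval|Function)\s*\(/g, 'JavaScript injection'],
  [/\bnew\s+WebSocket\s*\(/g, 'WebSocket hijacking'],
  [/\.executeSql\s*\(/g, 'Client-side SQL injection'],
  [/\blocalStorage\.setItem\s*\(/g, 'HTML5 storage manipulation'],
  [/\.postMessage\s*\(/g, 'Web message manipulation'],
];
// Toy sanitiser rule: numeric conversions can never carry an injection.
// A real engine judges each sanitiser against the sink type it feeds.
const SANITISERS = /(?<![\w$.])(?:parseInt|Number)\s*\(/g;

// lhs = rhs, where lhs is an identifier with optional .prop, (args) and [idx] parts.
const ASSIGNMENT = /^(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*|\([^()]*\)|\[[^\]]*\])*)\s*=(?!=)\s*(.+?);?\s*$/;

// Text between the balanced parentheses that open at index `open`.
function callArguments(text, open) {
  let depth = 0;
  for (let i = open; i < text.length; i++) {
    if (text[i] === '(') depth++;
    else if (text[i] === ')' && --depth === 0) return text.slice(open + 1, i);
  }
  return text.slice(open + 1);
}

// Replace each sanitiser call, with its balanced arguments, by a clean literal.
function stripSanitisers(expr) {
  let out = expr, m;
  SANITISERS.lastIndex = 0;
  while ((m = SANITISERS.exec(out)) !== null) {
    const open = m.index + m[0].length - 1;
    const args = callArguments(out, open);
    out = out.slice(0, m.index) + '0' + out.slice(open + args.length + 2);
    SANITISERS.lastIndex = m.index + 1;
  }
  return out;
}

// The DOM source an expression carries: a direct read, or a variable that was
// earlier assigned from one. Returns null when the expression is clean.
function taintOf(expr, tainted) {
  const clean = stripSanitisers(expr);
  for (const src of SOURCES) if (clean.includes(src)) return src;
  for (const [name, origin] of tainted) {
    const ref = new RegExp('(?<![\\w$.])' + name.replace(/\$/g, '\\$') + '(?![\\w$])');
    if (ref.test(clean)) return origin;
  }
  return null;
}

// Walk the statements in order, propagate taint through assignments, and
// report every sink that receives tainted data.
function analyze(script) {
  const tainted = new Map(); // variable name -> originating source
  const findings = [];
  script.split('\n').forEach((raw, idx) => {
    const stmt = raw.trim();
    if (!stmt || stmt.startsWith('//')) return;
    const line = idx + 1;
    // 1. Calls to dangerous sinks anywhere in the statement.
    for (const [re, type] of CALL_SINKS) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(stmt)) !== null) {
        const source = taintOf(callArguments(stmt, m.index + m[0].length - 1), tainted);
        if (source) findings.push({ line, type, source, statement: stmt });
      }
    }
    // 2. Assignments: either a sink property, or a variable whose taint we record.
    const a = stmt.match(ASSIGNMENT);
    if (!a) return;
    const [, lhs, rhs] = a;
    const source = taintOf(rhs, tainted);
    for (const [re, type] of ASSIGNMENT_SINKS) {
      if (re.test(lhs)) {
        if (source) findings.push({ line, type, source, statement: stmt });
        return;
      }
    }
    if (!/^[A-Za-z_$][\w$]*$/.test(lhs)) return; // obj.prop writes are not tracked
    if (source) tainted.set(lhs, source); else tainted.delete(lhs); // flow-sensitive
  });
  return findings;
}

// Constructed sample page scripts (not from any real site).
const SAMPLE = [
  'var hash = location.hash.substring(1);',                        // 1: tainted
  'var greeting = "Hello " + hash;',                               // 2: still tainted
  'document.getElementById("out").innerHTML = greeting;',          // 3: DOM-based XSS
  'var page = parseInt(location.search.substring(1));',            // 4: sanitised
  'document.write(page);',                                         // 5: no finding
  'var next = decodeURIComponent(location.search.substring(1));',  // 6: tainted
  'location.href = next;',                                         // 7: open redirection
  'var qty = hash;',                                               // 8: tainted
  'qty = "1";',                                                    // 9: overwritten, clean
  'eval(qty);',                                                    // 10: no finding
  'var ws = new WebSocket("ws://" + hash + "/chat");',             // 11: WebSocket hijacking
].join('\n');
const MISSED = ['var cfg = {};', 'cfg.cmd = location.hash.substring(1);', 'eval(cfg.cmd);'].join('\n');

for (const f of analyze(SAMPLE)) console.log(`line ${f.line}: ${f.type} via ${f.source}: ${f.statement}`);
console.log(`object-property sample: ${analyze(MISSED).length} findings (flow through cfg.cmd is not followed)`);
```

Running it reports three findings for SAMPLE (lines 3, 7 and 11) and none for MISSED. Lines 5 and 10 stay quiet for the two reasons a dataflow engine has to model explicitly: a sanitising conversion on the path, and a later assignment that overwrites the tainted value before it reaches the sink.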

Have fun!

Thursday, 29 May 2014

PortSwigger is sponsoring BSides Manchester

PortSwigger Web Security is proud to be a gold sponsor of BSides Manchester. This free security conference is right on our doorstep in the North West of England, so we're very happy to be supporting it.

As the team behind Burp Suite grows, we're always on the lookout for great people with a strong web security background. If you're at the event, come and find us and we can talk about how you could help us make Burp even better.

We also have a number of conference tickets to give away to Burp users. If you haven't managed to obtain a ticket to the event, and you (or your employer) are a licensed user of Burp Suite Pro, please email us at office@portswigger.net to claim your ticket - first come first served!

Tuesday, 15 April 2014

Burp Suite Free Edition v1.6 released

Burp Suite Free Edition v1.6 is now available to download.

This is a significant upgrade with a wealth of new features added since v1.5, including:
  • Support for WebSockets messages.
  • Support for PKCS#11 client SSL certificates contained in smart cards and physical tokens.
  • A new Extender tool, allowing dynamic loading and unloading of multiple extensions.
  • A new powerful extensibility API, enabling extensions to customize Burp's behavior in much more powerful ways.
  • Support for extensions written in Python and Ruby.
  • A new BApp Store feature, allowing quick and easy installation of extensions written by other Burp users.
  • An option to resolve DNS queries over a configured SOCKS proxy, allowing access to Tor hidden services.
  • Generation of CSRF PoC attacks using a new cross-domain XHR technique.
  • New options for SSL configuration, to help work around common problems.
  • Optional unpacking of compressed request bodies in the Proxy.
  • Support for .NET DeflateStream compression.
  • New and improved types of Intruder payloads.
  • New Proxy interception rules.
  • New Proxy match/replace rules.
  • Improved layout options in the Repeater UI.
  • An SSL pass-through feature, to prevent Burp from breaking the SSL tunnel for specified domains.
  • Support for the Firefox Plug-n-hack extension.
  • An option to copy a selected request as a curl command.
And the best thing about Burp upgrades? No one pays for them ...

The Free Edition is and always will be free, despite its huge capabilities.

Burp Suite Professional still costs only $299, and all licensed users can upgrade without any extra charge. We haven't changed the price for two-and-a-half years, despite two major updates and nearly forty minor updates. Even better? We've already said that we won't be hiking the price during 2014.

Have fun!

Tuesday, 4 March 2014

Introducing the BApp Store

Today's release of Burp includes a brand new feature: the BApp Store. This contains Burp extensions that have been written by users of Burp Suite, to extend its capabilities.

You can install BApps with one click from within Burp.

You can also download BApps from the BApp Store web site, for manual installation on Burp machines without an Internet connection.

All BApps are free! We may support paid-for BApps in future, but we have no current plans to do so.

We really hope that the new feature will help users find and use good quality Burp extensions that other users have shared. You can rate BApps that you have used, and see the aggregated ratings submitted by other users.

We also hope that the BApp Store will encourage more extension authors to create and share great Burp extensions. We'll be adding more BApps to the store in the near future. If you have written or are aware of a great Burp extension that you'd like included in the BApp Store, please submit your BApp to us.

Thursday, 6 February 2014

Burp Suite Pro shines in new survey

A new survey has just been published comparing the performance of 63 different web application security scanners. This is what it says overall about Burp Suite Pro:
"Burp is the undisputed winner of the overall versatility category, was the winner in the input vector support category, got one of the highest scores in detecting Backup/Hidden Files, and decent scores in many other categories. It also came out FIRST in the SQL Injection and Reflected XSS categories, and dramatically improved its RFI score."
There is a lot of technical detail in the survey results that we plan to work through, to understand exactly how Burp performed, and can be improved even further.

In the past few months, we've made numerous significant enhancements to Burp Scanner, adding support for nested insertion points, new payload encodings, new categories of vulnerability, and improved coverage of existing scan checks. But we're far from complacent: this year we will continue enhancing the Scanner engine to find even more edge-case vulnerabilities, and also the Spider tool to improve Burp's fully automated crawling capabilities.

As always, new features and enhancements to Burp Suite Pro are made available free to licensed users, and the cost of a Burp license will not be increasing during 2014.

Wednesday, 1 January 2014

Burp Suite Pro price held for 2014

It's been a while since we increased the price of Burp Suite Pro. In fact, it's cost $299 since November 2011.

Since that time, we've released 34 updates, and added over a hundred great new features, including:
  • Fully updated user interface
  • In-tool documentation
  • Support for JSON parsing and rendering
  • Various Scanner engine enhancements, including several new checks
  • Options to optimize the Scanner for speed and accuracy
  • Nested Scanner insertion points, to handle XML within JSON within a URL parameter, etc.
  • New extensibility API
  • Ability to load multiple extensions, and load/unload dynamically via the UI.
  • Support for extensions written in Python and Ruby
  • CSRF PoC generator
  • Importable / exportable SSL CA certificates
  • Workarounds for various Java SSL issues
  • Support for PKCS#11 smart card authentication
  • SSL passthrough function
  • sslstrip functionality
  • "Copy as curl command" feature
  • New Intruder payload types
  • Support for Firefox plug-n-hack
  • Numerous other small enhancements throughout the suite.
All updates are made available to licensed users without any additional charge.

Today, we pledge that we will not increase the USD price of Burp Suite Pro during 2014. Instead of hiking the price, we'll continue to add great new features. We have some fantastic ideas in the pipeline, and if all goes well we will be making one or two really big announcements in the course of 2014.

Happy new year!

Copyright 2014 PortSwigger Ltd. All rights reserved.