

PortSwigger Web Security Blog

Friday, 22 June 2007

Burp Suite - feature requests please

Now that the manuscript for The Web Application Hacker's Handbook is out of the way, I'll have some proper time to think about the next release of Burp Suite. This will be a major upgrade with lots of new features in all of the tools, including:

  • Improved rendering and analysis of HTTP messages wherever they appear [preview].

  • Function to do a compare/diff between any set of requests and responses.

  • Versatile decoder/encoder with intelligence to detect encoding types and do recursive decoding.

  • Support for client SSL certificates.

  • New payload generators in Intruder.

At this point, it would be good to hear any other feature requests that people have, however large or small. Please leave them in the comments and I'll address as many as I can.

66 comments:

Anonymous said...

The function to add client SSL certs will be highly useful; it's the only reason I currently turn to Paros as an alternative.

john1 said...

When you double-click an item in the proxy history to show the full request and response, can you add next/prev buttons to cycle through the history (like in the Intruder results)? thx.

Daniel said...

Weird, I was talking to Paul about this the other day, asking if you had been working on a new ver!!

My wishlist:

- Support for saving of preferences (like proxy, intruder etc)
- SSL Certs!!!!
- In the proxy, having an option to not only see the request but also the response would be SUPAH
- Some kind of cookie analyser (although this is a massive wish list, I mean WebScarab does a damn fine job, so maybe I'm being lazy and wanting it in 1 tool)

Also, how cool would it be to have a community-based fuzzing submission list?

I find a cool new fuzzing method, go to the portswigger site and add it in there, and others get to enjoy it.

PortSwigger said...

@Dan

Heh, your requests #1 and #3 are pretty easy, as they already exist. Preferences in all tools are persisted by default (go to burp / remember settings and ensure this is enabled). And the proxy does intercept responses - go to options / server responses and ensure that "intercept" is checked. You can also set rules determining what kind of responses are intercepted.

Re #4, yes it would be great to have a decent token analyser. It would be pretty trivial to repro what WebScarab has, but ideally I'd like to implement the deeper token analysis that the likes of AppScan do, plus the mathematical analysis of stompy. That's a fair bit of work, but it might make the next release if all goes well.

Anonymous said...

Fixing the Intruder under Debian would be great

Another Daniël said...

Hi, great tool. SSL client certs would indeed be great.

Another feature that would be nice is a grep function in the Repeater. So for example with SQL injections you can easily see the result (or for command shells ;)).

Anonymous said...

Please implement a streaming mode and not only store and forward

Sean said...

It would be really helpful if the proxy history were exportable.
Currently you can copy all URLs to the clipboard, but it would be great to be able to generate a log file similar to the one created through the "comms" tab (i.e., with the request/response flow).

stephendv said...

The ability to record and replay specific conversations would be great. Something like what Apache JMeter provides. Alternatively a free form scripting language and console so that testers can write their own tests, like what HtmlUnit provides in the functional testing space.

Badger said...

D,

Any chance of adding a Paros-style "tree" view of the site(s) you're testing?

Also, any chance of including an "obsolete file scanner" (ref. Paros) that includes "friendly 404" detection?

Just saves running Paros now that you're implementing client-side SSL certs! :-)

T

Buben Razuma said...

Hi!
Possibly, a nice feature would be configuration from the plain text files, including filters etc.

Anonymous said...

- WSDL parsing for automatic XML generation for Intruder/Repeater
- option to follow redirects (302 and/or meta) in Intruder (for bruteforcing some 2-pass auth, like OWA 2003, etc.)
- more flexible presets for payloads (external file, import, export, etc.)
- web tree export (with/without extensions, etc.)
- web tree export to Intruder payloads (for mutations, etc.)

maluc said...

portswigger:
first off, I must say how much I love you for making the Burp suite. Truly one of the most useful and most used tools I have. The proxy in particular: although there are many other proxies, I'm really fond of the UI for yours.
I'd be interested in helping do a C++ port with MFC - which I know makes it Windows only. Would you be against that?

When using the scroll wheel over the regular expression lists in the options menus, it would be nice if, when they aren't full enough to have a scrollbar of their own, the main window would scroll instead - currently it feels like it gets stuck..

Also on the proxy's server response option, for the 'if content matches text' to default to unchecked.

Would also be nice for things to be tabbable .. and in a logical way

To run one component of the suite without having the others opened (different from detached) and without having to download that component by itself - perhaps done through command line arguments.

More thumbs up for token/cookie integration.

And a request to not add too many esoteric big features.. a big part of the greatness of the burp suite is that it has a great UI without the unnecessary crap added in for frills. More is not always better :/

my email is: arserbin3 at yahoo dot fr (not com)
.. if you're not against an .exe port.. which has a number of advantages imho

-maluc

Keith said...

To echo several previous comments, it's the clean UI that sets Burp apart from the others, so I hope that isn't lost with the addition of new features. My only must-have new feature request would be the support for certs.

One minor bug I've noticed when capturing requests is that the 'param' option gets reset back to the default 'text' option if a response is captured. 'param' doesn't make sense for responses, so it's greyed out, but it would be nice if it remembered that I wanted the next request displayed in 'param' format.

Thanks for this great tool! It's where I spend 90% of my time with web assessments.

google said...

My wish list for a new burp version is:

- the ability to save and load a burp session (like Paros has)
- when implementing SSL certs add support for PKCS#11 based tokens
- better handling of binary data (burp can't repeat it currently)
- support for ActionScript Message Format used by Flash Remoting

Anonymous said...

intruder feature request:

The ability to execute client-side JavaScript to find DOM flaws
(currently unaware of any proxy that has this ability)

Buben Razuma said...

I tried Burp once again now, being inspired by RSnake's post and remembered why I stopped using it.
In the proxy configuration on the "comms" tab it's impossible to define hosts which must be accessed without a proxy (as it is done in browsers, or in WebScarab under Tools -> Proxies -> No Proxy field).

Going further, it could be funny to have a FoxyProxy-like config (I have no idea whether that's useful, however).

Chillman said...

Great to hear viewstate parsing will be in there!

Would really like to see:
* Ability to choose file types that are captured during logging (including binary files)
* Ability to recreate the web directory structure locally including local copies of the browsed files, on the fly as the site is browsed
* Suru-like "Reconnaissance engine" (http://www.sensepost.com/research/suru/)
* On the fly extraction of comments and embedded JavaScript files for later analysis (à la WebScarab)
* Reloading a session from a log file, especially for replay/repeater purposes
* Encoder/Decoder - base64, md5, sha1, etc
* Cookie analysis
* Better rendering of server HTML responses from intruder & repeater or at least a "View in browser" button.

And finally a better way of buying the professional version than PayPal, so I can buy a few licenses on my corporate credit card and reward you for your great work.

Anonymous said...

The special character used by Intruder to mark URL parameters to inject user supplied input on Ubuntu is not recognised and does not work. You have to manually paste in the special character :(

Keith said...

I forgot to mention one other minor annoyance that I would love to see fixed in the next version... the resource type matching for request intercepts [i.e. resource type does not match (gif|jpg|png|css)] should be exact matching. Currently when I try to ignore JavaScript (js), then I also must ignore Java Server Pages (jsp).

Thanks!!
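The js/jsp overlap described above is what you get when the rule's pattern is searched for anywhere inside the extension instead of being matched against the whole of it. The Python below is an added illustration, not Burp's own code: it runs both matching styles over a constructed URL list (the URLs, the extended rule text and the function names are assumptions).

```python
import re
from urllib.parse import urlsplit

# Constructed sample request URLs (not taken from the page).
SAMPLE_URLS = [
    "http://example.test/app/login.jsp?user=a",
    "http://example.test/static/app.js",
    "http://example.test/img/logo.png",
    "http://example.test/css/site.css",
    "http://example.test/app/index",  # no extension at all
]

# The rule from the comment, extended with "js" so that JavaScript is ignored too.
IGNORE_PATTERN = "gif|jpg|png|css|js"


def extension_of(url: str) -> str:
    """Extension of the URL path ('' if none); the query string is ignored."""
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return last_segment.rsplit(".", 1)[1].lower() if "." in last_segment else ""


def unanchored_match(pattern: str, ext: str) -> bool:
    """Search semantics: 'js' is found inside 'jsp', the behaviour the comment complains about."""
    return re.search(pattern, ext) is not None


def anchored_match(pattern: str, ext: str) -> bool:
    """Exact semantics: the whole extension must equal one alternative of the pattern."""
    return re.fullmatch(pattern, ext) is not None


def intercepted(urls, ignore_pattern, matcher):
    """Apply an 'intercept if resource type does NOT match <pattern>' rule using matcher."""
    return [u for u in urls if not matcher(ignore_pattern, extension_of(u))]


if __name__ == "__main__":
    print("search semantics :", intercepted(SAMPLE_URLS, IGNORE_PATTERN, unanchored_match))
    print("exact semantics  :", intercepted(SAMPLE_URLS, IGNORE_PATTERN, anchored_match))
    # Workaround for a search-style engine: anchor the pattern yourself.
    print("anchored pattern :", intercepted(SAMPLE_URLS, "^(" + IGNORE_PATTERN + ")$", unanchored_match))
```

With search semantics login.jsp is silently dropped from interception; anchoring the pattern (`^(...)$`) restores exact matching without any change to the engine.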

Anonymous said...

Maybe a small one:
Would be nice to have the requests in the proxy history numbered, helps to track where you are or helps to remember when you want to go back to a specific request.

dg said...

Suggestions:

* Filter, delete, etc. on history
* Consider making the Intruder free for donations ;)
* Fuzzing capability
* Database support - log to MySQL, etc.

Thanks for the useful tool.

Anonymous said...

Support for NTLM?

terara said...

I'm a Japanese pen tester. Many of our colleagues and I are using Burp almost every day. We all thank you for your great tool!

My request for Burp is to support many character encodings (such as UTF-8, EUC-JP, Shift-JIS and so on), when showing HTTP response body data. Some proxy tools including Paros and Fiddler support various character encodings.

Anonymous said...

An easy way to specify an upstream proxy would be nice.

Anonymous said...

Intruder/Payloads/illegal unicode:

-Ability to have more than 1 character replaced.
-Ability to delete or remove items added to the list (currently that's available from the 'preset list', 'character substitution' and others; looks like it was just overlooked)

General item:
-Integrated log parser (with features like: grep for 'xyz' returns a list of 'xyz' and corresponding request URI)
-stompy-like session token analysis (perhaps with 3d-graph)

I won't repeat other comments. There are some good suggestions above that I would also enjoy seeing written into burp.

FYI: Wonderful tool. Many thanks.

cutaway said...

It would be nice for organizations to have a good way to spider their sites and then analyze the responses for Social Security and Credit Card numbers and other regular expressions.

Although Cornell's new Spider .NET beta version for Windows has the capability to spider and search, it is not very robust and requires A LOT of manual, time-consuming interaction.

Being able to save a session would also help show what has been analyzed for baselining and validation.

Thanks,
Cutaway

nullbomb said...

Burp Spider: greater extensibility would be good. If plugins could:
1. Spider - being able to decide what kind of requests/responses have what significance (404, 403, 200 etc.) would be good, because some servers screw up the HTTP response code or simply do redirects, so sometimes it is useful to have some fine-tuning here.

2. In Burp Repeater - would be good to be able to add some response analyser automation (via scripting engine or plugin interface). I saw a 'grep' function was requested, but I guess we could do more than simple grep. Also maybe the plugins could be able to generate the "next" request and write it into the Burp Repeater form, so the user can simply do hand-mods if required and then go 'next'..
In Burp Repeater sometimes it is necessary to 'prefetch' a fresh cookie (for example, or other session information) before you can go on with 'repeating' if the previous data is expired. It would be nice to have the possibility to do this automatically. Maybe 'record sequence', 'replay sequence' and some variables for reusing cookies, or HTTP parameters from sequence requests/responses.
3. Spider - be able to save stuff into XML and then restart from the saved point.
4. Spider - be able to write plugins that could generate new "URLs to try" once the spider gets a new URL.
Be able to have multiple plugins working simultaneously (would be a very nice feature! :) - right now I have to re-integrate code if I want to have 2 plugins work together)

for proxy and spider - being able to subscribe to URLs of a particular MIME type (or particular regex) during the initialization phase would be very helpful.

for proxy - be able to automagically redirect requests to one HOST/IP to another HOST/IP. (right now only regex for URLs works, but sometimes there's a problem when all links in a web app are pointing to a non-existing/broken host or you're accessing it through a tunnel, so all links to X are in fact links to Y)..

for proxy - being able to 'record sequence' and then 'replay sequence' would be very helpful. 'replay sequence' could be even more helpful if could be used from spider, repeater, intruder for example. so spider before spidering could be requested to replay sequence first.


Having some interoperability with a DB would be good. Maybe have something like "output plugins" so you can select to export data through a plugin (from spider) for example. Then the plugin could take care of how to save the data into a file in a particular format or store it in a database.

the same thing backwards - aside from "restart from previously saved point" maybe it would be also good to have a possibility to read URLs from a file or DB via plugin interface and then restart spider.

A dream-like thing ;-)
if plugin interfaces are well established and standardized, maybe we can have something like a centralized plugin repository (similar to what they have in IntelliJ IDEA) so you can open list of existing plugins, request burp to install certain plugins etc.. I am ready to contribute plugins for the stuff for sure :)

I had a few more ideas, but I need to remember them cuz they usually flash up as you use the thing and then disappear.. :)

btw, that's fyodor (I was buzzing you a lot over email on the plugins bit ;-))

nullbomb said...

Oh.. another good thing is to have something like a universal bruteforcer, which is kind of like Repeater, but more automatic:
the user specifies how the parameter is generated (request with variables? script? plugin?)
and specifies parameters to the request generator (i.e. dictionary file or command line)

and then specifies (maybe in the form of a regex on the response) which parameters match the user's requirement. Different regexes could match different "requirement" specifications.

Gabriele Giuseppini said...

It'd be awesome to have a "clear history" button or whatever, to wipe out the history when it contains a gazillion entries :-)

Keep up the good work BTW, I love Burp!

P.S.: I'm posting this comment while Burp is intercepting :-)

Seek3r said...

One thing I still like about Paros is that I can scroll through the list of requests and see the raw request or response right away in that section of the window. With Burp I have to double-click and view it in that popup. I like having the ability to have the popup and multiples of them, but I also like to be able to scroll through and quickly see each.
This is basically like email clients where you can scroll through the list of email headers on top and the bottom shows the content, but then you can double-click and get a popup for specific ones, and then continue scrolling through your other emails.

Anonymous said...

SOAP editor. Intercept the data, parse out the serialized portion. Deserialize the object, allow the user to edit the data, reserialize it and send it to the server.

Anonymous said...

Intruder: When you load a preset list payload, it would be nice if it would do more than import the file line by line. If it looked for and ignored comment lines, that would be great. This would allow for the ability to add comments to your preset payload sets. Of course, looking for a single specific character as the comment character would not be the best idea because your file may contain such a string as a valid payload. Looking for a series of characters would be ideal. This way, one could use the load feature with a commented file. I'm not sure how many other users use the load feature. I use it a lot and would really like to see this small change added to Intruder.

Anonymous said...

BeanShell and/or Jython support - for both Repeater and request interception in the proxy. This will make Burp unbeatable.

Please also make the client SSL cert support work with as many formats of cert as possible (PEM and PKCS12 at a minimum), as I'm really sick of going through machinations with openssl just to be able to use the certs I already have.

Anonymous said...

I am also a Japanese pen tester and would be very happy if there was a way to change the encoding. Something like "doorman" has.

Also,
-On Windows, I can't view pages rendered as a browser. The window is just blank.

-On linux (gentoo), the character for specifying the payload doesn't get displayed right and turns into a box. So with the intruder it gives me warnings that no payload position is specified. It would be nice if there was a way to avoid this. (diff. char maybe?)

Anonymous said...

"On linux (gentoo), the character for specifying the payload doesn't get displayed right and turns into a box."

This can be fixed by setting your language properly. export LC_ALL="en_US" will do the trick depending on how you've got that set up.

Another request would be for the Intruder to have an option to understand 302 redirects. I've found many applications that perform 302s on receipt of any input. With Burp, you'd have to manually test each variable. Which is tedious and annoying. :) It would be great if there was an option in Intruder to understand the 302s.

Anonymous said...

> This can be fixed by setting your language properly. export LC_ALL="en_US" will do the trick depending on how you've got that set up.

Thanks for the tip! That worked, but it would be nice if there was a way so I didn't have to change my locale every time I want to run Burp...

Anonymous said...

Session chaining would be a great feature.
For example in a SOAP environment logging in would return a session token in the response. Each request returns a new token in the response that is used in the next request.

Anonymous said...

Web Service component.
The ability to handle wsdl files.
Fuzzing of SOAP requests.

Anonymous said...

Table column sorter. Ascending/Descending.

nobody said...

Spider:
for scripts with URL parameters, show them as a table (not in a tree), like:

login.php:
user=usr1 | pw=bla
user=usr2 | pw=blabla
user=usr2 | pw=bla | remember=1
user=usr1 | pw=gna | remember=0
user=usr3 | showerror=ugauga

That way, you can very easily see how the script was usually called; which combinations of parameters are standard and what type the parameters are (string, number etc). Just show the same parameter combination at most X times (X=2 in the above example). Automatically identify the type of parameters (for use in Intruder).

I could code this myself, if there aren't big changes in the GUI code with your new version...
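As an added example (not code from the commenter or from Burp), the Python below builds the parameter table proposed above from a constructed list of proxy-history URLs: requests are grouped by script path, each combination of parameter names is shown at most X times, and a coarse type is inferred per parameter. It goes slightly beyond the comment by handling several scripts at once; the URL list and function names are assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy-history URLs, mirroring the login.php example in the comment above.
SAMPLE_HISTORY = [
    "http://example.test/login.php?user=usr1&pw=bla",
    "http://example.test/login.php?user=usr2&pw=blabla",
    "http://example.test/login.php?user=usr2&pw=bla&remember=1",
    "http://example.test/login.php?user=usr1&pw=gna&remember=0",
    "http://example.test/login.php?user=usr3&showerror=ugauga",
    "http://example.test/login.php?user=usr4&pw=zzz",   # third (user, pw) call: hidden when X=2
    "http://example.test/search.php?q=burp&page=3",
]


def infer_type(value: str) -> str:
    """Coarse parameter type, enough to choose an Intruder payload set."""
    if value == "":
        return "empty"
    if value.lstrip("-").isdigit():
        return "number"
    return "string"


def parameter_table(urls, max_repeat=2):
    """Group requests by script path.

    Returns {script: {"rows": [...], "types": {param: [types]}}}. Each row is a tuple of
    (name, value) pairs in request order; a given combination of parameter *names* is
    listed at most max_repeat times, as the comment suggests. Types are collected from
    every request, including the ones hidden from the row listing.
    """
    rows = defaultdict(list)
    combo_count = defaultdict(lambda: defaultdict(int))
    types = defaultdict(lambda: defaultdict(set))
    for url in urls:
        parts = urlsplit(url)
        script = parts.path
        params = parse_qsl(parts.query, keep_blank_values=True)
        combo = tuple(name for name, _ in params)
        for name, value in params:
            types[script][name].add(infer_type(value))
        if combo_count[script][combo] >= max_repeat:
            continue
        combo_count[script][combo] += 1
        rows[script].append(tuple(params))
    return {s: {"rows": rows[s], "types": {n: sorted(t) for n, t in types[s].items()}}
            for s in rows}


def render(table) -> str:
    """Plain-text rendering in the 'name=value | name=value' layout from the comment."""
    lines = []
    for script, info in table.items():
        lines.append(f"{script}:")
        for row in info["rows"]:
            lines.append("  " + " | ".join(f"{n}={v}" for n, v in row))
        lines.append("  types: " + ", ".join(f"{n}:{'/'.join(t)}" for n, t in info["types"].items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parameter_table(SAMPLE_HISTORY)))
```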

Anonymous said...

Currently I have not been able to proxy WebDAV requests. It would be great if the next version could.

Anonymous said...

automatic data manipulation/filtering: search a packet for x and replace it with y automatically.

keith said...

I would like to be able to edit the intercept options while intercept is turned off. Currently if intercept is turned off, then all of its options are greyed out and inaccessible.

Anonymous said...

Support for log file creation under Mac. Can only write to a log file if it already exists.

Paul said...

Seconding the request for automatic data manipulation/filtering: search a packet for x and replace it with y automatically.

Gerry said...

Support ActiveMQ ajax requests. They use Jetty continuations, and the extended timeout somehow escapes Burp Proxy.

Check here: http://activemq.apache.org/ajax.html

Anonymous said...

It would be great to have a (popup menu) option to re-send a single (or multiple selected) request(s) in the Intruder attack window, thereby exchanging the selected rows with the new results.

This would help to resolve partially invalid or erroneous results which can appear e.g. due to an accidental DoS of the server during a test.

Anonymous said...

It would be great if Burp Suite could handle all traffic without being a proxy. I'm not asking you to write hooks for every library or whatever, but there are applications such as Ethereal (I think Wireshark now) that capture every packet; I think this is done through WinPcap. Is it possible to use WinPcap to handle and intercept all packets, or is it just for capturing as it goes by?

Anonymous said...

I have been trying anything and everything to try and get my applications which do not support proxies to work with Burp proxy, and found that really the only solutions available are programs like FreeCap. However FreeCap only supports proxies that use the CONNECT method, and if you try to use it with Burp nothing works right. Support for the CONNECT method in the Burp proxy so we can use FreeCap would be great.

Anonymous said...

Please add a 'buy now' button on your website.

Why not follow through with getting some direct information about how much a full blown version of your software costs?

A lot of potential customers probably would like to buy your full version tool, but if it's not available on the website to buy it's too much effort to follow up. I know there are a couple of licenses I can buy straight off the bat.

kanedaaa said...

"Clear" in many places will be useful.

Anonymous said...

Quote:

It would be great if Burp Suite could handle all traffic without being a proxy. I'm not asking you to write hooks for every library or whatever, but there are applications such as Ethereal (I think Wireshark now) that capture every packet; I think this is done through WinPcap. Is it possible to use WinPcap to handle and intercept all packets, or is it just for capturing as it goes by?

----------------

... that would be reallllyyy nice!

Kevin said...

Couple little things:

1. better support for gzip. I'm testing a site now that sends the header:

content-encoding: deflate

and Burp doesn't interpret this as gzipped data even though it is.

2. the ability to check or uncheck proxy options without having to check "intercept". Sometimes I want to set it up to catch the next request/response but I don't want to look at the data going back and forth now.


I'm sure I can think of more things and i'll post them as I do, otherwise, awesome software, thanks :)
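The deflate case above is the classic gzip/deflate confusion: per RFC 2616, Content-Encoding: deflate means zlib-wrapped deflate, yet servers commonly send raw deflate, or even gzip data, under that label, and a proxy that only recognises gzip shows such bodies as garbage. The Python below is an added example (not Burp's code) of a decoder that handles all three by inspecting the bytes; the sample bodies are constructed and the function names are assumptions.

```python
import gzip
import zlib


def decode_body(content_encoding: str, body: bytes) -> bytes:
    """Decode a response body according to (and, where needed, despite) Content-Encoding.

    gzip / x-gzip : RFC 1952 gzip container.
    deflate       : should be zlib-wrapped deflate (RFC 1950), but many servers send raw
                    deflate (RFC 1951) or gzip under this label, so the bytes are
                    inspected instead of trusting the header blindly.
    """
    enc = content_encoding.strip().lower()
    if enc in ("", "identity"):
        return body
    if enc not in ("gzip", "x-gzip", "deflate"):
        raise ValueError(f"unsupported Content-Encoding: {content_encoding!r}")
    if body[:2] == b"\x1f\x8b":          # gzip magic: decode as gzip whatever the header claims
        return gzip.decompress(body)
    try:
        return zlib.decompress(body)     # zlib-wrapped deflate, the spec's meaning of "deflate"
    except zlib.error:
        # No valid zlib header: assume raw deflate, a frequent server misconfiguration.
        return zlib.decompress(body, -zlib.MAX_WBITS)


def encode_sample(container: str, text: str) -> bytes:
    """Build constructed encoded bodies for the three containers seen in the wild."""
    data = text.encode("utf-8")
    if container == "gzip":
        return gzip.compress(data)
    if container == "zlib":
        return zlib.compress(data)
    if container == "raw-deflate":
        comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        return comp.compress(data) + comp.flush()
    raise ValueError(container)


if __name__ == "__main__":
    page = "<html><body>constructed sample page</body></html>"
    cases = [("gzip", "gzip"), ("deflate", "zlib"), ("deflate", "raw-deflate"), ("deflate", "gzip")]
    for header, container in cases:
        decoded = decode_body(header, encode_sample(container, page))
        print(f"Content-Encoding: {header:<8} body={container:<12} ok={decoded == page.encode()}")
```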

sos said...

Hi there,
A few suggestions-

Web Services explorer - allow the user to point the tool at a WSDL and have the tool identify the services and allow fuzzing.

Would be very useful if the tool history could be cleared out by user selecting a button / menu option.

limiting spidering of a site to certain specific domains would also help. thanks
sos

Anonymous said...

> It would be really helpful if the proxy history were exportable.
> Currently you can copy all URLs to the clipboard, but it would be great to be able to generate a log file similar to the one created through the "comms" tab (i.e., with the request/response flow)

yes would be cool

Anonymous said...

Would be great if your proxy chain supported pointing to a PAC file. It's frustrating when you're doing stuff on your internal network and the internet, but all requests get forwarded to the internet proxy.

Anonymous said...

I would like to modify the response (HTML code) in the proxy, too. An API would be great to register your own plugins.
So I'm looking for a method like:
String modifyHtmlBody(String request, String responseBodyOrg)

Michiel said...

- the ability to time a forwarded http request

Anonymous said...

I'm not sure if Burp Suite is compatible with Vista 64-bit; if it isn't, that would be awesome.

Anonymous said...

1) command line option:
that is, if I have a request in Burp format saved in a file, when I do this:
java burpsuite -noGUI fileToPost
Burp will use Burp Repeater on the file and store the response in a file (fileToPost.response).
2) Tool to convert a request in Burp format to a request in curl format (curl enables command line usage)

Anonymous said...

I've seen a lot of Java apps recently that transmit data with serialized objects. Support for deserialization, manipulation, and serialization of these objects as they're transported over HTTP would be very helpful.

ark0n said...

Would love to be able to save sessions, much like Paros. I would like to be able to bring up the Spider results. What do most people do especially when pen testing large sites?

BIG QUESTION!! PLEASE HELP!!

Anyone else use a Mac? (OS X - 10.4 or 10.5).

I keep getting the "No payload positions define" error. The § character looks to be valid. I have tried the new Intruder and changing language locales - with no luck.
In the meantime I am using a Windoz box, but I want to stay on the Mac; all my scripts, tools, etc. are on the Mac, and I would love to figure this out.

anniethesquidgy said...

Support for changing the outlet end port of the proxy.
That is, I'm running my development server system on 8080. It'd be nice if I could tell Burp Suite to proxy 9090 to 8080 instead of just 9090 to 80 (what you can do now) - if that makes sense. As it is, I need to run another proxy server or change my dev port.



Copyright 2014 PortSwigger Ltd. All rights reserved.