Saturday, September 15, 2007

Intruder bugfix - nonstandard charsets

Just to placate the salivating hordes who accost me on a daily basis demanding to know when the next release of Burp will be available, here is some more evidence that I'm not bluffing and work is actually well underway on the new release.

One annoying bug in Intruder is that the payload positioning marker doesn't work when the JRE is set to use some unusual character sets. Instead of the § character, the payload marker appears as a red box or some other character altogether, which doesn't get recognised when you try to launch an attack. This affected Japanese, some Linux users and other subversives whose character set wasn't set to en-US.

Well, the good news is that this has been fixed in the next release. I'd be most grateful if anyone who experienced this problem could try it out and let me know whether it works for you. If this bug didn't affect you, don't bother with the download as it contains nothing else that differs from the current release version.

Wednesday, September 12, 2007

Hacker's Handbook - table of contents

[drum roll ...]

A mere six months after the first chapter was submitted, The Web Application Hacker's Handbook is now at the final stages of production, which is fortunate given that it will be in the shops in little over a month. I look forward to evenings not spent poring over galley pages looking for the next typesetting error.

Anyway, we now have a final table of contents for you to look at. It gives a fair idea of the subject matter covered - and how much of it there is!

Tuesday, September 11, 2007

Burp Suite feature requests - thank you

Thanks to everyone who responded to my request for suggestions. I've had over 100 messages in various forms, so there are plenty of ideas of what else to include. Here are just a few of the requests I will be aiming to incorporate (in addition to those I mentioned previously):

  • token analyser;

  • option for Intruder/Repeater to follow 3xx redirects;

  • back/forward buttons in Proxy history;

  • fixing the bug with the payload marker when some unusual character sets are used;

  • doing automated find/replace in the message body as well as headers.

Probably the most optimistic request was: "Can you write hooks into all common networking and SSL libraries to make a process use a proxy even if it is not configured to natively?" I already did this for WinINet. But sorry, Ollie, I doubt I'll have the energy to do all the others!

As well as all the good ideas for new features, I received many requests for things that are already there, including:

  • response interception;

  • function to search each request/response;

  • tree view of site being browsed;

  • saving of preferences;

  • NTLM authentication;

  • support for upstream proxy.

Plenty of people emailed me "Great tool, I use it every day, can you make it do X?", when X has been there since day one. May I respectfully suggest that anyone who is missing the above features should take a quick look at the help (or even just the options panels) to find what they are looking for!