Monday, November 26, 2007

The new burp beta

The beta version of the new release of Burp Suite is now available.
This is a major release, containing several new tools and features. Highlights include:
  • Improved analysis and rendering of HTTP requests and responses wherever they appear.
  • Burp Sequencer, a new tool for analysing session token randomness.
  • Burp Decoder, a new tool for performing manual and intelligent decoding and encoding of application data.
  • Burp Comparer, a new utility for performing a visual diff of any two data items.
  • Support for custom client certificates (in all tools) and custom server certificates in Burp Proxy.
  • Ability to follow 3xx redirects in Burp Intruder and Repeater attacks.
  • Improved interception and match-and-replace rules in Burp Proxy.
  • A fix for the Intruder payload positions bug affecting some Linux users.
  • A "lean mode", for users who prefer less functionality and a smaller resource footprint.
I'm aiming to complete the final release fairly shortly, so if you have any problems or bugs, please let me know as soon as possible, either via email or in the comments. The new release requires Java version 1.5 or later, so make sure you have the latest JRE installed.


Daniel said...

How would you prefer the bug reports, if any?

PortSwigger said...

@Daniel - via email or in the comments, I don't mind.

stephendv said...

Throws an exception on Mac OS X 10.5.1:
java -jar burpsuite_v1.1_beta.jar
Exception in thread "main" java.lang.NoSuchMethodError: java.lang.String.<init>([BLjava/nio/charset/Charset;)V
at burp.for.throw.return(Unknown Source)
at burp.return.String.if(Unknown Source)
at burp.extends.long.if(Unknown Source)
at burp.extends.long.<init>(Unknown Source)
at burp.extends.if.<init>(Unknown Source)
at burp.extends.return.class(Unknown Source)
at burp.else.throw.for(Unknown Source)
at burp.StartBurp.main(Unknown Source)
^C[~/Downloads]java -version
java version "1.5.0_13"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05-237)
Java HotSpot(TM) Client VM (build 1.5.0_13-119, mixed mode, sharing)

It hangs at this point.

Anonymous said...

burp in windows is fine at the moment for me, when is the final release due?


Michael said...

The server cert code works great. There is only one thing that I have encountered -- if the cert that you are trying to use does not have a password, the proxy returns a Java divide by 0 error.

Anonymous said...

I really like the new Burp, but of course will complain about a few things.

The hex views might be nicer if they only showed the body. This is almost always what someone looking at hex is interested in.

The SSL support is excellent, especially the easy configuration of the cert that burp presents to the browser. It would be very nice if you could add support for additional types of certificate containers. Converting certificates is a drag.

Anonymous said...

Bug Report with beta2 (and beta1).

Outlook Web Access chokes when run through the proxy.

When a request with the SEARCH method is sent through the proxy, it hangs.

The History tab shows the request with full headers, but no body or response.

The request has a non-zero Content-Length header, and the Content-Type of the request is "text/xml", unsure if this is a factor.

Anonymous said...

Responses for .js pages are still not saved in the logs. It'd be nice if you saved .js pages too. Makes it easier to parse the log files when they're complete. :)

Thanks for implementing the other requested changes! Burp rules. The sequencer is a nice touch. However, when adding to the sequencer it would be nice to be able to send the modified request to the sequencer instead of having to use the repeater as a middleman. But, hey, it works now, so...

kost said...

It would be useful to have option to force connecting of intercepted connections to some other IP in burpproxy. It's needed when IP address/hostname is fixed in client and you cannot change proxy (it's custom HTTP client).

Marcin said...

Playing with Burp Sequencer, I see on the summary tab for "manual load analysis" the following overall result:

At a significance level of 1%, the amount of effective entropy is estimated to be: 0 bits.

This is contradictory to the "character set" tab under "character-level analysis:"

Maximum entropy bits
The chart shows the maximum bits of entropy available at each position, given the size of the character set used at that position. The total amount of possible entropy is 95.32 bits.

For whatever reason, it seems like the summary tabs aren't displaying correct information.

I'm running Java(TM) SE Runtime Environment (build 1.6.0_03-b05) on Linux 2.6.22-14-generic #1 SMP Sun Oct 14 23:05:12 GMT 2007 i686 GNU/Linux... Ubuntu 7.10.

PortSwigger said...


It sounds like everything is working fine:

- The "maximum entropy bits" result on the "character set" tab shows the theoretical maximum entropy provided the contents of the token are randomly generated. It is purely an indication of the "size" of the token, and says nothing about its actual entropy.
- The "bits of effective entropy" on the overall summary tab reflects the actual randomness found in the token, based on all tests. Depending on the quality of the randomness, this value will be between zero bits and the "maximum entropy bits" value described above.

Hopefully all of this is clearly described in the Sequencer help.

Anonymous said...

I am unable to Beta 2 from link provided above

PortSwigger said...


This is the beta for last year's release. The full version was released in December 2007.

Nothing to see here, move along please.