Sunday, December 9, 2007

Burp Suite v1.1 released

I'm pleased to announce that the release version of Burp Suite v1.1 is now available. You can download the software and read about what is new here.

Thanks to everyone who downloaded the beta version and gave me their feedback - this was much appreciated. Burp should hopefully work properly in many kinds of usage scenarios and platforms that I'm unable to test myself.


Doug W said...

D -- one of your former students here. The book is great (though I haven't finished it yet), and was checking out the new version of burp.

My question/use case is thus -- I have a case where I have an application that I am trying to test transition of SSL information to application session information, and thus want to do requests with different client certificates on each request.

Currently, I can supply one client cert for authentication, but I don't see a way to programatically manipulate that in the interface. Without going to the extender (as I'm not that much of a coder), is there a way to do that in 1.1 (swap out client certs on different requests?).

Also, one workaround I found was to launch several instances of burp at the same time, running on different ports. Each one is then using a different client cert. However, in the "free" version, the limitations on intruder stem across all instances, and you can't run simultaneous instances of it.

If I got the professional version, would intruder allow you to run several instances at a time at speed (each instance impersonating a single client certificate holder)? Or can you not run more than one instance at a time effectively?

Let me know if this discussion would be better conducted over email.

PortSwigger said...


Actually, that's a usage scenario I've never really thought about.

There isn't currently any way to manipulate certificates programmatically. Your proposed workaround should be ok - in fact, I'm surprised to hear that multiple instances of the Intruder demo interfere with each other - are you sure? In any event, you can definitely run multiple instances of the pro version very fast indeed!

Feel free to switch to email if you want.

Doug W said...

Actually, I correct myself -- I've done several more test runs, and intruder doesn't block itself -- but it does seem to slow down a lot. I'm wondering if this is because of the confusion I am causing on the server doing this.

I'll follow up the rest in email (assuming the mail on the about page for this works), just wanted to state for the record that that part of my initial findings wer wrong.

ark0n said...

First, great job on this release. I am even closer to standardizing on a sole tool set, and as anyone who does web app testing for a living, what a time saver that would be. Any idea when you will release the Pro version?


PortSwigger said...

@ark0n - thanks. The pro version is out too.

Gimmic said...

Something I've run into, with the proxy once you have some manipulated rules set up- is there a way to make the proxying transparent(auto forward)?

I find this app much more useful than scarab except the dealbreaker is kind of the ability to auto forward.

PortSwigger said...


Messages that aren't matched in the intercept rules will be transparently forwarded. To make all messages transparently forwarded, toggle the "interception is on/off" in the "intercept" tab.

gim said...

Yeah, I was referring to modification of the data without having to
intercept. Basically, building the ruleset to make changes(to the
header) and automatically forward the modified requests.

I assumed that if I turn off interception it .. turns off interception
and does transparently pass the packets without modification. Bad
wording on my part. I checked out the extender functionality and while
I'm sure that would work it just seems like excess complication for
what could be a simple toggle "auto-forward" or such.

Anonymous said...

what about the commercial version?

rotemmon said...


I have bought your book, and it is
amazing as well as frightening...
I am working on a CMS to offer some
friends, and I want to use your
Burp package, including the burp
I want to find a manual that tells
me everything I can do using it...
the book had a portion of a chapter
that explains some of the possible
uses of the program, but I really
want something more comprehensive
that will let me check my web site
against most security defects

if the program can do everything I
think it can, I will be very happy
to buy it and tell all my friends
about it

please email me and tell me how can
I proceed


Rote m

ark0n said...

Rote m,
I by no means want to speak for D. but having used Burp for quite some time, I was overjoyed to read this book. If you follow the examples in the help files in addition to going over the material in the book, this will really go far in getting you a testing methodology for web security. You may want to go over to and read up their material in addition to getting WebGoat, a dummy web site to practice security testing on.

rotemmon said...

thank you for your help... it is
encouraging to hear from someone
who really liked the product I am
about to buy... it makes me think
I will be doing the right choice to
buy it
the book we are all talking about
was HUGE... I have bought several
books regarding security, and none
of them was so advanced, especially
regarding Web technologies I am
familiar with and working with all
the time. Actually it scared me...
there are so many ways to hack web
sites, and I must programm now so
many security funtions I did not
know I needed before...
basically I want to use the program
to go over all of my scripts and
web sites... I am not a company at
all, but making web sites for
friends, but I owe it to them to
make their web sites reliable
as an amateur, the program costs a
lot to me, so I must know in
advance it will worth it... I want
to know everything I can before I
buy the program, and after buying
the program I will have to know
everything I can to use it

Thank you

PortSwigger said...


Thanks for your comments. I'm glad you enjoyed the book - yes, it's big, and feels even bigger when you're writing it!

I don't want to do myself out of business, but I must say that Burp itself isn't capable of "going over all of your scripts" and "finding the problems". (But nor, in my opinion, is any fully automated tool.) What Burp does is provide a skilled tester with a ton of functions and tricks which they can use to probe the application, but they need to use their own intelligence and knowledge of web app vulnerabilities to use it effectively.

In terms of resources to help you use Burp, I would suggest reading all of the online help thoroughly. Also, it's not just Chapter 13 of the Web Application Hacker's Handbook that will help you - the whole book is geared towards manual testing of applications, and will provide tips for using Burp or your own scripts to automate many common tasks.

It sounds like you have the inclination and initiative to find the problems that might exist in your own code, so good luck!

Anonymous said...

Burp Suite is a great tool, but i have a recomendation.

In proxy, history, it will be interesting a filtering option. For example, i put a filter for gif files and these lines doesn't show in list. With this filter was more easy to find a request.

Thanks and good job.

Jacky said...

So great tool, thank you so much.

I report a strange condition, The burp worked very well in my office in the past time.Due to our proxy was ran under NTLM authentication, I chose the burp for my first proxy.
But it has authentication fail today.I try to find out what problem could be ? I made a test, I try to use NTLMAPS, but it doesn't work by default config(NTLM_FLAGS=LM) until I change to NTLM_FLAGS=NT. Just report for your reference.

Anonymous said...

Hi, first of all, your book is awesome -- by far the most comprehensive, clear, and practical guide to web application testing I've come across. Thanks for writing it, and thanks for writing Burp! I've started looking at Burp Suite v.1.1, and I'm crossing my fingers that there's now some way to save and then reload session data. I know it's possible to create a text log of activities, but unfortunately this can get difficult to manage, especially when working with a group of testers who need to review each others' test results. Is there a session-saving feature I'm missing? Or is this something that is available in the commerical version?

PortSwigger said...

@Jacky - Thanks for the report. Perhaps your office proxy changed from NTLM v1 to v2? Burp currently only supports v1, but that will hopefully change in future.

@Anonymous - There still isn't any way to persist your proxy/spider session, unfortunately. Keep your fingers crossed and this feature will arrive in the next release. I'm glad you enjoyed the book!

Ingo said...

your book is great, congratulations.

I'm hoping for a way to persist your proxy/spider session soon, It would be very nice to have that.

alex said...

Hello sir,
plz help me to work on this Burp Suite tool.i am unable to operate this tool what should i do after proper installation of Burp Suite.

Anonymous said...

hello sir
plz help me to operate this tool, m unable to work on tool.plz tell me what should i do first after installing the tool Burp Suite .

PortSwigger said...


As an absolute minimum, set your browser to use as a proxy and run Burp (you will need Java installed).

But I strongly recommend you consult the online help and The Web Application Hacker's Handbook for the full story.