Monday, November 26, 2007

The new burp beta

The beta version of the new release of Burp Suite is now available.
This is a major release, containing several new tools and features. Highlights include:
  • Improved analysis and rendering of HTTP requests and responses wherever they appear.
  • Burp Sequencer, a new tool for analysing session token randomness.
  • Burp Decoder, a new tool for performing manual and intelligent decoding and encoding of application data.
  • Burp Comparer, a new utility for performing a visual diff of any two data items.
  • Support for custom client certificates (in all tools) and custom server certificates in Burp Proxy.
  • Ability to follow 3xx redirects in Burp Intruder and Repeater attacks.
  • Improved interception and match-and-replace rules in Burp Proxy.
  • A fix for the Intruder payload positions bug affecting some Linux users.
  • A "lean mode", for users who prefer less functionality and a smaller resource footprint.
I'm aiming to complete the final release fairly shortly, so if you have any problems or bugs, please let me know as soon as possible, either via email or in the comments. The new release requires Java version 1.5 or later, so make sure you have the latest JRE installed.

Tuesday, November 6, 2007

Hacker's Handbook - online materials

A few people have emailed me asking where the online material promised in The Web Application Hacker's Handbook is. Apologies for the slight delay on that front. I have now posted almost everything to the location below, including answers to questions, source code, and the checklist of methodology tasks. The only thing not yet ready is the hacker's challenge, of which more in due course. The book's page on the Wiley web site will be updated shortly to point here: