Monday, November 30, 2009

[V13P] Pro beta version now available

A beta version of the new release of Burp is now available for Professional users. The free edition will be available in two or three weeks time. If you don't have a Pro license and are eager to try out the new features, why not treat yourself here?

As always, any help flushing out bugs will be much appreciated. Please email these directly, so that I can easily get back to you for more details if required.

The final edition will be released just as soon as we are happy with it, but the beta release is highly stable and suitable for day-to-day working right away. Have fun!

Sunday, November 29, 2009

[V13P] Other bits and pieces

I've described most of the major additions to Burp's functionality that are arriving in v1.3. There are a few other smaller tweaks that are worth drawing attention to:

  • The tables in the site map and search results now include a timestamp column. Sorting the results on this column lets you easily see when new items are added. This is handy when you are running spidering or content discovery exercises, or when performing dynamic searches, all of which add new entries to these tables periodically.

  • The background autosave feature now optionally performs a final autosave on exit, so that you will always have a current snapshot of your work provided Burp closes down gracefully.

  • Repeater now shows a response timer in milliseconds, which can help you verify time-delay-based tests for code injection bugs.

  • Scope rules can be individually toggled on and off, so you can easily switch between different targets which you have configured.

  • Scanner and Spider now support request throttling with optional random variations, to help you avoid overwhelming flimsy applications, and avoid alerting pattern-based intrusion detection systems.
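Request throttling with jitter is easy to get subtly wrong (a fixed delay is itself a recognisable pattern). The following is an added example, not Burp's own code: a small throttle that sleeps for a base interval plus a random variation before each request, with the timing logic kept in a pure function so it can be checked without actually sleeping. The base and jitter values are assumptions for illustration.

```python
import random
import time


def next_delay(base_ms, jitter_ms, rng=random):
    """Milliseconds to wait before the next request: a fixed base plus a uniform
    random variation in [-jitter_ms, +jitter_ms], never below zero."""
    if base_ms < 0 or jitter_ms < 0:
        raise ValueError("base_ms and jitter_ms must be non-negative")
    return max(0.0, base_ms + rng.uniform(-jitter_ms, jitter_ms))


class Throttle:
    """Call wait() before each request. Keeps a record of the delays it used so a
    tester can later show the client the pacing that was applied."""

    def __init__(self, base_ms=500, jitter_ms=250, sleep=time.sleep, rng=random):
        self.base_ms = base_ms
        self.jitter_ms = jitter_ms
        self._sleep = sleep
        self._rng = rng
        self.history = []

    def wait(self):
        delay = next_delay(self.base_ms, self.jitter_ms, self._rng)
        self.history.append(delay)
        self._sleep(delay / 1000.0)
        return delay


def is_patterned(delays, tolerance_ms=1.0):
    """True when every interval is (near) identical, i.e. no jitter was applied.
    Such a constant cadence is what a pattern-based IDS can key on."""
    if len(delays) < 2:
        return False
    return max(delays) - min(delays) <= tolerance_ms


if __name__ == "__main__":
    t = Throttle(base_ms=200, jitter_ms=100, sleep=lambda s: None)  # no real sleep in demo
    for _ in range(5):
        t.wait()
    print([round(d) for d in t.history], "patterned:", is_patterned(t.history))
```

In real use the `sleep` argument is left at its default so the throttle actually pauses; the demo injects a no-op sleep purely so the loop finishes instantly.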

Apologies to the many people whose requests haven't been met on this occasion - there will be further development efforts fairly early in 2010.

Friday, November 27, 2009

[V13P] Target analyser

For Pro users, Burp now includes a function to analyse a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes. This can help you assess how much effort a penetration testing engagement is likely to involve, and can help you decide where to focus your attention during the test itself.

To access this feature, you select one or more hosts or branches within the site map, and launch it using the context menu. The summarised information looks like this:

And you can drill down into more detail about individual URLs:

You can also export all of this information as an HTML report, which you can attach to client proposals and reports to show the attack surface you have covered.

A couple of caveats should be noted. Firstly, this function only analyses the content already captured within the site map, so you should ensure that you have fully browsed or spidered all of the application's content and functionality before running it. Secondly, URLs are deemed to be "static" if they do not take any parameters in the URL or message body; however, the responses from these URLs may still be dynamically generated by the application.
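To make the static/dynamic distinction concrete, here is an added example (not Burp's own code) that performs the same kind of count over a constructed list of captured requests standing in for the site map. It groups requests by method and path, unions the parameter names seen in the query string and body, and treats a URL as static only when no captured request to it carried a parameter. The grouping key and the sample URLs are assumptions; Burp's analyser may count differently.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample standing in for Burp's site map: (method, URL, request body).
SAMPLE_REQUESTS = [
    ("GET", "https://shop.example/", ""),
    ("GET", "https://shop.example/css/site.css", ""),
    ("GET", "https://shop.example/item.php?id=17", ""),
    ("GET", "https://shop.example/item.php?id=18", ""),
    ("GET", "https://shop.example/search.php?q=mug&sort=price", ""),
    ("POST", "https://shop.example/login", "user=bob&pass=secret"),
    ("GET", "https://shop.example/news/", ""),
]


def parameter_names(url, body):
    """Names of all parameters carried in the query string and the body."""
    names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    names |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    return names


def analyse(requests):
    """Group captured requests by (method, scheme://host/path) and union the
    parameter names seen for each. A URL is "static" here if none of its
    captured requests carried any parameter; its response may still be
    generated dynamically by the server, exactly as the post warns."""
    params_by_url = {}
    for method, url, body in requests:
        parts = urlsplit(url)
        key = (method, f"{parts.scheme}://{parts.netloc}{parts.path}")
        params_by_url.setdefault(key, set()).update(parameter_names(url, body))
    static = sorted(k for k, v in params_by_url.items() if not v)
    dynamic = {k: sorted(v) for k, v in params_by_url.items() if v}
    return {
        "static_urls": static,
        "dynamic_urls": dynamic,
        "total_params": sum(len(v) for v in dynamic.values()),
    }


def summary(requests):
    """Headline numbers for an engagement estimate."""
    result = analyse(requests)
    return {
        "static": len(result["static_urls"]),
        "dynamic": len(result["dynamic_urls"]),
        "params": result["total_params"],
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_REQUESTS)
    print(summary(SAMPLE_REQUESTS))
    for (method, url), names in sorted(r["dynamic_urls"].items()):
        print(method, url, names)
```

Note that the two `item.php` requests collapse into one dynamic URL with a single parameter, which is the behaviour you want when estimating effort: the number of distinct parameters, not the number of times the spider hit them, is what drives testing time.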

Thursday, November 26, 2009

[V13P] Exporting of request information

In the new release, Burp lets you export full details of interesting requests and responses in XML format, including all relevant metadata such as response length, HTTP status code and MIME type. For example:

If you have annotated any of the exported items, your comments will also be included within the XML.

You can access this feature via the context menu anywhere in Burp that you see requests and responses, and you can include individual items or multiple selections. The raw data and analysis captured within Burp is thereby available for any external tools that can process the XML export.
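As an added example of consuming such an export from an external tool (this is not Burp's code, and the v1.3 schema described above may differ in detail), the following parser reads an XML file laid out like Burp's current export format: one `<item>` per message with `<url>`, `<method>`, `<status>`, `<responselength>`, `<mimetype>`, `<comment>`, and `<request>`/`<response>` elements carrying a `base64` attribute. The sample document is constructed in-line. Note the reason base64 matters: XML parsers normalise CRLF to LF in text content, so a raw HTTP message embedded as plain CDATA would lose its `\r` bytes, while the base64 form round-trips exactly.

```python
import base64
import xml.etree.ElementTree as ET


def _b64(text):
    return base64.b64encode(text.encode("latin-1")).decode("ascii")


# Constructed messages for the sample export below.
_REQ = "GET /item.php?id=17 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
_BODY = "<html><body>item 17</body></html>"
_RESP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         f"Content-Length: {len(_BODY)}\r\n\r\n{_BODY}")
# Non-base64 items use LF only, because XML normalises CRLF to LF anyway.
_REQ2 = "GET /css/site.css HTTP/1.1\nHost: shop.example\n\n"
_RESP2 = "HTTP/1.1 304 Not Modified\n\n"

# Constructed sample export (element names assumed from Burp's current format).
SAMPLE_EXPORT = f"""<?xml version="1.0"?>
<items>
  <item>
    <time>Mon Nov 30 12:00:00 GMT 2009</time>
    <url><![CDATA[http://shop.example/item.php?id=17]]></url>
    <host ip="192.0.2.10">shop.example</host>
    <port>80</port>
    <protocol>http</protocol>
    <method>GET</method>
    <path><![CDATA[/item.php?id=17]]></path>
    <extension>php</extension>
    <request base64="true"><![CDATA[{_b64(_REQ)}]]></request>
    <status>200</status>
    <responselength>{len(_RESP)}</responselength>
    <mimetype>HTML</mimetype>
    <response base64="true"><![CDATA[{_b64(_RESP)}]]></response>
    <comment>candidate for IDOR testing</comment>
  </item>
  <item>
    <time>Mon Nov 30 12:00:05 GMT 2009</time>
    <url><![CDATA[http://shop.example/css/site.css]]></url>
    <host ip="192.0.2.10">shop.example</host>
    <port>80</port>
    <protocol>http</protocol>
    <method>GET</method>
    <path><![CDATA[/css/site.css]]></path>
    <extension>css</extension>
    <request base64="false"><![CDATA[{_REQ2}]]></request>
    <status>304</status>
    <responselength>{len(_RESP2)}</responselength>
    <mimetype></mimetype>
    <response base64="false"><![CDATA[{_RESP2}]]></response>
    <comment></comment>
  </item>
</items>
"""


def _text(item, tag):
    el = item.find(tag)
    return (el.text or "") if el is not None else ""


def _message(item, tag):
    """Decode a <request> or <response> element, honouring its base64 flag."""
    el = item.find(tag)
    if el is None:
        return ""
    raw = el.text or ""
    if el.get("base64") == "true":
        return base64.b64decode(raw).decode("latin-1")
    return raw


def parse_export(xml_text):
    """One dict per exported item, with messages decoded to text."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.findall("item"):
        items.append({
            "time": _text(item, "time"),
            "url": _text(item, "url"),
            "method": _text(item, "method"),
            "status": int(_text(item, "status") or 0),
            "length": int(_text(item, "responselength") or 0),
            "mimetype": _text(item, "mimetype"),
            "comment": _text(item, "comment"),
            "request": _message(item, "request"),
            "response": _message(item, "response"),
        })
    return items


def annotated(items):
    """Items the tester commented on: the ones worth carrying into a report."""
    return [i for i in items if i["comment"].strip()]


def check_lengths(items):
    """URLs whose exported responselength disagrees with the decoded response."""
    return [i["url"] for i in items if i["length"] != len(i["response"])]
```

`check_lengths` is the kind of sanity check worth running on any export you hand to another tool: a mismatch usually means a message was re-encoded or truncated somewhere in the pipeline.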

Wednesday, November 25, 2009

[V13P] Manual testing simulator

This feature won't exactly enhance your productivity, but you may sometimes find it useful nonetheless. In the new release, lazy Pro users can make Burp simulate manual testing activities, by sending common test payloads to random URLs and parameters within a target application, at irregular intervals. Burp doesn't do anything with the responses, so you won't find out about any bugs in this way. But if you think that someone might be reviewing the application's logs to confirm that you are working, you can use this feature while you nip out for a long lunch, gym session, drinking binge, or whatever happens to be your preferred diversion.

Regarding the obvious feature request, for you to be able to configure your day-rate, and have Burp calculate how much the simulation has cost your client; no, I don't think that would be appropriate, do you?

[V13P] Laser-guided scanning

To my great pride, nearly everyone who has tried out Burp Scanner absolutely loves it. But people still helpfully come back with tons of feature requests for it.

One of the biggest complaints is the relatively crude way in which Burp lets you send items for active scanning from the site map. For example, when you have mapped out all of the content and functionality within your target application, you can select the relevant host (or branch within the host), and choose "actively scan selected items" from the context menu. Currently, when you do this, Burp will perform an active scan on every single item within this selection, which often is not quite what you want: your selection may include multiple superfluous submissions to the same form handlers, items you have scanned already, items with irrelevant file extensions or MIME types, and specific items which you have excluded from the target scope, such as logout or administrative functions. Currently, the only workarounds for this limitation are to go through the site map individually selecting the specific items which you do actually want to scan, or to send everything for scanning and then cancel the irrelevant items within the scan queue. Neither option is painless.

The new release gives you much easier and fine-grained control over what gets scanned in this situation. Any time you select multiple items for active scanning, Burp launches a brief wizard which lets you fine-tune your selection. The first screen of the wizard offers you various intuitive filters to remove potentially unnecessary items (duplicates, already scanned items, media content, etc.), and shows you how many items will be affected by each filter:

The second screen of the wizard shows you a list of the remaining items, and lets you sort the table by various relevant properties, view the full requests and responses, and delete individual items:

The wizard then completes and the selected items are sent for scanning in the usual way.

Hopefully this feature will let you make much more effective use of Burp's scanning capabilities, avoid filling the scan queue with junk, and find more bugs more quickly than before.

Tuesday, November 24, 2009

[V13P] New display filters

The display filters used in the proxy history and site map are now more powerful, and allow you to filter on:

  • Simple and regex search terms (Pro version only) - this is often handier than using the suite-wide search function.

  • File extension - this supplements the MIME type filter, and is useful for unusual content types, and when HTTP 304 responses do not contain any content.

  • Annotations made by the user.

The new filter configuration panel looks like this:

[V13P] Scripts and comments search

Pro users can now search part or all of the site map for scripts and comments. This feature is accessed by selecting relevant branches within the site map, and using the context menu.

The search results window shows responses from all Burp tools containing either scripts or comments. Selecting an individual item shows the full request and response in a preview pane, with relevant items automatically highlighted, and also extracted into their own tab:

You can use the "export" button to save all of the scripts or comments to file or to the clipboard, optionally consolidating duplicated items. I know a lot of people have been grepping Burp's log files to get this kind of information. Hopefully the new feature will make this task a lot easier.

Monday, November 23, 2009

[V13P] Content discovery

Burp now includes a content discovery function, similar in concept to OWASP's DirBuster. You can access this feature by selecting a request or URL anywhere within Burp, and using the context menu to start content discovery.

Burp uses various techniques to discover content, including name guessing, web spidering, and extrapolation from naming conventions observed in use within the application. The feature is highly configurable, as shown by the available options which are explained below:

Target - These options control which directory to begin discovery from. Only items within this path and its subdirectories will be requested during the session. You can choose to discover files or directories or both, and how deep to recurse into discovered subdirectories.

Test case generation - These options control which file and directory names Burp will use when making requests to discover content. As well as built-in lists, Burp can harvest names used elsewhere within an application, and retry them at other locations, and can construct names based on discovered items, for example by cycling values in filenames containing numbers.

File extensions - You can specify a list of file extensions with which to test each possible filename. Burp can harvest file extensions observed in use within the application, and test these with every filename. When a file has been confirmed, Burp can also try a specific list of variant extensions with that filename, for example to check for old or backup versions of the same file.

Discovery engine - You can control how many threads are used for content discovery and spidering, whether file names are handled case sensitively, and how the discovery session interacts with Burp's main site map (in the target tab of the suite).

When you have configured your discovery session, you can start it from the control tab, which also provides runtime information about the actions being performed. The work is divided into numerous discrete tasks, which are prioritised according to their likelihood of quickly discovering new content, and new tasks are generated recursively as content is confirmed:

The discovery session employs its own site map, showing all of the content which has been discovered within the defined scope. If you have configured Burp to do so, newly discovered items will also be added to Burp's main site map.
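The test-case generation rules described above (built-in names, names harvested elsewhere in the application and retried in other directories, numeric cycling, and backup-extension variants for confirmed files) can be shown in a few functions. This is an added example, not Burp's implementation: the tiny wordlist, the backup suffixes and the site-map paths are all constructed for illustration, Burp's real lists are much larger, and the candidate generator below does not spider or prioritise tasks as the real session does. It only generates the requests a discovery session would make, so it runs offline.

```python
import re
from urllib.parse import urlsplit

# Constructed site-map paths standing in for what Burp has already captured.
SAMPLE_OBSERVED = [
    "/",
    "/app/login.php",
    "/app/reports/",
    "/app/reports/report2.pdf",
    "/static/site.css?v=3",
]

# Assumed mini wordlists; Burp ships its own, much larger, built-in lists.
BUILTIN_NAMES = ["admin", "backup", "test", "old", "include"]
BACKUP_SUFFIXES = [".bak", ".old", ".orig", "~", ".txt"]

_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def cycle_numbers(stem, span=2):
    """report2 -> report0, report1, report3, report4 (zero padding preserved)."""
    m = _TRAILING_NUMBER.match(stem)
    if not m:
        return []
    prefix, digits = m.groups()
    n = int(digits)
    return [prefix + str(k).zfill(len(digits))
            for k in range(n - span, n + span + 1) if k != n and k >= 0]


def backup_variants(filename):
    """Names to try once a file is confirmed: login.php -> login.php.bak, login.bak, ..."""
    stem, dot, _ext = filename.rpartition(".")
    variants = [filename + s for s in BACKUP_SUFFIXES]
    if dot:
        variants += [stem + s for s in BACKUP_SUFFIXES if s.startswith(".")]
    return list(dict.fromkeys(variants))


def harvest(observed_paths):
    """Directories, file stems and extensions seen in use within the application."""
    dirs, stems, exts = {"/"}, set(), set()
    for raw in observed_paths:
        path = urlsplit(raw).path          # ignore any query string
        parts = path.split("/")[1:]
        filename = "" if path.endswith("/") else parts[-1]
        dir_parts = parts[:-1]
        for i in range(1, len(dir_parts) + 1):
            dirs.add("/" + "/".join(dir_parts[:i]) + "/")
        if filename:
            stem, dot, ext = filename.rpartition(".")
            if dot:
                stems.add(stem)
                exts.add(ext)
            else:
                stems.add(filename)
    return dirs, stems, exts


def generate_candidates(observed_paths, builtin=BUILTIN_NAMES):
    """Every (directory, name, extension) combination not already in the site map,
    with harvested names retried in every directory and numbered names cycled."""
    observed = {urlsplit(p).path for p in observed_paths}
    dirs, stems, exts = harvest(observed_paths)
    names = list(builtin) + sorted(stems)
    names += [c for s in sorted(stems) for c in cycle_numbers(s)]
    names = list(dict.fromkeys(names))
    candidates = []
    for d in sorted(dirs):
        for name in names:
            candidates.append(d + name + "/")                       # as a directory
            candidates.append(d + name)                             # extension-less file
            candidates.extend(d + name + "." + ext for ext in sorted(exts))
    return [c for c in dict.fromkeys(candidates) if c not in observed]


if __name__ == "__main__":
    for path in generate_candidates(SAMPLE_OBSERVED)[:12]:
        print(path)
    print("backups to try once /app/login.php is confirmed:", backup_variants("login.php"))
```

Even this toy wordlist produces a few hundred requests, which is why the throttling and task prioritisation described above matter: the order in which candidates are tried, and how fast, decides whether a discovery session finds the interesting content before the client's IDS or a fragile application notices.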

Sunday, November 22, 2009

[V13P] SSL pain relief

In v1.2.11, Burp introduced a new method of generating the server SSL certificates which are presented to your browser when you connect via Burp Proxy. This involved creating a root CA certificate (per user), which you can install into your browser, and using this to sign each host certificate, thus enabling you to eliminate SSL certificate errors. Read more here.

Unfortunately, in v3.5 Firefox changed the way it handles root CA certificates, which stopped Burp's root CA certificate from working. This problem has now been fixed, and Firefox should accept Burp's certificates again:

Note that if you have previously installed Burp's CA certificate into any of your browsers, you may need to remove this before you can install the new root certificate, as described here.

Another occasional source of SSL pain happens when Burp fails to negotiate connections using the combination of protocols offered by the destination web server. The Java SSL stack contains a few gremlins, and fails to work with certain unusual server configurations. To help you troubleshoot this problem, Burp now lets you specify which protocols should be offered to servers during SSL negotiations:

Note that Burp already implements a few workarounds for SSL issues, and if a negotiation fails with the protocols you have configured, Burp will still try some alternative combinations of protocols which often work. So you shouldn't use this new feature as a method of testing which protocols are actually supported by the server. People often ask if Burp can perform these checks, but Java is a bit too far removed from the SSL action for this to be done reliably, so you are better off sticking to a dedicated tool for investigating server SSL configurations.

Saturday, November 21, 2009

[V13P] Upstream proxy rules

If I had a beer for every time someone has requested this feature, I'd have been way too wasted to implement it.

Burp already supports upstream web proxies, but only as a global configuration which affects all outgoing traffic. In the new release, Burp allows you to configure rules specifying different proxy settings for different (ranges of) destination hosts.

The following configuration will make Burp talk directly to, use an internal proxy server without authentication for everything else on *, and use an authenticated gateway web proxy for everything else, including the public internet:

You can use standard wildcards in the destination host specification. Rules are applied in sequence, and the first rule which matches the web server you are communicating with will be used. If no rule is matched, Burp defaults to direct, non-proxy connections.
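The matching semantics just described (ordered rules, wildcard host patterns, first match wins, direct connection when nothing matches) are easy to get wrong in the other direction too: a catch-all rule placed first silently swallows every later rule. Below is an added example, not Burp's own rule engine, that implements the same semantics over a constructed rule table and flags shadowed rules. The host names, the proxy dict layout and the use of shell-style glob matching (where `*` also matches dots, so `*.corp.example` matches `a.b.corp.example`) are assumptions; Burp's exact wildcard rules are not documented on this page.

```python
from fnmatch import fnmatchcase

# Constructed rule table in the spirit of the configuration described above.
# Each entry is (destination host pattern, proxy); None means connect directly.
# Host names and the dict layout are assumptions, not Burp's own rule format.
RULES = [
    ("intranet.corp.example", None),
    ("*.corp.example", {"host": "proxy.corp.example", "port": 8080, "auth": None}),
    ("*", {"host": "gateway.corp.example", "port": 3128,
           "auth": ("pentester", "s3cret")}),
]


def select_proxy(dest_host, rules=RULES):
    """First matching rule wins; no match means a direct connection."""
    host = dest_host.lower().rstrip(".")
    for pattern, proxy in rules:
        if fnmatchcase(host, pattern.lower()):
            return proxy
    return None


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule always
    matches first: a preceding bare "*", or a preceding pattern that already
    matches a later literal (wildcard-free) host."""
    shadowed = []
    for i, (pattern, _) in enumerate(rules):
        literal = not any(ch in pattern for ch in "*?[")
        for earlier, _ in rules[:i]:
            if earlier == "*" or (literal and fnmatchcase(pattern.lower(), earlier.lower())):
                shadowed.append(i)
                break
    return shadowed


def describe(dest_host, rules=RULES):
    """Human-readable routing decision, handy when debugging a proxy chain."""
    proxy = select_proxy(dest_host, rules)
    if proxy is None:
        return f"{dest_host}: direct"
    auth = "authenticated" if proxy["auth"] else "no auth"
    return f"{dest_host}: via {proxy['host']}:{proxy['port']} ({auth})"


if __name__ == "__main__":
    for h in ("intranet.corp.example", "hr.corp.example", "www.example.org"):
        print(describe(h))
    print("shadowed:", shadowed_rules([("*", None)] + RULES))
```

Run `shadowed_rules` over any rule set before relying on it; in the demo, prepending a `*` rule makes all three original rules unreachable, which is exactly the misconfiguration that sends internal traffic out through the authenticated gateway.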

Friday, November 20, 2009

[V13P] Request annotation

You can now add comments and coloured highlights to items in the site map and proxy history:

You can highlight individual items using a drop-down menu on the left-most table column:

And you can comment individual items in-place by double-clicking and editing the table cell:

Alternatively, if you want to annotate several items at once, you select the relevant items and use the context menu to add comments or apply highlights:

When you have annotated interesting requests, you can use column sorting and display filters to quickly find these items later.

[V13P] Improved search

The suite-wide search function has had a revamp, with a number of useful features added:

  • regex mode;

  • optional restriction to target scope;

  • optional dynamic updating of existing search results as new requests are made;

  • ability to search selected hosts/branches within the site map, via the site map context menu.

Here's an example of using a regex search term with dynamic updating, to monitor all responses containing HTML comments as they are received from the server:

The searchable text viewer/editor used throughout Burp also now supports regex and case sensitive searches. These features are accessed via a new pop-up panel at the left of the search bar:

When you are viewing items found in a suite-wide search, the relevant options which you used in that search are automatically copied to the text viewer, so that the correct items are highlighted.
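The scripts-and-comments search described in the earlier post and the regex search for HTML comments shown here are two views of the same operation: run a pattern over every captured response, then pull the matching fragments out and consolidate duplicates. The following is an added example of that operation, not Burp's code, run over a few constructed responses; it serves both passages. The regular expressions are deliberately simple (they do not handle comments inside script bodies or `<script>` tags split across attributes with `>` in them), which is a fair approximation of what people were doing by grepping Burp's log files.

```python
import re

# Constructed responses standing in for what Burp has captured (url -> body).
SAMPLE_RESPONSES = {
    "http://shop.example/": (
        "<html><head><script src=\"/js/app.js\"></script></head>\n"
        "<body><!-- TODO: remove debug=1 before go-live -->\n"
        "<script>var apiKey = 'demo-key-1234';</script></body></html>"
    ),
    "http://shop.example/about": (
        "<html><body>\n<!-- TODO: remove debug=1 before go-live -->\n"
        "<!-- old admin path: /admin_v1/ --><p>About us</p></body></html>"
    ),
    "http://shop.example/css/site.css": "body { margin: 0 } /* not an HTML comment */",
}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def extract(body):
    """HTML comments, inline script bodies and external script URLs in one response."""
    comments = [c.strip() for c in COMMENT_RE.findall(body)]
    inline, external = [], []
    for attrs, code in SCRIPT_RE.findall(body):
        src = SRC_RE.search(attrs)
        if src:
            external.append(src.group(1))
        elif code.strip():
            inline.append(code.strip())
    return {"comments": comments, "inline": inline, "external": external}


def search(responses, term, regex=False, case_sensitive=False):
    """Suite-wide style search: URLs whose response matches a literal or regex term."""
    flags = 0 if case_sensitive else re.I
    pattern = re.compile(term if regex else re.escape(term), flags | re.S)
    return [url for url, body in responses.items() if pattern.search(body)]


def consolidate(values):
    """Drop duplicate items while keeping first-seen order."""
    return list(dict.fromkeys(values))


def report(responses, dedupe=True):
    """Collect scripts and comments across all responses, as the export button does."""
    found = {"comments": [], "inline": [], "external": []}
    for body in responses.values():
        for key, values in extract(body).items():
            found[key].extend(values)
    if dedupe:
        found = {k: consolidate(v) for k, v in found.items()}
    return found


if __name__ == "__main__":
    print("responses with HTML comments:", search(SAMPLE_RESPONSES, r"<!--.*?-->", regex=True))
    for key, values in report(SAMPLE_RESPONSES).items():
        print(key, values)
```

The consolidated output is what you actually want to read: one copy of the shared site-template comment rather than one per page, plus the page-specific comment that leaks an old admin path, and the inline script that embeds a key.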

Burp Suite v1.3 preview

Work on the next release of Burp is inching forwards, and over the next two weeks I'll be posting regularly with previews of some of the cool new features to look forward to. Then I'll release a beta version for Pro users to play with. Everyone with a current license will receive an automatic upgrade to v1.3.

Many thanks to everyone who has submitted feature requests. A lot of these have been implemented in v1.3, though many will need to wait for next time. Hopefully I've pleased more people than I've disappointed.

Monday, November 2, 2009

Burp Suite - feature requests please

It's getting to that time of year again when all the hastily made promises about the next release of Burp need to be made good. So I'm pleased to announce that release 1.3 of Burp Suite will be available before Christmas*.

The free edition of Burp will get a roll-up of some of the new stuff that has been added to the pro edition over the past year. And the pro edition will get a bunch of cool new features of its own.

At this stage, it would be good to hear about any requests for new features that people have. Even if you've asked for them before, on several occasions, remind me again and I'll do my best to include them. You can email me or leave requests in the comments. Thanks!

*2009, hopefully.

If politicians were HTTP status codes

401 Not Authorized

George W. Bush

416 Not Satisfiable

Bill Clinton

417 Expectation Failed

Barack Obama

302 Found

Saddam Hussein

404 Not Found

Osama Bin Laden

410 Gone

John F Kennedy

500 Internal Error

Donald Rumsfeld

415 Unsupported Media Type

Tony Blair

203 Non-Authoritative Information

Sarah Palin

306 Unused

Al Gore

408 Timeout

John McCain

303 See Other

Nicolas Sarkozy

100 Continue

Vladimir Putin

405 Method Not Allowed

Richard Nixon

402 Payment Required

Silvio Berlusconi

413 Too Large

Helmut Kohl

414 Too Long

Fidel Castro

411 Length Required

Cristina Fernández de Kirchner

300 Multiple Choices

Lech & Jaroslaw Kaczynski

403 Forbidden

Geert Wilders

409 Conflict

Adolf Hitler

406 Not Acceptable

Muammar Gaddafi

503 Service Unavailable

Kim Jong Il

GIAC paper on Burp Intruder

Karl Dawson has written a nice paper about using Burp Intruder for discovering login credentials, and how you can use various tricks to reveal other useful information and anomalies, as well as actually guessing valid passwords. Download it here.