It's getting to that time of year again when all the hastily made promises about the next release of Burp need to be made good. So I'm pleased to announce that release 1.3 of Burp Suite will be available before Christmas*.
The free edition of Burp will get a roll-up of some of the new stuff that has been added to the pro edition over the past year. And the pro edition will get a bunch of cool new features of its own.
At this stage, it would be good to hear about any requests for new features that people have. Even if you've asked for them before, on several occasions, remind me again and I'll do my best to include them. You can email me or leave requests in the comments. Thanks!
*2009, hopefully.


55 comments:
Print/Save results from Sequencer please :)
Saving off all URLs in the history
Searching through all history contents
Better saving of intruder attacks.
Tabbed Intruder interface (just like what Repeater got in v1.2) would be nice.
Extend the Burp Extender interface so we can do more stuff with it :)
- Community driven fuzz lists in intruder.
User creates account on portswigger.net and then uses it to add/download new fuzz lists to be used in intruder.
Allows the l33t peeps to show off their fuzzing skills and also allows the new kids to learn the benefits of fuzzing and use some of the updated lists.
- Search function in history
SOAP/WebService tab with decoding/encoding like what WebScarab does!
1. The ability to partially scan a tree. Right now, I have to scan the whole tree, or delete nodes before I scan them. I'd like to be able to make things "out of scope" for an active scan.
2. A comprehensive list of items that are scanned from during the passive and active scans (i.e., as indicated by the TYPE tags in an XML output)
repeater time interval
Looking forward to 1.3 already. Let me know if you need Beta testers.
Small nagging request, but in intruder it would be nice to highlight a value to be replaced (fuzz point) and have the § key select it completely (not just add a § at the start). Hard to explain, but it can be annoying ;)
I'd also like to see a cookie plot similar to Webscarab, and the ability to export URLs from history to a text, csv, or XML format to input into scripts etc.
Thanks for all the hard work, and look forward to the next version.
Tabbed Intruder interface or some other way to save multiple attacks would be top of my list. Also URL encoding as you type.
Active scan could try to avoid scanning the same script many times if many base requests have been captured in the Target tree.
I was also going to mention renaming of Repeater tabs next but I just noticed that's already possible...
Simple real-time scripting interface, preferably implemented in Jython, but could be BeanShell.
The jruby implementation (http://github.com/emonti/buby) is cool, but...well...it's ok if you like ruby.
You continue to publicly advance the art in ways that have the potential to alter the entire web assessment space.
Keep up the good work!!!
Levenshtein distance based difference calculation in Intruder ala crowbar, suru, and w3af.
Allows for a simple way to check for similar groups of responses at a glance.
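An added illustration of the Levenshtein-based grouping this comment asks for (example code written for this page, not Burp's, Crowbar's, Suru's or w3af's own implementation): the edit distance between two response strings is turned into a similarity ratio, and responses are clustered greedily so that the one anomalous reply in a batch of near-identical ones stands out. The HTTP responses below are constructed sample data; the 0.8 threshold is an assumption a tester would tune per target.

```python
# Added example, not from the original page: Levenshtein distance between
# HTTP responses, used to cluster near-identical replies so the odd one out
# (a different status page, a redirect) is visible at a glance.

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) using two rolling rows."""
    if len(a) < len(b):
        a, b = b, a                       # keep the shorter string as the row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution / match
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, approaching 0.0 for completely different ones."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(a, b) / longest


def group_responses(responses, threshold=0.8):
    """Greedy single-pass clustering: a response joins the first group whose
    representative (its first member) is at least `threshold` similar,
    otherwise it starts a new group. Returns lists of indices into `responses`."""
    groups = []
    for idx, body in enumerate(responses):
        for group in groups:
            if similarity(responses[group[0]], body) >= threshold:
                group.append(idx)
                break
        else:
            groups.append([idx])
    return groups


# Constructed sample responses (not captured from any real host): three
# near-identical 200s, one error page and one redirect.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\n\r\n<html><body>Welcome, alice</body></html>",
    "HTTP/1.1 200 OK\r\n\r\n<html><body>Welcome, bob</body></html>",
    "HTTP/1.1 200 OK\r\n\r\n<html><body>Welcome, carol</body></html>",
    "HTTP/1.1 500 Internal Server Error\r\n\r\n<html><body>Something went wrong</body></html>",
    "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n",
]

if __name__ == "__main__":
    for group in group_responses(SAMPLE_RESPONSES):
        print(group, SAMPLE_RESPONSES[group[0]].split("\r\n", 1)[0])
```

The quadratic cost of the distance computation is the reason tools usually compare only the first few kilobytes of each response, or a stripped-down version without volatile tokens and timestamps; a per-target threshold is still needed, because how different "different" is depends on how much dynamic content the application emits.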
I'm going to have to disagree with ChrisJohnRiley about the need for a plot of sessionIDs. If you don't know enough about statistics to read the output of the current sessionID tester, rely on the burp recommendations because you're unqualified to comment on the strength. A graph only shows the very worst of problems, and can give a false sense of security.
I was working on my own cookie strength analyser before the burp one came out, so I've done enough research to tell you that Burp currently does the right thing in testing for strength.
Hey,
1.
Would be great to be able to enable/disable items within the include/exclude sections of the scope rather than having to delete them from the scope for one test, and then re-add them in again when you test the site again. (same for any of these type of boxes throughout burp)
2.
Burp Scanner found the ASP.NET request filter bypass XSS vuln, but didn’t detect the ASP.NET Unicode Conversion XSS vuln.
E.g.:
Straight HTML/Javascript injection:
http://www.example.com/search.aspx?query=test%uFF1Cscript%uFF1Ealert(‘xss’)%uFF1C/script%uFF1E
or with double quotes to break out of tag:
http://www.example.com/search.aspx?query=test%uFF02%uFF1E%uFF02%uFF1Cscript%uFF1Ealert(‘xss’)%uFF1C/script%uFF1E
or with single quotes to break out of tag:
http://www.example.com/search.aspx?query=test%uFF07%uFF1E%uFF02%uFF1Cscript%uFF1Ealert(‘xss’)%uFF1C/script%uFF1E
3.
Scanner queue often doesn't get restored after a save.
Thanks,
Ty
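An added illustration of the class of bug the examples above describe (example code written for this page, not the commenter's, Burp's or ASP.NET's own code, and it models the platform's character conversion as Unicode NFKC normalisation rather than reproducing any specific framework's logic): a filter that inspects the request value for ASCII markup characters before the server maps fullwidth characters such as U+FF1C and U+FF1E to their ASCII equivalents will pass the input, while the same check applied after normalisation rejects it. The `%uXXXX` decoder and the sample inputs are constructed for the example.

```python
# Added example, not from the original page: why a pre-normalisation filter
# misses fullwidth characters, and the check a scanner or a developer can
# run to catch them.
import re
import unicodedata

# Non-standard %uXXXX escapes, as seen in the URLs above (constructed decoder).
PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")

MARKUP_CHARS = "<>\"'"


def decode_percent_u(value: str) -> str:
    """Turn %uFF1C-style escapes into the Unicode characters they denote."""
    return PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), value)


def naive_filter_rejects(value: str) -> bool:
    """Models a request filter that only looks for ASCII markup characters."""
    return any(c in value for c in MARKUP_CHARS)


def normalized_filter_rejects(value: str) -> bool:
    """Hardened check: normalise first (NFKC maps fullwidth forms to ASCII),
    then apply the same character test."""
    return naive_filter_rejects(unicodedata.normalize("NFKC", value))


def classify(raw_query_value: str) -> dict:
    """Run both checks on one raw parameter value and report what each saw."""
    decoded = decode_percent_u(raw_query_value)
    return {
        "decoded": decoded,
        "normalized": unicodedata.normalize("NFKC", decoded),
        "naive_rejects": naive_filter_rejects(decoded),
        "normalized_rejects": normalized_filter_rejects(decoded),
    }


# Constructed inputs: plain ASCII markup, and the same markup in fullwidth form.
ASCII_INPUT = "test<b>x</b>"
FULLWIDTH_INPUT = "test%uFF1Cb%uFF1Ex%uFF1C/b%uFF1E"

if __name__ == "__main__":
    for sample in (ASCII_INPUT, FULLWIDTH_INPUT):
        print(sample, classify(sample))
```

The practical rule this demonstrates is that validation has to run on the same representation the consumer will see: either normalise before validating, or validate the value after every transformation the framework applies, and a scanner check for this class of bug should send fullwidth variants of each metacharacter and compare the reflected output after normalisation.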
I second the first comment -- a way to export/save the Burp Sequencer info would be great. You know, something to include with a report to prove token weaknesses to the customer.
Allow loading of payloads with newlines (or allow defining a character that gets translated to a newline).
UTF8URL encoding in the decoder.
Export/save/print for the information in the sequencer.
Thanks for an awesome tool.
I second the fuzzing lists for scanner/intruder. Oftentimes I worry about the thoroughness of my scans, or whether or not burp includes a new xss or scripting exploit I've just read about on a security blog. I would really appreciate the ability to manually add/edit the fuzzing lists.
I like the enhancements to the burp scanner interface and have been using them quite a bit.
It would be super useful when scanning sensitive servers to be able to throttle the bandwidth out to them from burp, so I don't cause an interruption of service. The only other solution I've come up with is to throttle all the bandwidth out of my computer, and that's very annoying.
Thanks so much!
The ability to update the cookie for all session-based sequences, for those applications that issue a new Set-Cookie: header with each response.
ASP.Net Viewstate Decoder
- Sortable columns in "scan queue" list so you can easily find something to cancel scanning of.
- Quick search on scan queue so you can easily find things (like .pdf files) to cancel scanning of.
Select which SSL protocol (SSLv2/SSLv3/TLS) to use to connect to server.
- ssl server security analysis built-in (like sslscan)
- the ability to search for keywords in all content of the burp proxy history
- put the fuzzing files in a separate folder, and not in the actual jar.
Well.. it is already a superb product.. but how about:
* Better support for testing web services - i.e. soapui
* Nikto/dirbuster functionality in a separate tab (although it's easy enough to do it in intruder manually, it would be nice to have it integrated).
* Doesn't crash on very large requests/responses.
* Better support for client application proxying - similar to echomirage.
ability to consistently copy/paste into any editable area. For example, the proxy window.
Able to edit more of the AMF structure. Such as changing the key in the key/value pairs. Right now you can only change the value.
More insight into NTLM authentication (failures), at a minimum showing the page it's trying to access (in the pop-up) and possibly the NTLM challenge response. Autofilling the Domain & Hostname would be nifty.
Automation of blind SQL injection would be pretty slick. Obviously you can currently rig up the intruder to complete this task with some work, but it would be great to say, "the true or false statement goes here, the database is MSSQL, and a true statement has this text or is this length", and then have it pull back the database username. There are a lot of other ways to do similar things.
Maximum "scans" per URL in the scanner; just because a page has 100 different links to it doesn't mean I need to scan it 100 times.
Thanks for putting together a nearly perfect tool. It's very hard for me to think of features that burp is missing.
I second the user that suggested improved support for testing web services.
Related to the SQL injection verification, I'd love to see functionality in Burp Extender to register a callback for a new menu item.
Then a "send to sqlmap" menu item would be easy to write as an extension.
Also, a way to add new issues to the burp scanner interface would be helpful, so there's only one place to manage findings instead of having to create a separate display with plugins.
Working with binary (Java RMI) data in HTTP requests: for every "0a" (LF) occurring in a request, Burp Repeater puts "0d" (CR) in front of it. Would be great if Burp could be configured not to insert any bytes automatically.
The ability to automatically request backup extension (.bak, .BAK, ~,...) of discovered files, like Webscarab.
Please add the window again, which displayed where an object has been referenced from.
E.g. you've got a file abc.txt in your sitemap and want to know from where it has been referenced.
In repeater, autocalc the content-length...
Sending a binary request from the Repeater to the Intruder doesn't work right. It changes characters.
Due to the missing hex view/editor it's not possible to repair this request ...
Ability to run Burp connections through a socks proxy.
Totally unrelated to web apps (what Burp is built for) but,
Implementing proxy support for raw binary traffic will open a new world to burp-suite capabilities!
Matasano's PFI is a simple example of this work, but I imagine having all capabilities of Burp over binary data, not just HTTP.
Considering current features of suite (proxy,fuzz,intruder,etc...) raw binary traffic proxy support will probably make Burp the ultimate tool-set for many people out there :)
One more very minor thing: ability to turn on autoscroll in the proxy window.
Re: autoscroll:
You can reverse sort by # field with a shift-click to get the same effect.
For reporting it would be great if Burp used the WASC threat mappings, CVSS v2.
Seconding the Burp Extender interface request ;) I'd like to be able to add my own tabs to the request/response for parsing arbitrary protocols. In the same way that you have added the viewstate parsing tab to the normal "raw", "headers", "hex" tabs.
Failing that, some kind of flexible version of the "headers" tab, where you can use regex to specify your own name/value pairs.
pkcs11 support
Please add a button to clear the scanner's results.
Please add an encoding tool which can transform input to specified output like UTF-7/8, URL-encode, URL-double-encode, HEX, binary, octal, Base64, HTML, MS-SQL, MySQL, JavaScript, etc. and where you can send input to it (requests from sequencer, proxy, etc.).
More Mac friendly. Burp Suite Pro has the tendency to hang at the worst of times. In the meantime VMware is my best friend - but why can't I just do all my work on Mac OS X?
Enable the scanner to detect if the session has been terminated and re-authenticate before continuing the automated scanning
AMF decoding doesn't decode the entire request properly for large requests. This would be nice to have fixed.
If possible, be able to tamper ViewState v2.0 as for v1.1. Hexadecimal modification is... difficult to perform before the server timeout ;-)
It would be great to be able to modify the active scan payload for SQL injection and XSS. This way, anyone can add personalized payloads for bypassing the reverse-proxies / WAF.
The copy / paste under Linux in the Pro version only works with the ctrl+c/v buffer, unlike the free version, which accepts both highlighting/middle mouse button and ctrl+c/v.
It would be nice to have the highlighting / middle mouse button back in the Pro version. It is annoying if you want to copy / paste data from a terminal which does not support ctrl+c/v.
It would be nice to have a "test again" option in scanner results; there are some false positives when the server response takes longer than usual due to heavy traffic, and this option would help to do quick verification.
Add a column 'HTTP Errors' to the display in the 'scan queue' tab. If I see a large number of HTTP 500 errors, I want to have a chance to stop the scans and investigate. Maybe even a configuration item (stop, or better pause, after X HTTP 50X errors?)
Ability to rename the entire Burp session and having this show up in the taskbar (I have 2 or 3 separate Burp sessions open sometimes).
Seconding better Mac support.
- Real-time scripting. Use the scripting engine api to enable support for lots of languages. Make a simple / easy interface for entering / persisting scripts, like GreaseMonkey.
- HTTP streaming, e.g. showing chunked encoding as the data becomes available, instead of timing out.
- General TCP / SSL proxy support, along the lines of the Grinder TCPProxy (or Matasano PFI.)
But most of all, I second the "keep up the good work". Merry Christmas :)
Ability to share the same "Portswigger CA" cert across multiple installs of Burp. Probably means a way to import that cert to a new machine.
The guys over at Corsaire have apparently figured out a way to make it more compatible with Apple's JRE. (http://research.corsaire.com/tools/) I plunked down the cash for the 1.3 pro version, without hesitation. Just wished it was more stable while running on my Mac.