PortSwigger Web Security Blog

Monday, 2 November 2009

Burp Suite - feature requests please

It's getting to that time of year again when all the hastily made promises about the next release of Burp need to be made good. So I'm pleased to announce that release 1.3 of Burp Suite will be available before Christmas*.

The free edition of Burp will get a roll-up of some of the new stuff that has been added to the pro edition over the past year. And the pro edition will get a bunch of cool new features of its own.

At this stage, it would be good to hear about any requests for new features that people have. Even if you've asked for them before, on several occasions, remind me again and I'll do my best to include them. You can email me or leave requests in the comments. Thanks!

*2009, hopefully.

56 comments:

Anonymous said...

Print/Save results from Sequencer please :)

Anonymous said...

Saving off all URLs in the history

Searching through all history contents

Anonymous said...

Better saving of intruder attacks.

Anonymous said...

Tabbed Intruder interface (just like what Repeater got in v1.2) would be nice.

Benjamin said...

Extend the Burp Extender interface so we can do more stuff with it :)

Daniel said...

- Community driven fuzz lists in intruder.

User creates account on portswigger.net and then uses it to add/download new fuzz lists to be used in intruder.

Allows the l33t peeps to show off their fuzzing skills and also allows the new kids to learn the benefits of fuzzing and use some of the updated lists.

- Search function in history

S. said...

SOAP/WebService tab with decoding/encoding like what WebScarab does!

Anonymous said...

1. The ability to partially scan a tree. Right now, I have to scan the whole tree, or delete nodes before I scan them. I'd like to be able to make things "out of scope" for an active scan.

2. A comprehensive list of items that are scanned for during the passive and active scans (i.e., as indicated by the TYPE tags in an XML output).

Anonymous said...

repeater time interval

ChrisJohnRiley said...

Looking forward to 1.3 already. Let me know if you need Beta testers.

Small nagging request, but in intruder it would be nice to highlight a value to be replaced (fuzz point) and have the § key select it completely (not just add a § at the start). Hard to explain, but it can be annoying ;)

I'd also like to see a cookie plot similar to Webscarab, and the ability to export URLs from history to a text, csv, or XML format to input into scripts etc.

Thanks for all the hard work, and look forward to the next version.

Hubert said...

Tabbed Intruder interface or some other way to save multiple attacks would be top of my list. Also URL encoding as you type.

Active scan could try to avoid scanning the same script many times if many base requests have been captured in the Target tree.

I was also going to mention renaming of Repeater tabs next but I just noticed that's already possible...

Anonymous said...

Simple real-time scripting interface, preferably implemented in Jython, but could be BeanShell.

The jruby implementation (http://github.com/emonti/buby) is cool, but...well...it's ok if you like ruby.

You continue to publicly advance the art in ways that have the potential to alter the entire web assessment space.

Keep up the good work!!!

Steve Pinkham said...

Levenshtein distance based difference calculation in Intruder ala crowbar, suru, and w3af.

Allows for a simple way to check for similar groups of responses at a glance.

Steve Pinkham said...

I'm going to have to disagree with ChrisJohnRiley about the need for a plot of sessionIDs. If you don't know enough about statistics to read the output of the current sessionID tester, rely on the burp recommendations because you're unqualified to comment on the strength. A graph only shows the very worst of problems, and can give a false sense of security.

I was working on my own cookie strength analyser before the burp one came out, so I've done enough research to tell you that Burp currently does the right thing in testing for strength.

Ty said...

Hey,

1. Would be great to be able to enable/disable items within the include/exclude sections of the scope rather than having to delete them from the scope for one test, and then re-add them in again when you test the site again. (Same for any of these types of boxes throughout Burp.)

2. Burp Scanner found the ASP.NET request filter bypass XSS vuln, but didn’t detect the ASP.NET Unicode Conversion XSS vuln.

E.g.:

Straight HTML/Javascript injection:

http://www.example.com/search.aspx?query=test%uFF1Cscript%uFF1Ealert(‘xss’)%uFF1C/script%uFF1E

or with double quotes to break out of tag:

http://www.example.com/search.aspx?query=test%uFF02%uFF1E%uFF02%uFF1Cscript%uFF1Ealert(‘xss’)%uFF1C/script%uFF1E

or with single quotes to break out of tag:

http://www.example.com/search.aspx?query=test%uFF07%uFF1E%uFF02%uFF1Cscript%uFF1Ealert(‘xss’)%uFF1C/script%uFF1E

3. Scanner queue often doesn't get restored after a save.

Thanks,
Ty

Anonymous said...

I second the first comment -- a way to export/save the Burp Sequencer info would be great. You know, something to include with a report to prove token weaknesses to the customer.

Anonymous said...

Allow loading of payloads with newlines (or allow defining a character that gets translated to a newline).

Dave Hull said...

UTF8URL encoding in the decoder.
Export/save/print for the information in the sequencer.

Thanks for an awesome tool.

seere said...

I second the fuzzing lists for scanner/intruder. Oftentimes I worry about the thoroughness of my scans, or whether or not burp includes a new xss or scripting exploit I've just read about on a security blog. I would really appreciate the ability to manually add/edit the fuzzing lists.

I like the enhancements to the burp scanner interface and have been using them quite a bit.

It would be super useful when scanning sensitive servers to be able to throttle the bandwidth out to them from burp, so I don't cause an interruption of service. The only other solution I've come up with is to throttle all the bandwidth out of my computer, and that's very annoying.

Thanks so much!

JJ said...

The ability to update the cookie for all session-based sequences, for those applications that issue a new Set Cookie: header with each response.

Anonymous said...

ASP.Net Viewstate Decoder

Anonymous said...

- Sortable columns in "scan queue" list so you can easily find something to cancel scanning of.
- Quick search on scan queue so you can easily find things (like .pdf files) to cancel scanning of.

devadraco said...

Select which SSL protocol (SSLv2/SSLv3/TLS) to use to connect to server.

Anonymous said...

- ssl server security analysis built-in (like sslscan)

- the ability to search for keywords in all content of the burp proxy history

- put the fuzzing files in a separate folder, and not in the actual jar.

Anonymous said...

Well.. it is already a superb product.. but how about:
* Better support for testing web services - i.e. soapui
* Nikto/dirbuster functionality in a separate tab (although it's easy enough to do it in intruder manually, it would be nice to have it integrated).
* Doesn't crash on very large requests/responses.
* Better support for client application proxying - similar to echomirage.

Anonymous said...

ability to consistently copy/paste into any editable area. For example, the proxy window.

Anonymous said...

Able to edit more of the AMF structure. Such as changing the key in the key/value pairs. Right now you can only change the value.

Alex said...

More insight into NTLM authentication (failures), at a minimum showing the page it's trying to access (in the pop-up) and possibly the NTLM challenge response. Autofilling the Domain & Hostname would be nifty.

Automation of blind SQL injection would be pretty slick. Obviously you can currently rig up the intruder to complete this task with some work, but it would be great to say, "the true or false statement goes here, the database is MSSQL, and a true statement has this text or is this length", and then have it pull back the database username. There are a lot of other ways to do similar things.

Maximum "scans" per URL in the scanner; just because a page has 100 different links to it doesn't mean I need to scan it 100 times.

Thanks for putting together a nearly perfect tool. It's very hard for me to think of features that burp is missing.

I second the user that suggested improved support for testing web services.

Steve Pinkham said...

Related to the SQL injection verification, I'd love to see functionality in Burp Extender to register a callback for a new menu item.

Then a "send to sqlmap" menu item would be easy to write as an extension.

Also, a way to add new issues to the burp scanner interface would be helpful, so there's only one place to manage findings instead of having to create a separate display with plugins.

Anonymous said...

Working with binary (Java RMI) data in HTTP requests: for every "0a" (LF) occurring in a request, Burp Repeater puts "0d" (CR) in front of it. Would be great if Burp could be configured not to insert any bytes automatically.

Pierre Nogues said...

The ability to automatically request backup extension (.bak, .BAK, ~,...) of discovered files, like Webscarab.

Anonymous said...

Please add the window again, which displayed where an object has been referenced from.

E.g. you've got a file abc.txt in your sitemap and want to know from where it has been referenced.

Anonymous said...

In repeater, autocalc the content-length...

Anonymous said...

Sending a binary request from the Repeater to the Intruder doesn't work right. It changes characters.

Due to the missing hex view/editor it's not possible to repair this request ...

Anonymous said...

Ability to run Burp connections through a socks proxy.

S. Hamid Kashfi said...

Totally unrelated to web-app (what Burp is built for) but,
Implementing proxy support for raw binary traffic will open a new world to burp-suite capabilities!

Matasano's PFI is a simple example of this work, but I imagine having all capabilities of Burp over binary data not just http.

Considering current features of suite (proxy,fuzz,intruder,etc...) raw binary traffic proxy support will probably make Burp the ultimate tool-set for many people out there :)

Alex said...

One more very minor thing: ability to turn on autoscroll in the proxy window.

Steve Pinkham said...

Re: autoscroll:
You can reverse sort by # field with a shift-click to get the same effect.

ark0n said...

For reporting it would be great if Burp used the WASC threat mappings, CVSS v2.

Paul said...

Seconding the Burp Extender interface request ;) I'd like to be able to add my own tabs to the request/response for parsing arbitrary protocols. In the same way that you have added the viewstate parsing tab to the normal "raw", "headers", "hex" tabs.

Failing that, some kind of flexible version of the "headers" tab, where you can use regex to specify your own name/value pairs.

Anonymous said...

pkcs11 support

Anonymous said...

Please add a button to clear the scanner's results.

Anonymous said...

Please add an encoding tool which can transform input to specified output like UTF-7/8, URL-encode, URL-double-encode, HEX, binary, octal, Base64, HTML, MS-SQL, MySQL, JavaScript, etc. and where you can send input to it (requests from sequencer, proxy, etc.).

ark0n said...

More Mac friendly. Burp Suite Pro has the tendency to hang at the worst of times. In the meantime VMware is my best friend - but why can't I just do all my work on Mac OS X?

Anonymous said...

Enable the scanner to detect if the session has been terminated and re-authenticate before continuing the automated scanning

Anonymous said...

AMF decoding doesn't decode the entire request properly for large requests. This would be nice to have fixed.

Anonymous said...

If possible, be able to tamper ViewState v2.0 as for v1.1. Hexadecimal modification is... difficult to perform before the server timeout ;-)

Anonymous said...

It would be great to be able to modify the active scan payload for SQL injection and XSS. This way, anyone can add personalized payloads for bypassing the reverse-proxies / WAF.

Anonymous said...

The copy / paste under Linux in the Pro version only works with the ctrl+c/v buffer, in contrast to the free version, which accepts both highlighting/middle mouse button and ctrl+c/v.

It would be nice to have the highlighting / middle mouse button back in the Pro version. It is annoying if you want to copy / paste data from a terminal which does not support ctrl+c/v.

Anonymous said...

It would be nice to have a "test again" option in scanner results; there are some false positives when the server response takes longer than usual due to heavy traffic, and this option would help to do quick verification.

Herman said...

Add a column 'HTTP Errors' to the display in the 'scan queue' tab. If I see a large number of HTTP 500 errors, I want to have a chance to stop the scans and investigate. Maybe even a configuration item (stop, or better, pause after X HTTP 50X errors?)

Hubert said...

Ability to rename the entire Burp session and having this show up in the taskbar (I have 2 or 3 separate Burp sessions open sometimes).

Seconding better Mac support.

Jo Are said...

- Real-time scripting. Use the scripting engine api to enable support for lots of languages. Make a simple / easy interface for entering / persisting scripts, like GreaseMonkey.

- HTTP streaming, eg. showing chunked encoding as the data becomes available, instead of timing out.

- General TCP / SSL proxy support, along the lines of the Grinder TCPProxy (or Matasano PFI.)

But most of all, I second the "keep up the good work". Merry Christmas :)

Steve Pinkham said...

Ability to share the same "Portswigger CA" cert across multiple installs of Burp. Probably means a way to import that cert to a new machine.

Rob V said...

The guys over at Corsaire have apparently figured out a way to make it more compatible with Apple's JRE. (http://research.corsaire.com/tools/) I plunked down the cash for the 1.3 pro version, without hesitation. Just wished it was more stable while running on my Mac.

Cr0hn said...

Hello,

I have released a sqlmap plugin for Burp with a right click: "Send to sqlmap".

I published the doc and plugin at:

http://blog.buguroo.com/?p=2471

Regards!



Copyright 2014 PortSwigger Ltd. All rights reserved.