PortSwigger Web Security Blog
Monday, November 30, 2009
A beta version of the new release of Burp is now available for Professional users. The free edition will be available in two or three weeks' time. If you don't have a Pro license and are eager to try out the new features, why not treat yourself here?
As always, any help flushing out bugs will be much appreciated. Please email these directly, so that I can easily get back to you for more details if required.
The final edition will be released just as soon as we are happy with it, but the beta release is highly stable and suitable for day-to-day working right away. Have fun!
Sunday, November 29, 2009
I've described most of the major additions to Burp's functionality that are arriving in v1.3. There are a few other smaller tweaks that are worth drawing attention to:
Apologies to the many people whose requests haven't been met on this occasion - there will be further development efforts fairly early in 2010.
Friday, November 27, 2009
For Pro users, Burp now includes a function to analyse a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes. This can help you assess how much effort a penetration testing engagement is likely to involve, and can help you decide where to focus your attention during the test itself.
To access this feature, you select one or more hosts or branches within the site map, and launch it using the context menu. The summarised information looks like this:
And you can drill down into more detail about individual URLs:
You can also export all of this information as an HTML report, which you can attach to client proposals and reports to show the attack surface you have covered.
A couple of caveats should be noted. Firstly, this function only analyses the content already captured within the site map, so you should ensure that you have fully browsed or spidered all of the application's content and functionality before running it. Secondly, URLs are deemed to be "static" if they do not take any parameters in the URL or message body; however, the responses from these URLs may still be dynamically generated by the application.
Thursday, November 26, 2009
In the new release, Burp lets you export full details of interesting requests and responses in XML format, including all relevant metadata such as response length, HTTP status code and MIME type. For example:
If you have annotated any of the exported items, your comments will also be included within the XML.
You can access this feature via the context menu anywhere in Burp that you see requests and responses, and you can include individual items or multiple selections. The raw data and analysis captured within Burp is thereby available for any external tools that can process the XML export.
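As an added example of feeding the XML export into an external tool (this is not Burp's own code, and the export screenshot is not on this page), the script below parses a constructed export and reproduces the attack-surface count from the previous post, using its definition of a "static" URL as one taking no URL or body parameters. The element names (`item`, `url`, `status`, `mimetype`, `request base64="true"`, `comment`) follow the layout of Burp's XML export as assumed here; the hosts, requests and comment are constructed sample data.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Constructed raw requests for the sample export below (not captured traffic).
REQ_INDEX = "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
REQ_SEARCH = "GET /search?q=shoes&page=2 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
REQ_LOGIN = ("POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Type: application/x-www-form-urlencoded"
             "\r\nContent-Length: 27\r\n\r\nuser=alice&password=hunter2")

def _item(url, status, mime, raw, comment=""):
    """One <item> in the layout of a Burp XML export (element names are an assumption)."""
    b64 = base64.b64encode(raw.encode()).decode()
    return (f"<item><url><![CDATA[{url}]]></url><status>{status}</status><mimetype>{mime}</mimetype>"
            f'<request base64="true"><![CDATA[{b64}]]></request>'
            f"<comment><![CDATA[{comment}]]></comment></item>")

SAMPLE_XML = "<items>" + _item("https://shop.example/index.html", 200, "HTML", REQ_INDEX) + _item(
    "https://shop.example/search?q=shoes&page=2", 200, "HTML", REQ_SEARCH, "reflects q") + _item(
    "https://shop.example/login", 302, "", REQ_LOGIN) + "</items>"

def parameter_count(raw_request):
    """Count query-string and urlencoded-body parameters in one raw HTTP request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    path = head.split(" ", 2)[1]
    n = len(parse_qsl(urlsplit(path).query, keep_blank_values=True))
    if "application/x-www-form-urlencoded" in head.lower():
        n += len(parse_qsl(body, keep_blank_values=True))
    return n

def parse_export(xml_text):
    """Flatten each <item>, decoding the base64 request so it can be analysed."""
    items = []
    for el in ET.fromstring(xml_text).iter("item"):
        req = el.find("request")
        raw = base64.b64decode(req.text).decode("latin-1") if req.get("base64") == "true" else req.text
        items.append({"url": el.findtext("url"), "status": int(el.findtext("status")),
                      "mimetype": el.findtext("mimetype") or "", "comment": el.findtext("comment") or "",
                      "params": parameter_count(raw)})
    return items

def attack_surface(items):
    """Static = takes no URL or body parameters (the post's definition); otherwise dynamic."""
    per_url = {}
    for it in items:
        base = it["url"].split("?", 1)[0]
        per_url[base] = max(per_url.get(base, 0), it["params"])
    dynamic = {u: n for u, n in per_url.items() if n}
    return {"static": sorted(u for u in per_url if u not in dynamic),
            "dynamic": dynamic, "total_parameters": sum(dynamic.values())}
```

The same caveat as the built-in function applies: the count only reflects what was captured, and a URL counted as static may still return dynamically generated content.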
Wednesday, November 25, 2009
This feature won't exactly enhance your productivity, but you may sometimes find it useful nonetheless. In the new release,
Regarding the obvious feature request, for you to be able to configure your day-rate, and have Burp calculate how much the simulation has cost your client; no, I don't think that would be appropriate, do you?
To my great pride, nearly everyone who has tried out Burp Scanner absolutely loves it. But people still helpfully come back with tons of feature requests for it.
One of the biggest complaints is the relatively crude way in which Burp lets you send items for active scanning from the site map. For example, when you have mapped out all of the content and functionality within your target application, you can select the relevant host (or branch within the host), and choose "actively scan selected items" from the context menu. Currently, when you do this, Burp will perform an active scan on every single item within this selection, which often is not quite what you want: your selection may include multiple superfluous submissions to the same form handlers, items you have scanned already, items with irrelevant file extensions or MIME types, and specific items which you have excluded from the target scope, such as logout or administrative functions. Currently, the only workarounds for this limitation are to go through the site map individually selecting the specific items which you do actually want to scan, or to send everything for scanning and then cancel the irrelevant items within the scan queue. Neither option is painless.
The new release gives you much easier and fine-grained control over what gets scanned in this situation. Any time you select multiple items for active scanning, Burp launches a brief wizard which lets you fine-tune your selection. The first screen of the wizard offers you various intuitive filters to remove potentially unnecessary items (duplicates, already scanned items, media content, etc.), and shows you how many items will be affected by each filter:
The second screen of the wizard shows you a list of the remaining items, and lets you sort the table by various relevant properties, view the full requests and responses, and delete individual items:
The wizard then completes and the selected items are sent for scanning in the usual way.
Hopefully this feature will let you make much more effective use of Burp's scanning capabilities, avoid filling the scan queue with junk, and find more bugs more quickly than before.
Tuesday, November 24, 2009
The display filters used in the proxy history and site map are now more powerful, and allow you to filter on:
The new filter configuration panel looks like this:
Pro users can now search part or all of the site map for scripts and comments. This feature is accessed by selecting relevant branches within the site map, and using the context menu.
The search results window shows responses from all Burp tools containing either scripts or comments. Selecting an individual item shows the full request and response in a preview pane, with relevant items automatically highlighted, and also extracted into their own tab:
You can use the "export" button to save all of the scripts or comments to file or to the clipboard, optionally consolidating duplicated items. I know a lot of people have been grepping Burp's log files to get this kind of information. Hopefully the new feature will make this task a lot easier.
Monday, November 23, 2009
Burp now includes a content discovery function, similar in concept to OWASP's DirtBuster. You can access this feature by selecting a request or URL anywhere within Burp, and using the context menu to start content discovery.
Burp uses various techniques to discover content, including name guessing, web spidering, and extrapolation from naming conventions observed in use within the application. The feature is highly configurable, as shown by the available options which are explained below:
Target - These options control which directory to begin discovery from. Only items within this path and its subdirectories will be requested during the session. You can choose to discover files or directories or both, and how deep to recurse into discovered subdirectories.
Test case generation - These options control which file and directory names Burp will use when making requests to discover content. As well as built-in lists, Burp can harvest names used elsewhere within an application, and retry them at other locations, and can construct names based on discovered items, for example by cycling values in filenames containing numbers.
File extensions - You can specify a list of file extensions with which to test each possible filename. Burp can harvest file extensions observed in use within the application, and test these with every filename. When a file has been confirmed, Burp can also try a specific list of variant extensions with that filename, for example to check for old or backup versions of the same file.
Discovery engine - You can control how many threads are used for content discovery and spidering, whether file names are handled case sensitively, and how the discovery session interacts with Burp's main site map (in the target tab of the suite).
When you have configured your discovery session, you can start it from the control tab, which also provides runtime information about the actions being performed. The work is divided into numerous discrete tasks, which are prioritised according to their likelihood of quickly discovering new content, and new tasks are generated recursively as content is confirmed:
The discovery session employs its own site map, showing all of the content which has been discovered within the defined scope. If you have configured Burp to do so, newly discovered items will also be added to Burp's main site map.
Sunday, November 22, 2009
In v1.2.11, Burp introduced a new method of generating the server SSL certificates which are presented to your browser when you connect via Burp Proxy. This involved creating a root CA certificate (per user), which you can install into your browser, and using this to sign each host certificate, thus enabling you to eliminate SSL certificate errors. Read more here.
Unfortunately, in v3.5 Firefox changed the way it handles root CA certificates, which stopped Burp's root CA certificate from working. This problem has now been fixed, and Firefox should accept Burp's certificates again:
Note that if you have previously installed Burp's CA certificate into any of your browsers, you may need to remove this before you can install the new root certificate, as described here.
Another occasional source of SSL pain happens when Burp fails to negotiate connections using the combination of protocols offered by the destination web server. The Java SSL stack contains a few gremlins, and fails to work with certain unusual server configurations. To help you troubleshoot this problem, Burp now lets you specify which protocols should be offered to servers during SSL negotiations:
Note that Burp already implements a few workarounds for SSL issues, and if a negotiation fails with the protocols you have configured, Burp will still try some alternative combinations of protocols which often work. So you shouldn't use this new feature as a method of testing which protocols are actually supported by the server. People often ask if Burp can perform these checks, but Java is a bit too far removed from the SSL action for this to be done reliably, so you are better off sticking to a dedicated tool for investigating server SSL configurations.
Saturday, November 21, 2009
If I had a beer for every time someone has requested this feature, I'd have been way too wasted to implement it.
Burp already supports upstream web proxies, but only as a global configuration which affects all outgoing traffic. In the new release, Burp allows you to configure rules specifying different proxy settings for different (ranges of) destination hosts.
The following configuration will make Burp talk directly to staging.intranet.corp.com, use an internal proxy server without authentication for everything else on *.intranet.corp.com, and use an authenticated gateway web proxy for everything else, including the public internet:
You can use standard wildcards in the destination host specification. Rules are applied in sequence, and the first rule which matches the web server you are communicating with will be used. If no rule is matched, Burp defaults to direct, non-proxy connections.
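As an added illustration of the matching rules just described (first match wins, wildcards in the destination, direct connection when nothing matches), the code below models the three-rule configuration from this post; it is not Burp's implementation, and the proxy host names, ports and credentials are placeholders. It also adds a simple ordering check, since a literal host rule placed after a wildcard that covers it can never fire.

```python
import fnmatch

# Constructed rule list reproducing the configuration the post describes. Proxy
# host names, ports and credentials are placeholders, not values from the page.
RULES = [
    {"destination": "staging.intranet.corp.com", "proxy": None, "auth": None},
    {"destination": "*.intranet.corp.com", "proxy": ("proxy.intranet.corp.com", 8080), "auth": None},
    {"destination": "*", "proxy": ("gateway.corp.com", 3128), "auth": ("svc-burp", "<placeholder>")},
]
DIRECT = {"destination": None, "proxy": None, "auth": None}

def matches(pattern, host):
    """Shell-style wildcard match on host names, case-insensitive like DNS."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())

def select_proxy(host, rules=RULES):
    """First rule whose destination matches wins; no match means a direct connection."""
    for rule in rules:
        if matches(rule["destination"], host):
            return rule
    return DIRECT

def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier pattern already
    covers them (a catch-all, or a wildcard that matches a later literal host)."""
    shadowed = []
    for i, rule in enumerate(rules):
        literal = not any(c in rule["destination"] for c in "*?[")
        for earlier in rules[:i]:
            if earlier["destination"] == "*" or (literal and matches(earlier["destination"], rule["destination"])):
                shadowed.append(i)
                break
    return shadowed

if __name__ == "__main__":
    for host in ("staging.intranet.corp.com", "wiki.intranet.corp.com", "www.example.org"):
        print(host, "->", select_proxy(host)["proxy"] or "direct")
    print("shadowed rules if the order were reversed:", shadowed_rules(RULES[::-1]))
```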
Friday, November 20, 2009
You can now add comments and coloured highlights to items in the site map and proxy history:
You can highlight individual items using a drop-down menu on the left-most table column:
And you can comment individual items in-place by double-clicking and editing the table cell:
Alternatively, if you want to annotate several items at once, you select the relevant items and use the context menu to add comments or apply highlights:
When you have annotated interesting requests, you can use column sorting and display filters to quickly find these items later.
The suite-wide search function has had a revamp, with a number of useful features added:
Here's an example of using a regex search term with dynamic updating, to monitor all responses containing HTML comments as they are received from the server:
The searchable text viewer/editor used throughout Burp also now supports regex and case sensitive searches. These features are accessed via a new pop-up panel at the left of the search bar:
When you are viewing items found in a suite-wide search, the relevant options which you used in that search are automatically copied to the text viewer, so that the correct items are highlighted.
Work on the next release of Burp is inching forwards, and over the next two weeks I'll be posting regularly with previews of some of the cool new features to look forward to. Then I'll release a beta version for Pro users to play with. Everyone with a current license will receive an automatic upgrade to v1.3.
Many thanks to everyone who has submitted feature requests. A lot of these have been implemented in v1.3, though many will need to wait for next time. Hopefully I've pleased more people than I've disappointed.
Monday, November 2, 2009
It's getting to that time of year again when all the hastily made promises about the next release of Burp need to be made good. So I'm pleased to announce that release 1.3 of Burp Suite will be available before Christmas*.
The free edition of Burp will get a roll-up of some of the new stuff that has been added to the pro edition over the past year. And the pro edition will get a bunch of cool new features of its own.
At this stage, it would be good to hear about any requests for new features that people have. Even if you've asked for them before, on several occasions, remind me again and I'll do my best to include them. You can email me or leave requests in the comments. Thanks!
401 Not Authorized
Karl Dawson has written a nice paper about using Burp Intruder for discovering login credentials, and how you can use various tricks to reveal other useful information and anomalies, as well as actually guessing valid passwords. Download it here.