Friday, October 4, 2013

Burp through the ages

Here is a brief tour of the major releases of Burp from over the years. I can't believe it's been over 10 years already!

Burp v1.0

  • Released June 2003
  • First incarnation of Intruder tool
  • Includes burp sound effects you can't turn off

Burp Proxy v1.0 

  • Released August 2003
  • Basic intercepting proxy
  • Text / hex views
  • History feature


  • Released August 2003
  • First incarnation of Repeater tool
  • So-called because it simply opens a socket and sends a request to it

Burp Proxy v1.1

  • Released January 2004
  • Tons more options!
  • Supports chained proxy, authentication, match-and-replace
  • Getting pretty sophisticated now

Burp Spider v1.0

  • Released March 2004
  • Application-aware spider
  • Can follow links and submit forms

Burp Repeater v1.1

  • Released July 2005
  • New name for the sock tool
  • Adds chained proxy and authentication options

Burp Suite v1.0

  • Released August 2005
  • All four Burp tools together
  • Items can be easily sent between tools to speed up testing
  • Supports passive spidering as you browse
  • Extensibility
  • A huge breakthrough!

Burp Suite v1.1

  • Released November 2007
  • New Sequencer, Decoder and Comparer tools
  • New analysis of HTTP messages

Burp Suite v1.2

  • Released December 2008
  • Burp Scanner arrives
  • New site map
  • Tons of cool new features: scope control, view filters, search, invisible proxying
  • The infamous Month of Burp Pr0n is published
  • This is the big leap forwards!

Burp Suite v1.3

  • Released January 2010
  • Improved rendering and analysis of HTTP messages
  • Content discovery
  • Target analysis
  • The crucial manual testing simulator

Burp Suite v1.4

  • Released June 2011
  • New logo (still home-made)
  • Session handling rules and macros
  • New ways to test access controls
  • Works properly on OS X now

Burp Suite v1.5

  • Released October 2012
  • Another new logo (a proper one this time)
  • New UI, with bells, whistles and capital letters.
  • In-tool documentation
  • Lots of cool new features

Tuesday, September 10, 2013

Burp support for Firefox Plug-n-Hack

The Firefox browser has recently added support for a new way of easily configuring the browser to work with intercepting proxy tools like Burp. To use this, you need to install a Firefox plugin called Plug-n-Hack:

The plugin is currently beta and also requires the latest beta version of Firefox, but when it is stabilized it will be available on the Firefox Marketplace.

If you have installed the Plug-n-Hack plugin, configuring a clean installation of Firefox to work with Burp is pretty straightforward. First, in your browser, enter the URL to connect directly to your Burp Proxy listener (by default

On the Burp welcome page, follow the Plug-n-Hack link:

Click on the "Configure your browser" button, and accept the warning displayed by the plugin:

If everything worked, you will see a "Configuration succeeded" message:

The configuration will have carried out two tasks. Firstly, it will configure your browser to use Burp as its proxy server, via a proxy auto-configuration file created by Burp:

Secondly, it will install Burp's SSL CA certificate as a trusted root in your browser, to eliminate SSL warnings when intercepting traffic to SSL web sites:

Hopefully the new Plug-n-Hack support might make life a bit easier next time you are setting up Burp on a new machine.

Monday, September 9, 2013

SSL pass through in Burp

The latest version of Burp has a new feature: SSL pass through. You can use this feature to specify destination web servers for which Burp Proxy will directly pass through SSL connections:

This feature can be useful in cases where it is not straightforward to eliminate SSL errors on the client - for example, in mobile applications that perform SSL certificate pinning. Of course, if you pass through SSL connections, then Burp will not break the SSL tunnel, and no details about requests or responses made via these connections will be available in the Proxy intercept view or history. Nonetheless, using SSL pass through can sometimes enable you to perform some limited testing. If the application uses multiple domains, or uses a mix of HTTP and HTTPS connections, then passing through SSL connections to specific problematic servers still enables you to work on other traffic using Burp in the normal way.

As an example, suppose you encounter a domain where you are not able to get your client device to negotiate SSL correctly. This should be obvious enough in the client, and Burp will also alert you:

To work around this problem, you can add the problematic server to Burp's SSL pass through list:

Requests to this server will now pass straight through Burp, and your client can connect in the normal way.

The option to automatically add entries to the SSL pass through list on client SSL negotiation failure can be useful if you aren't sure exactly which domains the application is using, and don't want to have to manually populate the list. If you enable this option, then if your client fails to negotiate SSL connections with any other servers, these will be automatically added to the list, and Burp will alert you:

It is not recommended to leave automatic addition of pass through servers enabled in general, because if your client happens to hit a one-off problem that makes a single negotiation fail, no further SSL connections to that host will be intercepted until you remove the server from the pass through list.
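The pass-through decision depends on knowing which host the client is connecting to before any SSL is terminated. With an explicit CONNECT request the host is in the request line; in invisible proxy mode the proxy only learns it from the server_name (SNI) extension of the client's ClientHello, which is also how per-host certificates are chosen. The Python below is an added example, not Burp's code or anything from PortSwigger: it builds a constructed ClientHello, extracts the SNI, matches it against a pass-through list of (host regex, port) rules, and models the auto-add-on-failure option together with the drawback described above, namely that a host added after a one-off failure stays tunnelled until it is removed by hand. The rule shape, the alert strings and the `PassThroughList` class are assumptions made for illustration.

```python
import re
import struct


def build_client_hello(server_name=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record, optionally
    carrying a server_name (SNI) extension. Hand-built for this example only;
    it is not a captured handshake."""
    ext_block = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack(">H", len(host)) + host      # name_type 0 = host_name
        sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
        ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list       # extension type 0 = server_name
        ext_block = struct.pack(">H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32                                  # client_version, random
            + b"\x00"                                                   # session_id: empty
            + b"\x00\x02\xc0\x2f"                                       # cipher_suites: one suite
            + b"\x01\x00"                                               # compression_methods: null only
            + ext_block)
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body      # type 1 = ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None when
    the bytes are not a ClientHello, are truncated, or carry no SNI at all."""
    try:
        if record[0] != 0x16:                                            # not a TLS handshake record
            return None
        rec_len = struct.unpack(">H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                                # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                                       # skip version + random
        p += 1 + body[p]                                                 # session_id
        p += 2 + struct.unpack(">H", body[p:p + 2])[0]                   # cipher_suites
        p += 1 + body[p]                                                 # compression_methods
        if p + 2 > len(body):
            return None                                                  # no extensions block
        end = p + 2 + struct.unpack(">H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", body[p:p + 4])
            edata, p = body[p + 4:p + 4 + elen], p + 4 + elen
            if etype != 0:
                continue
            q = 2                                                        # skip server_name_list length
            while q + 3 <= len(edata):
                ntype, nlen = edata[q], struct.unpack(">H", edata[q + 1:q + 3])[0]
                if ntype == 0:
                    return edata[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


class PassThroughList:
    """Hypothetical model of an SSL pass-through list (not Burp's implementation).
    Entries are (host regex, port or None); matching destinations are tunnelled
    untouched, every other destination has its SSL terminated by the proxy."""

    def __init__(self, rules=(), auto_add_on_failure=False):
        self.rules = [(re.compile(h), port) for h, port in rules]
        self.auto_add_on_failure = auto_add_on_failure
        self.alerts = []                                                 # what the UI would show

    def should_pass_through(self, host, port=443):
        return any(rx.fullmatch(host) and (p is None or p == port) for rx, p in self.rules)

    def on_client_negotiation_failure(self, host, port=443):
        """The client rejected the proxy's generated certificate (e.g. a pinning
        mobile app). Returns whether later connections to host:port will now be
        passed through; with auto-add enabled the host is added permanently."""
        self.alerts.append("client failed to negotiate SSL with %s:%d" % (host, port))
        if self.auto_add_on_failure and not self.should_pass_through(host, port):
            self.rules.append((re.compile(re.escape(host)), port))     # exact host, sticky until removed
            self.alerts.append("added %s:%d to SSL pass through list" % (host, port))
        return self.should_pass_through(host, port)

    def remove(self, host, port=443):
        """Manual cleanup after a one-off failure auto-added a host you do want to intercept."""
        self.rules = [(rx, p) for rx, p in self.rules
                      if not (rx.pattern == re.escape(host) and p == port)]


def route_client_hello(record, passthrough, port=443):
    """Decide what an invisible-mode proxy does with an incoming ClientHello."""
    host = extract_sni(record)
    if host is None:
        return "intercept", None        # no SNI: nothing to match, listener's default cert is used
    if passthrough.should_pass_through(host, port):
        return "pass-through", host     # tunnel the bytes; nothing reaches Proxy history
    return "intercept", host            # pick a per-host cert and break the tunnel
```

Run as a script this does nothing; the functions are meant to be called on a captured handshake or the constructed one from `build_client_hello`. The point to take from `on_client_negotiation_failure` is the one the post makes: a single failed negotiation with auto-add on silently converts a host you meant to test into a tunnel, and only `remove` (the manual list edit in the UI) restores interception.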

Tuesday, June 25, 2013

Burp Suite confirmed as best value web security scanner

As part of this year's Hack Miami conference, a large number of independent security researchers conducted a "Pen-Test Tools Shootout", evaluating several leading web security scanners and comparing their performance against a range of targets and benchmarks. The results are now in:

Product      Cost               User   (unlabelled)   Reporting   Overall
Acunetix     $1,400 - $13,000   5      4              4.5         4
Appscan      $20,000            3.5    4              4.8         3
Burp Suite   $299               4      4              3.5         5
Nexpose      $20,000            5      5              4.8         5
NTO Spider   $10,000            4      3              4           3

The authors' overall conclusion is: "Burp Suite and Nexpose/Metasploit Pro currently provide the most value to the independent security consultant in terms of discovered vulnerabilities, ease of use, licensing flexibility, and range of functionality".

Since Nexpose costs 66 times the price of Burp Suite, getting the joint top rating is a pretty good result for Burp. The only area where we were significantly marked down was in only being able to generate reports in HTML format, not as PDF. Now, I've always used an external "save as PDF" conversion when this is needed, but maybe this is something we need to look at to get even better.

Read the full whitepaper here.

Tuesday, May 21, 2013

We are hiring!

The development team that brings you Burp Suite is expanding. Why? We're brimming with great ideas for features that we want to add to Burp, and we just can't add them quickly enough. With more people, we'll be able to deliver the next generation of amazing features even faster than we have done in the past.

We are looking for a mix of experienced developers, web security testers, and novice programmers to work on Burp. The common denominator: you must be outstanding at what you do and set the highest possible standards for your work.

  • Have you worked for a year or two as a software developer, or looking to start soon? Read more.
  • Are you an experienced Java software developer who is looking for a new challenge helping a growing team to continue delivering an exceptional product? Read more.
  • Are you a web security tester who loves writing great tools? Read more.

Lots of regular Burp users fit that last bullet - great hackers who are already writing Burp extensions or their own tools to use alongside Burp. If that pretty much sums you up, we'd love to hear from you.

If you aren't sure whether we're right for you, read why you should work at PortSwigger Web Security.

For more information, please contact:

Tuesday, March 12, 2013

Burp Suite is on a feature roll!

Over the past month, we've added a wealth of new features to Burp Suite Professional. The most notable of these additions are:
  • A new cross-site request forgery (CSRF) technique using cross-domain XMLHttpRequest, to enable CSRF file upload and other attacks.
  • DNS tunnelling over a SOCKS proxy (to access Tor hidden services, etc.).
  • Support for automatic decompression of compressed request bodies.
  • Support for .NET DeflateStream compression.
  • Summary of parameter values in Target Analyzer.
  • Ability to load scope configuration items from a text file.
  • Ability to import and export Burp Proxy's CA certificate.
  • Fine-grained options for configuring SSL protocols and ciphers.
  • Auto-selection of compatible SSL parameters on negotiation failure.
  • Optional re-enabling of SSL algorithms blocked by Java 7 security policy.
  • Per-host SSL certificates in invisible proxy mode, via the server_name extension in the Client Hello message.
  • Workaround to prevent OS X from deleting Burp's temporary files when Burp is left running for long periods.
  • Fast-reload of extensions (via ctrl+click) to facilitate development.
  • Several new Burp Extender APIs.
  • Command-line license activation for use in headless mode.
  • Numerous important bugfixes.
All of these changes were directly requested by Burp users, via the user forum, email, or Twitter. Now, we need more meat for the feature request sausage machine, so we encourage everyone who uses Burp to send us your own wish list.
Our queue of items for development uses a highly complex algorithm based on a fusion of FIFO, LIFO and can-we-be-arsed technologies. If you've asked for something before and it hasn't appeared yet, please ask us again. Even if you think something is too trivial or too complex, ask us anyway. The more people who request something, the more likely it will be to happen.

Burp is only as awesome as it is today because of feedback from our users. Thanks to everyone for your help!