Comments on PortSwigger.net - web application security: Burp Suite v1.1 released
(21 comments, shown oldest first)

Doug W (2007-12-10 22:08):
D -- one of your former students here. The book is great (though I haven't finished it yet), and I was checking out the new version of Burp. My question/use case is thus -- I have a case where I have an application that I am trying to test for the transition of SSL information to application session information, and thus want to do requests with different client certificates on each request. Currently, I ...

PortSwigger (2007-12-10 22:24):
@doug Actually, that's a usage scenario I've never really thought about. There isn't currently any way to manipulate certificates programmatically. Your proposed workaround should be ok - in fact, I'm surprised to hear that multiple instances of the Intruder demo interfere with each other - are you sure? In any event, you can definitely run multiple instances of the pro version very fast indeed!

Doug W (2007-12-10 22:42):
Actually, I correct myself -- I've done several more test runs, and Intruder doesn't block itself -- but it does seem to slow down a lot. I'm wondering if this is because of the confusion I am causing on the server doing this. I'll follow up the rest in email (assuming the mail on the about page for this works); I just wanted to state for the record that that part of my initial findings were wrong.

ark0n (2007-12-11 11:02):
First, great job on this release. I am even closer to standardizing on a sole tool set, and as anyone who does web app testing for a living knows, what a time saver that would be. Any idea when you will release the Pro version? Cheers!

PortSwigger (2007-12-11 17:53):
@ark0n - thanks. The pro version is out too.

Gimmic (2007-12-13 00:23):
Something I've run into with the proxy: once you have some manipulation rules set up, is there a way to make the proxying transparent (auto forward)? I find this app much more useful than scarab, except the dealbreaker is kind of the ability to auto forward.

PortSwigger (2007-12-13 22:12):
@gimmic Messages that aren't matched in the intercept rules will be transparently forwarded. To make all messages transparently forwarded, toggle the "interception is on/off" in the "intercept" tab.

gim (2007-12-15 19:36):
Yeah, I was referring to modification of the data without having to intercept. Basically, building the ruleset to make changes (to the header) and automatically forward the modified requests. I assumed that if I turn off interception it .. turns off interception and does transparently pass the packets without modification. Bad wording on my part. I checked out the extender functionality and while I'm ...

Anonymous (2007-12-17 09:44):
What about the commercial version?

rotemmon (2007-12-17 22:57):
Hi, I have bought your book, and it is amazing as well as frightening... I am working on a CMS to offer some friends, and I want to use your Burp package, including the Burp Intruder... I want to find a manual that tells me everything I can do using it... the book had a portion of a chapter that explains some of the possible uses of the program, but I really want something more comprehensive that will let me ...

ark0n (2007-12-17 23:08):
Rotem, I by no means want to speak for D., but having used Burp for quite some time, I was overjoyed to read this book. If you follow the examples in the help files in addition to going over the material in the book, this will really go far in getting you a testing methodology for web security. You may want to go over to owasp.org and read up on their material in addition to getting WebGoat, a dummy ...

rotemmon (2007-12-18 13:14):
Thank you for your help... it is encouraging to hear from someone who really liked the product I am about to buy... it makes me think I will be making the right choice to buy it. The book we are all talking about was HUGE... I have bought several books regarding security, and none of them was so advanced, especially regarding Web technologies I am familiar with and working with all the time. Actually it scared ...

PortSwigger (2007-12-18 20:55):
@rotemmon Thanks for your comments. I'm glad you enjoyed the book - yes, it's big, and feels even bigger when you're writing it! I don't want to do myself out of business, but I must say that Burp itself isn't capable of "going over all of your scripts" and "finding the problems". (But nor, in my opinion, is any fully automated tool.) What Burp does is provide a skilled tester with a ton of ...

Anonymous (2007-12-19 10:17):
Burp Suite is a great tool, but I have a recommendation. In proxy history, a filtering option would be interesting. For example, I put a filter for gif files and these lines don't show in the list. With this filter it would be easier to find a request. Thanks and good job.

Jacky (2007-12-26 09:24):
So great tool, thank you so much. I report a strange condition. Burp worked very well in my office in the past. Because our proxy ran under NTLM authentication, I chose Burp for my first proxy. But it has an authentication failure today. I try to find out what the problem could be. I made a test: I try to use NTLMAPS, but it doesn't work with the default config (NTLM_FLAGS=LM) until I change to ...

Anonymous (2007-12-27 19:33):
Hi, first of all, your book is awesome -- by far the most comprehensive, clear, and practical guide to web application testing I've come across. Thanks for writing it, and thanks for writing Burp! I've started looking at Burp Suite v.1.1, and I'm crossing my fingers that there's now some way to save and then reload session data. I know it's possible to create a text log of activities, but ...

PortSwigger (2007-12-29 10:46):
@Jacky - Thanks for the report. Perhaps your office proxy changed from NTLM v1 to v2? Burp currently only supports v1, but that will hopefully change in future.
@Anonymous - There still isn't any way to persist your proxy/spider session, unfortunately. Keep your fingers crossed and this feature will arrive in the next release. I'm glad you enjoyed the book!

Ingo (2008-01-09 19:21):
Your book is great, congratulations. I'm hoping for a way to persist your proxy/spider session soon; it would be very nice to have that.

alex (2008-05-06 07:06):
Hello sir, please help me to work on this Burp Suite tool. I am unable to operate this tool. What should I do after proper installation of Burp Suite?

Anonymous (2008-05-06 07:28):
Hello sir, please help me to operate this tool, I'm unable to work on the tool. Please tell me what I should do first after installing the tool Burp Suite.

PortSwigger (2008-05-06 08:10):
@alex. As an absolute minimum, set your browser to use 127.0.0.1:8080 as a proxy and run Burp (you will need Java installed). But I strongly recommend you consult the online help and The Web Application Hacker's Handbook for the full story.