<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-8503755746105415394</atom:id><lastBuildDate>Thu, 24 May 2012 13:03:29 +0000</lastBuildDate><category>beer</category><category>scanners</category><category>law</category><category>authentication</category><category>burp</category><category>sockets</category><category>books</category><category>ajax</category><category>hacktools</category><category>input</category><category>memory</category><category>burp intruder</category><category>MoBP</category><category>sql injection</category><category>ASP.NET</category><category>black hat</category><category>PortSwigging</category><category>firefox</category><category>V13P</category><category>encryption</category><category>session tokens</category><category>ldap</category><category>null bytes</category><category>2.0</category><category>browser security</category><category>xpath</category><category>burp extender</category><category>pen testing</category><category>windows</category><category>deflate</category><category>dns pinning</category><category>xss</category><category>viewstate</category><category>xsrf</category><category>thick clients</category><category>automation</category><category>nonsense</category><category>training</category><category>blogs</category><category>snake oil</category><title>PortSwigger Web Security Blog</title><description></description><link>http://blog.portswigger.net/</link><managingEditor>noreply@blogger.com (PortSwigger)</managingEditor><generator>Blogger</generator><openSearch:totalResults>116</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid 
isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-7733126110934641879</guid><pubDate>Thu, 24 May 2012 12:41:00 +0000</pubDate><atom:updated>2012-05-24T12:41:41.403Z</atom:updated><title>Burp Suite user forum</title><atom:summary type='text'>There is now an official forum for Burp Suite users:

http://forum.portswigger.net/

You can use the forum to ask for help, request new features, report bugs, and talk generally with other Burp users (including me).

It's hosted on ProBoards, and there is a mobile app available, if you're into that sort of thing.</atom:summary><link>http://blog.portswigger.net/2012/05/burp-suite-user-forum.html</link><author>noreply@blogger.com (PortSwigger)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-6539370493389726547</guid><pubDate>Thu, 10 Nov 2011 09:06:00 +0000</pubDate><atom:updated>2011-11-10T09:40:06.074Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>hacktools</category><category domain='http://www.blogger.com/atom/ns#'>burp</category><title>Burp is voted #1 web scanner</title><atom:summary type='text'>Every couple of years, SecTools.org carries out a survey of the most popular security tools, as voted for by thousands of users. The latest results are out and Burp has done pretty well: Burp is number one in web scanners, out of the 20 tools that were surveyed. Burp is number 13 in all security tools, out of the 125 tools that were surveyed. Needless to say, I'm pretty happy with this result, </atom:summary><link>http://blog.portswigger.net/2011/11/burp-is-voted-1-web-scanner.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-JZVupaJMJw0/TruXHIl7HQI/AAAAAAAAAmE/cC2yxvp5waU/s72-c/im-number-one-so-why-try-harder.jpg' height='72' width='72'/><thr:total>7</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-8348672705088348058</guid><pubDate>Wed, 12 Oct 2011 10:05:00 +0000</pubDate><atom:updated>2011-10-12T13:51:52.689Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>session tokens</category><category domain='http://www.blogger.com/atom/ns#'>burp intruder</category><category domain='http://www.blogger.com/atom/ns#'>encryption</category><title>Breaking encrypted data using Burp</title><atom:summary type='text'>A while ago, Burp 
Intruder added a bit flipping payload type, suitable for automatic testing for vulnerable CBC-encrypted session tokens and other data. If you aren't familiar with this vulnerability, take a look at The Web App Hacker's Handbook, 2nd Edition, pages 227-233, and also check out this exercise (login required) in the MDSec online training labs. Burp Intruder now has a further payload </atom:summary><link>http://blog.portswigger.net/2011/10/breaking-encrypted-data-using-burp.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-87pbWAATkyI/TpWJyTqb-rI/AAAAAAAAAkU/4o_4oILAZu4/s72-c/ecb1.png' height='72' width='72'/><thr:total>2</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-91825079484658475</guid><pubDate>Wed, 21 Sep 2011 13:58:00 +0000</pubDate><atom:updated>2011-09-21T14:08:18.799Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>books</category><title>It's a biggie</title><atom:summary type='text'>Kindle schmindle. You can't quite beat a kilo and a half of dead tree landing on your desk. 
Should make an ample paperweight / doorstop if nothing else.</atom:summary><link>http://blog.portswigger.net/2011/09/its-biggie.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-SHxj5NIjNq8/TnnuYr6_0ZI/AAAAAAAAAjc/7ASDgIjrl34/s72-c/wahh2e.JPG' height='72' width='72'/><thr:total>4</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-8476652716350768574</guid><pubDate>Tue, 20 Sep 2011 12:23:00 +0000</pubDate><atom:updated>2011-09-20T12:46:18.817Z</atom:updated><title>MDSec online training labs</title><atom:summary type='text'>Now that the second edition of The Web Application Hacker's Handbook is being shipped, it's time to start talking about the online training labs that accompany the new book. These labs are: Written by the authors of WAHH. Available online and on-demand, for you to use as you work through the book. Very extensive, containing over 300 individual examples demonstrating almost every kind of web </atom:summary><link>http://blog.portswigger.net/2011/09/mdsec-online-training-labs.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-Y7MtFwu98go/TniHWlLNXNI/AAAAAAAAAjM/ahmu1pTQnOA/s72-c/MDSEC_Logo_highres.jpg' height='72' width='72'/><thr:total>3</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-4014615413838826531</guid><pubDate>Wed, 17 Aug 2011 07:42:00 +0000</pubDate><atom:updated>2011-08-18T08:26:44.184Z</atom:updated><title>The fame of Peter Wiener</title><atom:summary type='text'>Here's an extract from The Basics of Hacking and Penetration Testing by Patrick Engebretson, which was published earlier this month: I guess it's a testament to Burp's popularity that Peter is getting around so much.
Remember, if you do want to change the default Burp Spider settings to submit a different name in your forms, the configuration details are here. Update: It seems Peter's fame continues</atom:summary><link>http://blog.portswigger.net/2011/08/fame-of-peter-wiener.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-aihPtBk1Rf0/TktxRC3uH5I/AAAAAAAAAis/iKc6jjrbZ68/s72-c/weiner.png' height='72' width='72'/><thr:total>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-1303080374458763796</guid><pubDate>Fri, 03 Jun 2011 16:35:00 +0000</pubDate><atom:updated>2011-06-03T16:52:37.202Z</atom:updated><title>Burp Suite Free Edition v1.4 released</title><atom:summary type='text'>Burp Suite Free Edition v1.4 is now available for download. This is a major upgrade with numerous new features, including: The ability to compare site maps. Functions to help with testing access controls using your browser. Support for preset request macros. Session handling rules to help you work with difficult situations. In-browser rendering of responses from all Burp tools. Auto recognition and rendering</atom:summary><link>http://blog.portswigger.net/2011/06/burp-suite-free-edition-v14-released.html</link><author>noreply@blogger.com (PortSwigger)</author><thr:total>4</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-4762071602771948087</guid><pubDate>Wed, 11 May 2011 09:01:00 +0000</pubDate><atom:updated>2011-05-11T13:13:19.428Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>books</category><title>Web App Hacker's Handbook 2nd Edition - Preview</title><atom:summary type='text'>The first draft of the new edition of WAHH is now completed, and the lengthy editing and production process is underway. 
Just to whet everyone's appetite, I'm posting below an exclusive extract from the Introduction, describing what has changed in the second edition. (And in a vain attempt to quell the tidal wave of questions: the book will be published in October; there won't be any more extracts</atom:summary><link>http://blog.portswigger.net/2011/05/web-app-hackers-handbook-2nd-edition.html</link><author>noreply@blogger.com (PortSwigger)</author><thr:total>7</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-8797150019127190336</guid><pubDate>Fri, 25 Mar 2011 11:44:00 +0000</pubDate><atom:updated>2011-03-25T14:59:10.516Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>burp</category><title>Burp v1.4 beta now available</title><atom:summary type='text'>A beta version of the new release of Burp is now available to Professional users. Although this is a beta release it is highly stable and suitable for normal day-to-day use. There are probably a few bugs to flush out, and I'll hopefully be adding a few more things during the beta period. Any feedback and bug reports would be much appreciated. 
Please email these directly so I can get back to you </atom:summary><link>http://blog.portswigger.net/2011/03/burp-v14-beta-now-available.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-O2FqFW8gWRQ/TYyta3vj8MI/AAAAAAAAAiY/rF6FrImLywY/s72-c/gift.jpg' height='72' width='72'/><thr:total>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-5285236320103404934</guid><pubDate>Fri, 25 Mar 2011 09:46:00 +0000</pubDate><atom:updated>2011-03-25T10:18:44.697Z</atom:updated><title>Burp v1.4 preview - Session handling: putting it all together</title><atom:summary type='text'>The functionality needed to let Burp automatically handle a wide variety of session handling challenges is necessarily complex, and often requires a lot of careful configuration. The best way to illustrate the power of the new features, and show how the configuration works in practice, is via an example. Let's look at an application function which can only be accessed within an authenticated </atom:summary><link>http://blog.portswigger.net/2011/03/burp-v14-preview-session-handling_25.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-7w63jWv1kJE/TYxlCxwcj6I/AAAAAAAAAiQ/DywzMOkgB3E/s72-c/example1.png' height='72' width='72'/><thr:total>5</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-3308300390902187544</guid><pubDate>Thu, 24 Mar 2011 14:44:00 +0000</pubDate><atom:updated>2011-03-24T14:52:17.713Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>burp</category><title>Burp v1.4 preview - Macros</title><atom:summary type='text'>A key part of Burp's new session handling functionality is the ability to run macros, as defined in session handling rules. 
A macro is a predefined sequence of one or more requests. Typical use cases for macros include: Fetching a page of the application (such as the user's home page) to check that the current session is still valid. Performing a login to obtain a new valid session. Obtaining a </atom:summary><link>http://blog.portswigger.net/2011/03/burp-v14-preview-macros.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-Ymgor4qz6Ow/TYtZFASEeNI/AAAAAAAAAg4/DWNoOOw__x4/s72-c/sessions4.png' height='72' width='72'/><thr:total>7</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-1830301283380904431</guid><pubDate>Wed, 23 Mar 2011 17:02:00 +0000</pubDate><atom:updated>2011-03-23T17:15:59.825Z</atom:updated><title>Burp v1.4 preview - Session handling</title><atom:summary type='text'>Some problems commonly encountered when performing any kind of fuzzing or scanning of web applications are: The application terminates the session being used for testing, either defensively or for other reasons, and the remainder of the testing exercise is ineffective. Some functions use changing tokens that must be supplied with each request (for example, to prevent request forgery attacks). Some </atom:summary><link>http://blog.portswigger.net/2011/03/burp-v14-preview-session-handling.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-pdGHBhhniUY/TYon7bhqN9I/AAAAAAAAAgw/M132KPfiDNE/s72-c/sessions1.png' height='72' width='72'/><thr:total>5</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-7191171422137213806</guid><pubDate>Tue, 22 Mar 2011 09:45:00 +0000</pubDate><atom:updated>2011-03-22T15:43:51.846Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>burp</category><title>Burp v1.4 preview - Testing 
access controls using your browser</title><atom:summary type='text'>In the previous post, we described how the "compare site maps" feature can be used to automate much of the laborious work involved in testing access controls. In some situations, however, performing a wholesale comparison like this may not meet your needs. It may be that you prefer to work in a more piecemeal way, individually testing the controls over a small number of key requests. Further, </atom:summary><link>http://blog.portswigger.net/2011/03/burp-v14-preview-testing-access.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-qKzQT7qAlZU/TYhwE7lykmI/AAAAAAAAAgI/S_k-Rl8LfkE/s72-c/browser1.png' height='72' width='72'/><thr:total>8</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-2745067060002911428</guid><pubDate>Mon, 21 Mar 2011 13:22:00 +0000</pubDate><atom:updated>2011-03-21T13:49:17.824Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>burp</category><title>Burp v1.4 preview - Comparing site maps</title><atom:summary type='text'>Somewhat later than planned, as is customary, Burp v1.4 is nearly ready, and it's time to share with you the highlights of what is coming. This release focuses on a small number of frequently requested features which, though you may not use them every day, can in some situations really make your life easier. 
Over the next few days, I'll be blogging about different features, to whet your appetite.</atom:summary><link>http://blog.portswigger.net/2011/03/burp-v14-preview-comparing-site-maps.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-71I6Q2C4UP8/TYdRxWnF0UI/AAAAAAAAAgA/kBZx6ukxtH8/s72-c/compare1.png' height='72' width='72'/><thr:total>6</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-7934411741335744117</guid><pubDate>Mon, 28 Jun 2010 08:52:00 +0000</pubDate><atom:updated>2010-06-28T14:56:08.349Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>burp</category><category domain='http://www.blogger.com/atom/ns#'>scanners</category><title>Comparing web application scanners, part 2</title><atom:summary type='text'>A new paper has been published by UCSB analysing the performance of various web application vulnerability scanners, which the authors say is "the largest evaluation of web application scanners in terms of the number of tested tools ... and the class of vulnerabilities analyzed". The authors created their own test application containing a wide variety of vulnerabilities and crawling challenges, and</atom:summary><link>http://blog.portswigger.net/2010/06/comparing-web-application-scanners-part.html</link><author>noreply@blogger.com (PortSwigger)</author><thr:total>6</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-3838685202095781201</guid><pubDate>Tue, 22 Jun 2010 13:37:00 +0000</pubDate><atom:updated>2010-06-22T14:06:32.309Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>burp</category><category domain='http://www.blogger.com/atom/ns#'>scanners</category><title>Comparing web application scanners</title><atom:summary type='text'>Earlier this year, Larry Suto published a paper comparing web application vulnerability scanners. 
It contained plenty that was worthy of discussion, but I was particularly interested in what he said about Burp Scanner. Rather belatedly (I've been busy), here are my thoughts about this. Larry ran each scanner against various test applications developed by other scan vendors for the purpose of </atom:summary><link>http://blog.portswigger.net/2010/06/comparing-web-application-scanners.html</link><author>noreply@blogger.com (PortSwigger)</author><thr:total>7</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-2083962343891863866</guid><pubDate>Fri, 16 Apr 2010 14:37:00 +0000</pubDate><atom:updated>2010-04-16T14:53:55.504Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>training</category><title>Web Application Hacker's Handbook - Live Edition</title><atom:summary type='text'>This is a brand new training course written and presented by the authors of The Web Application Hacker's Handbook. While the book itself provides a solid basis in the theory and practice of exploiting today’s enterprise web applications, this course is a practical opportunity to take the skills and theory taught in the book to the next level, experimenting with all of the tools and techniques </atom:summary><link>http://blog.portswigger.net/2010/04/web-application-hackers-handbook-live.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_lHJDdiLYLFc/S8h34cM353I/AAAAAAAAAeI/WjkpfyYTu8M/s72-c/wahh-live.png' height='72' width='72'/><thr:total>3</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-2006464155468460853</guid><pubDate>Mon, 22 Mar 2010 15:33:00 +0000</pubDate><atom:updated>2010-03-22T16:13:58.603Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>burp intruder</category><title>Intruder botox</title><atom:summary type='text'>I'll shortly be releasing to Burp 
Suite Pro users a new beta version of Burp Intruder, which contains a bunch of frequently-requested enhancements: You can now configure multiple attacks independently in separate tabs (as with Burp Repeater). You can copy attack configurations between tabs, or save configurations for later use. Payload positioning now uses the same feature-rich editor as other tools</atom:summary><link>http://blog.portswigger.net/2010/03/intruder-botox.html</link><author>noreply@blogger.com (PortSwigger)</author><thr:total>5</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-4573797607172565342</guid><pubDate>Thu, 07 Jan 2010 16:56:00 +0000</pubDate><atom:updated>2010-01-07T17:19:30.013Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>burp</category><title>Burp Suite v1.3 released</title><atom:summary type='text'>Burp Suite v1.3 is now available to download. This is a major upgrade with a host of new features. New features in Burp Suite free edition include: A new message editor/viewer optimised for HTTP requests and responses, with colourised syntax, mouse-over decoding, and quick conversion functions. Facility to add comments and highlights to the proxy history and site map. Support for AMF-encoded </atom:summary><link>http://blog.portswigger.net/2010/01/burp-suite-v13-released.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_lHJDdiLYLFc/S0YTBFWcKII/AAAAAAAAAdw/5VlmiWqfC3s/s72-c/woohoo.jpg' height='72' width='72'/><thr:total>9</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-8674264634800116487</guid><pubDate>Mon, 14 Dec 2009 22:03:00 +0000</pubDate><atom:updated>2009-12-14T22:10:19.292Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>2.0</category><title>MilkSwigger</title><atom:summary type='text'>This little chap showed up a couple of weeks ago, 
somewhat earlier than expected. Needless to say, this event has thrown my meticulous plans for the final release of Burp v1.3 into disarray. Many thanks to everyone who has emailed with bugs and suggestions from the beta release, and apologies for the lack of responses. Normal service will be resumed in January.</atom:summary><link>http://blog.portswigger.net/2009/12/milkswigger.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_lHJDdiLYLFc/Sya2jARKtlI/AAAAAAAAAdg/1QrWaaKNM-Q/s72-c/MilkSwigger+and+PortSwigger.jpg' height='72' width='72'/><thr:total>14</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-6225778599190657826</guid><pubDate>Mon, 30 Nov 2009 10:15:00 +0000</pubDate><atom:updated>2009-11-30T10:19:18.338Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>V13P</category><title>[V13P] Pro beta version now available</title><atom:summary type='text'>A beta version of the new release of Burp is now available for Professional users. The free edition will be available in two or three weeks time. If you don't have a Pro license and are eager to try out the new features, why not treat yourself here? As always, any help flushing out bugs will be much appreciated. 
Please email these directly, so that I can easily get back to you for more details if </atom:summary><link>http://blog.portswigger.net/2009/11/v13p-pro-beta-version-now-available.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_lHJDdiLYLFc/Sw5CmLQr6FI/AAAAAAAAAdQ/QYeypI4on8o/s72-c/bojo.png' height='72' width='72'/><thr:total>6</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-106881407277420498</guid><pubDate>Sun, 29 Nov 2009 09:06:00 +0000</pubDate><atom:updated>2009-11-29T09:06:00.636Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>V13P</category><title>[V13P] Other bits and pieces</title><atom:summary type='text'>I've described most of the major additions to Burp's functionality that are arriving in v1.3. There are a few other smaller tweaks that are worth drawing attention to: The tables in the site map and search results now include a timestamp column. Sorting the results on this column lets you easily see when new items are added. This is handy when you are running spidering or content discovery </atom:summary><link>http://blog.portswigger.net/2009/11/v13p-other-bits-and-pieces.html</link><author>noreply@blogger.com (PortSwigger)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-3417236661635561953</guid><pubDate>Fri, 27 Nov 2009 13:41:00 +0000</pubDate><atom:updated>2009-11-27T13:41:00.440Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>V13P</category><title>[V13P] Target analyser</title><atom:summary type='text'>For Pro users, Burp now includes a function to analyse a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes. 
This can help you assess how much effort a penetration testing engagement is likely to involve, and can help you decide where to focus your attention during the test itself. To access this feature, you select one or more</atom:summary><link>http://blog.portswigger.net/2009/11/v13p-target-analyser.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_lHJDdiLYLFc/SwzwaFmhiDI/AAAAAAAAAdI/AzPtbg5wSkI/s72-c/analyser1.png' height='72' width='72'/><thr:total>2</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-7208742856822728059</guid><pubDate>Thu, 26 Nov 2009 16:10:00 +0000</pubDate><atom:updated>2009-11-26T16:14:21.667Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>V13P</category><title>[V13P] Exporting of request information</title><atom:summary type='text'>In the new release, Burp lets you export full details of interesting requests and responses in XML format, including all relevant metadata such as response length, HTTP status code and MIME type. 
For example: If you have annotated any of the exported items, your comments will also be included within the XML. You can access this feature via the context menu anywhere in Burp that you see requests and</atom:summary><link>http://blog.portswigger.net/2009/11/v13p-exporting-of-request-information.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_lHJDdiLYLFc/Sww0l-o3lUI/AAAAAAAAAcw/Ludqjut106Q/s72-c/export.png' height='72' width='72'/><thr:total>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8503755746105415394.post-4096559240133725129</guid><pubDate>Wed, 25 Nov 2009 17:20:00 +0000</pubDate><atom:updated>2009-11-25T17:20:36.877Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>V13P</category><title>[V13P] Manual testing simulator</title><atom:summary type='text'>This feature won't exactly enhance your productivity, but you may sometimes find it useful nonetheless. In the new release, lazy Pro users can make Burp simulate manual testing activities, by sending common test payloads to random URLs and parameters within a target application, at irregular intervals. Burp doesn't do anything with the responses, so you won't find out about any bugs in this way. </atom:summary><link>http://blog.portswigger.net/2009/11/v13p-manual-testing-simulator.html</link><author>noreply@blogger.com (PortSwigger)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_lHJDdiLYLFc/Sww-HUt5C8I/AAAAAAAAAc4/oNKCKZo3uRQ/s72-c/simulator.png' height='72' width='72'/><thr:total>5</thr:total></item></channel></rss>
