2015: Burp Suite Upgrades

First, what is Burp Suite?

Burp Suite is a penetration testing tool that takes skill and knowledge to use well, but it is an extremely valuable asset to any company that wants to protect its reputation, IT assets, data and other company information.

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Burp Suite contains the following key components:

  • An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
  • An application-aware Spider, for crawling content and functionality.
  • An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
  • An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
  • A Repeater tool, for manipulating and resending individual requests.
  • A Sequencer tool, for testing the randomness of session tokens.
  • The ability to save your work and resume working later.
  • Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

What is included in the latest two upgrades to Burp Suite?

Wednesday, April 1, 2015

v1.6.14

This release fixes a bug introduced in yesterday’s release, v1.6.13, which prevented some state files from restoring.

  • MD5: 036055e4fa0e914b3e346b8661589603
  • SHA256: b6b6710de27df3124bb2c24d778cdfb9da74eff2bd913be733df977b4f03c0d4

Posted by Dafydd Stuttard at 1:53 AM
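The release note publishes an MD5 and a SHA256 for the download, but a checksum is only useful if you actually compare it. The script below is an added example, not code from this post or from PortSwigger: it hashes a file in chunks, compares both digests in constant time, and refuses to report success when no SHA-256 value was supplied (MD5 is collision-broken, so a matching MD5 on its own proves little). The digests in PUBLISHED_V1_6_14 are copied from the note above; the file name and sample bytes in demo() are constructed stand-ins, since the real .jar is not embedded here.

```python
import hashlib
import hmac
import io
import os
import tempfile

# Checksums published with Burp Suite v1.6.14 (copied from the release note above).
PUBLISHED_V1_6_14 = {
    "md5": "036055e4fa0e914b3e346b8661589603",
    "sha256": "b6b6710de27df3124bb2c24d778cdfb9da74eff2bd913be733df977b4f03c0d4",
}


def digests_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream with MD5 and SHA-256 in one pass, reading in chunks
    so a multi-megabyte .jar is never loaded into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_digests(actual, expected):
    """Return True only if every published digest matches the computed one.

    SHA-256 is the check that matters; a matching MD5 alone is not evidence of
    integrity, so a published set without a sha256 entry is rejected outright.
    """
    if "sha256" not in expected:
        raise ValueError("refusing to verify without a SHA-256 value")
    for algo, want in expected.items():
        got = actual.get(algo)
        if got is None:
            return False
        # Constant-time comparison: cheap insurance if this ever runs inside a
        # service that verifies uploads on behalf of untrusted users.
        if not hmac.compare_digest(got.lower(), want.lower()):
            return False
    return True


def verify_file(path, expected):
    """Check a downloaded file (e.g. the Burp .jar) against published digests."""
    with open(path, "rb") as fh:
        return verify_digests(digests_of_stream(fh), expected)


def verify_bytes(data, expected):
    """Same check for an in-memory blob; handy for tests and small artifacts."""
    return verify_digests(digests_of_stream(io.BytesIO(data)), expected)


def demo():
    """Constructed stand-in for the real download: write a small file, record
    its digests as if they were the vendor's, show a clean check passing and a
    tampered copy failing. Returns (clean_ok, tampered_ok)."""
    data = b"not the real burpsuite jar, just constructed sample bytes\n"
    fd, path = tempfile.mkstemp(suffix=".jar")  # hypothetical file name
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        with open(path, "rb") as fh:
            published = digests_of_stream(fh)  # pretend these came from the vendor page
        clean_ok = verify_file(path, published)
        with open(path, "ab") as fh:
            fh.write(b"\x00")  # one appended byte: a corrupt or tampered download
        tampered_ok = verify_file(path, published)
    finally:
        os.unlink(path)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    # Real usage: verify_file("burpsuite_v1.6.14.jar", PUBLISHED_V1_6_14)
    print(demo())
```

On Linux the same check is `sha256sum -c` against a file containing the published digest. Keep in mind what the check does and does not prove: digests posted next to the download catch truncated or corrupted transfers, but if the server hosting both is compromised, an attacker can replace the digests along with the file.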
Tuesday, March 31, 2015

v1.6.13

This release contains various bug fixes and minor enhancements:

  • The previous release introduced some bugs into the Target site map, causing scope-based view filters to be sometimes misapplied, and orphaned tree nodes to occasionally appear. These have now been fixed.
  • In recent months, the Burp developers have been extensively reworking the site map to support a number of planned new features.
  • Some Scanner issues that are reported on a per-host basis (for example, Flash cross-domain policy) were previously reported on the root host node of the Scanner results tree. These are now correctly reported at the node for a specific URL where applicable (e.g. /crossdomain.xml).
  • Relatedly, where a Scanner issue is created at a URL file node that does not exist in the Target site map, the corresponding item is added to the site map, including the actual request and response for that item. This change is useful in its own right, because the site map now contains more content that Burp has obtained from the target. It also paves the way for a planned enhancement to the site map, in which it will become a unified dashboard of both discovered content and Scanner issues. In the meantime, one behavioral quirk which arises is that if you restore a state file and select only to import Scanner issues, some new content corresponding to these issues may also be added to the site map. We believe that this interim behavioral change is relatively harmless, and will become fully desired behavior once the transition to the new site map is completed.
  • Some users have reported problems with certain extensions that cause a deadlock in the Burp UI when they are reloaded on startup. Burp now tries to detect this situation, and on the subsequent startup will skip the automatic reload of extensions. (Note that a further, existing, workaround for this problem is to add “usedefaults” to the Burp command line, to prevent reloading of any saved settings.)
  • When Burp fails to delete its temporary files on shutdown, because the OS does not release locks on those files, Burp now remembers the affected items and automatically deletes them on the subsequent startup, without the need to prompt the user. The old prompt will still be shown if unexpected temporary files are detected on startup.
  • A bug which prevented column resizing in the Intruder results table has been fixed.
  • A bug which made certain configured options cause problems when saving state files has been fixed.
  • A bug where multiple Proxy history views shared the same underlying view filter, preventing the use of different filters on each view, has been fixed.

Burp Suite is not only affordable but also a very effective tool for ethical penetration testing of IT assets.

Jock
