Burp Suite User Forum

cannot use input fields for entries on OS X (El Capitan)

I'm having trouble using input fields in Burp suite pro (latest version). For instance when actively scanning a website with a user/login area and burp suite asks me to enter the login credentials for a form, I cannot put...

Last updated: Jan 11, 2016 04:31PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Typo in trial email

Hi, this isn't a bug as such with the software itself but the wording of the trial email that gets sent out. In the 'How to purchase a full license' section where it lists the payment options it says: You can pay by credit...

Last updated: Jan 07, 2016 03:05PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Client certificate authentication, java exception.

I found that using the latest version of Burp (1.6.32) the authentication to a webserver with a client certificate fails due to a Java exception. This error does not occur using version 1.6.01

Last updated: Jan 05, 2016 01:22PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Correctly sort Issue Definitions

When sorting by Name, the list is incorrectly being sorted. Capital letters are sorted before lower case letters. For example: PHP code injection comes before Password field with autocomplete enabled.

Last updated: Dec 28, 2015 07:39AM UTC | 0 Agent replies | 1 Community replies | Bug Reports

Remove duplicates from output of "Copy URLs in this host" (Site map)

The output of this menu option contains exact duplicates, including matching (or blank) query strings. Please deduplicate the list of URLs before output.

Last updated: Dec 23, 2015 09:47AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Small Bug - onload instead of onerror

Burp is generating the following attack string: GET /asdf/cf941%3cimg%20src%3da%20onload%3dalert(1)%3e HTTP/1.1 URL decoded: <img src=a onload=alert(1)> When it should be using the following attack string: GET...

Last updated: Dec 22, 2015 10:10AM UTC | 2 Agent replies | 0 Community replies | Bug Reports

Missing legal value in "Frameable response (potential Clickjacking)"

The "Remediation detail" claims: "The X-Frame-Options header should only have one of the expected values: DENY or SAMEORIGIN." That used to be the case, but today even: "ALLOW-FROM <url>" is allowed, as described in the...

Last updated: Dec 16, 2015 11:44AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Filtering of long extension doesn't seem to work

Burp doesn't seem to be hiding extension as expected when the extension is long like ".woff2" file. (Tested with 1.6.31)

Last updated: Dec 15, 2015 08:47AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

making repeater request with session handling rule changes request body

I've set up a session handling rule to fetch csrf token and place valid value in request I wish to test. I've placed XSS code into one of the POST params. Unfortunately, after the request was issued and response received,...

Last updated: Dec 11, 2015 12:23PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Content type incorrectly stated

Somewhere in the last couple of updates the scanner has started flagging responses as "Content type incorrectly stated", when they appear correct. Something to do with the response being encoded with gzip? GET...

Last updated: Dec 10, 2015 08:07PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Decoder hash buttons broken?

Are the decoder Hash buttons working? text would put of MD5 hash of 'Foobar' shows as '?Õs?ª»¾e¾5Ëæ?àm' instead of '89D5739BAABBBE65BE35CBE61C88E06D'. I'm on Burp v1.6.31

Last updated: Dec 10, 2015 09:27AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

request in browser feature missing proxy port

Since the port is missing a copy and paste will not work without the user modifying the link. Perhaps this is intentional (I realize there could be more than one proxy listener on different ports). If there are multiple proxy...

Last updated: Dec 10, 2015 09:21AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Character corruption in repeater

Whenever I am using the burp repeater, the response display in raw is garbled/corrupted characters, showing mixes of unrecognizable characters (white boxes etc). This does not happen on any other parts, just on the repeater....

Last updated: Dec 07, 2015 03:06PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Upgrading Burp doesn't keep extensions

Every time I upgrade Burp, I have to set the environment paths, and re-download the BAPPs. Is there a config file somewhere that can be configured to avoid this?

Last updated: Dec 07, 2015 08:55AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Mystery URL tested as HTTP response header injection error

After upgrading to version 1.6.30, found 4 critical errors. After debugging the issue seems like the tool is arbitrarily has a bug. See below for more details. Severe error category: HTTP response header...

Last updated: Nov 24, 2015 03:53PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Remote host drops connection unless SSL passthrough is used?

This is a weird one. I'm working on an assessment over a VPN connection (:/) and am able to interact with the site directly from any browser at my disposal. I can also interact with the site if I'm proxying through Burp...

Last updated: Nov 18, 2015 04:23PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

External service interaction finding masks XXE finding

Hey folks, Not sure if this would be considered a bug, but I'm running 1.6.30 and have a finding where an XXE payload is being used to tickle the collaborator, but only the latter is reported (External service interaction...

Last updated: Nov 18, 2015 03:51PM UTC | 1 Agent replies | 2 Community replies | Bug Reports

Open Redirection.

Even though you have shown complete disregard for my feature requests, and tell me to "write my own" (we're not all coders, ya know? And I'm not requesting dumb $h!t like a button), I'm surprised you missed such a simple,...

Last updated: Nov 16, 2015 10:00AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Self-signed certificate with CN=PortSwigger in invisible mode

Hi, When I'm using a proxy listener with "invisible proxying support" in "Per-host" certificate mode, I get a wrong self-certificate with CN=PortSwigger. It works as expected if I use a browser like Firefox or...

Last updated: Nov 16, 2015 09:55AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Strange behaviour with XSS payloads in Active Scanner.

I am having a strange behaviour on doing an active scan on this particular request: https://cld.pt/dl/download/5b8963fe-6f9f-4e4a-970d-a788e776258e/http_request.JPG Burp only does 10 requests and does not identify the...

Last updated: Nov 13, 2015 04:38PM UTC | 3 Agent replies | 3 Community replies | Bug Reports
