Bug Reports - Page 140 - Burp Suite User Forum

Missing identification of response splitting vulnerability

We found a that Burp Suite it doesn't test response splitting vulnerability. For example: www.example.com/about.php?date=%0D%0ATest%3A%20no If the HTTP response get the additional header "Test: no" should be...

Extender API JavaDoc is Down

Hello, The Burp Extender API JavaDoc link (https://portswigger.net/burp/extender/api/index.html) currently returns a 404. Thanks, Robbie

Missing identification of SQL injection

Dear Sir, we identified a missing identification of Blind SQL injection on some specific parameter. The SQL injection is presented on a single parameter of a POST request. Like par=pluto par=pluto -> result...

Session Handling - determine session validity not working because of Redirect

Hello, I have an application which (by design) logs the user out (by redirecting to login page) when inputs don't have a valid value. I need to use the Session Handling to re-login. The log out detection in Burp is...

ITextEditor.getText() deadlock

Hi guys, First off, keep up the great work and I hope to meet you guys in Vegas for DC. I have a small issue with BurpSuite due to the way my plugin is making calls between the FX and Swing thread. I understand FX is not...

IMessageEditorController.getRequest() and .getResponse() race condition(?) in Intruder

Hi again, I am experiencing a strange race bug(?) in the Intruder result output window. For some reason, when viewing an HTTP response in a custom IMessageEditorTab, the .getRequest() and .getResponse() methods return a...

Collaborator External Service Interaction (DNS) - Mismatch in attack vector

There is a mismatch in the Collaborator External Service Interaction (DNS) between the URL inserted in the attack vector and the DNS request that Burp collaborator display in scanner result. One example...

indexOutOfBoundsException in BurpSuite

Hello, I am trying to use BurpSuite_free_V1.6.01 with jdk 1.7.0_80 with the accessbridge enabled so I can use the JAWS screenreader with it. After starting burpsuite and opening firefox 31.1.1 which has been configured...

Burp closed without confirmation box

Hi, Not sure this can be considered as a bug but the feature needed to be improved. I launched the burp from cmd command line ( java -jar etc ) to increase the RAM allocation for the software. At one point, I accidentally...

Content view not picking up resource

I noticed the Contents View in site map sometimes does not pick up specific resources under certain conditions. Ex : An item has been identified during a spider scan as a GET request to /content/script, gets added...

Different URLs in Target: Request, Raw and Site map URL

I recognized that the URL in Target, Site map is different from the URL in the Request, Raw window. Here is what is shown in the Site map window right above (list of all URLs): https://www._something_.com/ - GET -...

Exception on restore state

Trying to restore state on Burp Pro 1.6.18 the following exception occurred: java.lang.IndexOutOfBoundsException: Index: 3, Tab count: 1 at javax.swing.JTabbedPane.checkIndex(JTabbedPane.java:1768) at...

invalid macros

Hello, we are experiencing problem with stored macros in Option -> Sessions. Macros work fine immediately after being recorded. But after some time (even days), stored Requests become invalid and empty - full of...

Python extension unloading itself periodically

I have a toy Python extension that simply prints out all command-line arguments, and calls exitSuite if there were any to print. About 50% of the time that I run Burp Suite from the command prompt, there is no output and...

Extensions loading multiple times when restoring state

Whenever I restore a state file, it loads extensions multiple times. Burp 1.6.18, Java 8u45. Screenshot: https://imgur.com/sQ9EnMp

UI - custom shortcuts - not working in detached tabs

Hi, when I set up custom keyboard shortcuts in Options:Misc:Hotkeys, they do not work in windows I detach using the Window:'Detach XY' submenu. Regards, igor

Possible bug in concrete class of IScanQueueItem

Hi, I think I may have discovered a small bug with the concrete implementation of the IScanQueueItem returned by the doActiveScan methods. When I try to access a method, I get the following error: Exception in thread...

Bug in IRequestInfo.getUrl()

Hello, There is a bug in IRequestInfo.getUrl() that is related to how the hostname is retrieved. Currently getUrl() uses the hostname specified in the target options instead of the Host header in the HTTP request....

Burp goes into headless mode with open jdk version 1.7.0_79

Hi, Whenever I run Burp Suite on my system it prints following message and goes headless (no splash screen even). If i delete .java/.userPrefs/burp folder, then it even prints the license agreement on the...

Proxy Listeners aren't visible

Hi, When I add a proxy listener on Proxy / Options / Proxy Listeners, I can't see the added listener on Burp GUI. So I can't edit or remove it with mouse cursor (cursor keys can help the scene). Burp Suite...