Bug Reports - Page 144 - Burp Suite User Forum

Character corruption in repeater

Whenever i am using the burp repeater, the response display in raw is garbled/corrupted characters, showing mixes of unrecognizable characters (white boxes etc). This does not happen on any other parts, just on the repeater....

Upgrading Burp doesn't keep extensions

Everytime I upgrade Burp, I have to set the environment paths, and re-download the BAPPs. Is there a config file somewhere that can be configured to avoid this?

Mystery URL tested as HTTP response header injection error

After upgrading to version 1.6.30, found 4 critical errors. After debugging the issue seems like to tool is arbitrarily has a bug. See below for more details. Severe error category: HTTP response header...

Remote host drops connection unless SSL passthrough is used?

This is a weird one. I'm working on an assessment over a VPN connection (:/) and am able to interact with the site directly from any browser at my disposal. I can also interact with the site if I'm proxying through Burp...

External service interaction finding masks XXE finding

Hey folks, Not sure if this would be considered a bug, but I'm running 1.6.30 and have a finding where an XXE payload is being used to tickle the collaborator, but only the latter is reported (External service interaction...

Open Redirection.

Even though you have shown complete disregard for my feature requests, and tell me to "write my own" (we're not all coders, ya know? And I'm not requesting dumb $h!t like a button), I'm surprised you missed such a simple,...

Self-signed certificate with CN=PortSwigger in invisible mode

Hi, When I'm using an proxy listener with "invisible proxying support" in "Per-host" certificate mode. I get a wrong self-certificate with CN=PortSwigger. It works as expected if I use a browser like firefox or...

Strange behaviour with XSS payloads in Active Scanner.

I am having a strange behaviour on doing an active scan on this particular request: https://cld.pt/dl/download/5b8963fe-6f9f-4e4a-970d-a788e776258e/http_request.JPG Burp only does 10 requests and does not identify the...

Scanner issue 0x00000000

Hello, Since v1.6.30 an issue with 0x00000000 index has been added which contains OS command injection description. I guess that's a mistake. Davy

Repeater and content-encoding

I think I have two issues: The first is that the settings in proxy for encoding/decoding compression don't seem to apply to repeater. The second is that if I send a HEAD method request via repeater, it tries to...

v 1.6.30 spider

I just downloaded/ran version 1.6.30. The when right clicking and selecting "Spider this host" the host above the selected item is spidered and the item that was actually selected is not spidered. I've restarted that app...

content-type: application/json

An application/json response is by definition unicode (utf-8 by preference, but any multibyte unicode is acceptable). However, if the content-type header does not also include a charset=utf-8 attribute (which is actually...

Intruder silently changes content type of request from application/json to text/plain

When using intruder to masticate a RESTful interface, it will silently change the content-type from the original request's application/json to text/plain. For RESTful interfaces that enforce type, this means that all the...

Problem with multihost angularjs site

We have an angularjs/REST web app (IE11) at a client that works fine (no proxy) but is broken when burp is in the middle. The web page normally pulls in several js and css files from a second domain, also owned by the...

Session handling with two rules

Hi, I have a web-app that have two issues when scanning or spidering. Sometimes app closes the session so I got a 302 redirect, other times, app malfunctions and all request ends with error 500 and I must re-auth. I...

Intruder: Remove several payloads at the same time

Hi, In intruder, when creating the list of payloads to be injected. If several entries are selected from the list (by using shift or ctrl button) and Remove options is clicked, it does not remove all the selected entries...

a couple of UI bugs

Hi, long time user and supporter :D Two small glitches that caught my eye today: 1. tool tips need to be updated with information that issues were moved to Target tab (and that Target is what you need to save in...

Dragger not showing after 200 requests

Dragger not showing after >200 requests. Check this https://www.dropbox.com/s/yu9bx9misf57b31/Untitled.png?dl=0

Probable bug: SQL injection avoidable false positive ?

"Issue detail The [...redacted...] cookie appears to be vulnerable to SQL injection attacks. The payload ' and '6143'='6143 was submitted in the Auth-Portal cookie, and a database error message was returned. You should...

Infinite .Null Files being created when using generateScanReport() with the file format "HTML"

As part of my extension, I am using the generateScanReport() to create both the XML file and the HTML file. However, when I use generateScanReport() with the HTML format, while the HTML file does get created, files with the...