Bug Reports - Page 149 - Burp Suite User Forum

Scheme-relative URL are treated as root-relative ones

Tested on v1.6.26 / Linux / Oracle 1.8.0_45-b14 In Repeater (at least), a header like "Location: //nicob.net" is treated as a redirection to "//nicob.net" on the same host. However, browsers will redirect to...

Burp Closes Randomly.

Hi There! I'm a user of Burp Pro, I have recently switched to a Virtualized Environment (VirtualBox) running Kali Linux. Every so often Burp will randomly close. It can happen from using the Intruder or just capturing...

Issue Definitions

Not properly sorted by name. Capital letters should not make a difference. Findings should be mapped to OWASP Top 10 and WASC.

Hydra (http-get-form) + Burp = Missing GET parameters

## Issue * When using `http-get-form` with `HYDRA_PROXY_HTTP` set and using Burp as the proxy, the GET parameters are not being passed on. * Using other proxies (such as ZAP), or not using a proxy at all, the GET...

Issues not visible if related to 404 resources

Hello, the scanner found a XSS in the referer header, and the answer is a custom 404 page with the XSS in the answer. However in the Target tab, the XSS is not visible if "Hide not-found items" is not disabled. Maybe...

Failure to open a Macro Recorder dialog

Hi, Sometimes Burp fails to open a Macro Recorder dialog ( Options / Sessions / Macros > Add > Record macro ). I confirmed that it happens when Burp Proxy receive requests frequently (1req/5sec or more, I'm testing web...

Burp doesn't properly parse a website which has AngularJS

Many of our websites incorporate AngularJS now. However the content isn't always properly parsed or stays in an loop where it is impossible to input anything through the browser. Has anyone seen this behaviour and has a...

XSS detection is inconsistent

HI, I did Active scan for one request on form submission using burp pro v 1.6.17 . It didn't listed any XSS for one hidden parameter which is not encoded . It I do same thing using Intercept proxy XSS is listed . Later...

Error while running Burp

# # A fatal error has been detected by the Java Runtime Environment: # # EXCEPTION_UNCAUGHT_CXX_EXCEPTION (0xe06d7363) at pc=0x000007fefd97b3dd, pid=1172, tid=5828 # # JRE version: Java(TM) SE Runtime Environment...

"Open redirection" issues share duplicite information with "Cross-domain Referer leakage"

After running Burp Active scan, I observed few Open redirection issues. However, when I check Cross-domain Referer leakage issues, there are many reported which I don't think should be there as they were caused by an Open...

Extender: isEnable called without proper context

Hi, While writing new extension (IMessageEditorTabFactory) I've encountered a small bug. Code is available here: https://raw.githubusercontent.com/carstein/burp-extensions/master/Argonaut.py While loading extension I...

off by one when saving intruder responses

When you save server responses from the Intruder the files are labelled from 1 but looking at the requests in the Intruder panel they start at 0 with the baseline request. I think the file naming should match the request...

Target Analyzer - Parameters - specific POST request - not showing correct data when opened

When I go to Target Analyzer - Parameters, I can see all occurrences of a specific parameter that Burp discovered. When I want to search e.g. for the parameter with name "parameter1", I can see all occurrences in the middle...

Multi monitore issue

Hi, I am using the current release of your Burp Suite with the following issue. Having two more screens left of my default screen the application hangs as soon as I put it onto any other than the default screen. Having...

Burp restore state problem

Hello, since the newer version of Burp Suite Professional (v1.6.23) i'm having problems restoring my burp save state. Here is a screenshot of the bug: http://i.imgur.com/lVdpnFx.png And the details: burp.eee:...

Duplicate extensions in Burp

On restoring a saved state, extensions were duplicated. Ideally burp should be taking care of preventing duplicates in extensions.

java.io.IOException: Unicode String

Dear, I'm getting inconsistent results, and I'm afraid Burp is the cause. When I modify a request in the repeater window , the following error is shown. java.io.IOException: Unicode String at...

Missing identification of response splitting vulnerability

We found a that Burp Suite it doesn't test response splitting vulnerability. For example: www.example.com/about.php?date=%0D%0ATest%3A%20no If the HTTP response get the additional header "Test: no" should be...

Extender API JavaDoc is Down

Hello, The Burp Extender API JavaDoc link (https://portswigger.net/burp/extender/api/index.html) currently returns a 404. Thanks, Robbie

Missing identification of SQL injection

Dear Sir, we identified a missing identification of Blind SQL injection on some specific parameter. The SQL injection is presented on a single parameter of a POST request. Like par=pluto par=pluto -> result...