Burp Suite User Forum

Login to post

AMF Deserialization

When an AMF response body contains a custom object, BURP can't seem to properly deserialize the body and return a "data - null" instead of the proper object. For the same request/response, Charles proxy seem to be able to...

Last updated: Apr 20, 2016 07:55AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Bug when adding or updating a PARAM_COOKIE parameter

Hello, I'm working on super basic extension which allows to edit the value of a specific cookie in its own Repeater display tab. But when I call updateParameter(..., buildParameter(..., PARAM_COOKIE)), the cookie line is...

Last updated: Apr 20, 2016 07:46AM UTC | 3 Agent replies | 2 Community replies | Bug Reports

Aggreated scanner issue for extensions shows issue name, not the extension name

Every issue that is created gets a first paragraph telling which extension it was: "Note: This issue was generated by the Burp extension: <extension name>" When an extension's issue gets more than one hit, a top-level...

Last updated: Apr 18, 2016 02:43PM UTC | 2 Agent replies | 0 Community replies | Bug Reports

options/ssl menu fails to load upon restore if client certificate

We are working as a small team and my colleague gave me his saved burp state. I restored it in my burp instance mostly without problem, but the options/ssl tab fails to load properly. The site we are testing requires a...

Last updated: Apr 18, 2016 02:43PM UTC | 4 Agent replies | 2 Community replies | Bug Reports

"Session token in URL" false positive

Hi, Burp Scanner v1.6.38 gave me false positive for "Session token in URL" without any reason, as I think. Take a look at following excerpt from...

Last updated: Apr 18, 2016 07:59AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

"Link manipulation (DOM-based)" false positive - local variable override

Hi, Burp Scanner v1.6.38 generated false positive for "Link manipulation (DOM-based)". Excerpt from report: Data is read from location and passed to the 'href' property of a DOM element via the following...

Last updated: Apr 18, 2016 07:58AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

1.7beta bug: disable proxy intercept at startup

I just downloaded 1.7beta (32-bit OS) I started it up and skipped changing the defaults (I did not load a config file, etc). I used the defaults. By default, Intercept was enabled. I looked for the following option to...

Last updated: Apr 13, 2016 07:40AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Coverage differences between public and private Collaborator instances

I recently tested Collaborator using different injection scenarios. I noticed that the vectors used are different, depending if Collbaorator is defined by its DNS name (public or private instance) or its IP address (private...

Last updated: Apr 12, 2016 07:50AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Requests sent to upstream proxies are NOT transcoded to proxy-style requests

When "Options > Connections > Upstream Proxy Servers" is used to redirect all traffic to an upstream server, requests are _NOT_ encoded to the proxy format (with a fully qualified first line). That's OK when chaining Burp...

Last updated: Apr 11, 2016 08:53PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

How to fix the burp suit jar files.

Getting the error while launching burpsuite_pro_v1.6.35.jar. Error Description: "Error Invalid or Corrupt jarfile"

Last updated: Apr 11, 2016 03:17PM UTC | 8 Agent replies | 8 Community replies | Bug Reports

Pro 6.36 and 6.37 will not start, corrupt

I can run the free version .32. I purchased Pro and it won't start. Invalid or corrupt jarfile burpsuite_pro_v1.6.36.jar Invalid or corrupt jarfile burpsuite_pro_v1.6.37.jar

Last updated: Apr 11, 2016 08:21AM UTC | 6 Agent replies | 5 Community replies | Bug Reports

Scrolling button dissapears

The last few versions of Burp Pro (apologies I cannot recall which version I firstly identified this) suffer from a quite annoying bug. The scroll button in most of the windows/features that requires this, disappears soon...

Last updated: Apr 06, 2016 10:04PM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Simple SQLi identification failed

Hi, I found a little lack in SQLi identification, trying Burp on OWASP Bricks (https://www.owasp.org/index.php/OWASP_Bricks). In details, using active scan on "Login #4" page, Burp fails to identify the following...

Last updated: Apr 06, 2016 08:31PM UTC | 0 Agent replies | 1 Community replies | Bug Reports

Scanner unpaused scan of app1 when actively scanning a single page on app2 (SSO)

Here's the environment: - app1.example.com (SSO enabled app #1) - app2-stage.example.com (SSO enabled app #2) Here's the user story: 1.) Tester spiders app1 without SSO auth 2.) Tester does active scan of app1...

Last updated: Apr 04, 2016 10:44AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Bug with Extender self._callbacks.makeHttpRequest ?

When I use self._callbacks.makeHttpRequest in my extension and the target server responds with an SSL error such as "SSL received a record that exceeded the maximum permissible length. (Error code:...

Last updated: Apr 01, 2016 02:27AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Burp triggers DNS queries despite using an upstream proxy

Hi, We are experiencing performance issues with Burp, with some web application pages taking over a minute to load. After investigation, we found out that Burp was issuing local DNS requests which could not be resolved...

Last updated: Mar 22, 2016 09:53AM UTC | 1 Agent replies | 5 Community replies | Bug Reports

burpsuite free crashes in kali linux

With the recent update in java, when i try to run burpsuite in kali linux 2.0, as soon as i try to use the application, burpsuite crashes. and the system crashes and logs me out. I have the following version of java in my...

Last updated: Mar 11, 2016 08:21PM UTC | 7 Agent replies | 11 Community replies | Bug Reports

Protocol and port missmatch in target - site map

Using burpsuite_pro_v1.6.39.jar (but had the problem in previous versions too) Brup Extender Plugins: Active Scan++, Error Message Checks, Java Deserialization Scanner, Software Version Reporter, Heartbleed I lately get...

Last updated: Mar 10, 2016 10:35AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Burp will not run if a directory within the path ends with an "!"

Burp will not run if a directory within the path ends with an "!". Burp was here: c:\!tools!\burp\burpsuite_pro_v1.6.38.jar. Moved the "burp" dir to the root directory and it runs fine. Tested by renaming the "burp" dir to...

Last updated: Mar 10, 2016 10:24AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

False positives due to non-encoded parameters

This is probably related to the new features implemented when http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html was written. It seems to be that some new features of the active scanner are incorrectly...

Last updated: Mar 08, 2016 01:51PM UTC | 0 Agent replies | 0 Community replies | Bug Reports

Page 75 of 82

Burp Suite Support Center

Your source for help and advice on all things Burp-related.

Burp Suite Support Center image