Feature Requests - Page 57 - Burp Suite User Forum

Ability to import traffic from .HAR files

It would be great to have a feature that allowed us to import HTTP Archive (HAR) files to help facilitate automated testing and integration with other tools....

payload in the "target" tab of the intruder

Hello, Could be possible for further releases, an option to specify the payload to be part of the IP address to connect to? For example, if I have a list of IP address to which I want to send an specific HTTP packet,...

Intruder Column for Response Length Independent of Payload Size

When looking for web application behavior in response to fuzzing, I'm often looking for changes in the response length. The problem is that reflected input could obscure minor variations in the response that is separate from...

Stricter validation on Intruder payload "Dates"

When configuring "Dates" payloads in Intruder, non-digits characters like whitespace produce surprising behaviors that are hard to debug (no visual feedbacks outside of the "Request count"). For exemple, from 20 July 2017...

Burp Suite Enquiry about settings

In proxy options, there is bind address option in which there is specific address option. In free edition, I cannot give a specific address manually, there is a list of addresses, we cannot give any specific address. So I...

Extension release dates in BApp Store

An extension's version number is useful however it would be really useful to see the release dates for the extensions available in the BApp Store. Links to the extension and version history would also be useful. This way we...

Purge out of scope requests from proxy history

I like the new feature to allow me to not save out of scope requests to the proxy history and target tab. What I'd like is to also have the ability to purge out of scope requests that are already stored in history. Back in...

UI change

Dark theme/something that colours your history based on certain values, be it regex, host or whether the request is get or post.

Add "Extension provided checks" to "Active / Passive Scanning Areas"

Currently, active and passive checks initiated by extensions are run for every scan (i.e. even if no "Scanning Areas" are selected). Having new Scanning Areas (one for passive, one for active) dedicated to...

Add a "Response Received" column in Proxy History

As discussed ~ 1 year ago: https://support.portswigger.net/customer/portal/questions/16241817-add-a-response-received-column-in-proxy-history

Use long/verbose parameters for curl command

At the moment the tool generates the following curl command: curl -i -s -k -X $'GET' $'https://10.10.10.10/' If using the long version of the parameters it will be presented as: curl --include --silent --insecure...

search results value extraction

I couldn't find a way to do this in the current gui. Would it be possible to add a grep value extractor, similar to what we have in intruder, to the overall search window? eg. I may search for all requests with a certain...

After injecting the payload via POST/GET request, check if a specific string is present

Hello, I'm trying to figure out if it's present an extension or a native Burp function to check if a string (or the payload by itself) is present on multiple (or individual) specified webpages after the payload gets...

UI Changes on Repeater Tab

the top tab list in Burp Repeater (the multiple web requests) is terrible for when you have tens of tabs open. Please consider replacing the top tab with a left side list of requests that could be reordered (sort of like...

Add test for HTTP Strict Transport Security (HSTS) and update the Cacheable HTTPS Response test

In the most recent version 1.6.21 - I see that under the Scanner tab you have added the "Issue" Listing - Thank you for that !!! However, I do not see any test for the absence of the HTTP Strict Transport Security (HSTS)...

Burp misses open redirect

Hey, I was testing an application which is listening on HTTP and does a redirect to HTTP/S, without a trailing /. Example HTTP Request: http://[victim]/XYZ Example HTTP Response: HTTP 301 Location:...

Burp Infiltrator JCR injection

Hi Burp team, I tried Burp Infiltrator for the first time, nice tool! I noticed that it is missing out on Java JCR injections, which often have much lower impact than SQL injection but not always (and probably a lot of...

Strict transport security not enforced -- misstatement of facts/lack of proof

I'm using Pro 1.7.22, and test a fairly normal web application I get an issue report 'Strict transport security not enforced', which from a general perspective is correct: the application does not provide a...

external service interaction -- https

I noticed Burp supports external service interaction -- DNS, http and SMPT. Do you have any plan to support external service interaction -- https? Recently we found our application is vulnerable (and exploitable) to external...

Clean up extender tabs

Good Morning, I just want to prefix by saying burp is fantastic, but i find all the tabs at the top really messy when i have like 10+ extensions loaded up at once. Would it be possible to add a feature/tickbox in the...