Burp Suite User Forum
Hey, I was testing an application which is listening on HTTP and does a redirect to HTTP/S, without a trailing /. Example HTTP Request: http://[victim]/XYZ Example HTTP Response: HTTP 301 Location:...
Hi Burp team, I tried Burp Infiltrator for the first time, nice tool! I noticed that it is missing out on Java JCR injections, which often have much lower impact than SQL injection but not always (and probably a lot of...
I'm using Pro 1.7.22, and when I test a fairly normal web application I get an issue report 'Strict transport security not enforced', which from a general perspective is correct: the application does not provide a...
I noticed Burp supports external service interaction -- DNS, HTTP and SMTP. Do you have any plan to support external service interaction -- HTTPS? Recently we found our application is vulnerable (and exploitable) to external...
Good Morning, I just want to preface this by saying Burp is fantastic, but I find all the tabs at the top really messy when I have like 10+ extensions loaded up at once. Would it be possible to add a feature/tickbox in the...
Hi, it would be great if you could allow threads "per group". You don't want to burn one target down, but you might want to test other bits in parallel. An idea would be to allow an identifier set for a group per target...
Currently NTLMv1/v2 platform authentication requires the plaintext password, but often the hash value cannot be cracked easily back into plaintext in an expedient manner. Additionally if the hash is generated based on a 2fa...
Hi everybody, I did some tests and it seems that currently the active scan configuration is used to generate test cases when the scanner starts to execute the tests on a specific request. That means if you have a long queue and...
Currently NTLM authentication used in Burp is not shown in any request and cannot be tracked/checked in any way. A log would be useful to check if there are problems. Maurizio
Please add a confirmation dialog to clear history from the right click menu option. This is far too destructive to the project integrity and irreversible right now.
Does Burp support Windows 2012 R2?
It would be very good to have some sort of keep-alive functionality to ping the server to check whether it is still up, and depending on the pre-set response by user (e.g. custom error message), it would pause Active scanning until the...
Dear Portswigger Team, Thanks for the brilliant work on Burp Infiltrator. I frequently run Burp Collaborator in internal environments without any outbound Internet connectivity, which means I have to set up Burp...
Hi, I am trying to run a request with a macro and post-macro to do this: Macro1 req1 / resp1 => extract param from rep1 Request get param from last macro's response req / response (post)Macro2 ...
Any chances this feature will be supported in the near future?
It would be very useful to have an API to modify the configuration of the scanner via an extension to run a specific active scan with custom configuration (like running a scan without cookies etc).
?<iframe src=javascript:alert(419)>
Hello, Why can't we restore Burp Collaborator Client? It should be possible for pentesters to also save the results of Burp Collaborator Client and then restore, as with any other Burp tools. Thanks
Hi Guys! I have a situation running Burp that requires a different upstream proxy for scanning. The idea is, basically, to allow you to select where the upstream proxy will be applied (Scan, Intruder, Repeater and stuff)....
Hi, I'm looking for a way to prevent Burp from recording some items in the Proxy history. The main reason is that I'm intercepting quite a lot of traffic from the intercepted device, which quickly increases Burp's memory...