Feature Requests - Page 67 - Burp Suite User Forum

ASP.NET ValidateRequest bypass + tuning

According to my experience Burp Suite doesn't check for this type of ValidateRequest filter bypass: http://www.jardinesoftware.net/2011/07/17/bypassing-validaterequest/ Would it be possible to add this to the...

Hide from view based on MIME type

Hi, recently I came across a web server where certain categories of files (images, css) were having a filename of the format "_x-y" with no extension, where x and y is a alphanumeric value of a varying length of characters,...

Match -> Match/Replace.

I would like to beg this request again, as there is a need for feature. Here the use case. I would like to be able to Match/Replace based on Matching a different value. I have been told to write it myself, but that...

Provide option to pass unaltered response back to client

Recently we conducted an application assessment for an android application. The application communicated using gzip / deflate content encoding. Burp Suite was initially configured to unpack gzip/deflate encoded traffic via...

Burp Porxy Features- Replay Request

Hi I would like to propose the following features in Burp. 1) Burp loads default profile:- Burp should allow users to specify the default template location. 2) Requests Replay :- We would like feed the requests...

Burp signed SSL certificates throw warning in Chrome

When burp generates CA-signed per-host certificates, Google Chrome marks these sites as having "Weak Security configuration (SHA-1 signatures), so your connections may not be private. Screenshot:...

UI - Scanner:Results - tag resolved findings

Hi, I would love to be able to tag findings as 'already worked on and resolved' or 'read'. Helps in case I go through findings while the active scan is still on (reason being lack of time). In current state new findings are...

UI - shortcuts - 'set Severity, Confidence', global 'enable/disable Proxy Intercept'

I would like to have possibility to: - assign keyboard shortcuts to more actions, e.g.: in Scanner:Results - set Severity, Confidence level (I would use numkeys) - use global windows shortcut for some actions (e.g....

Good XSS detection

I'm somewhat disappointed. I conducted an nessus scan on a host, without entering any information. It found an XSS. When I did an active scan of the same host with Burp, Burp did not. It is a really easy to find XSS. I'm...

UI - Scanner - selected tab persistence (like in Proxy)

Hi, I would like selected tab persistence when browsing through findings (exactly like in Proxy tab) - I select tab Response and it stays the selected one when I click on a different finding. A small thing, would help a lot...

Reflected input monitor for passive scanning

A new check should be introduced to passive scanner which will monitor all the requests and report if any of the input parameters get reflected in the response. This will be very useful in determining which parameters to...

Repeater and intruder for pentesting WebSockets

Hi, I'd love to see mentioned features implemented for pentesting WebSockets. Those features would be useful for testing both WS client and server. Also it would save me some time writing my own set of...

Find and replace in intruder

It would be nice to have a find and replace within intruder, saving the tester from burp <-> notepad copy & paste kung foo. Sometimes the HTTP requests are so massive that makes impossible to set each entry point one by one.

Repeater UI - Fixed Placement of Tabs

I would like for repeater to not move the location of tabs when selecting new repeater tabs. This occurs when the user has a large number of repeater tabs open (which happens to me when testing API calls where we make one...

Open multiple links in a browser

Target > Site map > expand tree. 1. Select a grey link that has not been visited. Right click. Instead of Copy URL, add option to Open URL. 2. Select multiple links that have not been visited. Right click. Instead...

encoder stuff

Url encoding, would be nice if two options exist; one that encodes everything. and one that encodes just the characters that are necessary. I keep seeing apps that are microsoft stacks that seem to dislike characters that...

Configure the parameter separator on GET and POST reponses

Actually the parameter separator is the & symbol, but sometimes the applications use different character as parameter separators, for example a lot of tomcat applications use the | character. It could be very very useful...

Hide viewstate

I would like to have a native function to hide huge viewstates from ASP.NET web applications. Or even better, if it could be possible to toggle the visibility for any variable

API to update Requests as presented in UI in Proxy, Repeater, etc.

Hi, I have written some custom extensions using both the java API and jython. Typically, it is for things like setting custom headers. While they work (they do send the custom headers) it's hard to see exactly what was...

XML formatting

Would it be possible for Burp Suite to properly format XML requests in the 'Params' tab? Cheers.