Burp Suite User Forum

Report on CSRF Vulnerabilities

Hello. I am trying to learn Burp Pro after one of my colleagues left without leaving much information around the Burp testing he had done. I have an application with a known CSRF vulnerability AND an older Burp report...

Last updated: May 06, 2015 10:20AM UTC | 1 Agent replies | 0 Community replies | How do I?

Command line commands

We installed Carbonator and want to execute commands in "headless" mode. What are the commands to set a target, set a proxy, scan (active and passive), spider, etc.? Thanks!

Last updated: Apr 30, 2015 07:46AM UTC | 2 Agent replies | 1 Community replies | How do I?

Interception of Citrix Netscaler traffic

I am testing an application that tunnels traffic through a Citrix NetScaler connection and so far have had no success in defeating certificate validation. Evidently, Citrix requires a certificate with the "serverAuth"...

Last updated: Apr 27, 2015 04:57PM UTC | 0 Agent replies | 0 Community replies | How do I?

Manually reproduce Cross-site scripting (DOM-based) vulnerability using info from Burp report

Hi, ran a test to look for “Cross-site request forgery” & Burp came back with an issue. How can we use the info in the report to reproduce this manually so as to confirm that it's not a false positive? Thx.

Last updated: Apr 24, 2015 07:54AM UTC | 1 Agent replies | 0 Community replies | How do I?

Collaborator Server issues "expected record not found"

I've got a private Collaborator server up and running. It has its own domain, it's resolving fine, wildcard certs are installed and confirmed working on both interaction and collaboration ports. When I run a health check in...

Last updated: Apr 24, 2015 07:41AM UTC | 2 Agent replies | 2 Community replies | How do I?

no details for proxy history

In my case, the proxy history is logged correctly for each internet request. But when I click on a request, there is no Request Raw (or Hex) showing in the bottom panel. The filter is "showing all items". Can someone help?

Last updated: Apr 23, 2015 04:42PM UTC | 2 Agent replies | 2 Community replies | How do I?

TLSv1 Connection issue

How do I make Burp connect to a TLSv1, 256 bits, AES256-SHA only website?

Last updated: Apr 22, 2015 09:13PM UTC | 1 Agent replies | 1 Community replies | How do I?

Add Proxy Listener to listen to Terminal (Linux)

How would I add a proxy listener so that if I were running a tool in my terminal I could have Burp scan all websites that are run through it?

Last updated: Apr 22, 2015 08:27AM UTC | 1 Agent replies | 0 Community replies | How do I?

Collaborator Server with private address

My Collaborator server has a private address. My configuration is "dns": { "interfaces" : [{ "name":"ns1", "localAddress":"172.31.10.5", "publicAddress":"50.0.1.4" }], ...

Last updated: Apr 20, 2015 09:21AM UTC | 1 Agent replies | 0 Community replies | How do I?

Collaborator Server behind cloudflare

How do I set up a Collaborator Server in a subdomain? My DNS is managed by Cloudflare. For example, I want it to be: burp.domain.com. I understand that I need an A record for burp.domain.com. Also an NS record that...

Last updated: Apr 20, 2015 09:19AM UTC | 1 Agent replies | 0 Community replies | How do I?

Scanning a "POST" causes a "GET" with no parameters

I'm doing an active scan of a POST that has parameters for session ID, which is also stored in the cookie jar. However the attacks created by that scan produce "GET"s that have no parameters (no session ID) which causes my...

Last updated: Apr 20, 2015 08:41AM UTC | 1 Agent replies | 0 Community replies | How do I?

Proxy history without intercept

Hi, the documentation does not say whether it is possible to record proxy history with the intercept feature turned off. For my research project we only need the history, we'll never use the intercept feature and it would...

Last updated: Apr 17, 2015 08:36AM UTC | 1 Agent replies | 0 Community replies | How do I?

How to insert Intruder payloads before original parameter value

Hello, I'd like to insert Intruder payloads before the original parameter value. The purpose of this is to assess an application which checks the first fixed number of letters in a parameter value. Could you give me any...

Last updated: Apr 17, 2015 07:19AM UTC | 1 Agent replies | 1 Community replies | How do I?

Scan errors in Burp

I ran an active scan using Burp. The scan was abandoned due to multiple errors. I would like to view the error logs so that I could figure out what went wrong. How do I check these errors?

Last updated: Apr 16, 2015 07:55AM UTC | 1 Agent replies | 0 Community replies | How do I?

Detection of Cross Site Scripting

I recently used Burp Suite to perform an XSS scan. A reflected XSS vulnerability was reported. When I reviewed the request and response I noticed that the supplied input is exactly echoed in the output. Case 1 Two inputs...

Last updated: Apr 15, 2015 08:36AM UTC | 1 Agent replies | 0 Community replies | How do I?

Form Submission

I am spidering a website and opted for manual form submission. Question 1: In the submit form dialog, I can see hidden fields also expecting an input from us (there is no default value either). In a typical browser...

Last updated: Apr 15, 2015 08:28AM UTC | 1 Agent replies | 0 Community replies | How do I?

Utterly unclear on the purpose of spider

My impression is that the spider expands the sitemap as it crawls, aided by its form submission abilities, etc. But after I spider my entire host, I notice that manually active scanning the entire host does not make a...

Last updated: Apr 15, 2015 08:20AM UTC | 1 Agent replies | 0 Community replies | How do I?

replace text in websocket operations

I want to match and replace text in (outgoing) websockets. But it seems that match-and-replace only works on HTTP, not WebSockets. How can I edit WebSockets? Is there a way to do it with Burp that I haven't noticed? ...

Last updated: Apr 14, 2015 01:50PM UTC | 2 Agent replies | 2 Community replies | How do I?

save proxy message

Is it possible to save request and response contents into a file programmatically? Manually we can do it via the HTTP history tab -> right click and select "Save item" to save the message contents into a specified file. Can it be done...

Last updated: Apr 13, 2015 08:10AM UTC | 1 Agent replies | 0 Community replies | How do I?

Scanner Starts Fast But Slows to a Crawl

I have a small website for which I'm attempting an active scan. There are about 120 items in the scan queue. It starts out quite fast for the first few minutes. But after about 10-15 minutes, the scan requests slow to a...

Last updated: Apr 13, 2015 07:58AM UTC | 2 Agent replies | 1 Community replies | How do I?


Burp Suite Support Center

Your source for help and advice on all things Burp-related.
