BurpSuite Professional 2.1.05 Released

BurpSuite Web Application Security
BurpSuite Web Application Security

In this new BurpSuite Professional 2.1.05 release adds experimental support for using Burp’s embedded Chromium browser to perform all navigation while scanning.

New BurpSuite release also includes various other bug fixes. The embedded JRE that is included in Burp’s installer has been updated to Java 12.

This new approach will provide a robust basis for future capabilities in Burp Scanner, enabling it to eventually deal with any client-side technologies and navigational structures that a modern browser is able to deal with. It has the potential to dramatically improve coverage of the scan, during both the crawling and auditing phases.

Many Infosec people are using BurpSuite for personally or corporate level. Using Burp to Test for the OWASP Top Ten vulnerabilities.

Burp Suite is a graphical suite for testing Web application security and written in Java and developed by PortSwigger Web Security.

In this initial release, Burp Scanner now correctly deals with:

  • Applications that dynamically construct the navigational UI (links and forms) using JavaScript.
  • Applications that dynamically mutate the request when a link is clicked or a form is submitted, using JavaScript event handlers.

There are numerous caveats at this stage:

  • Performance is poor and will be improved considerably over the next few releases.
  • Navigational elements other than links and forms are not yet supported (such as DIV elements with an onclick handler that makes a request).
  • Asynchronous requests such as XHR are honored during navigation but are not audited.
  • Navigational actions that mutate the existing DOM without causing a request to the server are not properly handled.
  • Frames and iframes are not properly supported.
  • File uploads are not supported.

Also Read- Burpsuite Payloads

The new feature is currently experimental, and is being released to gather feedback from users who want to play with the new capability and assess its effectiveness.

The new feature is not currently a suitable replacement for the existing default scanning mode: you are likely to gain some coverage of JavaScript-heavy applications, but also lose some coverage and experience poor performance.

Rest assured that over the coming months the new feature will be considerably enhanced until it becomes a robust and superior replacement to the existing scanning mode.

To enable experimental support for browser-based scan navigation, create a new scan, add a crawl configuration, and under “Miscellaneous” select “Use embedded browser for navigation”. You can also configure whether to allow the browser to fetch page resources that are out-of-scope.

Burp Suite Features are as follow-

  • HTTP Proxy – It operates as a web proxy server, and sits as a man-in-the-middle between the browser and destination web servers. This allows the interception, inspection and modification of the raw traffic passing in both directions.
  • Scanner – A web application security scanner, used for performing automated vulnerability scans of web applications.
  • Intruder – It can perform automated attacks on web applications and offers a configurable algorithm that can generate malicious HTTP requests. The intruder can test and detect SQL Injections, Cross Site Scripting, parameter manipulation and vulnerabilities susceptible to brute-force attacks.
  • Spider – It is for automatically crawling web applications. It can be used in conjunction with manual mapping techniques to speed up the process of mapping an application’s content and functionality.
  • Repeater – A simple function that can be used to manually test an application. It can be used to modify requests to the server, resend them, and observe the results.
  • Decoder – For transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognizing several encoding formats using heuristic techniques.
  • Comparer – For performing a comparison (a visual “diff”) between any two items of data.
  • Extender – Allows the security tester to load Burp extensions, to extend Burp’s functionality using the security testers own or third-party code (BAppStore)
  • Sequencer – For analyzing the quality of randomness in a sample of data items. It can be used to test an application’s session tokens or other important data items that are intended to be unpredictable, such as anti-CSRF tokens, password reset tokens, etc.
For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Subscribe to HackersOnlineClub via Email

Enter your Email address to receive notifications of Latest Posts by Email | Join over Million Followers

Leave a Reply
Related Posts