The "Analysis options" tab lets you configure how tokens are
handled, and which types of tests are performed
during the analysis.
The following settings control how tokens are handled during analysis:
- Pad short tokens at start / end - If the tokens
produced by the application have variable length, these will need to be
padded to enable the statistical tests to be performed. You can choose
whether the padding should be applied at the start or the end of each
token. In most cases, padding tokens at the start is most appropriate.
- Pad with - You can specify the character that will
be used for padding. In most cases, for numeric or ASCII hex-encoded
tokens, padding with the "0" character is most appropriate.
- Base64-decode before analyzing - If the tokens are
Base64-encoded, you can configure Burp to decode these before analyzing,
which will generally improve the accuracy of the analysis.
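The effect of these handling options on position-wise tests, shown as an added Python example that is not Burp's own code: `normalize` and `distinct_per_position` are hypothetical helpers, and both token samples are constructed. It shows that padding a growing counter at the start keeps its digits aligned by place value, and that Base64-decoding restores the byte alignment that the encoded characters blur.

```python
import base64

def normalize(tokens, pad_char="0", pad_at_start=True, b64_decode=False):
    """Bring tokens to a common length so position-wise tests can compare them."""
    if b64_decode:
        # Decode to raw bytes, shown as hex so each character is exactly 4 bits.
        tokens = [base64.b64decode(t, validate=True).hex() for t in tokens]
    width = max(len(t) for t in tokens)
    pad = str.rjust if pad_at_start else str.ljust
    return [pad(t, width, pad_char) for t in tokens]

def distinct_per_position(tokens):
    """Count the distinct characters seen at each character position."""
    return [len(set(column)) for column in zip(*tokens)]

# Constructed sample: a decimal counter that grows from two to three digits.
COUNTER_TOKENS = [str(n) for n in range(95, 106)]

# Constructed sample: two fixed bytes followed by one varying byte, Base64-encoded.
B64_TOKENS = [base64.b64encode(bytes([0xAA, 0xBB, n])).decode()
              for n in range(0x00, 0x100, 0x11)]

def demo():
    """Run both samples through each handling option and summarise per position."""
    return {
        "pad_start": distinct_per_position(normalize(COUNTER_TOKENS)),
        "pad_end": distinct_per_position(normalize(COUNTER_TOKENS, pad_at_start=False)),
        "b64_raw": distinct_per_position(normalize(B64_TOKENS)),
        "b64_decoded": distinct_per_position(normalize(B64_TOKENS, b64_decode=True)),
    }

if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name:12} {counts}")
```

With start padding the counter's variation stays in the last column, while end padding spreads it across two columns. In the Base64 sample the third encoded character mixes fixed and varying bits, which decoding separates again.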
The remaining options control the types of analyses that are performed. You can
individually enable or disable each type of character-level and bit-level
test. Sometimes, after performing an initial analysis with all tests
enabled, you may want to disable certain tests to reflect your better
understanding of the tokens' characteristics, or to isolate the effects of
any unusual characteristics manifested by your sample.
In the results window, after modifying any of the analysis options you
can click the "Redo analysis" button to re-perform the analysis with your
new settings, and update the results.