Saving and Restoring State
[Pro version] The functions to save and restore state can be accessed
from the Burp menu.
The items that can be saved are as follows:
- The Target site map, which includes all of the content discovered via
the Proxy and Spider.
- The Proxy history.
- The issues identified by the Scanner, and the active scan queue.
- The contents and histories of the Repeater tabs.
- The configuration of all suite tools.
Selecting "Save state" from the Burp menu launches a wizard where you can
choose the items whose state and configuration you want to save, and
select the output file. The following options are also available:
- Save in-scope items only - If this option is selected, only in-scope
items from tools' state will be saved. This option is useful to remove
superfluous content from the state file, and reduce the file size.
- Passwords within configuration options - This lets
you configure whether any passwords contained in the tools'
configuration (for example, credentials for an upstream proxy server)
will be remembered, and if so whether they will be encrypted using a
master password. When the state file is restored, Burp will prompt you
to enter the passwords that were not saved, or to enter the master
password, as appropriate.
You can continue using Burp while its state is being saved, although you
may experience some brief delays if you try to perform an operation on data
that Burp is in the process of saving, to prevent any data corruption.
Selecting "Restore state" from the Burp menu launches a wizard
where you can choose which items you want to restore the state and
configuration of. The first step is to select a state file that you
previously saved. Burp then analyses the file to determine its contents
(i.e., the tools whose state and configuration it contains). You can then
choose which tools' state and configuration you want to restore, and whether
to add to or replace each tool's existing state.
You can optionally tell Burp to pause the Spider and Scanner tools
following the restore. This option is on by default and is usually desirable
when restoring an old state file, to avoid inadvertently attacking any
targets which are in-scope for that state file and which have actions pending
in the Spider or Scanner queues.
You can continue using Burp while its state is being restored, although you
may experience some brief delays if you try to perform an operation on data
that Burp is in the process of restoring, to prevent any data corruption.
The ability to save and restore tool state and configuration is of huge benefit
to penetration testers:
- You can save your work at the end of each day and seamlessly resume
it the next morning.
- You can back up key test information throughout a job, in case of system
- At the end of an engagement, you can store a full archive of all accumulated
information, enabling you to re-open your work at a later point, to answer
a client question or re-test a fixed issue.
- The task of mapping out an application's content can be divided
up between consultants, and the resulting site maps can be merged incrementally
into one, for all consultants to share.
- Team leaders can optimize Burp's configuration for a particular
engagement, including fine-grained target scope definition,
and pass this configuration straight to other team members to begin testing.
- You can create configuration templates designed for different kinds
of task, save these for future use, and switch between them easily.
Thursday, March 12, 2015
This release contains various bugfixes and minor enhancements, including:
- In the site map table, the "Method" column previously always showed GET for requests without a body, and POST for requests with a body, even if the actual method was different. This bug has now been fixed and the table shows the correct method.
- A bug which prevented client SSL certificates from being used when an upstream proxy is configured has been fixed.
- A bug which caused Decoder to fail to decode hex number HTML entities containing an upper-case X has been fixed.