Professional 1.6.01

11 June 2014 at 12:19 UTC

SHA256: {SHA FROM OPTION GOES HERE} MD5: {MD5 FROM OPTION GOES HERE}

This release contains various enhancements to existing functionality:

  • The Spider's link-discovery engine has been enhanced, and now achieves a WIVET score of 50%. There is more work to do in this area, and improved crawling of JavaScript-driven navigation is in the pipeline.
  • There are new hotkeyable actions to go back and forwards in the Repeater history for the currently displayed tab. Hotkeys can be assigned to these actions at Options / Misc / Hotkeys.
  • The "valid from" time on Proxy-generated CA-signed host certificates has been changed to be 30 days in the past, to reduce problems that can arise when using multiple test machines with different system times.
  • Handling of non-HTTP-compliant messages that use \n instead of \r\n as header delimiters has been improved.
  • A new option has been added to prevent access to the in-browser Proxy interface using a fully-qualified DNS name, to hinder DNS rebinding attacks against it.

Various bugs have been fixed, including:

  • A bug that resulted in a cryptic error message when attempting to restore state from an invalid file that wasn't generated by Burp's save state function.
  • A bug in the Proxy's generation of CA-signed host certificates when the Proxy listener is configured to do host redirection. Previously, the certificate was being generated for the redirected hostname, not the original one requested by the browser, causing a certificate error in the browser.
  • A bug in the Proxy's match/replace function where replacement strings containing regex metacharacters are wrongly handled when doing non-regex-based match/replace.
  • A bug where target host redirection performed by a Burp extension (by modifying the target details for the current request) is not honored when using SSL with an upstream proxy server. Previously, Burp made a CONNECT request using the original hostname, not the modified one.
  • A bug which caused some session handling rules to fail when processing multipart requests containing a file upload parameter.