This tab contains settings for SSL negotiation, Java SSL options, and client and server SSL certificates.
Note: Some of these options can be defined at both the user and project level. For these options, you can configure your normal options at the user level, and then override these if required on a per-project basis. The move
These settings control the SSL protocols and ciphers that Burp will use when performing SSL negotiation with upstream servers. You can configure Burp to use the default protocols and ciphers of your Java installation, or override these defaults and enable specific protocols and ciphers as required.
Sometimes, you may have difficulty negotiating SSL connections with certain web servers. The Java SSL stack contains a few gremlins, and fails to work with certain unusual server configurations. To help you troubleshoot this problem, Burp lets you specify which protocols and ciphers should be offered to servers during SSL negotiations.
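To see what the protocol and cipher settings described above actually change, here is an added Python example (not part of the Burp documentation or Burp's own code) that builds a client TLS context restricted to a chosen protocol range and cipher list, reports which suites it will offer, and probes a server with it. The host, port and cipher string are assumed values you would replace; the Python `ssl` module stands in for the Java SSL stack, so the exact suite names differ from Java's, but the troubleshooting technique is the same: narrow what is offered until the failing server negotiates.

```python
import socket
import ssl


def build_context(min_version=ssl.TLSVersion.TLSv1_2,
                  max_version=ssl.TLSVersion.TLSv1_3,
                  ciphers="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Return a verifying client context that only offers the given
    protocol range and OpenSSL cipher list (assumed example defaults)."""
    ctx = ssl.create_default_context()  # keeps certificate + hostname checks
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    ctx.set_ciphers(ciphers)  # raises ssl.SSLError if nothing matches
    return ctx


def offered_ciphers(ctx):
    """Names of the suites the context will advertise in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def probe(host, port, ctx, timeout=5.0):
    """Attempt one handshake and report the negotiated protocol and suite,
    or the failure reason, so settings can be adjusted one at a time."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True,
                        "protocol": tls.version(),
                        "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Assumed target; swap in the server you are troubleshooting.
    context = build_context()
    print("offering:", ", ".join(offered_ciphers(context)))
    print(probe("example.com", 443, context))
```

Start with a broad configuration and tighten the protocol range or cipher list step by step; the `probe` result tells you which combination the server accepts, which is the same information Burp's negotiation settings let you control.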
The following other options are available:
These settings can be used to enable certain SSL features that might be needed to successfully connect to some servers.
The following options are available:
These settings let you configure the client SSL certificates that Burp will use when a destination host requests one. You can configure multiple certificates, and specify the hosts for which each certificate should be used. When a host requests a client SSL certificate, Burp will use the first certificate in the list whose host configuration matches the name of the host being contacted.
You can use wildcards in the destination host specification (* matches zero or more characters, and ? matches any character except a dot). To use a single certificate whenever any host requests one, use * as the destination host.
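The following Python example is added here to show the first-match, wildcard-based selection rule described above; it is not Burp's own code, and the certificate list is a constructed sample. The `*` and `?` semantics follow the description on this page (`*` matches zero or more characters, `?` matches any single character except a dot), and matching is case-insensitive, which is an assumption.

```python
import re

# Constructed sample configuration: (destination host pattern, certificate).
# Order matters: the first entry whose pattern matches the host wins.
CLIENT_CERTS = [
    ("api.example.com", "api-client.p12"),
    ("*.example.com", "wildcard-client.p12"),
    ("*", "fallback.pfx"),  # used whenever any other host requests a cert
]


def host_pattern_to_regex(pattern):
    """Translate a destination-host pattern into an anchored regex:
    '*' -> zero or more characters, '?' -> one character that is not a dot."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append("[^.]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern, host):
    return host_pattern_to_regex(pattern).match(host) is not None


def select_certificate(entries, host):
    """Return the certificate of the first entry matching host, or None."""
    for destination, certificate in entries:
        if matches(destination, host):
            return certificate
    return None


if __name__ == "__main__":
    for h in ("api.example.com", "dev.example.com", "example.com", "other.net"):
        print(h, "->", select_certificate(CLIENT_CERTS, h))
```

Note that `*.example.com` does not match the bare `example.com`, because the literal dot must still be present; that host falls through to the `*` entry. Putting the `*` entry first would make every host use the fallback certificate, which is why the most specific patterns should come first.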
The following types of client certificates are supported:
Note: Java does not currently support PKCS#11 on 64-bit versions of Windows.
This information-only panel contains details of all X.509 certificates received from web servers. Double-click an item in the table to display the full details of the certificate.
This release adds a new scan check for client-side template injection.
It is very common for applications that use AngularJS to incorporate user input into HTML responses within the client-side template. AngularJS has a long history of sandbox escapes that permit execution of arbitrary JavaScript via template expressions. Hence, when user input is echoed within AngularJS templates, it is frequently possible to perform XSS attacks using minimal syntax that would not normally be sufficient for XSS, and which is therefore not blocked by input filters.