View profile

What's happening in the Burp-verse - Issue #4

What's happening in the Burp-verse - Issue #4
By Burp Suite Guide • Issue #4 • View online
Hi 👋,
In this newsletter, we will go through the new update to Burp Suite, the new Burp extension - HackBar, and finally, talk about other exciting resources found in the Burp-verse recently.
But before you continue, do you know that Burp Suite Guide is on social media?
If you are not following Burp Suite Guide on Twitter or LinkedIn, you miss out on instant updates on Burp Suite - like answers to frequent questions, security fixes for Burp Suite, and more. 
Go ahead, click the “Follow” button and be the up-to-date hero of Burp Suite in your company/community.
Now let’s continue.

Blog Posts
Professional / Community 2021.4 and 2021.4.1 released!
Professional / Community 2021.4 | Releases
Professional / Community 2021.4.1 | Releases
Say hello to Logger !!
Good news for Early Adopters. The new 2021.4 release has a native Logger, which allows you to view HTTP traffic of all Burp tools (including Burp Scanner). As PortSwigger mentions, Logger is optimized for performance and limits the memory used.
Logger tab in Burp Suite
Logger tab in Burp Suite
So, should you chuck Logger++ / Flow extension and use Burp’s inbuilt Logger?
If you are a Burp user who uses the above extensions to see HTTP traffic alone, then yes.
However, the inbuilt logger has some downsides. 
  • You can’t search the messages in the Community version. Like that in Burp Proxy, the logger search functionality is only available in the Professional version.
  • You can’t have a log filter or grep values like the Logger++ extension.
  • You can’t see WebSockets requests in Logger even though it’s inbuilt in Burp.
Logger Capture Filter Settings
Logger Capture Filter Settings
The embedded browser remembers what sites you visited last time!
The embedded Chromium browser now saves your history, browser extensions, and any other changes to browser settings. 
This feature can be handy when you use browser extensions (like Wappalyzer, Shodan, etc.) in most of your pentest engagements.
If you want the embedded browser not to remember the past, head over to User Options -> Misc -> Embedded Browser and untick the “Allow the proxy embedded browser to store settings and history” option.
Setting to disable what browser remembers
Setting to disable what browser remembers
Extensions
HackBar, Payload Bucket by Abdul Wahab
HackBar extension is now available in the BApp store. 🎉
This extension helps pentesters to speed up their manual testing. It contains payloads (from the PayloadsAllTheThings GitHub repository) for vulnerabilities like SQLi, XSS, LFI, and more.
Once you have the HTTP request in the Repeater tab, right-click on a param and select a HackBar’s payload depending on the vulnerability type you are testing for.
You can read more about HackBar here.
HackBar extension
HackBar extension
There are a few updates to Backslash Powered Scanner, Autowasp, Reshaper, and more.
James Kettle on Twitter
GoSecure on Twitter
Tweets
Will Portswigger store my user info if I use Burp’s default Collaborator server?
This is a question I always had. Finally, Burp Suite’s Twitter account said it out loud and clear: “We do not track our users’ activity in any way.”
Burp Suite on Twitter
Using Hackvertor Burp extension to generate random IP
Bug Bounty Weekly on Twitter
Burp Suite + MacBooks with Apple M1 chip = Bad Performance
Burp Suite doesn’t seem to work fine on new MacBooks with Apple M1 chip. Burp Suite support team acknowledges that even when running Burp under Rosetta, Burp barely performs.
Rami Saleh on Twitter
Burp Suite on Twitter
Others
Update Burp Suite!!
If you are still using #BurpSuite 2020.11.3 or a lower version, it’s time to upgrade to v2021.2!! PortSwigger has patched an HTML Injection bug that can disclose netNTLM hash or cause DoS. 
HackerOne report with PoC: https://hackerone.com/reports/1054382
Burp Suite for Pentesters
This GitHub repository contains links to Burp Suite for Pentesters series in HackingArticles.in blog. The blog posts cover multiple Burp tools (Proxy, Scanner, Intruder, etc.) as well as Burp extensions (XSS Validator, Active Scan++, HackBar, etc.) 
Finally
That’s all for now.
If you learned something new about Burp Suite using this newsletter, please consider sharing it with your friends, hackers & pentester colleagues.
If you liked the newsletter, click the 👍 button below. If you have any specific feedback, shoot an email to [email protected].
Many thanks for considering my request.
Until next time 👋
Did you enjoy this issue?
Burp Suite Guide

Your guide to all things Burp Suite !

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue