View profile

What's happening in the Burp-verse - Issue #4

What's happening in the Burp-verse - Issue #4
By Burp Suite Guide • Issue #4 • View online
Hi đź‘‹,
In this newsletter, we will go through the new update to Burp Suite, the new Burp extension - HackBar, and finally, talk about other exciting resources found in the Burp-verse recently.
But before you continue, do you know that Burp Suite Guide is on social media?
If you are not following Burp Suite Guide on Twitter or LinkedIn, you miss out on instant updates on Burp Suite - like answers to frequent questions, security fixes for Burp Suite, and more. 
Go ahead, click the “Follow” button and be the up-to-date hero of Burp Suite in your company/community.
Now let’s continue.

Blog Posts
Professional / Community 2021.4 and 2021.4.1 released!
Professional / Community 2021.4 | Releases
Professional / Community 2021.4 | Releases
This release provides a native logging tool to Burp Suite. It also allows saving settings for Burp’s embedded browser and message editor’s search bar, and the ability to turn off Repeater’s line ending
portswigger.net  •  Share
Professional / Community 2021.4.1 | Releases
Professional / Community 2021.4.1 | Releases
This release provides logging for individual task traffic. It also provides a new hotkey action, support for multiple TXT DNS records in Burp Collaborator, and several bug fixes. Task logger You can n
portswigger.net  •  Share
Say hello to Logger !!
Good news for Early Adopters. The new 2021.4 release has a native Logger, which allows you to view HTTP traffic of all Burp tools (including Burp Scanner). As PortSwigger mentions, Logger is optimized for performance and limits the memory used.
Logger tab in Burp Suite
Logger tab in Burp Suite
So, should you chuck Logger++ / Flow extension and use Burp’s inbuilt Logger?
If you are a Burp user who uses the above extensions to see HTTP traffic alone, then yes.
However, the inbuilt logger has some downsides. 
  • You can’t search the messages in the Community version. Like that in Burp Proxy, the logger search functionality is only available in the Professional version.
  • You can’t have a log filter or grep values like the Logger++ extension.
  • You can’t see WebSockets requests in Logger even though it’s inbuilt in Burp.
Logger Capture Filter Settings
Logger Capture Filter Settings
The embedded browser remembers what sites you visited last time!
The embedded Chromium browser now saves your history, browser extensions, and any other changes to browser settings. 
This feature can be handy when you use browser extensions (like Wappalyzer, Shodan, etc.) in most of your pentest engagements.
If you want the embedded browser not to remember the past, head over to User Options -> Misc -> Embedded Browser and untick the “Allow the proxy embedded browser to store settings and history” option.
Setting to disable what browser remembers
Setting to disable what browser remembers
Extensions
HackBar, Payload Bucket by Abdul Wahab
HackBar extension is now available in the BApp store. 🎉
This extension helps pentesters to speed up their manual testing. It contains payloads (from the PayloadsAllTheThings GitHub repository) for vulnerabilities like SQLi, XSS, LFI, and more.
Once you have the HTTP request in the Repeater tab, right-click on a param and select a HackBar’s payload depending on the vulnerability type you are testing for.
You can read more about HackBar here.
HackBar extension
HackBar extension
There are a few updates to Backslash Powered Scanner, Autowasp, Reshaper, and more.
James Kettle on Twitter
James Kettle on Twitter
“I’ve just released Backslash Powered Scanner v1.20. This is a fairly big refactor to lay the foundation for future enhancements. It also adds support for bulk-scanning. https://t.co/JrjhMeU73S”
twitter.com  •  Share
GoSecure on Twitter
GoSecure on Twitter
“Our NTLM Challenge Decoder Burp plugin is now working on Burp’s latest version! An easy way to get the internal hostname and version from Windows servers! https://t.co/EoZ4nOsdre #burp #appsec #osint #windows https://t.co/t4JuaxO2ee”
twitter.com  •  Share
Tweets
Will Portswigger store my user info if I use Burp’s default Collaborator server?
This is a question I always had. Finally, Burp Suite’s Twitter account said it out loud and clear: “We do not track our users’ activity in any way.”
Burp Suite on Twitter
Burp Suite on Twitter
“@abh4t We do not track our users’ activity in any way, and there is no way for us to obtain this information. The subdomain strings in the test payloads are randomly generated by the instance of Burp doing the scanning, and we don’t have any way of mapping these back to a user.”
twitter.com  •  Share
Using Hackvertor Burp extension to generate random IP
Bug Bounty Weekly on Twitter
“You can use @hackvertor to generate random IP to bypass rate-limit when IP is spoofable. #burpsuite #bugbountytip #bugbountytips”
twitter.com  •  Share
Burp Suite + MacBooks with Apple M1 chip = Bad Performance
Burp Suite doesn’t seem to work fine on new MacBooks with Apple M1 chip. Burp Suite support team acknowledges that even when running Burp under Rosetta, Burp barely performs.
Rami Saleh on Twitter
Rami Saleh on Twitter
“Burp Suite Pro run noticeably slower on MacBook /Apple M1 chip….”
twitter.com  •  Share
Burp Suite on Twitter
Burp Suite on Twitter
“@ethicalhack3r When running under Rosetta, Burp does work but there is a noticeable impact on performance.
We’re working on official support, but don’t have a definitive date.”
twitter.com  •  Share
Others
Update Burp Suite!!
If you are still using #BurpSuite 2020.11.3 or a lower version, it’s time to upgrade to v2021.2!! PortSwigger has patched an HTML Injection bug that can disclose netNTLM hash or cause DoS. 
HackerOne report with PoC: https://hackerone.com/reports/1054382
Burp Suite for Pentesters
This GitHub repository contains links to Burp Suite for Pentesters series in HackingArticles.in blog. The blog posts cover multiple Burp tools (Proxy, Scanner, Intruder, etc.) as well as Burp extensions (XSS Validator, Active Scan++, HackBar, etc.) 
https://github.com/Ignitetechnologies/BurpSuite-For-Pentester
Finally
That’s all for now.
If you learned something new about Burp Suite using this newsletter, please consider sharing it with your friends, hackers & pentester colleagues.
If you liked the newsletter, click the đź‘Ť button below. If you have any specific feedback, shoot an email to [email protected].
Many thanks for considering my request.
Until next time đź‘‹
Did you enjoy this issue?
Burp Suite Guide

Your guide to all things Burp Suite !

Tweet     Share
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue