Bug Reports

  • Bug when adding or updating a PARAM_COOKIE parameter

    Hello, I'm working on a super basic extension which allows editing the value of a specific cookie in its own Repeater display tab. But when I call updateParameter(..., buildParameter(..., PARAM_COOKIE)), the cookie line is incorrectly modified. Raw tab, before editing: Cookie: authtoken=aaaaaaaaaaaaaa Switch to the extension-provided tab, edit the cookie value to "xxx" and s...

    3 Agent Answers    2 Community Answers
    Apr 07, 2016 11:51PM UTC
  • Requests sent to upstream proxies are NOT transcoded to proxy-style requests

    When "Options > Connections > Upstream Proxy Servers" is used to redirect all traffic to an upstream server, requests are _NOT_ encoded to the proxy format (with a fully qualified first line). That's OK when chaining Burp instances (using the "invisible proxy" mode on the upstream instance) but it breaks nearly every other upstream proxy server (tested with Polip...

    1 Agent Answer    1 Community Answer
    Apr 06, 2016 09:45PM UTC
  • Coverage differences between public and private Collaborator instances

    I recently tested Collaborator using different injection scenarios. I noticed that the vectors used are different, depending on whether Collaborator is defined by its DNS name (public or private instance) or its IP address (private only). Given the injection point "http://_HERE_:31337/yolo", only a private instance defined by its IP address will trigger an "Out-of-band resource load (HTTP...

    2 Agent Answers    1 Community Answer
    Apr 06, 2016 09:03PM UTC
  • Scanner unpaused scan of app1 when actively scanning a single page on app2 (SSO)

    Here's the environment: - app1.example.com (SSO enabled app #1) - app2-stage.example.com (SSO enabled app #2) Here's the user story: 1.) Tester spiders app1 without SSO auth 2.) Tester does active scan of app1 without SSO auth (it cannot be actively scanned with auth because it would be disruptive) 3.) Tester pauses active scan for app1 (basically done with testing) 4.) Test...

    1 Agent Answer    0 Community Answer
    Apr 03, 2016 03:17AM UTC
  • options/ssl menu fails to load upon restore if client certificate

    We are working as a small team and my colleague gave me his saved Burp state. I restored it in my Burp instance mostly without problem, but the options/ssl tab fails to load properly. The site we are testing requires a client side SSL certificate; we suspect that the certificate's different paths on the two computers cause the error. He uses Windows 7, I'm on Debian. We're both usi...

    4 Agent Answers    2 Community Answers
    Mar 24, 2016 08:58AM UTC
  • Protocol and port mismatch in target - site map

    Using burpsuite_pro_v1.6.39.jar (but had the problem in previous versions too) Burp Extender Plugins: Active Scan++, Error Message Checks, Java Deserialization Scanner, Software Version Reporter, Heartbleed I lately get a lot of the following kind of URLs in the site map tab: http://example.com http://example.com:443 https://example.com While the first and the last entry make sense and...

    1 Agent Answer    0 Community Answer
    Mar 08, 2016 01:04PM UTC
  • Burp will not run if a directory within the path ends with an "!"

    Burp will not run if a directory within the path ends with an "!". Burp was here: c:\!tools!\burp\burpsuite_pro_v1.6.38.jar. Moved the "burp" dir to the root directory and it runs fine. Tested by renaming the "burp" dir to "burp!" and burp crashes/will not run. Have not tried any other chars, just "!".

    1 Agent Answer    0 Community Answer
    Mar 07, 2016 07:05PM UTC
  • Filter window reopens right after closing by clicking on the filter bar since 1.6.37

    Clicking on the filter bar in previous versions closed the filter window. In 1.6.37 and .38 it reopens it, and it only closes if the mouse clicks somewhere else in the main Burp window (outside the filter window). Here's a video I made about the bug: https://www.youtube.com/watch?v=aIsITCJ_mYQ I'm running OpenJDK 1.8.0_72 on Debian GNU/Linux amd64.

    1 Agent Answer    0 Community Answer
    Mar 02, 2016 06:29PM UTC
  • Bug with Extender self._callbacks.makeHttpRequest ?

    When I use self._callbacks.makeHttpRequest in my extension and the target server responds with an SSL error such as "SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)" I get an alert from Burp in the alerts tab saying "Attempting to auto-select SSL parameters" as expected. However, the extension seems to hang indefini...

    1 Agent Answer    1 Community Answer
    Feb 25, 2016 07:45PM UTC
  • Burp Pro Crashes Immediately Upon Start

    java version "1.8.0_73" Java(TM) SE Runtime Environment (build 1.8.0_73-b02) Java HotSpot(TM) Client VM (build 25.73-b02, mixed mode, sharing) Latest version of Burp Pro. Upon launch, splash screen displays briefly and disappears but the java process is still running. Have tried several versions of Java and several versions of Burp Pro with the same results. Anyone else experie...

    5 Agent Answers    10 Community Answers
    Feb 24, 2016 11:25PM UTC