Bug Reports

  • Burp proxy doesn't show responses with 1xx codes in HTTP history

    On a recent engagement, we encountered an application that uses websockets. The application upgrades the connection post-login. For example, (borrowed from Wikipedia) GET /test HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw== Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 Origin: http://example.com ...

    1 Agent Answer    1 Community Answer
    Sep 04, 2015 02:37PM UTC
  • Burp does not process cookies when initializing Intruder

    I am using a site which has multiple redirects after submitting a form. After the initial POST request, Burp does not use cookies on subsequent requests. Behavior from the browser: POST request sent with cookies => 302 Redirect GET request from 302 with cookies => Another 302 GET request from second 302 with cookies => Return to page with information reflected in page Behavior u...

    2 Agent Answers    1 Community Answer
    Sep 02, 2015 11:20PM UTC
  • XSS detection is inconsistent

    Hi, I did an Active scan for one request on form submission using Burp Pro v1.6.17. It didn't list any XSS for one hidden parameter which is not encoded. If I do the same thing using Intercept proxy, XSS is listed. Later we encoded the parameter and tested the same hidden parameter using manual scan. XSS is not listed. Just to ensure how Automated scan is working again we removed...

    1 Agent Answer    0 Community Answer
    Aug 30, 2015 10:17AM UTC
  • Error while running Burp

    # # A fatal error has been detected by the Java Runtime Environment: # # EXCEPTION_UNCAUGHT_CXX_EXCEPTION (0xe06d7363) at pc=0x000007fefd97b3dd, pid=1172, tid=5828 # # JRE version: Java(TM) SE Runtime Environment (7.0_76-b13) (build 1.7.0_76-b13) # Java VM: Java HotSpot(TM) 64-Bit Server VM (24.76-b04 mixed mode windows-amd64 compressed oops) # Problematic frame: # C [KERNELBASE.dll+0xb3...

    1 Agent Answer    0 Community Answer
    Aug 27, 2015 09:20AM UTC
  • "Open redirection" issues share duplicate information with "Cross-domain Referer leak...

    After running Burp Active scan, I observed few Open redirection issues. However, when I check Cross-domain Referer leakage issues, there are many reported which I don't think should be there as they were caused by an Open redirection during active scan, for example: https://a40656bd271/a? https://a70b9fe5e59/a? https://a9662d67c39/a? https://aa0a4afcf8c/a? I'm not sure if it was...

    1 Agent Answer    0 Community Answer
    Aug 21, 2015 08:42AM UTC
  • off by one when saving intruder responses

    When you save server responses from the Intruder the files are labelled from 1 but looking at the requests in the Intruder panel they start at 0 with the baseline request. I think the file naming should match the request numbering.

    1 Agent Answer    0 Community Answer
    Aug 19, 2015 08:32AM UTC
  • Extender: isEnable called without proper context

    Hi, while writing a new extension (IMessageEditorTabFactory) I've encountered a small bug. Code is available here: https://raw.githubusercontent.com/carstein/burp-extensions/master/Argonaut.py While loading the extension I get a NullPointerException, but later on the extension works fine. It seems to me that the problem lies in line 64: req = self._helpers.analyzeRequest(self._controller.getRequ...

    3 Agent Answers    3 Community Answers
    Aug 12, 2015 09:55PM UTC
  • Burp restore state problem

    Hello, since the newer version of Burp Suite Professional (v1.6.23) I'm having problems restoring my Burp save state. Here is a screenshot of the bug: http://i.imgur.com/lVdpnFx.png And the details: burp.eee: Failed to parse serialized data - expected closing tag '</scannerInfo>' but found '<item>' at burp.bmd.b(Unknown Source) at burp.bmd.a(Un...

    2 Agent Answers    0 Community Answer
    Aug 05, 2015 09:53AM UTC
  • Cacheable HTTPS Response

    Burp scanner reports that certain pages have a "Cacheable HTTPS Response". However, upon closer inspection it appears that these items are POST requests and the issue is reported because caching headers are missing rather than an explicit cache preference being set. The post here http://stackoverflow.com/q/626057/413180 indicates that POST is only cached by browsers if explicitly ...

    2 Agent Answers    1 Community Answer
    Aug 05, 2015 08:32AM UTC
  • "Go" button of Engagement tools/Search box is lost

    Hello, When you search long strings the "Go" button is lost after your first search. Well not completely lost but it is moved at the right when you search for 50+ char strings. Searching for 100 char make it disappear on a 1920x1200 screen. Not a big bug because you can still launch searches by pressing Enter but it would be better to keep the button ;) Davy

    2 Agent Answers    1 Community Answer
    Aug 04, 2015 04:19PM UTC