Bug Reports

  • Issue Definitions

    Not properly sorted by name. Capital letters should not make a difference. Findings should be mapped to OWASP Top 10 and WASC.

    1 Agent Answer    0 Community Answer
    Sep 13, 2015 10:55PM UTC
  • Issues not visible if related to 404 resources

    Hello, the scanner found an XSS in the referer header, and the answer is a custom 404 page with the XSS in the answer. However in the Target tab, the XSS is not visible if "Hide not-found items" is not disabled. Maybe vulnerabilities in the issues tab/window should be always visible... what do you think? Thank you

    2 Agent Answers    2 Community Answers
    Sep 11, 2015 10:31AM UTC
  • Failure to open a Macro Recorder dialog

    Hi, sometimes Burp fails to open a Macro Recorder dialog (Options / Sessions / Macros > Add > Record macro). I confirmed that it happens when Burp Proxy receives requests frequently (1req/5sec or more, I'm testing web application with Ajax). When it occurs I can't close a Macro Editor dialog (frozen or there is an invisible modal dialog?). So I have to kill the burp instance ...

    2 Agent Answers    0 Community Answer
    Sep 09, 2015 07:19AM UTC
  • Cmd Key on mac not working within Burp v1.6.26 (Java 1.8.0_60)

    The Cmd key on Mac OS 10.10.5 does not seem to be working within Burp (attempted on multiple Burp versions <=1.6.26), thus hampering the use of copy / paste / select all functions. Below are env details: java version "1.8.0_60" Java(TM) SE Runtime Environment (build 1.8.0_60-b27) Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode) Any suggestions or workarounds...

    1 Agent Answer    2 Community Answers
    Sep 08, 2015 10:22PM UTC
  • Hydra (http-get-form) + Burp = Missing GET parameters

    ## Issue * When using `http-get-form` with `HYDRA_PROXY_HTTP` set and using Burp as the proxy, the GET parameters are not being passed on. * Using other proxies (such as ZAP), or not using a proxy at all, the GET requests are correct. The issue only happens when you use burp. **Summary** ``` export HYDRA_PROXY_HTTP=http://127.0.0.1:8080 hydra -l admin -p password -e ns -F -t 1 -w 5 -v ...

    2 Agent Answers    1 Community Answer
    Sep 08, 2015 04:39PM UTC
  • Burp proxy doesn't show responses with 1xx codes in HTTP history

    On a recent engagement, we encountered an application that uses websockets. The application upgrades the connection post-login. For example, (borrowed from Wikipedia) GET /test HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw== Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 Origin: http://example.com ...

    1 Agent Answer    1 Community Answer
    Sep 04, 2015 02:37PM UTC
  • Burp does not process cookies when initializing Intruder

    I am using a site which has multiple redirects after submitting a form. After the initial POST request, Burp does not use cookies on subsequent requests. Behavior from the browser: POST request sent with cookies => 302 Redirect GET request from 302 with cookies => Another 302 GET request from second 302 with cookies => Return to page with information reflected in page Behavior u...

    2 Agent Answers    1 Community Answer
    Sep 02, 2015 11:20PM UTC
  • XSS detection is inconsistent

    Hi, I did Active scan for one request on form submission using burp pro v 1.6.17. It didn't list any XSS for one hidden parameter which is not encoded. If I do same thing using Intercept proxy XSS is listed. Later we have encoded the parameter and tested for same hidden parameter using manual scan. It's not listed XSS. Just to ensure how Automated scan is working again we removed...

    1 Agent Answer    0 Community Answer
    Aug 30, 2015 10:17AM UTC
  • Error while running Burp

    # # A fatal error has been detected by the Java Runtime Environment: # # EXCEPTION_UNCAUGHT_CXX_EXCEPTION (0xe06d7363) at pc=0x000007fefd97b3dd, pid=1172, tid=5828 # # JRE version: Java(TM) SE Runtime Environment (7.0_76-b13) (build 1.7.0_76-b13) # Java VM: Java HotSpot(TM) 64-Bit Server VM (24.76-b04 mixed mode windows-amd64 compressed oops) # Problematic frame: # C [KERNELBASE.dll+0xb3...

    1 Agent Answer    0 Community Answer
    Aug 27, 2015 09:20AM UTC
  • "Open redirection" issues share duplicate information with "Cross-domain Referer leak...

    After running Burp Active scan, I observed few Open redirection issues. However, when I check Cross-domain Referer leakage issues, there are many reported which I don't think should be there as they were caused by an Open redirection during active scan, for example: https://a40656bd271/a? https://a70b9fe5e59/a? https://a9662d67c39/a? https://aa0a4afcf8c/a? I'm not sure if it was...

    1 Agent Answer    0 Community Answer
    Aug 21, 2015 08:42AM UTC