Bug Reports

  • Intruder silently changes content type of request from application/json to text/plain

    When using Intruder to masticate a RESTful interface, it will silently change the content-type from the original request's application/json to text/plain. For RESTful interfaces that enforce type, this means that all the requests that are changed thus will fail.

    1 Community Answer
    Oct 31, 2015 07:23PM UTC
  • Problem with multihost angularjs site

    We have an AngularJS/REST web app (IE11) at a client that works fine (no proxy) but is broken when Burp is in the middle. The web page normally pulls in several js and css files from a second domain, also owned by the client. When we look at the target page, the foreign domain host is listed along with the paths to the included files, but they are in gray, indicating they were never fetched (and...

    1 Agent Answer    1 Community Answer
    Oct 28, 2015 06:03PM UTC
  • content-type: application/json

    An application/json response is by definition Unicode (UTF-8 by preference, but any multibyte Unicode is acceptable). However, if the content-type header does not also include a charset=utf-8 attribute (which is actually not as per standard, but is expected by some web services) then Burp seems to decode the response in the viewer incorrectly as ASCII or latin-1. Screen shots available if re...

    1 Agent Answer    0 Community Answer
    Oct 28, 2015 07:06AM UTC
  • v 1.6.30 spider

    I just downloaded/ran version 1.6.30. When right-clicking and selecting "Spider this host", the host above the selected item is spidered and the item that was actually selected is not spidered. I've restarted that app from scratch and experienced the same behavior. In addition, the first time, selecting to stop the spider and clear the queue did not function. I had to actually clos...

    2 Agent Answers    2 Community Answers
    Oct 26, 2015 04:37PM UTC
  • Session handling with two rules

    Hi, I have a web-app that has two issues when scanning or spidering. Sometimes the app closes the session so I get a 302 redirect; other times, the app malfunctions and all requests end with error 500 and I must re-auth. I have a valid macro to perform an authentication but I can't configure Burp to handle two session rules. First I try to do two separate rules with two separate action rule...

    1 Agent Answer    0 Community Answer
    Oct 22, 2015 09:39PM UTC
  • Intruder: Remove several payloads at the same time

    Hi, in Intruder, when creating the list of payloads to be injected, if several entries are selected from the list (by using the shift or ctrl button) and the Remove option is clicked, it does not remove all the selected entries but only one. Regards, Carlos

    1 Agent Answer    0 Community Answer
    Oct 21, 2015 09:14AM UTC
  • a couple of UI bugs

    Hi, long time user and supporter :D Two small glitches that caught my eye today: 1. tool tips need to be updated with information that issues were moved to Target tab (and that Target is what you need to save in order to save the issues of a project). Currently, the information is misleading, it says to save the scanner tab to save issues. New users will be confused. 2. Report a bug th...

    2 Agent Answers    1 Community Answer
    Oct 12, 2015 01:04PM UTC
  • Software caused connection abort: recv failed

    Hi, I get this error message while running BurpSuite: Software caused connection abort: recv failed. Would you please help me resolve the problem? Thank you

    1 Agent Answer    2 Community Answers
    Oct 07, 2015 09:03AM UTC
  • Higher unicode characters mangled when pasting

    When pasting text into Burp Suite, with the text containing Unicode characters with a codepoint higher than 255, Burp Suite will mangle the characters. For characters with a Unicode code point lower than 65536, the result is that the higher byte of each code point is discarded. To reproduce: * select the following text and copy it to the clipboard: ňťŬŬůĠŗůŲŬŤġ * in Burp Suite, paste the text...

    2 Agent Answers    3 Community Answers
    Sep 30, 2015 12:37PM UTC
  • Probable bug: SQL injection avoidable false positive?

    "Issue detail The [...redacted...] cookie appears to be vulnerable to SQL injection attacks. The payload ' and '6143'='6143 was submitted in the Auth-Portal cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database ...

    1 Agent Answer    0 Community Answer
    Sep 28, 2015 08:54AM UTC