Feature Requests

  • ASP.NET ValidateRequest bypass + tuning

    According to my experience Burp Suite doesn't check for this type of ValidateRequest filter bypass: http://www.jardinesoftware.net/2011/07/17/bypassing-validaterequest/ Would it be possible to add this to the Persistent XSS checks? (Sorry if I missed something) On a related note: Since ValidateRequest throws an exception when encountering typical XSS patterns many apps terminate the ...

    1 Agent Answer    0 Community Answer
    Jun 16, 2015 07:19AM UTC
  • Burp signed SSL certificates throw warning in Chrome

    When Burp generates CA-signed per-host certificates, Google Chrome marks these sites as having "Weak Security configuration (SHA-1 signatures), so your connections may not be private." Screenshot: http://i.imgur.com/B5XcMF9.png It looks like Chrome is actively trying to sunset SHA-1 (https://blog.filippo.io/the-unofficial-chrome-sha1-faq/) So, I'm guessing this message can be removed i...

    1 Agent Answer    0 Community Answer
    Jun 10, 2015 07:28PM UTC
  • Automatic backup prefix

    Hi, it would be nice to have an option to set a prefix for the automatic backup file name. When I am working on project1, I would like to easily set up the prefix 'project1'. Then I can switch i.e. to project2 etc. Thanks, Frantisek Uhrecky

    2 Agent Answers    1 Community Answer
    Jun 01, 2015 01:22PM UTC
  • Good XSS detection

    I'm somewhat disappointed. I conducted a Nessus scan on a host, without entering any information. It found an XSS. When I did an active scan of the same host with Burp, Burp did not. It is a really easy-to-find XSS. I'm pretty amazed about this, since Burp is my choice for Web Testing. Please do have at least the level of accuracy as a regular Nessus engine does when it comes to web...

    1 Agent Answer    0 Community Answer
    May 29, 2015 03:06PM UTC
  • Match -> Match/Replace.

    I would like to beg this request again, as there is a need for the feature. Here is the use case. I would like to be able to Match/Replace based on Matching a different value. I have been told to write it myself, but that would be like you trusting me to operate on you.....I can't perform that function. I don't code. if Match Request Header: POST /path/to/file then Match Request He...

    1 Agent Answer    2 Community Answers
    May 25, 2015 11:48PM UTC
  • UI - shortcuts - 'set Severity, Confidence', global 'enable/disable Proxy Intercept...

    I would like to have the possibility to: - assign keyboard shortcuts to more actions, e.g.: in Scanner:Results - set Severity, Confidence level (I would use numkeys) - use global windows shortcut for some actions (e.g. enable/disable Proxy Intercept) Thanks, igor

    1 Agent Answer    0 Community Answer
    May 18, 2015 05:24PM UTC
  • UI - Scanner:Results - tag resolved findings

    Hi, I would love to be able to tag findings as 'already worked on and resolved' or 'read'. Helps in case I go through findings while the active scan is still on (reason being lack of time). In the current state new findings are added to the Results tab and mix with those I have already seen and evaluated. My solution would be to have a possibility to tag a finding as e.g. '...

    1 Agent Answer    0 Community Answer
    May 18, 2015 05:18PM UTC
  • UI - Scanner - selected tab persistence (like in Proxy)

    Hi, I would like selected tab persistence when browsing through findings (exactly like in Proxy tab) - I select tab Response and it stays the selected one when I click on a different finding. A small thing, would help a lot to eliminate useless clicks when going through a bunch of similar findings' responses. Thanks.

    0 Community Answer
    May 18, 2015 05:10PM UTC
  • Reflected input monitor for passive scanning

    A new check should be introduced to the passive scanner which will monitor all the requests and report if any of the input parameters get reflected in the response. This will be very useful in determining which parameters to focus on.

    1 Agent Answer    0 Community Answer
    May 15, 2015 06:41AM UTC
  • HTTP Parameter Pollution

    Are there plans to implement HTTP Parameter Pollution tests? More info: https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OTG-INPVAL-004%29

    4 Agent Answers    4 Community Answers
    May 13, 2015 06:36PM UTC