Re: Burp Suite v1.3 released

[Michele Orru <antisnatchor () gmail com>]

Hi Dafydd,

are you planning to add support to Flash-based applications, something
like Charles (at least in the PRO version)?
I was thinking in something like integration with flare/flasm, or by
the way some mechanisms
to check for reflected XSS on every field exposed by the swf
(something like SWFintruder of Stefano, but in
an automatic way).

When pen testing flash-based apps, I've always to work with
SWFintruder, that is far good but
anyway something external from my favorite proxy (burp). I don't think
I can achieve the same results
using the Intruder to send XSS vectors, specifying the swf url with
its GET/POST parameters.

I think that actually there not exists any semi-automated proxy that
does something like that.
Correct me if I'm wrong.

Thanks

Michele "antisnatchor" Orru'
http://antisnatchor.com

On Fri, Jan 8, 2010 at 11:27 AM, PortSwigger <mail () portswigger net> wrote:
> Burp Suite v1.3 is now available for free download at
> http://portswigger.net/suite/
>
> This is a major upgrade with a host of new features, including:
>
> - A new message editor/viewer optimised for HTTP requests and responses,
> with colourised syntax, mouse-over decoding, and quick conversion functions.
>
> - Facility to add comments and highlights to the proxy history and site map.
>
> - Support for viewing and editing AMF-encoded messages.
>
> - Improved handling of SSL server certificates, to eliminate browser SSL
> warnings and connection problems with thick clients.
>
> - Copy to file / paste from file to facilitate working with binary content.
>
> - New display filters.
>
> - Greatly enhanced extensibility.
>
> - Configurable DNS resolution, to override your computer's own resolution,
> facilitating work with non-proxy-aware clients.
>
> - Fine-grained upstream proxy rules.
>
> - Exporting of HTTP messages and metadata in XML format.
>
> For more details see:
> http://blog.portswigger.net/2010/01/burp-suite-v13-released.html
>
> Cheers
> PortSwigger
>
>
>
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------