Penetration Testing mailing list archives
RE: Burp Suite v1.3 released
From: "PortSwigger" <mail () portswigger net>
Date: Mon, 11 Jan 2010 11:00:11 -0000
Burp v1.3 already handles viewing and editing of AMF-encoded messages in the Proxy and Repeater, and the Scanner places attacks into AMF string fields. Intruder doesn't currently support AMF, but it will do soon.

Regarding support for other functionality to handle Flash, I'll look at adding this if enough people ask for it.

Cheers
PortSwigger

-----Original Message-----
From: Michele Orru [mailto:antisnatchor () gmail com]
Sent: 08 January 2010 21:25
To: PortSwigger
Cc: webappsec () securityfocus com; pen-test () securityfocus com
Subject: Re: Burp Suite v1.3 released

Hi Dafydd,

are you planning to add support for Flash-based applications, something like Charles (at least in the PRO version)?

I was thinking of something like integration with flare/flasm, or by the way some mechanisms to check for reflected XSS on every field exposed by the swf (something like SWFintruder of Stefano, but in an automatic way).

When pen testing flash-based apps, I always have to work with SWFintruder, that is far good but anyway something external from my favorite proxy (burp). I don't think I can achieve the same results using the Intruder to send XSS vectors, specifying the swf url with its GET/POST parameters.

I think that actually there does not exist any semi-automated proxy that does something like that. Correct me if I'm wrong.

Thanks

Michele "antisnatchor" Orru'
http://antisnatchor.com

On Fri, Jan 8, 2010 at 11:27 AM, PortSwigger <mail () portswigger net> wrote:
Burp Suite v1.3 is now available for free download at http://portswigger.net/suite/

This is a major upgrade with a host of new features, including:

- A new message editor/viewer optimised for HTTP requests and responses, with colourised syntax, mouse-over decoding, and quick conversion functions.
- Facility to add comments and highlights to the proxy history and site map.
- Support for viewing and editing AMF-encoded messages.
- Improved handling of SSL server certificates, to eliminate browser SSL warnings and connection problems with thick clients.
- Copy to file / paste from file to facilitate working with binary content.
- New display filters.
- Greatly enhanced extensibility.
- Configurable DNS resolution, to override your computer's own resolution, facilitating work with non-proxy-aware clients.
- Fine-grained upstream proxy rules.
- Exporting of HTTP messages and metadata in XML format.

For more details see: http://blog.portswigger.net/2010/01/burp-suite-v13-released.html

Cheers
PortSwigger