Burp Intruder Botox announces many improvements

by

In: Application Scanner , Burp

23 March 2010

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, downstream proxies, logging, alerting and extensibility.

The new beta version of Burp Intruder, which contains a bunch of frequently-requested enhancements:

  • You can now configure multiple attacks indepedently in separate tabs (as with Burp Repeater). You can copy attack configurations between tabs, or save configurations for later use.
  • Payload positioning now uses the same feature-rich editor as other tools, and fully preserves binary/non-printing characters.
  • There are several new payload sources, including a bit flipper, character frobber and username generator.
  • The existing simple payload processing options (for encoding, etc.) are replaced with a rules-based processor which can perform arbitrarily many actions, such as match/replace, prefix/suffix, substring, case modification, encoding, decoding and hashing.
  • All feasible attack configuration options can now be modified during a live attack, and have immediate effect, including the base request template, payloads, grep settings and thread count.
  • Each attack optionally performs an unmodified baseline request, to enable easy comparison with the results of actual attack requests.
  • The attack results table contains the same rich functionality as the Proxy history, with a configurable filter, annotation of items with comments and highlights, and a preview pane for quick viewing of requests and responses.
  • Selected result items can be flagged to be re-requested (e.g. if network errors or timeouts have occurred).
  • When an attack is configured to follow redirects, all intermediate responses and requests are recorded in the results viewer.

Following the enhancements made to other tools in recent releases, Burp Intruder was starting to look a bit left behind. This upgrade brings Intruder up to the same level of functionality as the rest of the suite, and you will hopefully find it more powerful and easier to use than previously. There are a lot of requested features which didn’t make the cut on this occasion, and these will hopefully make an appearance later this year.

We inform you as soon as this release is in the wild.

Compliance Mandates

  • Application Scanner :

    PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2


Related Articles

Application Scanner
Burp