Burp v1.3 already handles viewing and editing of AMF-encoded messages in the
Proxy and Repeater, and the Scanner places attacks into AMF string fields.
Intruder doesn't currently support AMF, but it will do soon.
Regarding support for other functionality to handle Flash, I'll look at
adding this if enough people ask for it.
Cheers
PortSwigger
-----Original Message-----
From: Michele Orru [mailto:antisnatchor (at) gmail (dot) com [email concealed]]
Sent: 08 January 2010 21:25
To: PortSwigger
Cc: webappsec (at) securityfocus (dot) com [email concealed]; pen-test (at) securityfocus (dot) com [email concealed]
Subject: Re: Burp Suite v1.3 released
Hi Dafydd,
are you planning to add support to Flash-based applications, something
like Charles (at least in the PRO version)?
I was thinking in something like integration with flare/flasm, or by
the way some mechanisms
to check for reflected XSS on every field exposed by the swf
(something like SWFintruder of Stefano, but in
an automatic way).
When pen testing flash-based apps, I've always to work with
SWFintruder, that is far good but
anyway something external from my favorite proxy (burp). I don't think
I can achieve the same results
using the Intruder to send XSS vectors, specifying the swf url with
its GET/POST parameters.
I think that actually there not exists any semi-automated proxy that
does something like that.
Correct me if I'm wrong.
On Fri, Jan 8, 2010 at 11:27 AM, PortSwigger <mail (at) portswigger (dot) net [email concealed]> wrote:
>
> Burp Suite v1.3 is now available for free download at
> http://portswigger.net/suite/
>
> This is a major upgrade with a host of new features, including:
>
> - A new message editor/viewer optimised for HTTP requests and responses,
> with colourised syntax, mouse-over decoding, and quick conversion
functions.
>
> - Facility to add comments and highlights to the proxy history and site
map.
>
> - Support for viewing and editing AMF-encoded messages.
>
> - Improved handling of SSL server certificates, to eliminate browser SSL
> warnings and connection problems with thick clients.
>
> - Copy to file / paste from file to facilitate working with binary
content.
>
> - New display filters.
>
> - Greatly enhanced extensibility.
>
> - Configurable DNS resolution, to override your computer's own resolution,
> facilitating work with non-proxy-aware clients.
>
> - Fine-grained upstream proxy rules.
>
> - Exporting of HTTP messages and metadata in XML format.
>
> For more details see:
> http://blog.portswigger.net/2010/01/burp-suite-v13-released.html
>
> Cheers
> PortSwigger
>
>
>
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
Proxy and Repeater, and the Scanner places attacks into AMF string fields.
Intruder doesn't currently support AMF, but it will do soon.
Regarding support for other functionality to handle Flash, I'll look at
adding this if enough people ask for it.
Cheers
PortSwigger
-----Original Message-----
From: Michele Orru [mailto:antisnatchor (at) gmail (dot) com [email concealed]]
Sent: 08 January 2010 21:25
To: PortSwigger
Cc: webappsec (at) securityfocus (dot) com [email concealed]; pen-test (at) securityfocus (dot) com [email concealed]
Subject: Re: Burp Suite v1.3 released
Hi Dafydd,
are you planning to add support to Flash-based applications, something
like Charles (at least in the PRO version)?
I was thinking in something like integration with flare/flasm, or by
the way some mechanisms
to check for reflected XSS on every field exposed by the swf
(something like SWFintruder of Stefano, but in
an automatic way).
When pen testing flash-based apps, I've always to work with
SWFintruder, that is far good but
anyway something external from my favorite proxy (burp). I don't think
I can achieve the same results
using the Intruder to send XSS vectors, specifying the swf url with
its GET/POST parameters.
I think that actually there not exists any semi-automated proxy that
does something like that.
Correct me if I'm wrong.
Thanks
Michele "antisnatchor" Orru'
http://antisnatchor.com
On Fri, Jan 8, 2010 at 11:27 AM, PortSwigger <mail (at) portswigger (dot) net [email concealed]> wrote:
>
> Burp Suite v1.3 is now available for free download at
> http://portswigger.net/suite/
>
> This is a major upgrade with a host of new features, including:
>
> - A new message editor/viewer optimised for HTTP requests and responses,
> with colourised syntax, mouse-over decoding, and quick conversion
functions.
>
> - Facility to add comments and highlights to the proxy history and site
map.
>
> - Support for viewing and editing AMF-encoded messages.
>
> - Improved handling of SSL server certificates, to eliminate browser SSL
> warnings and connection problems with thick clients.
>
> - Copy to file / paste from file to facilitate working with binary
content.
>
> - New display filters.
>
> - Greatly enhanced extensibility.
>
> - Configurable DNS resolution, to override your computer's own resolution,
> facilitating work with non-proxy-aware clients.
>
> - Fine-grained upstream proxy rules.
>
> - Exporting of HTTP messages and metadata in XML format.
>
> For more details see:
> http://blog.portswigger.net/2010/01/burp-suite-v13-released.html
>
> Cheers
> PortSwigger
>
>
>
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
[ reply ]