Burp Suite Pro 2021.5.1 (macOS, Linux) -- Test, find, and exploit vulnerabilities

Burp Suite Professional: test, find, and exploit vulnerabilities.

Posted by sysin on 2021-05-22


Please visit the original link: Burp Suite Pro 2021 (macOS, Linux) -- Test, find, and exploit vulnerabilities, to see the latest version. Original work; please retain the source when reposting.




Burp Suite Professional is an advanced set of tools for testing web security, all in one product. From a basic intercepting proxy to the cutting-edge Burp Scanner, with Burp Suite Pro the right tool is always just one click away.

Our powerful automation gives you more opportunity to do what you do best, while Burp Suite handles the low-hanging fruit. Advanced manual tools will help you identify your target's more subtle blind spots.

Burp Suite Pro is developed by a research team. This means that findings are already included in our latest updates before we publish them. Our pentesting tools will make your work faster while keeping you up to date with the latest attack vectors.


Manual penetration testing features

(Screenshot: Burp Suite Pro proxy interception)

  • Intercept everything your browser sees

A powerful proxy/history lets you modify all HTTP(S) communications passing through your browser.

  • Manage recon data

All target data is aggregated and stored in a target site map - with filtering and annotation functions.

  • Expose hidden attack surface

Find hidden target functionality with an advanced automatic discovery function for “invisible” content.

  • Test for clickjacking attacks

Generate and confirm clickjacking attacks for potentially vulnerable web pages, with specialist tooling.

  • Work with WebSockets

WebSockets messages get their own specific history - allowing you to view and modify them.

  • Break HTTPS effectively

Proxy even secure HTTPS traffic. Installing your unique CA certificate removes associated browser security warnings.

  • Manually test for out-of-band vulnerabilities

Make use of a dedicated client to incorporate Burp Suite’s out-of-band (OAST) capabilities during manual testing.

  • Speed up granular workflows

Modify and reissue individual HTTP and WebSocket messages, and analyze the response - within a single window.

  • Quickly assess your target

Determine the size of your target application. Auto-enumeration of static and dynamic URLs, and URL parameters.

  • Assess token strength

Easily test the quality of randomness in data items intended to be unpredictable (e.g. tokens).

Advanced/custom automated attacks

  • Faster brute-forcing and fuzzing

Deploy custom sequences of HTTP requests containing multiple payload sets. Radically reduce time spent on many tasks.

  • Query automated attack results

Capture automated results in customized tables, then filter and annotate to find interesting entries/improve subsequent attacks.

  • Construct CSRF exploits

Easily generate CSRF proof-of-concept attacks. Select any suitable request to generate exploit HTML.

  • Facilitate deeper manual testing

See reflected/stored inputs even when a bug is not confirmed. Facilitates testing for issues like XSS.

  • Scan as you browse

The option to passively scan every request you make, or to perform active scans on specific URLs.

  • Automatically modify HTTP messages

Settings to automatically modify responses. Match and replace rules for both responses and requests.

(Screenshot: Burp Suite Pro Intruder payload positions)

Automated scanning for vulnerabilities

(Screenshot: Burp Suite Pro scan results)

  • Harness pioneering AST technology

High signal, low noise. Scan with pioneering, friction-free, out-of-band application security testing (OAST).

  • Conquer client-side attack surfaces

Hybrid AST and built-in JavaScript analysis engine help to find holes in client-side attack surfaces.

  • Fuel vulnerability coverage with research

Cutting-edge scan logic from PortSwigger Research combines with coverage of over 100 generic bugs.

  • Fine-tune scan control

Get fine-grained control, with a user-driven scanning methodology. Or, run “point-and-click” scans.

  • Remediate bugs effectively

Custom descriptions and step-by-step remediation advice for every bug, from PortSwigger Research.

  • Configure scan behavior

Customize what you audit, and how. Skip specific checks, fine-tune insertion points, and much more.

  • Navigate difficult applications

Crawl more complex targets. Burp Suite’s crawler identifies locations based on content - not just URL.

  • Effectively apply IAST

Source identification and vulnerability reporting simplified, with optional code instrumentation.

  • Experience browser-driven scanning

Browser-driven scanning is already striding toward better coverage of tricky targets like AJAX-heavy single page apps.

Productivity tools

  • Deep-dive message analysis

Show follow-up, analysis, reference, discovery, and remediation in a feature-rich HTTP editor.

  • Utilize both built-in and custom configurations

Access predefined configurations for common tasks, or save and reuse custom configurations.

  • Multiply project options

Auto-save all working projects to disk, and add configurations to pre-saved projects.

  • Make code more readable

Automatically pretty-print code formats including JSON, JavaScript, CSS, HTML, and XML.

  • Easily remediate scan results

See source, discovery, contents, and remediation, for every bug, with aggregated application data.

  • Simplify scan reporting

Customize with HTML/XML formats. Report all evidence identified, including issue details.

  • Speed up data transformation

Decode or encode data, with multiple built-in operations (e.g. Hex, Octal, Base64).

(Screenshot: Burp Suite Pro pretty-printing)

Extensions

(Screenshot: PortSwigger BApp Store)

  • Create custom extensions

Extender API ensures universal adaptability. Code custom extensions to make Burp work for you.

  • Logger++

For in-depth vulnerability detail, ordered and arranged in an easily accessible table, make use of Logger++.

  • Autorize

When testing for authorization vulnerabilities, save time and perform repeat requests with Autorize.

  • Turbo Intruder

Configured in Python, with a custom HTTP stack, Turbo Intruder can unleash thousands of requests per second.

  • J2EE Scan

Expand your Java-specific vulnerability catalogue and hunt the most niche bugs, with J2EEScan.

  • Access the extension library

The BApp Store customizes and extends capabilities. Over 250 extensions, written and tested by Burp users.

  • Upload Scanner

Adapt Burp Scanner’s attacks by uploading and testing multiple file-type payloads, with Upload Scanner.

  • AuthMatrix

Run AuthMatrix with Autorize to define your access-level vulnerability authorization check.

  • Param Miner

Quickly find unkeyed inputs with Param Miner - can guess up to 65,000 parameter names per second.

  • Backslash Powered Scanner

Find research-grade bugs, and bridge human intuition and automation, with Backslash Powered Scanner.



  • macOS Big Sur 11

  • Ubuntu Desktop 20.04, built and verified on the GNOME desktop environment

  • Burp Suite Pro for macOS
    Updated 2021-11-05: fixed the keygen failing to run in the previous version (important), and fixed the duplicate AppID issue.
    Baidu Netdisk link: https://pan.baidu.com/s/1o72UPQfOUI4rRxJJdg-GYQ Extraction code: jed4

    Bundled keygen; runs directly, no separate Java installation required

    Original icon restored, adapted for Big Sur

    Known issues: on the first run the window becomes very small; drag to resize it and it will be normal on the next launch. The running application shows the Java icon, which is rather ugly, because a Java loader is used.

  • Burp Suite Pro for Linux
    Baidu Netdisk link: https://pan.baidu.com/s/13tce9ciXhTUPpu7iaCzzHg Extraction code: 3ota

    Install: chmod +x burpsuitepro-linux-2021.5.1.bin && sudo ./burpsuitepro-linux-2021.5.1.bin

    Integrated installation, registration and uninstallation; no separate Java installation required

