Saving and Restoring State
[Pro version] The functions to save and restore state can be accessed from the Burp menu.
Saving State
The items that can be saved are as follows:
- The Target site map, which includes all of the content discovered via the Proxy and Spider.
- The Proxy history.
- The issues identified by the Scanner, and the active scan queue.
- The contents and histories of the Repeater tabs.
- The configuration of all suite tools.
Selecting "Save state" from the Burp menu launches a wizard where you can choose the items whose state and configuration you want to save, and select the output file. The following options are also available:
- Save in-scope items only - If this option is selected, only in-scope items from each tool's state are saved. This option is useful for removing superfluous content from the state file and reducing its size.
- Passwords within configuration options - This lets you configure whether any passwords contained in the tools' configuration (for example, credentials for an upstream proxy server) are stored in the state file, and if so whether they are encrypted using a master password. When the state file is restored, Burp prompts you to enter the passwords that were not saved, or to enter the master password, as appropriate.
You can continue using Burp while its state is being saved, although you may experience brief delays if you try to perform an operation on data that Burp is in the process of saving; these delays prevent data corruption.
Restoring State
Selecting "Restore state" from the Burp menu launches a wizard where you can choose the items whose state and configuration you want to restore. The first step is to select a state file that you previously saved. Burp then analyses the file to determine its contents (i.e., the tools whose state and configuration it contains). You can then choose which tools' state and configuration you want to restore, and whether to add to or replace each tool's existing state.
You can optionally tell Burp to pause the Spider and Scanner tools following the restore. This option is on by default and is usually desirable when restoring an old state file, to avoid inadvertently attacking any targets that are in scope for that state file and that have actions pending in the Spider or Scanner queues.
You can continue using Burp while its state is being restored, although you may experience brief delays if you try to perform an operation on data that Burp is in the process of restoring; these delays prevent data corruption.
Usage Scenarios
The ability to save and restore tool state and configuration is of huge benefit to penetration testers:
- You can save your work at the end of each day and seamlessly resume it the next morning.
- You can back up key test information throughout a job, in case of system crashes.
- At the end of an engagement, you can store a full archive of all accumulated information, enabling you to re-open your work at a later point, to answer a client question or re-test a fixed issue.
- The task of mapping out an application's content can be divided up between consultants, and the resulting site maps can be merged incrementally into one, for all consultants to share.
- Team leaders can optimize Burp's configuration for a particular engagement, including fine-grained target scope definition, and pass this configuration straight to other team members to begin testing.
- You can create configuration templates designed for different kinds of task, save these for future use, and switch between them easily.
Monday, November 3, 2014
v1.6.07
This release contains various enhancements to the Scanner engine logic, to improve both the reliability of issue reporting, and the quality of proof-of-concept exploits. Improvements have been made to the following checks:
- OS command injection
- SQL injection
- HTTP response header injection
- File path traversal
- Server-side JavaScript / NoSQL injection
- Reflected cross-site scripting
- Various DOM-based issues
- Open redirection