Burp Suite Professional’s User Interface is one of the most advanced Java UIs out there, but everyone has a bad day now and then. Frustratingly, the tool’s Message Editor can sometimes misrepresent where you are editing, including both the cursor represented by the pipe character (“|”) and text selections made using the mouse.
Cursor Chaos
This situation makes the tool basically unusable for any manual testing. As seen in the video above, which shows a magnified view of Burp’s Intruder tool, highlighted selections used to mark injection points cannot be relied upon. Pressing backspace might cause a character two places behind the cursor to disappear. The effect is even variable within a line of text — while it may delete two characters behind on the left of the screen, it could be three or four on the right side of the screen.
The Doctor Is In
What’s the prognosis? In my case, the problem was scaling issues within Burp due to an unconventional setup. I was viewing Burp in a VMware Horizons VDI client window. This meant there were probably multiple scaling factors in place: Burp’s scaling to fit the VDI environment, and the VMware Horizons client applying its own scaling to my local operating system. I was also using an external monitor, so perhaps another scaling function was applied there. The layers of scaling make for some really strange selection behavior, but can be easily fixed using a command argument to Java when opening Burp, to lock scaling to 100%:
> java -jar -Dsun.java2d.uiScale=1 burpsuite_pro_vVERSION.jarBack in business!
MORE FROM WHITE OAK SECURITY
White Oak Security provides deep-dive offensive security testing. We are a highly skilled and knowledgeable cyber security and penetration testing company that works hard to help organizations strengthen their security posture by getting into the minds of opponents to try to protect those we serve from malicious threats through expertise, integrity, and passion.
Our unique industry experience allows us to offer a wide range of services to help analyze and test information security controls and provide guidance to prioritize and remediate vulnerabilities.