Thursday, 03 March 2022 / Published in Brand, PortSwigger

Burp Suite Enterprise Edition Product Latest Release and Build

Burp Suite Enterprise Edition Product Latest Release and Build, this is an ongoing and incremental update post, we consolidate all information into a single post for users who want to know all the updates, new features and fixes along the edition.

Latest release and build will show at the top of the post, and the oldest information will at bottom. If you are looking for the Burp Suite Enterprise Edition product information like features and benefits, please read it from this dedicated post link https://www.e-spincorp.com/burp-suite-enterprise-edition/

Enterprise Edition 2022.2.1 Release 2022-Mar-3

This release provides a number of minor improvements and bug fixes. For example:

When you run a scan with verbose logging enabled, you can now download the scan’s project file for debugging purposes.
We have fixed a bug that was preventing email notifications for new updates from being sent to customers who are running the 2022.2 release.

Enterprise Edition Jenkins plugin 2022.2 Release 2022-Mar-1

This release fixes the Jenkins plugin. The previous version was causing the Burp Suite Enterprise Edition UI to become non-functional when used in combination with the kubernetes-cli plugin. This was due to a jQuery conflict.

Enterprise Edition 2022.2 Release 2022-Feb-23

This release provides a number of minor improvements and bug fixes. For example:

We have fixed a bug that was preventing the database server from shutting down during Enterprise server updates. This was causing version mismatches between the two servers.
We have amended the Jira settings UI page so that it is consistent with the existing Trello and Gitlab settings pages.
We have made performance improvements to the site tree. Previously, the UI could become unresponsive when importing or performing bulk actions on large numbers of sites.

Enterprise Edition 2022.1.1 Release 2022-Feb-21

This release does not provide any additional functionality. It simply implements some background changes in preparation for a future release, which will enable a brand new option for deploying to Kubernetes using a Helm chart. This will replace our existing AWS CloudFormation and Azure Resource Manager deployment methods.

Please note that if you deployed Burp Suite Enterprise Edition using our existing AWS CloudFormation or Azure Resource Manager templates, this is the last version that those deployments will support. You will need to migrate using the new Helm chart (coming soon) before you can install any future updates.

Enterprise Edition 2022.1 Release 2022-Jan-21

This release offers a number of minor improvements and bug fixes such as:

You are now given alert through the scan log when the assigned agent machine has insufficient resources available to run a scan in order to prevent overloading machines with too many concurrent scans that can lead to poor performance or cause scans to fail.
You are provided with bug fix that prevent bulk site imports from a CSV file working as expected.
You are provided with bug fix that prevent from applying self-signed certificates for connecting to an SMTP server using TLS.

Enterprise Edition 2021.12.1 Release 2021-Dec-15

This release came with the audited version of both Burp Suite Enterprise Edition and Burp Suite Professional/Community Edition. The release focuses on making sure that both versions are not vulnerable to the latest discovery on vulnerability in the Java logging library Log4j. Even though this library was present in Burp Suite Enterprise Edition because of transitive dependency, it was not used.

Importantly, you should disable third-party extensions while they are audited as they may appear vulnerable.

Jira bug fix

This release includes bug fixes that disable you to create Jira tickets from Burp Suite Enterprise Edition.

Cloud deployment links

AWS CloudFormation or Azure Resource Manager templates will be replaced with the release of a more improved, simpler deployment method soon. It is recommended to wait for the release instead.

Enterprise Edition 2021.12 Release 2021-Dec-15

This release allows bulk actions for sites and scans as well as integration with GitLab and Trello which enable you to raise tickets for any vulnerabilities detected by your scans.

Bulk actions for sites and scans

Now, you are able to perform common actions on multiple items at the same time from the Sites and Scans pages which includes:

Moving sites and folders
Deleting sites and folders
Launching quick scans
Cancelling or deleting scans

The bulk actions menu which appears automatically during selection of one or more items using the checkboxes to the left of the page. helps you save significant amount of time and effort particularly when managing your site tree.

Trello and GitLab integration

Connecting to Burp Suite Enterprise Edition to both Trello and GitLab are now available. Therefore, for any vulnerabilities detected by your scans, you can create Trello cards or raise GitLab issues from the Burp Suite Enterprise Edition web UI.

Refer to the documentation for information on how to configure the integration.

Microsoft SQL Server 2019 support

Microsoft SQL Server 2019 databases is available to use with Burp Suite Enterprise Edition. Refer to the documentation for a complete list of supported database types.

GraphQL upgrade

GraphQL implementation to GraphQL Java 17.3 have been updated in this release to improve bug fixes and also increase protection against denial-of-service attacks.

Verbose scan log

This release gives you the option to enable verbose logging when creating a one-off scan. This can be done by downloading this log from the Reporting & Logs tab.

Importantly, this feature is specifically design for technical support team (This team will occasionally ask you to activate this when helping you resolve a problem.

Bug fixes

This release consists of several minor bug fixes. The most notable bug fixes feature that have been added are improved uninstallerthat allow you to lower the chance of issues arising when reinstalling at a later date as well as an issue that may occur when running the database transfer tool with MySQL 8 databases.

Cloud deployment links

AWS CloudFormation or Azure Resource Manager templates will be replaced with the release of a more improved, simpler deployment method soon.

Enterprise Edition 2021.11 Release 2021-Nov-11

This release provides a new option for preconfiguring and adding a large number of sites in bulk, adds support for Slack integration, and enables user provisioning and decommissioning via SCIM. It also contains a number of minor improvements and bug fixes.

Add multiple sites in bulk

Instead of adding and configuring sites in Burp Suite Enterprise Edition one by one, you can now preconfigure and import a large number of sites at once from a CSV file.

You can download our template from the Sites page by clicking Import Sites.

For more information, please refer to the documentation.

Receive automated scan notifications via Slack

You can now connect Burp Suite Enterprise Edition to Slack. Once configured, this enables you to automatically notify teams via their Slack channels whenever a scan starts, fails, or finishes for a given site.

As you assign Slack channels on a site-by-site basis, you can ensure that channels only receive notifications about sites that are relevant to them.

For details on how to configure the integration, please refer to the documentation.

Improved user lifecycle management via SCIM (on-premise only)

For on-premise installations of Burp Suite Enterprise Edition, you can now enable SCIM in order to simplify the process of provisioning and decommissioning users and groups from a central identity provider (IdP).

SCIM is typically integrated in conjunction with SAML. This means you can create, update, and delete your users and groups using SCIM, while SAML is reserved exclusively for authentication via your IdP.

We have fully tested SCIM integrations with the following IdPs:

Okta
OneLogin

For more information, please refer to the documentation.

Add new sites to a new folder

When adding a new site, you now have the option to create a new folder for it at the same time. Previously, you could only add sites to existing folders.

Bug fixes

We have also fixed a number of bugs, most notably one that caused issues for some users when attempting to update Burp Scanner.

Enterprise Edition 2021.8.1 Released 2021-Sep-8

This release gives several bug fixes; one particularly for a bug that caused an abundant number of email notifications to be sent to some users.

Cloud deployment links

In order to apply this release of Burp Suite Enterprise Edition to the cloud, use the following links to access the corresponding instructions and templates for the preferred platform.

AWS

Azure

Enterprise Edition 2021.8 Released 2021-Aug-25

This release allows you to install extensions and adds some Scanner compatibility improvements, telemetry collection, and some bug fixes.

Extensions support

This release of Burp Suite Enterprise Edition enables you to use extensions to expand and customize its scanning functionality. For example, you could use an extension to scan for a specific vulnerability or to expand your logging.

With this release, Enterprise Edition supports custom extensions written in java and BApps identified as Enterprise Edition compatible. The BApp store has been updated to identify which products each BApp is compatible with. Those with the Enterprise tag can be downloaded from the BApp store and uploaded to the Enterprise extensions library.

Scanner compatibility

Burp Suite Enterprise Edition and Burp Scanner are updated and installed independently. Each component has dependencies (such as the JRE version) that mean not all versions are compatible with each other.

You will get a notification to update your version of Enterprise Edition from Managing updates when you are updating components manually and trying to upgrade to a version of Burp Scanner that is not compatible with your version of Enterprise Edition before installing the new Scanner. You will also receive emails about the release of a new version of Burp Scanner that is incompatible with your version of Enterprise Edition.

Telemetry collection

Starting with this release, we are collecting telemetry that will allow us to understand your usage of Burp Suite Enterprise Edition better, and offer you more cost-effective options. We will not be capturing any information about the sites that you are scanning or any details of your scan results.

Bug fixes

This release includes the following bug fixes:

You can now use Cyrillic characters in group names.
GraphQL queries no longer return incorrect null values in Issue fields.
We fixed several minor bugs.

Cloud deployment links

If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for the preferred platform.

AWS

Azure

Enterprise Edition 2021.6 Released 2021-Jun-25

This release includes a Java update and several minor improvements as well as bug fixes.

Update to Java 11

Burp Suite Enterprise Edition is updated to Java version 11.

Minor improvements

This release includes the following minor improvements:

Change in security settings is not needed when installing Burp Suite Enterprise Edition on a MacOS machine
We have made several small improvements to the user interface.

Bug fixes

Scans are now reported correctly in the UI and GraphQL if the browser crashes during the scan.
The user count now only includes users created directly in Burp Suite Enterprise Edition. External users, such as those logged in via SSO, will no longer be included.

Cloud deployment links

If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.

AWS

Azure

Enterprise Edition 2021.4.1 Released 2021-Apr-29

This release gives the ability to arrange agent machines and target sites into pools in order to better organize your scanning resources. There is also significant improvements included to the user interface and navigation like a new scan results page design. It also include several bugs fixes.

Agent machine pools

Agent machines and sites are now organized into agent machine pools. All agent machines and all sites are assigned to one and only one agent machine pool. Unless you specify otherwise, all agent machines and sites will be assigned to the same default pool. An agent will only scan a site if the site belongs to the same agent machine pool as the agent’s machine.

Agent machine pools support the “agent affinity” concept and are useful if you have a need to limit which agent machines can scan certain sites. Agent machine pools stop the problem of a scan failing because the relevant machine is busy elsewhere, or an assigned agent being unable to access a restricted site for a scan. Sample uses for agent machine pools are:

Keeping the agent machines and sites for one geographic area together.
Allocating the resources of one team.
Scanning sites with restricted access.
Reserving agent machines for specific purposes, such as a CI/CD pipeline or ad-hoc scanning.

UI and navigation improvements

We have improved the user interface and experience throughout Burp Suite Enterprise Edition. These improvements include:

We have improved the way we present scan results, to make access for information quicker and to make understanding the results easier. These changes include a set of tabs to show scan details and a site tree view for scanned sites. See here for the details of the changes.
We have added a new wizard to make integration with Jira easier.
The interface is now more consistent across Teams pages.
We added a page to the help center that directs uses to key category pages of documentation.
We improved navigation throughout Burp Suite Enterprise Edition.

New user permission for viewing site login details

We have created a new user permission for viewing login details (credentials and/or recorded login sequences) associated with sites. This permission is not assigned to any user by default.

Bug fixes

This release also includes several bug fixes, including:

Migrations to MS-SQL databases no longer fail when the username includes a backslash character.
When performing an offline update under Windows, you are now correctly redirected to the updated software.
Scans no longer incorrectly report scan failure when the scan path contains 4-byte unicode characters.
LDAP connections no longer fail when there are Cyrillic characters in the user name.
Filters for the schedule_items query in GraphQL are now enums rather than strings. See more details here.
Requesting issue type descriptions through GraphQL now correctly returns the description and remediation.
Database transfers to databases with custom names now work correctly.
Deleting users who have defined custom scan configurations no longer causes errors.
Users with site restrictions creating sites within folders they don’t have permission to view can now correctly see the created site without having to log out and back in again.
Performing a GraphQL query of a site’s parent ID via a schedule item in a scan no longer returns an incorrect value.
A browser crashing during a browser-powered scan no longer causes an error message and the scan results to be unavailable.

New to release 2021.4.1

This release provides the following bug fix:

When upgrading from a previous version of Burp Suite Enterprise Edition and using an MS-SQL database, agent machine pool assignments now work correctly, and the site tree loads without errors.

Cloud deployment links

If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.

AWS

Azure

Enterprise Edition 2021.4 Released 2021-Apr-23

Agent machine pools

All agent machines and all sites are assigned to only one agent machine pool. Unless being specified otherwise by users, all agent machines and sites will be assigned to the same default pool. An agent will only scan a site if the site belongs to the same agent machine pool as the agent’s machine.

Keeping the agent machines and sites for one geographic area together.
Allocating the resources of one team.
Scanning sites with restricted access.
Reserving agent machines for specific purposes, such as a CI/CD pipeline or ad-hoc scanning.

UI and navigation improvements

We have improved the user interface and experience throughout Burp Suite Enterprise Edition. These improvements include:

Improved the presentation of the scan results – access for information are quicker to understand the results easier. These changes include a set of tabs to show scan details and a site tree view for scanned sites. See here for the details of the changes.
New wizard to make integration with Jira easier.
More consistent interface across Teams pages.
A page to the help center that directs uses to key category pages of documentation.
Improved navigation throughout Burp Suite Enterprise Edition.

New user permission for viewing site login details

We have created a new user permission for viewing login details (credentials and/or recorded login sequences) associated with sites. This permission is not assigned to any user by default.

Bug fixes

This release includes several bug fixes as below:

Migrations to MS-SQL databases no longer fail when the username includes a backslash character.
When performing an offline update under Windows, you are now correctly redirected to the updated software.
Scans no longer incorrectly report scan failure when the scan path contains 4-byte unicode characters.
LDAP connections no longer fail when there are Cyrillic characters in the user name.
Filters for the schedule_items query in GraphQL are now enums rather than strings. See more details here.
Requesting issue type descriptions through GraphQL now correctly returns the description and remediation.
Database transfers to databases with custom names now work correctly.
Deleting users who have defined custom scan configurations no longer causes errors.
Users with site restrictions creating sites within folders they don’t have permission to view can now correctly see the created site without having to log out and back in again.
Performing a GraphQL query of a site’s parent ID via a schedule item in a scan no longer returns an incorrect value.
A browser crashing during a browser-powered scan no longer causes an error message and the scan results to be unavailable.

Cloud deployment links

If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.

AWS

Azure

Enterprise Edition 2021.3.1 Released 2021-Mar-24

This release provides several major enhancements to our cloud-friendly version of Burp Suite Enterprise Edition, as well as support for a new database version.

Additional database support

You can now use an Oracle 19c database with Burp Suite Enterprise Edition. For a full list of supported database types, please refer to the system requirements.

Nested cloud templates

Both the main AWS CloudFormation template and the Azure Resource Manager template now comprise multiple “nested” templates, each with their own URL. This gives you the option to skip parts of the template and perform some of the process independently.

For example, you may prefer to set up the required infrastructure on your own and just use the template to deploy the main application. In this case, instead of entering the top-level URL for the full template in AWS/Azure, you can now just enter the URL for the deployment part.

You can find the URLs for the nested templates within the main template for each platform. We’ve also provided direct links at the bottom of these release notes. If you still want to use the full template, you can just ignore the nested ones and use the main URL in the same way as before.

Role-based access control using AWS Identity and Access Management

We now support role-based access control (RBAC) for the entire deployment process on AWS.

In previous releases, you had to provide an AWS access key and secret for the user who would be performing the deployment. This requirement has been removed completely. Instead, our IAM CloudFormation template now automatically generates roles that cover all of the required permissions, along with a corresponding group. Simply assigning the user to this group will allow them to perform the rest of the deployment.

Optional PostgreSQL database for AWS

The main AWS CloudFormation template now provides the option to automatically create and configure a new PostgreSQL database using Amazon’s Relational Database Service (RDS). This should make it much easier to get started as you won’t have to manually set up and connect to a database; most of the configuration will be done for you.

This is completely optional. If you prefer, you can still connect to any of our supported database types in the same way as before.

Improved logging for AWS deployment

On AWS, application logging is now enabled at the beginning of the deployment phase. This means that any errors that occur during the database migration will now be captured in CloudWatch, which should help with debugging.

Obfuscated credentials in AWS

All credentials that you provide in the CloudFormation template are now obfuscated. This prevents them from being viewed by other users who have access to your Burp Suite Enterprise Edition resources in the AWS Management Console.

Cloud deployment links

If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.

AWS

Azure

Enterprise Edition 2021.3 Released 2021-Mar-8

This release includes several enhancements that help you to better integrate Burp Suite Enterprise Edition with other web applications. It also adds support for some additional database versions, along with a significant number of minor improvements and bug fixes.

CORS whitelisting for enhanced integration with other web applications

If you want to integrate Burp Suite Enterprise Edition with a third-party web application, or one that you’ve developed yourself, it probably needs access to your sites and scan data. This release adds a new option that lets you whitelist trusted origins for cross-origin resource sharing (CORS) via the GraphQL API.

Once you’ve whitelisted the origin on which your other application is running, its client-side JavaScript will have access to the full functionality exposed by the GraphQL API. This allows you to develop more powerful integrated applications that can fetch the relevant data, create and edit sites, and launch new scans directly from the browser using AJAX.

By default, all cross-origin requests initiated by JavaScript in the browser will be blocked unless you have explicitly whitelisted their origin. To do this, go to the network settings page and add trusted origins to the “Allowed Origins for GraphQL API” list.

Improvements to the GraphQL API

You can now include an optional schedule_item_id parameter in a scans query. This makes it much easier to locate the Scan that was generated by a ScheduleItem you’ve just created.
You can use the new site query to fetch an individual Site by its ID. This means you no longer have to fetch the whole SiteTree in order to query a specific known Site.
You can now send gzip-encoded data to the API.

Additional database support

Burp Suite Enterprise Edition now supports the following additional database versions:

PostgreSQL 11, 12, and 13
MariaDB 10.4 and 10.5

For a full list of databases that you can use with Burp Suite Enterprise Edition, please check the system requirements.

Other improvements

If you upload an invalid recorded login script, you are now informed of this when you try to save so that you can fix the issue right away. Previously, you would only know that your script was invalid once a scan started and subsequently failed to log in.
You can no longer add end-of-scan report recipients to a site unless an admin user has configured a connection to an email server. This helps prevent situations where you mistakenly believe that colleagues are receiving scan reports even though no emails are actually being sent.
Burp Scanner’s embedded Chromium browser is now stored in the data directory that you select in the installation wizard. Previously, this would be unpacked in your home directory, which was causing issues for some customers.
On the “Site” > “Details” page, if you click on the ? icon to view the scan configuration, the configuration ID is now displayed in the URL in your browser’s address bar for easier access.
When you cancel a scan with errors, the error message is now displayed in the “Cancel scan” confirmation dialog.

Bug fixes

The link for the REST API is now generated using the correct domain name for your web server. Previously, the default IP address would still be used to generate the API link even if you had manually set a different “Web server URL” in the network settings.
A problem with our site-tree caching has been fixed. This should dramatically improve performance when using our APIs.
The database transfer tool no longer assumes that the agent user for the database is called burp_agent. You can now use the tool even if you assigned a different username when setting up your database.
A problem with the network settings page has been fixed. A bug in the previous release meant that you were unable to save changes to other settings while the “Use TLS” option was enabled.
Adding client TLS certificates to a scan configuration now works as expected. A bug in the previous release meant that you would sometimes encounter a “value required” error when trying to upload a new certificate.
We have also fixed several minor UI-related bugs that were introduced by some of our recent changes.

Cloud deployment links

If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.

AWS

Azure

Enterprise Edition 2021.1 Released 2021-Feb-2

This release provides the following bug fixes:

The process for deploying to Azure now works as expected.
Browser-powered scans are now supported on cloud-based deployments of Burp Suite Enterprise Edition. A bug in the previous release prevented Burp Scanner‘s embedded browser from starting properly.

Enterprise Edition 2020.12 Release 2020-Dec-23

This release provides the following improvements and bug fixes.

UI refresh

The UI now has a more modern look and feel. We hope you like the new design as much as we do.

New Help center and troubleshooting features

Users with permission to modify the settings can access the new “Help center” by clicking the ? icon in the upper-right corner of the screen. This provides a range of new features to help troubleshoot issues with your setup:

Diagnostics – This page provides quick access to all the background information our support team needs to know when you report an issue. It contains some basic details about your installation, memory usage, operating system, and so on. This enables you to quickly copy and paste all of this information from one place, rather than having to track it down across your system.
Debug – From time to time, the support team may ask you to enable detailed debugging for specific areas of Burp Suite Enterprise Edition. In this case, they will provide a series of values that you should enter on this page. This temporarily increases the level of detail that is included in the logs, which will help our support team get to the bottom of any issues.
Support pack – The support team may occasionally ask you to provide a collection of log files to help them troubleshoot an issue that you’ve reported. This page enables you to download various different logs as a single file so that you can easily send them to our support team.

This release also adds the following new options for downloading logs:

You can now download the logs for an individual scan. To do this, go to the scan details page for the relevant scan and select “More actions” > “Download scan log”. Note that the log is only available for scans that:
- Were successfully assigned to an agent
- Have run or started running since you upgraded to Burp Suite Enterprise Edition 2020.12
- Are less than 10 days old
You can now download the logs for an individual agent machine. To do this, go to the “Agents” page and select the relevant agent machine. In the upper-right corner, click “Download logs”.

Bug fixes

When trying to connect to Jira, receiving a response that is larger than 2 MB no longer triggers an exception.
In the “Database backup” settings, specifying a save location with dots in the path no longer causes issues. Previously, you would be prevented from saving your changes if you entered a path such as /home/user/example.directory/.
When transferring a SQL Server database with the transfer tool, you can now successfully use any target database name. Previously, the transfer would fail if the target name was anything other than burp_enterprise.

Enterprise Edition 2020.11 Release 2020-Nov-16

This release provides a new application logins option that will enable scans to handle single sign-on and other complex login mechanisms. Please note that this upgrade includes some major changes to the GraphQL API as a result.

Recorded login sequences

When adding application logins to a site, instead of simply adding basic sets of user credentials, you now have the option to upload recorded login sequences instead. A recorded login sequence is essentially a script that tells Burp Scanner exactly how to log in to the site. This enables it to handle more complex login mechanisms, including single sign-on.

To generate this script, you use our dedicated Chrome extension to record your browser interactions while you perform the login sequence manually. You then upload this script to the relevant site in Burp Suite Enterprise Edition. When scans of this site begin an authenticated crawl, Burp Scanner will start a new session in its embedded browser and use this script to replicate your actions, performing the full login sequence from scratch.

For more information, please refer to the documentation.

API scanning

Burp Scanner is now able to scan both JSON and YAML-based APIs for vulnerabilities. By default, the crawler attempts to parse any API definitions that it encounters to identify potential endpoints, along with their supported methods and parameters. Based on the endpoints that it discovers, Burp Scanner is then able to derive new locations to crawl and audit.

You can also explicitly provide the URL of an API definition in the list of included URLs for a site.

If you prefer, you can disable API scanning by deselecting the “Parse API definitions” crawl option in your scan configuration. You can find this option under “Miscellaneous”.

Please note that this initial release only supports scanning of a fairly limited range of REST APIs. For a full list of the prerequisites and limitations, please refer to the Burp Scanner documentation. We plan to further develop this feature and gradually add support for a wider range of APIs in future releases.

GraphQL API updates

In order to implement the new functionality for uploading recorded login sequences, we’ve had to make some changes to the GraphQL API. These changes may require you to refactor your existing integrations before they will work with this version of Burp Suite Enterprise Edition.

Generally speaking, the entities related to application logins have now been split in two. This is to create the distinction between sets of basic login credentials and recorded login sequences.

The full list of changes is as follows:

The type ApplicationLogin is now obsolete. This has been replaced by two new types, LoginCredential and RecordedLogin.
The new type ApplicationLogins has been added. This provides two fields, login_credentials and recorded_logins, which contain a list of LoginCredential and RecordedLogin objects respectively.
Fields that used to contain a list of the obsolete ApplicationLogin objects now contain a single object of the new type ApplicationLogins. This affects the following fields:
- The site_application_logins and schedule_item_application_logins fields of Scan objects
- The application_logins field of Site objects
The following mutations are now obsolete:
- create_site_application_login
- update_site_application_login
- delete_site_application_login
These have been replaced by the following new mutations:
- create_site_login_credential
- create_site_recorded_login
- update_site_login_credential
- delete_site_login_credential
- delete_site_recorded_login

Please note that you can add either LoginCredential or RecordedLogin objects to a Site, but not both. Querying the application_logins field for a Site will return a single ApplicationLogins object for which only one of the login_credentials and recorded_logins fields will contain data.

Improved logging

We have improved the logging of certain processes, which should make it easier to troubleshoot any problems that arise. For example, there is now much greater transparency in the log entries when backing up your database. When errors occur with Jira, the log now also provides much more detail about what the problem is.

When a scan check is abandoned due to memory allocation issues, this is now indicated in the scan results, the list of scans, and the downloadable reports. Previously, this would only be mentioned in the event log, which meant that it was easy to miss.

Bug fixes

This release also provides the following bug fixes:

The installer now works for users with an external database.
The database migration scripts no longer fail when migrating a PostgreSQL or MySQL database on Azure.
When the Enterprise server is connected to your SMTP server but cannot connect to portswigger.net, you no longer receive an excessive number of emails about this issue.

Cloud deployment links

If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.

AWS

Azure

Enterprise Edition 2020.10.1 Release 2020-Oct-19

Bug fix

This release fixes a bug in the installer that affected some customers using an Oracle database. Previously, the installer would fail if the database schema name was anything other than burp_enterprise.

Cloud deployment links

If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred cloud platform.

AWS

Azure

Enterprise Edition 2020.10 Release 2020-Oct-15

This release further improves Burp Suite Enterprise Edition‘s support for single sign-on by enabling SAML integration. It also provides major improvements to the AWS deployment process.

SAML integration

Burp Suite Enterprise Edition now supports SAML-based single sign-on. This is particularly useful for managing user authentication for cloud-based deployments.

You can integrate SAML SSO using any identity provider (IdP), but the following ones have been fully tested:

Active Directory Federation Services (ADFS)
Okta
Azure Active Directory

To configure the connection to your preferred SAML IdP, log in to Burp Suite Enterprise Edition as an administrator, select “Single sign-on” from the settings menu, then open the “SAML connection” tab.

For more detailed information, please refer to the accompanying documentation.

Other improvements

This release also provides the following improvements:

When marking all issues of the same type as false positives, you can now choose to limit this to the current scan only.
Empty placeholder pages have been improved. In each case, you will now be informed why the page is empty and prompted to perform the relevant actions to populate it with data.
Sites and folders are now displayed in alphabetical order in the site tree.
Performance has been improved when running scans that use a large number of scan configurations.

Burp Suite Enterprise Edition on the cloud

This release provides major usability improvements to the deployment process for Burp Suite Enterprise Edition on AWS.

Most notably, the CloudFormation template now creates all of the required AWS infrastructure for you. This includes creating a new Virtual Private Cloud (VPC), so you no longer need to set this up manually. We hope that this will make it much easier to get up and running.

Secondly, there are now two CloudFormation templates for each release of Burp Suite Enterprise Edition:

The main template, which is used to create the required AWS environment and deploy the application.
The IAM template, which is used to create the relevant IAM users.

Previously, some customers faced issues when the user performing the deployment did not have the appropriate permissions to create IAM users. Now that this is handled in a separate template, you can easily hand over this part of the setup process to the relevant team within your organization.

If you want to deploy Burp Suite Enterprise Edition 2020.10 to the cloud for beta testing, you can download the template for your preferred cloud platform from the links below.

AWS

Azure

Bug Fixes

We have also provided the following bug fixes:

Reinstalling Burp Suite Enterprise Edition for use with an existing database no longer causes issues.
You can now successfully run the installer over an existing installation, for example, to fix any missing libraries.
When the API key is generated for a new API user, long domain names no longer cause the URL to exceed the boundaries of the text field.
The option for creating Jira sub-tasks has been removed to avoid invalid issue type errors. Creating sub-tasks is not supported by the Jira API.
You can now update the port for your web server’s HTTPS URL without having to upload a new certificate.
We have made minor corrections to the GraphQL API reference documentation.

Enterprise Edition 2020.7 Release 2020-Jul-23

This release provides several improvements to our APIs and continues the ongoing improvements to the Burp Suite Enterprise Edition UI.

GraphQL API

We recently released a new GraphQL API to improve the integration of Burp Suite Enterprise Edition with other tools. This release implements the following changes:

You can now apply a site_id filter to the scans query. This enables you to fetch all scans for a given site.
When fetching issues for a scan, specifying a type_index is now optional. This enables you to fetch all issues for a scan directly. Previously, you first had to fetch the issues grouped by type.
We’ve added a new type IssueType, which contains information relevant to a specific issue type, such as a description and remediation advice. Instances of the type Issue now also contain an issue_type field that allows you to fetch this information.

We have also made the following adjustments to the names of some entities:

To allow for the new type IssueType, the query issue_types has been renamed to issue_type_groups. Similarly, the existing type IssueType has now been renamed to IssueTypeGroup.
For the input object DeauthorizeAgentInput, we have renamed the machine_id field to just id.

REST API

When you apply a custom scan configuration to a scan using the REST API, you can now save it as a named configuration for reuse in future scans. Previously, a custom scan configuration assigned using the REST API would be deleted after the scan was completed.

UI improvements

This release provides more improvements to the Burp Suite Enterprise Edition UI. The placeholder pages that are displayed before you have added a site or run a scan are now much more intuitive.

Bug fixes

We’ve also provided several minor bug fixes, most notably:

Active Directory users can now view the scan results by clicking on a scan.
Scans that fail to start now appear as failed in the list of scans. This frees up the assigned agent so that you can use it to perform another scan.

Burp Suite Enterprise Edition Cloud

If you want to deploy Burp Suite Enterprise Edition 2020.7 to the cloud for beta testing, you can download the corresponding template for your preferred cloud platform AWS or Azure.

Enterprise Edition 2020.6 Release 2020-Jul-7

This release provides major usability improvements and adds support for single sign-on. We are also pleased to announce a beta release for the cloud-native Burp Suite Enterprise Edition on both AWS and Azure.

UI improvements

Over the next few months, we’re working on improving the usability of Burp Suite Enterprise Edition by upgrading the UI. This release includes the first set of these changes:

The header menu has been redesigned to make it much easier to navigate. You can now jump straight to the most commonly used parts of the application with a single click.
The pages for creating, editing, and viewing both sites and scans have been redesigned to make them much more intuitive.
The overall look-and-feel of some screens has been updated. These changes will be rolled out across other parts of the application in upcoming releases.

Single sign-on

You can now configure an LDAP connection between Burp Suite Enterprise Edition and your Active Directory. This enables you to manage your Burp Suite Enterprise Edition users centrally using single sign-on, just like you might already do with other applications.

Once you configure the connection, you simply create user groups in Burp Suite Enterprise Edition that correspond to the groups in your Active Directory. Users can then log in using their existing credentials. User permissions within the application are controlled on the group level, removing the need to create and manage dedicated users for Burp Suite Enterprise Edition.

For more information, please refer to the product documentation.

Burp Suite Enterprise Edition on the cloud

A beta release is now available for deploying Burp Suite Enterprise Edition natively on both AWS and Azure.

Note that you will need a separate Burp Suite Enterprise Edition license for your cloud-based deployment, even if you already have a license for an on-premise installation. You can request a trial license or purchase a new license from portswigger.net.

You can use the links below to download the corresponding template for deploying to your preferred platform. We have also provided installation instructions to help get you started.

AWS

- - AWS CloudFormation template
  - AWS instructions

Azure

- - Azure Resource Manager template
  - Azure instructions

Bug fixes

We have also implemented several minor bug fixes and performance improvements.

Enterprise Edition 2021.4.1 Release 2021-Apr-29

This release provides the ability to arrange your agent machines and target sites into pools, to better organize your scanning resources. It also includes significant improvements to the user interface and navigation such as a new scan results page design. The release also fixes several bugs.

Agent machine pools

Keeping the agent machines and sites for one geographic area together.
Allocating the resources of one team.
Scanning sites with restricted access.
Reserving agent machines for specific purposes, such as a CI/CD pipeline or ad-hoc scanning.

UI and navigation improvements

We have improved the user interface and experience throughout Burp Suite Enterprise Edition. These improvements include:

We have improved the way we present scan results, to make access for information quicker and to make understanding the results easier. These changes include a set of tabs to show scan details and a site tree view for scanned sites.
We have added a new wizard to make integration with Jira easier.
The interface is now more consistent across Teams pages.
We added a page to the help center that directs uses to key category pages of documentation.
We improved navigation throughout Burp Suite Enterprise Edition.

New user permission for viewing site login details

We have created a new user permission for viewing login details (credentials and/or recorded login sequences) associated with sites. This permission is not assigned to any user by default.

Bug fixes

This release also includes several bug fixes, including:

Migrations to MS-SQL databases no longer fail when the username includes a backslash character.
When performing an offline update under Windows, you are now correctly redirected to the updated software.
Scans no longer incorrectly report scan failure when the scan path contains 4-byte unicode characters.
LDAP connections no longer fail when there are Cyrillic characters in the user name.
Filters for the schedule_items query in GraphQL are now enums rather than strings.
Requesting issue type descriptions through GraphQL now correctly returns the description and remediation.
Database transfers to databases with custom names now work correctly.
Deleting users who have defined custom scan configurations no longer causes errors.
Users with site restrictions creating sites within folders they don’t have permission to view can now correctly see the created site without having to log out and back in again.
Performing a GraphQL query of a site’s parent ID via a schedule item in a scan no longer returns an incorrect value.
A browser crashing during a browser-powered scan no longer causes an error message and the scan results to be unavailable.

Enterprise Edition 2021.4 Release 2021-Apr-23

Agent machine pools

Keeping the agent machines and sites for one geographic area together.
Allocating the resources of one team.
Scanning sites with restricted access.
Reserving agent machines for specific purposes, such as a CI/CD pipeline or ad-hoc scanning.

UI and navigation improvements

We have improved the user interface and experience throughout Burp Suite Enterprise Edition. These improvements include:

We have improved the way we present scan results, to make access for information quicker and to make understanding the results easier. These changes include a set of tabs to show scan details and a site tree view for scanned sites.
We have added a new wizard to make integration with Jira easier.
The interface is now more consistent across Teams pages.
We added a page to the help center that directs uses to key category pages of documentation.
We improved navigation throughout Burp Suite Enterprise Edition.

New user permission for viewing site login details

We have created a new user permission for viewing login details (credentials and/or recorded login sequences) associated with sites. This permission is not assigned to any user by default.

Bug fixes

This release also includes several bug fixes, including:

Migrations to MS-SQL databases no longer fail when the username includes a backslash character.
When performing an offline update under Windows, you are now correctly redirected to the updated software.
Scans no longer incorrectly report scan failure when the scan path contains 4-byte unicode characters.
LDAP connections no longer fail when there are Cyrillic characters in the user name.
Filters for the schedule_items query in GraphQL are now enums rather than strings.
Requesting issue type descriptions through GraphQL now correctly returns the description and remediation.
Database transfers to databases with custom names now work correctly.
Deleting users who have defined custom scan configurations no longer causes errors.
Users with site restrictions creating sites within folders they don’t have permission to view can now correctly see the created site without having to log out and back in again.
Performing a GraphQL query of a site’s parent ID via a schedule item in a scan no longer returns an incorrect value.
A browser crashing during a browser-powered scan no longer causes an error message and the scan results to be unavailable.

Enterprise Edition 2021.3.1 Release 2021-Mar-23

This release provides several major enhancements to our cloud-friendly version of Burp Suite Enterprise Edition, as well as support for a new database version.

Additional database support

You can now use an Oracle 19c database with Burp Suite Enterprise Edition. For a full list of supported database types, please refer to the system requirements.

Nested cloud templates

Role-based access control using AWS Identity and Access Management

We now support role-based access control (RBAC) for the entire deployment process on AWS.

Optional PostgreSQL database for AWS

This is completely optional. If you prefer, you can still connect to any of our supported database types in the same way as before.

Improved logging for AWS deployment

Obfuscated credentials in AWS

Enterprise Edition generic CI/CD driver 2021.3 Release 2021-Mar-18

This release greatly improves the usability of Burp Suite Enterprise Edition’s generic, platform-agnostic CI/CD driver by adding a new “site-driven scan” integration option. Don’t worry, it still includes the legacy “Burp scan” option, which you can use in the same way as before. This means you can make the switch to the new driver without breaking your existing integrations.

Prerequisites

Please note that in order to use the new site-driven scan option, you also need to upgrade Burp Suite Enterprise Edition to version 2021.3 or higher.

What is the CI/CD driver?

Our CI/CD driver enables you to integrate automated vulnerability scans into your existing pipelines on almost any platform. You can then configure rules for failing the build based on the scan’s results. This helps you to catch bugs earlier in your development process by adopting a DevSecOps approach, with minimal disruption to your existing workflow.

Our platform-agnostic driver comes in the form of a JAR file, which you simply run from a command-line build step in your CI/CD pipeline. Any configuration options are set using a series of parameters.

If you use Jenkins or TeamCity, please be aware we also provide native plugins for both of these platforms. The plugins offer all of the same functionality as our generic CI/CD driver, but they allow you to configure the various options via the native platform UI instead of using shell commands. Both of these plugins are also available from our releases page

Site-driven scans

The new “site-driven scan” integration option provides the following key advantages.

Manual site matching

Your sites are automatically fetched from Burp Suite Enterprise Edition via its GraphQL API. This means that when adding a vulnerability scan to your pipeline, you can manually select the exact site that it relates to. Previously, you had to rely on the automated site-matching rules.

Manually matching your sites and scans ensures that all of your scan data is associated with the correct site and that results are seamlessly aggregated from both user-created and CI/CD-generated scans. This allows you to take full advantage of Burp Suite Enterprise Edition’s powerful analytics features and accurately monitor changes to your security posture over time.

Greatly simplified integration process

Site-driven scans also have access to most of your site data from Burp Suite Enterprise Edition. This includes the default scan configurations, URL scope, false positive settings, and so on. As a result, you no longer need to manually provide this information in your build step. This makes the integration process much simpler and removes the need to create custom JSON scan definitions.

Instead, you simply create and configure your site as normal using Burp Suite Enterprise Edition’s intuitive web UI. You can then test your site and scan configuration by running a few scans manually, tweaking the behavior if necessary. Once you’re satisfied with everything, you just select this site from your CI/CD build step and all of these settings will be used automatically. Any subsequent changes you make to your site in the Burp Suite Enterprise Edition web UI will be automatically reflected in your CI/CD system the next time you run a build.

Burp scans

To provide continued support for any existing integrations that you may have configured, this release also retains the legacy “Burp scan” option in its original form.

This is useful in some cases, such as when you want to run a one-off scan and do not want its results to be linked to a particular site. However, for most new integrations, we recommend using the new site-driven scan option instead.

For more detailed information about the pros and cons of both approaches, please refer to the documentation.

Enterprise Edition Jenkins plugin 2021.3 Released 2021-Mar-18

This release greatly improves the usability of Burp Suite Enterprise Edition’s native Jenkins plugin by adding a new “site-driven scan” integration option. Don’t worry, it still includes the legacy “Burp scan” option, which you can use in the same way as before. This means you can upgrade to the new plugin without breaking your existing integrations.

Prerequisites

Please note that in order to use the new site-driven scan option, you also need to upgrade Burp Suite Enterprise Edition to version 2021.3 or higher.

What is the Jenkins plugin?

Our native Jenkins plugin enables you to integrate automated vulnerability scans into your existing pipelines and configure rules for failing the build based on the scan’s results. This helps you to catch bugs earlier in your development process by adopting a DevSecOps approach, with minimal disruption to your existing workflow.

The plugin offers all of the same functionality as our generic CI/CD driver, but also adds two custom build step types to Jenkins. This allows you to configure the various options using the Jenkins web interface rather than having to use a shell command.

Site-driven scans

The new “site-driven scan” integration option provides the following key advantages.

Manual site matching

Manually matching your sites and scans ensures that all of your scan data is associated with the correct site and that results are seamlessly aggregated from both user-created and Jenkins-generated scans. This allows you to take full advantage of Burp Suite Enterprise Edition’s powerful analytics features and accurately monitor changes to your security posture over time.

Greatly simplified integration process

Instead, you simply create and configure your site as normal using Burp Suite Enterprise Edition’s intuitive web UI. You can then test your site and scan configuration by running a few scans manually, tweaking the behavior if necessary. Once you’re satisfied with everything, you just select this site from your Jenkins build step and all of these settings will be used automatically. Any subsequent changes you make to your site in the Burp Suite Enterprise Edition web UI will be automatically reflected in Jenkins the next time you run a build.

Burp scans

To provide continued support for any existing integrations that you may have configured, this release also retains the legacy “Burp scan” option in its original form.

For more detailed information about the pros and cons of both approaches, please refer to the documentation.

Enterprise Edition TeamCity plugin 2021.3 Release 2021-Mar-18

This release greatly improves the usability of Burp Suite Enterprise Edition’s native TeamCity plugin by adding a new “site-driven scan” integration option. Don’t worry, it still includes the legacy “Burp scan” option, which you can use in the same way as before. This means you can upgrade to the new plugin without breaking your existing integrations.

Prerequisites

Please note that in order to use the new site-driven scan option, you also need to upgrade Burp Suite Enterprise Edition to version 2021.3 or higher.

What is the TeamCity plugin?

Our native TeamCity plugin enables you to integrate automated vulnerability scans into your existing pipelines and configure rules for failing the build based on the scan’s results. This helps you to catch bugs earlier in your development process by adopting a DevSecOps approach, with minimal disruption to your existing workflow.

The plugin offers all of the same functionality as our generic CI/CD driver, but also adds two custom build step runner types to TeamCity. This allows you to configure the various options using the TeamCity web interface rather than having to use a shell command.

Site-driven scans

The new “site-driven scan” option provides the following key advantages.

Manual site matching

Manually matching your sites and scans ensures that all of your scan data is associated with the correct site and that results are seamlessly aggregated from both user-created and TeamCity-generated scans. This allows you to take full advantage of Burp Suite Enterprise Edition’s powerful analytics features and accurately monitor changes to your security posture over time.

Greatly simplified integration process

Instead, you simply create and configure your site as normal using Burp Suite Enterprise Edition’s intuitive web UI. You can then test your site and scan configuration by running a few scans manually, tweaking the behavior if necessary. Once you’re satisfied with everything, you just select this site from your TeamCity build step and all of these settings will be used automatically. Any subsequent changes you make to your site in the Burp Suite Enterprise Edition web UI will be automatically reflected in TeamCity the next time you run a build.

Burp scans

To provide continued support for any existing integrations that you may have configured, this release also retains the legacy “Burp scan” option in its original form.

For more detailed information about the pros and cons of both approaches, please refer to the documentation.

Enterprise Edition 2021.3 Release 2021-Mar-8

This release includes several enhancements that help you to better integrate Burp Suite Enterprise Edition with other web applications. It also adds support for some additional database versions, along with a significant number of minor improvements and bug fixes.

CORS whitelisting for enhanced integration with other web applications

If you want to integrate Burp Suite Enterprise Edition with a third-party web application, or one that you’ve developed yourself, it probably needs access to your sites and scan data. This release adds a new option that lets you whitelist trusted origins for cross-origin resource sharing (CORS) via the GraphQL API.

Improvements to the GraphQL API

You can now include an optional schedule_item_id parameter in a scans query. This makes it much easier to locate the Scan that was generated by a ScheduleItem you’ve just created.
You can use the new site query to fetch an individual Site by its ID. This means you no longer have to fetch the whole SiteTree in order to query a specific known Site.
You can now send gzip-encoded data to the API.

Additional database support

Burp Suite Enterprise Edition now supports the following additional database versions:

PostgreSQL 11, 12, and 13
MariaDB 10.4 and 10.5

For a full list of databases that you can use with Burp Suite Enterprise Edition, please check the system requirements.

Other improvements

If you upload an invalid recorded login script, you are now informed of this when you try to save so that you can fix the issue right away. Previously, you would only know that your script was invalid once a scan started and subsequently failed to log in.
You can no longer add end-of-scan report recipients to a site unless an admin user has configured a connection to an email server. This helps prevent situations where you mistakenly believe that colleagues are receiving scan reports even though no emails are actually being sent.
Burp Scanner’s embedded Chromium browser is now stored in the data directory that you select in the installation wizard. Previously, this would be unpacked in your home directory, which was causing issues for some customers.
On the “Site” > “Details” page, if you click on the ? icon to view the scan configuration, the configuration ID is now displayed in the URL in your browser’s address bar for easier access.
When you cancel a scan with errors, the error message is now displayed in the “Cancel scan” confirmation dialog.

Bug fixes

The link for the REST API is now generated using the correct domain name for your web server. Previously, the default IP address would still be used to generate the API link even if you had manually set a different “Web server URL” in the network settings.
A problem with our site-tree caching has been fixed. This should dramatically improve performance when using our APIs.
The database transfer tool no longer assumes that the agent user for the database is called burp_agent. You can now use the tool even if you assigned a different username when setting up your database.
A problem with the network settings page has been fixed. A bug in the previous release meant that you were unable to save changes to other settings while the “Use TLS” option was enabled.
Adding client TLS certificates to a scan configuration now works as expected. A bug in the previous release meant that you would sometimes encounter a “value required” error when trying to upload a new certificate.
We have also fixed several minor UI-related bugs that were introduced by some of our recent changes.

Enterprise Edition 2021.1 Release 2021-Feb-2

This release provides the following bug fixes:

The process for deploying to Azure now works as expected.
Browser-powered scans are now supported on cloud-based deployments of Burp Suite Enterprise Edition. A bug in the previous release prevented Burp Scanner’s embedded browser from starting properly.

Enterprise Edition 2020.12 Release 2020-Dec-23

This release provides the following improvements and bug fixes.

UI refresh

The UI now has a more modern look and feel. We hope you like the new design as much as we do.

New Help center and troubleshooting features

Diagnostics – This page provides quick access to all the background information our support team needs to know when you report an issue. It contains some basic details about your installation, memory usage, operating system, and so on. This enables you to quickly copy and paste all of this information from one place, rather than having to track it down across your system.
Debug – From time to time, the support team may ask you to enable detailed debugging for specific areas of Burp Suite Enterprise Edition. In this case, they will provide a series of values that you should enter on this page. This temporarily increases the level of detail that is included in the logs, which will help our support team get to the bottom of any issues.
Support pack – The support team may occasionally ask you to provide a collection of log files to help them troubleshoot an issue that you’ve reported. This page enables you to download various different logs as a single file so that you can easily send them to our support team.

This release also adds the following new options for downloading logs:

You can now download the logs for an individual scan. To do this, go to the scan details page for the relevant scan and select “More actions” > “Download scan log”. Note that the log is only available for scans that:
- Were successfully assigned to an agent
- Have run or started running since you upgraded to Burp Suite Enterprise Edition 2020.12
- Are less than 10 days old
You can now download the logs for an individual agent machine. To do this, go to the “Agents” page and select the relevant agent machine. In the upper-right corner, click “Download logs”.

Bug fixes

When trying to connect to Jira, receiving a response that is larger than 2 MB no longer triggers an exception.
In the “Database backup” settings, specifying a save location with dots in the path no longer causes issues. Previously, you would be prevented from saving your changes if you entered a path such as /home/user/example.directory/.
When transferring a SQL Server database with the transfer tool, you can now successfully use any target database name. Previously, the transfer would fail if the target name was anything other than burp_enterprise.

Enterprise Edition 2020.11 Release 2020-Nov-16

Recorded login sequences

To generate this script, you use our dedicated Chrome extension to record your browser interactions while you perform the login sequence manually. You then upload this script to the relevant site in Burp Suite Enterprise Edition. When scans of this site begin an authenticated crawl, Burp Scanner will start a new session in its embedded browser and use this script to replicate your actions, performing the full login sequence from scratch.

For more information, please refer to the documentation.

API scanning

You can also explicitly provide the URL of an API definition in the list of included URLs for a site.

Please note that this initial release only supports scanning of a fairly limited range of REST APIs. For a full list of the prerequisites and limitations, please refer to the Burp Scanner documentation. We plan to further develop this feature and gradually add support for a wider range of APIs in future releases.

GraphQL API updates

Generally speaking, the entities related to application logins have now been split in two. This is to create the distinction between sets of basic login credentials and recorded login sequences.

The full list of changes is as follows:

The type ApplicationLogin is now obsolete. This has been replaced by two new types, LoginCredential and RecordedLogin.
The new type ApplicationLogins has been added. This provides two fields, login_credentials and recorded_logins, which contain a list of LoginCredential and RecordedLogin objects respectively.
Fields that used to contain a list of the obsolete ApplicationLogin objects now contain a single object of the new type ApplicationLogins. This affects the following fields:
- The site_application_logins and schedule_item_application_logins fields of Scan objects
- The application_logins field of Site objects
The following mutations are now obsolete:
- create_site_application_login
- update_site_application_login
- delete_site_application_login
These have been replaced by the following new mutations:
- create_site_login_credential
- create_site_recorded_login
- update_site_login_credential
- delete_site_login_credential
- delete_site_recorded_login

Improved logging

Bug fixes

This release also provides the following bug fixes:

The installer now works for users with an external database.
The database migration scripts no longer fail when migrating a PostgreSQL or MySQL database on Azure.
When the Enterprise server is connected to your SMTP server but cannot connect to portswigger.net, you no longer receive an excessive number of emails about this issue.

Enterprise Edition 2020.10.1 Release 2020-Oct-19

Bug fix

Enterprise Edition 2020.10 Release 2020-Oct-15

This release further improves Burp Suite Enterprise Edition’s support for single sign-on by enabling SAML integration. It also provides major improvements to the AWS deployment process.

SAML integration

Burp Suite Enterprise Edition now supports SAML-based single sign-on. This is particularly useful for managing user authentication for cloud-based deployments.

You can integrate SAML SSO using any identity provider (IdP), but the following ones have been fully tested:

Active Directory Federation Services (ADFS)
Okta
Azure Active Directory

For more detailed information, please refer to the accompanying documentation.

Other improvements

This release also provides the following improvements:

When marking all issues of the same type as false positives, you can now choose to limit this to the current scan only.
Empty placeholder pages have been improved. In each case, you will now be informed why the page is empty and prompted to perform the relevant actions to populate it with data.
Sites and folders are now displayed in alphabetical order in the site tree.
Performance has been improved when running scans that use a large number of scan configurations.

Burp Suite Enterprise Edition on the cloud

This release provides major usability improvements to the deployment process for Burp Suite Enterprise Edition on AWS.

Secondly, there are now two CloudFormation templates for each release of Burp Suite Enterprise Edition:

The main template, which is used to create the required AWS environment and deploy the application.
The IAM template, which is used to create the relevant IAM users.

If you want to deploy Burp Suite Enterprise Edition 2020.10 to the cloud for beta testing, you can download the template for your preferred cloud platform.

Bug Fixes

We have also provided the following bug fixes:

Reinstalling Burp Suite Enterprise Edition for use with an existing database no longer causes issues.
You can now successfully run the installer over an existing installation, for example, to fix any missing libraries.
When the API key is generated for a new API user, long domain names no longer cause the URL to exceed the boundaries of the text field.
The option for creating Jira sub-tasks has been removed to avoid invalid issue type errors. Creating sub-tasks is not supported by the Jira API.
You can now update the port for your web server’s HTTPS URL without having to upload a new certificate.
We have made minor corrections to the GraphQL API reference documentation.

Enterprise Edition 2020.7 Released 2020-Jul-23

This release provides several improvements to our APIs and continues the ongoing improvements to the Burp Suite Enterprise Edition UI.

GraphQL API

We recently released a new GraphQL API to improve the integration of Burp Suite Enterprise Edition with other tools. This release implements the following changes:

You can now apply a site_id filter to the scans query. This enables you to fetch all scans for a given site.
When fetching issues for a scan, specifying a type_index is now optional. This enables you to fetch all issues for a scan directly. Previously, you first had to fetch the issues grouped by type.
We’ve added a new type IssueType, which contains information relevant to a specific issue type, such as a description and remediation advice. Instances of the type Issue now also contain an issue_type field that allows you to fetch this information.

We have also made the following adjustments to the names of some entities:

To allow for the new type IssueType, the query issue_types has been renamed to issue_type_groups. Similarly, the existing type IssueType has now been renamed to IssueTypeGroup.
For the input object DeauthorizeAgentInput, we have renamed the machine_id field to just id.

REST API

UI improvements

This release provides more improvements to the Burp Suite Enterprise Edition UI. The placeholder pages that are displayed before you have added a site or run a scan are now much more intuitive.

Bug fixes

We’ve also provided several minor bug fixes, most notably:

Active Directory users can now view the scan results by clicking on a scan.
Scans that fail to start now appear as failed in the list of scans. This frees up the assigned agent so that you can use it to perform another scan.

Enterprise Edition 2020.6 Released 2020-Jul-7

UI improvements

Over the next few months, we’re working on improving the usability of Burp Suite Enterprise Edition by upgrading the UI. This release includes the first set of these changes:

The header menu has been redesigned to make it much easier to navigate. You can now jump straight to the most commonly used parts of the application with a single click.
The pages for creating, editing, and viewing both sites and scans have been redesigned to make them much more intuitive.
The overall look-and-feel of some screens has been updated. These changes will be rolled out across other parts of the application in upcoming releases.

Single sign-on

For more information, please refer to the product documentation.

Burp Suite Enterprise Edition on the cloud

A beta release is now available for deploying Burp Suite Enterprise Edition natively on both AWS and Azure.

Note that you will need a separate Burp Suite Enterprise Edition license for your cloud-based deployment, even if you already have a license for an on-premise installation.

You can use the links below to download the corresponding template for deploying to your preferred platform.

Enterprise Edition 2020.4.3 Released 2020-Jun-3

This release fixes an issue that was causing some customers to see the “Lost communication with Burp Suite” error during scans

Enterprise Edition 2020.4.1 Release 2020-May-18

This release provides several minor bug fixes. Most notably:

We have fixed a bug that was causing license key issues for Linux users when upgrading from 2020.2 to 2020.4.
Note: Unfortunately, if your first installation of Burp Suite Enterprise Edition was version 2020.4, this issue will also occur when you upgrade to 2020.4.1. If you are affected, please contact our Customer Support team for assistance. This will no longer be an issue in future releases.
The scan progress is now displayed properly on the sites tree, as well as on the home and folder-level dashboards.

Enterprise Edition 2020.4 Release 2020-Apr-28

GraphQL API

This release provides a beta version of our brand new GraphQL-based API, which exposes most of the core functionality of Burp Suite Enterprise Edition. Among other things, you can use the new API to:

Create and edit sites
Schedule one-off and regular scans
Create and edit custom scan configurations
Add folders to your site tree
Get scan results and reports
Manage your pool of agent machines, including authorizing new agent machines.

You can find more detailed information about how to use the API and the full range of supported operations in the API documentation. This also includes example payloads for typical queries.

As this is a beta version of the API, we would be grateful if customers could inform us of any problems that they encounter so that we can continue to optimize the behavior over the coming months. The Jenkins/TeamCity CI plugins and the generic CI driver will continue to use the existing public REST API. However, we are planning to release additional GraphQL-based versions in the near future.

Note: As a workaround for accessing functionality that was not supported by the public REST API, a small number of customers have integrated their own tools with Burp Suite Enterprise Edition using our internal REST API. Unfortunately, after upgrading to version 2020.4, these integrations will no longer be supported because the internal REST API has largely been replaced. However, you should be able to refactor your integrations to achieve the same results using the new GraphQL API. The vast majority of customers will be unaffected by this issue.

Burp Suite Enterprise Edition in the cloud

This release also marks the start of beta testing for the cloud-native version of Burp Suite Enterprise Edition. Over the next quarter, a small number of customers will be beta testing on both AWS and Azure.

Bug fixes

We have also implemented several minor performance improvements and bug fixes. Most notably, the following issues have been resolved:

A null pointer exception is no longer raised when Jira tickets are created automatically using the default severity and confidence settings.
Changing the name of a site while using a slower network connection no longer causes errors.

Enterprise Edition 2020.2 released 2020-Feb-12

This release adds a number of new features to help simplify and streamline your post-scan activities. You can now:

Choose to download a detailed scan report instead of just a summary.
Tailor scan reports to your needs by choosing which severity of issues to include.
Specify email addresses that should automatically receive an end-of-scan summary when a scan is completed for a particular site. Note that configuring your email server is a prerequisite for enabling this feature.
Download a summary of aggregated issues in CSV format.
Automatically create Jira tickets for issues based on their severity and confidence.

Enterprise Edition 2020.1 Released 2020-Jan-13

This release contains a number of valuable enhancements.

There is a new scan configuration library that replicates the Burp Suite Pro feature. You can:

View and manage built-in and custom scan configurations.
Configure detailed settings for crawling and auditing, as well as platform authentication and upstream proxy settings.
Import and export configurations in JSON format.

For each scan, you can now view full details of the individual URLs that were scanned, together with the numbers of issues, requests, and insertion points. You can drill into each URL to view the details of individual issues:

You can now download the scan event log, via the “More actions” button on the scan results page.

There is a new database migration tool that lets you migrate from the bundled database to an external database. See documentation on database migration.

There are various other enhancements and bug fixes:

Estimates of scan time remaining are now based on the duration of the preceding scan where applicable.
Scans that have not made any progress for 24 hours will be automatically canceled.
Issue details can now be retrieved from the aggregated issues list for scans created through the REST
API when the site is not saved in the Sites tree.
Hover action buttons on the Sites tree are now available for users belonging to groups that have site restrictions configured.

Enterprise Edition 1.1.04 Released 2019-Nov-05

This release includes various enhancements and bugfixes:

The page for a folder in the Sites tree now includes a Scans tab, showing scans for all the sites in the selected folder.
When creating a new site and selecting the folder to add it to, you can now search for the folder by name.
When creating a new scan and selecting the site to scan, you can now search for the site by name.
When viewing issues in the aggregated issues view, there is now a preview pane where you can view details of the selected issue, and perform actions such as creating a Jira ticket.
A bug that caused Burp Suite Enterprise Edition to leak file handles in some situations has been resolved.

Enterprise Edition 1.1.03 Released 2019-Oct-1

This release adds some new dashboard views.

There is a new site-level dashboard showing various information about the issues that have been found for the site, and its security posture over time. There are new tabs on the site page that let you switch between the dashboard, scan history, issues, and site details:

The sites area has new aggregated issues views. For a selected folder (or for all sites), this view shows all of the issues from the latest scans grouped by issue type. You can expand each aggregated issue to view the details of individual occurrences, and you can filter the view by severity, date, and whether issues are new or regressed:

Various performance improvements have been made. The sites page now loads considerably faster, and large folders are collapsed by default.

Various bugs have been fixed.

In a large organization with many sites and folders, the new folder-level dashboards let you drill down into parts of the organization and understand the vulnerabilities and trends within each area.

Enterprise Edition 1.1.01 Released 2019-Jul-18

This release contains a new database backup feature. This is currently only available when using the internal bundled database (H2).

Automatic backups are enabled by default. The following options can be configured:

The number of backups to store.
The backup schedule.
The location to store backup files (this is configured during installation).

You can also trigger a manual database backup at any time.

A number of minor bugs have also been fixed.

Enterprise Edition 1.1 Released 2019-Jun-28

Burp Suite Enterprise Edition is now officially out of beta!

This release also adds a beautiful new home page dashboard, with various charts showing an at-a-glance view of your overall security posture:

The new charts show:

Current issue counts
Issue counts over time
New and resolved issues over time (deltas between successive scans)
Most vulnerable sites
Most serious vulnerabilities
Recent, running, and upcoming scans

Coming out of beta means we regard Burp Suite Enterprise Edition as essentially stable and suitable for general usage. It doesn’t mean there are no bugs. All software has bugs, and feedback is always welcome about any problems that users observe.

PortSwigger will, of course, be continuing to enhance Burp Suite Enterprise Edition with various new features over the coming months.

SIGN IN YOUR ACCOUNT TO HAVE ACCESS TO DIFFERENT FEATURES

FORGOT YOUR DETAILS?

Burp Suite Enterprise Edition Product Latest Release and Build

Enterprise Edition 2022.2.1 Release 2022-Mar-3

Enterprise Edition Jenkins plugin 2022.2 Release 2022-Mar-1

Enterprise Edition 2022.2 Release 2022-Feb-23

Enterprise Edition 2022.1.1 Release 2022-Feb-21

Enterprise Edition 2022.1 Release 2022-Jan-21

Enterprise Edition 2021.12.1 Release 2021-Dec-15

Jira bug fix

Cloud deployment links

Enterprise Edition 2021.12 Release 2021-Dec-15

Bulk actions for sites and scans

Trello and GitLab integration

Microsoft SQL Server 2019 support

GraphQL upgrade

Verbose scan log

Bug fixes

Cloud deployment links

Enterprise Edition 2021.11 Release 2021-Nov-11

Add multiple sites in bulk

Receive automated scan notifications via Slack

Improved user lifecycle management via SCIM (on-premise only)

Add new sites to a new folder

Bug fixes

Enterprise Edition 2021.8.1 Released 2021-Sep-8

Cloud deployment links

AWS

Azure

Enterprise Edition 2021.8 Released 2021-Aug-25

Extensions support

Scanner compatibility

Telemetry collection

Bug fixes

Cloud deployment links

AWS

Azure

Enterprise Edition 2021.6 Released 2021-Jun-25

Update to Java 11

Minor improvements

Bug fixes

Cloud deployment links

AWS

Azure

Enterprise Edition 2021.4.1 Released 2021-Apr-29

Agent machine pools

UI and navigation improvements

New user permission for viewing site login details

Bug fixes

New to release 2021.4.1

Cloud deployment links

AWS

Azure

Enterprise Edition 2021.4 Released 2021-Apr-23

Agent machine pools

UI and navigation improvements

New user permission for viewing site login details

Bug fixes

Cloud deployment links

AWS

Azure

Enterprise Edition 2021.3.1 Released 2021-Mar-24

Additional database support

Nested cloud templates

Role-based access control using AWS Identity and Access Management

Optional PostgreSQL database for AWS

Improved logging for AWS deployment

Obfuscated credentials in AWS

Cloud deployment links

AWS

Azure

Enterprise Edition 2021.3 Released 2021-Mar-8

CORS whitelisting for enhanced integration with other web applications

Improvements to the GraphQL API

Additional database support

Other improvements

Bug fixes

Cloud deployment links

AWS

Azure