Burp Suite Enterprise Edition Product Latest Release and Build, this is an ongoing and incremental update post, we consolidate all information into a single post for users who want to know all the updates, new features and fixes along the edition.
Latest release and build will show at the top of the post, and the oldest information will at bottom. If you are looking for the Burp Suite Enterprise Edition product information like features and benefits, please read it from this dedicated post link https://www.e-spincorp.com/burp-suite-enterprise-edition/
This release offers preset scan modes that make it easily to start scans for a range of use cases as well as simpler way to monitor how your scans are progressing .
Start scanning easily with the new preset scan modes. These four ready-to-use modes allows you to adjust the balance of speed and coverage using a single click, thus quickly launch a scan based on your needs. Moreover, you can choose from Lightweight, Fast, Balanced, or Deep modes when creating or editing a site.
Create custom scan configurations to fine-tune Burp Scanner‘s behavior is still available. You just need to select the Use a custom configuration radio button to access every options you’re familiar with from the previous versions.
Improved scan durations estimaties let you to easily monitor how your scans are progressing through:
This release also includes the following improvement:
Some bugs fixes such as:
This release lets you raise tickets for multiple issues at once and gives a security patch. Additionally, manage scan configurations has also been simplified.
Raising tickets for multiple issues at the same time in Jira, GitLab and Trello are now possible. This feature allows you to create a separate ticket for each issue, or combine similar type of issues into one ticket.
Manage scan configurations is now enabled exclusively on the site level. You are now unable to override the site’s configuration when scheduling a scan. This simplifies the process and ensures accuracy on the data used to track your security posture.
This release also offers other improvements such as:
We have fixed a bug related to site restrictions which is identified during internal testing.
Some bug fixes that come with this release includes:
This release enables several new reporting formats associated to PCI DSS and OWASP Top 10 vulnerabilities, also automated ticket creation for GitLab and Trello.
This Burp Suite Enterprise Edition which includes compliance reporting formats directly relating to the PCI DSS and the OWASP Top 10 makes it much easier to check for relevant vulnerabilities across your whole web portfolio.
Solving issues in Burp Suite Enterprise Edition is now easier as it can automatically create GitLab tickets and Trello cards when issues which are above a specified severity and confidence level found during scans.
This release includes a number of minor improvements and bug fixes, such as
This release let you deploy Burp Suite Enterprise Edition to any Kubernetes cluster that meets several simple prerequisites, using a Helm chart.
As a results, you can apply auto-scaling of scanning resources, which able to reduce infrastructure costs and maintenance effort – most importantly for larger deployments. Moreover, it is easier to run Burp Suite Enterprise Edition on your existing Kubernetes infrastructure.
For information on how to deploy Burp Suite Enterprise Edition to Kubernetes, refer the documentation.
The new Kubernetes deployment option now replaces the existing AWS and Azure cloud deployment templates.
While deployments built using our AWS and Azure templates will still be available for the immediate future, it is highly recommended to migrate to the new infrastructure when possible. In future, Burp Suite Enterprise Edition will no longer support legacy cloud deployments.
Refer the documentation for migration details.
Terminology of some components of Burp Suite Enterprise Edition are now using more descriptive names.
Significantly, this release no longer refer to “agents” as the word “agent” was used both internally and among users to mean different things depending on context. For instance, both the logical entity that performs scans and the machine on which the scan runs on were sometimes both referred to as an agent.
Now, the machine that runs scans is known as a “scanning machine”. Other than that, we now talk about the number of “concurrent scans” covered by your license, rather than a number of agents.
This release involves several minor improvements which include:
This release provides a number of minor improvements and bug fixes. For example:
This release fixes the Jenkins plugin. The previous version was causing the Burp Suite Enterprise Edition UI to become non-functional when used in combination with the kubernetes-cli plugin. This was due to a jQuery conflict.
This release provides a number of minor improvements and bug fixes. For example:
This release does not provide any additional functionality. It simply implements some background changes in preparation for a future release, which will enable a brand new option for deploying to Kubernetes using a Helm chart. This will replace our existing AWS CloudFormation and Azure Resource Manager deployment methods.
Please note that if you deployed Burp Suite Enterprise Edition using our existing AWS CloudFormation or Azure Resource Manager templates, this is the last version that those deployments will support. You will need to migrate using the new Helm chart (coming soon) before you can install any future updates.
This release offers a number of minor improvements and bug fixes such as:
This release came with the audited version of both Burp Suite Enterprise Edition and Burp Suite Professional/Community Edition. The release focuses on making sure that both versions are not vulnerable to the latest discovery on vulnerability in the Java logging library Log4j. Even though this library was present in Burp Suite Enterprise Edition because of transitive dependency, it was not used.
Importantly, you should disable third-party extensions while they are audited as they may appear vulnerable.
This release includes bug fixes that disable you to create Jira tickets from Burp Suite Enterprise Edition.
AWS CloudFormation or Azure Resource Manager templates will be replaced with the release of a more improved, simpler deployment method soon. It is recommended to wait for the release instead.
This release allows bulk actions for sites and scans as well as integration with GitLab and Trello which enable you to raise tickets for any vulnerabilities detected by your scans.
Now, you are able to perform common actions on multiple items at the same time from the Sites and Scans pages which includes:
The bulk actions menu which appears automatically during selection of one or more items using the checkboxes to the left of the page. helps you save significant amount of time and effort particularly when managing your site tree.
Connecting to Burp Suite Enterprise Edition to both Trello and GitLab are now available. Therefore, for any vulnerabilities detected by your scans, you can create Trello cards or raise GitLab issues from the Burp Suite Enterprise Edition web UI.
Refer to the documentation for information on how to configure the integration.
Microsoft SQL Server 2019 databases is available to use with Burp Suite Enterprise Edition. Refer to the documentation for a complete list of supported database types.
GraphQL implementation to GraphQL Java 17.3 have been updated in this release to improve bug fixes and also increase protection against denial-of-service attacks.
This release gives you the option to enable verbose logging when creating a one-off scan. This can be done by downloading this log from the Reporting & Logs tab.
Importantly, this feature is specifically design for technical support team (This team will occasionally ask you to activate this when helping you resolve a problem.
This release consists of several minor bug fixes. The most notable bug fixes feature that have been added are improved uninstallerthat allow you to lower the chance of issues arising when reinstalling at a later date as well as an issue that may occur when running the database transfer tool with MySQL 8 databases.
AWS CloudFormation or Azure Resource Manager templates will be replaced with the release of a more improved, simpler deployment method soon.
This release provides a new option for preconfiguring and adding a large number of sites in bulk, adds support for Slack integration, and enables user provisioning and decommissioning via SCIM. It also contains a number of minor improvements and bug fixes.
Instead of adding and configuring sites in Burp Suite Enterprise Edition one by one, you can now preconfigure and import a large number of sites at once from a CSV file.
You can download our template from the Sites page by clicking Import Sites.
For more information, please refer to the documentation.
You can now connect Burp Suite Enterprise Edition to Slack. Once configured, this enables you to automatically notify teams via their Slack channels whenever a scan starts, fails, or finishes for a given site.
As you assign Slack channels on a site-by-site basis, you can ensure that channels only receive notifications about sites that are relevant to them.
For details on how to configure the integration, please refer to the documentation.
For on-premise installations of Burp Suite Enterprise Edition, you can now enable SCIM in order to simplify the process of provisioning and decommissioning users and groups from a central identity provider (IdP).
SCIM is typically integrated in conjunction with SAML. This means you can create, update, and delete your users and groups using SCIM, while SAML is reserved exclusively for authentication via your IdP.
We have fully tested SCIM integrations with the following IdPs:
For more information, please refer to the documentation.
When adding a new site, you now have the option to create a new folder for it at the same time. Previously, you could only add sites to existing folders.
We have also fixed a number of bugs, most notably one that caused issues for some users when attempting to update Burp Scanner.
This release gives several bug fixes; one particularly for a bug that caused an abundant number of email notifications to be sent to some users.
In order to apply this release of Burp Suite Enterprise Edition to the cloud, use the following links to access the corresponding instructions and templates for the preferred platform.
This release allows you to install extensions and adds some Scanner compatibility improvements, telemetry collection, and some bug fixes.
This release of Burp Suite Enterprise Edition enables you to use extensions to expand and customize its scanning functionality. For example, you could use an extension to scan for a specific vulnerability or to expand your logging.
With this release, Enterprise Edition supports custom extensions written in java and BApps identified as Enterprise Edition compatible. The BApp store has been updated to identify which products each BApp is compatible with. Those with the Enterprise tag can be downloaded from the BApp store and uploaded to the Enterprise extensions library.
Burp Suite Enterprise Edition and Burp Scanner are updated and installed independently. Each component has dependencies (such as the JRE version) that mean not all versions are compatible with each other.
You will get a notification to update your version of Enterprise Edition from Managing updates when you are updating components manually and trying to upgrade to a version of Burp Scanner that is not compatible with your version of Enterprise Edition before installing the new Scanner. You will also receive emails about the release of a new version of Burp Scanner that is incompatible with your version of Enterprise Edition.
Starting with this release, we are collecting telemetry that will allow us to understand your usage of Burp Suite Enterprise Edition better, and offer you more cost-effective options. We will not be capturing any information about the sites that you are scanning or any details of your scan results.
This release includes the following bug fixes:
Issue fields.If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for the preferred platform.
This release includes a Java update and several minor improvements as well as bug fixes.
Burp Suite Enterprise Edition is updated to Java version 11.
This release includes the following minor improvements:
If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.
This release gives the ability to arrange agent machines and target sites into pools in order to better organize your scanning resources. There is also significant improvements included to the user interface and navigation like a new scan results page design. It also include several bugs fixes.
Agent machines and sites are now organized into agent machine pools. All agent machines and all sites are assigned to one and only one agent machine pool. Unless you specify otherwise, all agent machines and sites will be assigned to the same default pool. An agent will only scan a site if the site belongs to the same agent machine pool as the agent’s machine.
Agent machine pools support the “agent affinity” concept and are useful if you have a need to limit which agent machines can scan certain sites. Agent machine pools stop the problem of a scan failing because the relevant machine is busy elsewhere, or an assigned agent being unable to access a restricted site for a scan. Sample uses for agent machine pools are:
We have improved the user interface and experience throughout Burp Suite Enterprise Edition. These improvements include:
We have created a new user permission for viewing login details (credentials and/or recorded login sequences) associated with sites. This permission is not assigned to any user by default.
This release also includes several bug fixes, including:
schedule_items query in GraphQL are now enums rather than strings. See more details here.This release provides the following bug fix:
If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.
This release gives the ability to arrange agent machines and target sites into pools in order to better organize your scanning resources. There is also significant improvements included to the user interface and navigation like a new scan results page design. It also include several bugs fixes.
All agent machines and all sites are assigned to only one agent machine pool. Unless being specified otherwise by users, all agent machines and sites will be assigned to the same default pool. An agent will only scan a site if the site belongs to the same agent machine pool as the agent’s machine.
Agent machine pools support the “agent affinity” concept and are useful if you have a need to limit which agent machines can scan certain sites. Agent machine pools stop the problem of a scan failing because the relevant machine is busy elsewhere, or an assigned agent being unable to access a restricted site for a scan. The following are the sample uses for agent machine pools:
We have improved the user interface and experience throughout Burp Suite Enterprise Edition. These improvements include:
We have created a new user permission for viewing login details (credentials and/or recorded login sequences) associated with sites. This permission is not assigned to any user by default.
This release includes several bug fixes as below:
schedule_items query in GraphQL are now enums rather than strings. See more details here.If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.
This release provides several major enhancements to our cloud-friendly version of Burp Suite Enterprise Edition, as well as support for a new database version.
You can now use an Oracle 19c database with Burp Suite Enterprise Edition. For a full list of supported database types, please refer to the system requirements.
Both the main AWS CloudFormation template and the Azure Resource Manager template now comprise multiple “nested” templates, each with their own URL. This gives you the option to skip parts of the template and perform some of the process independently.
For example, you may prefer to set up the required infrastructure on your own and just use the template to deploy the main application. In this case, instead of entering the top-level URL for the full template in AWS/Azure, you can now just enter the URL for the deployment part.
You can find the URLs for the nested templates within the main template for each platform. We’ve also provided direct links at the bottom of these release notes. If you still want to use the full template, you can just ignore the nested ones and use the main URL in the same way as before.
We now support role-based access control (RBAC) for the entire deployment process on AWS.
In previous releases, you had to provide an AWS access key and secret for the user who would be performing the deployment. This requirement has been removed completely. Instead, our IAM CloudFormation template now automatically generates roles that cover all of the required permissions, along with a corresponding group. Simply assigning the user to this group will allow them to perform the rest of the deployment.
The main AWS CloudFormation template now provides the option to automatically create and configure a new PostgreSQL database using Amazon’s Relational Database Service (RDS). This should make it much easier to get started as you won’t have to manually set up and connect to a database; most of the configuration will be done for you.
This is completely optional. If you prefer, you can still connect to any of our supported database types in the same way as before.
On AWS, application logging is now enabled at the beginning of the deployment phase. This means that any errors that occur during the database migration will now be captured in CloudWatch, which should help with debugging.
All credentials that you provide in the CloudFormation template are now obfuscated. This prevents them from being viewed by other users who have access to your Burp Suite Enterprise Edition resources in the AWS Management Console.
If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.
This release includes several enhancements that help you to better integrate Burp Suite Enterprise Edition with other web applications. It also adds support for some additional database versions, along with a significant number of minor improvements and bug fixes.
If you want to integrate Burp Suite Enterprise Edition with a third-party web application, or one that you’ve developed yourself, it probably needs access to your sites and scan data. This release adds a new option that lets you whitelist trusted origins for cross-origin resource sharing (CORS) via the GraphQL API.
Once you’ve whitelisted the origin on which your other application is running, its client-side JavaScript will have access to the full functionality exposed by the GraphQL API. This allows you to develop more powerful integrated applications that can fetch the relevant data, create and edit sites, and launch new scans directly from the browser using AJAX.
By default, all cross-origin requests initiated by JavaScript in the browser will be blocked unless you have explicitly whitelisted their origin. To do this, go to the network settings page and add trusted origins to the “Allowed Origins for GraphQL API” list.
schedule_item_id parameter in a scans query. This makes it much easier to locate the Scan that was generated by a ScheduleItem you’ve just created.site query to fetch an individual Site by its ID. This means you no longer have to fetch the whole SiteTree in order to query a specific known Site.Burp Suite Enterprise Edition now supports the following additional database versions:
For a full list of databases that you can use with Burp Suite Enterprise Edition, please check the system requirements.
? icon to view the scan configuration, the configuration ID is now displayed in the URL in your browser’s address bar for easier access.burp_agent. You can now use the tool even if you assigned a different username when setting up your database.If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.
This release provides the following bug fixes:
This release provides the following improvements and bug fixes.
The UI now has a more modern look and feel. We hope you like the new design as much as we do.
Users with permission to modify the settings can access the new “Help center” by clicking the ? icon in the upper-right corner of the screen. This provides a range of new features to help troubleshoot issues with your setup:
This release also adds the following new options for downloading logs:
/home/user/example.directory/.burp_enterprise.
This release provides a new application logins option that will enable scans to handle single sign-on and other complex login mechanisms. Please note that this upgrade includes some major changes to the GraphQL API as a result.
When adding application logins to a site, instead of simply adding basic sets of user credentials, you now have the option to upload recorded login sequences instead. A recorded login sequence is essentially a script that tells Burp Scanner exactly how to log in to the site. This enables it to handle more complex login mechanisms, including single sign-on.
To generate this script, you use our dedicated Chrome extension to record your browser interactions while you perform the login sequence manually. You then upload this script to the relevant site in Burp Suite Enterprise Edition. When scans of this site begin an authenticated crawl, Burp Scanner will start a new session in its embedded browser and use this script to replicate your actions, performing the full login sequence from scratch.
For more information, please refer to the documentation.
Burp Scanner is now able to scan both JSON and YAML-based APIs for vulnerabilities. By default, the crawler attempts to parse any API definitions that it encounters to identify potential endpoints, along with their supported methods and parameters. Based on the endpoints that it discovers, Burp Scanner is then able to derive new locations to crawl and audit.
You can also explicitly provide the URL of an API definition in the list of included URLs for a site.
If you prefer, you can disable API scanning by deselecting the “Parse API definitions” crawl option in your scan configuration. You can find this option under “Miscellaneous”.
Please note that this initial release only supports scanning of a fairly limited range of REST APIs. For a full list of the prerequisites and limitations, please refer to the Burp Scanner documentation. We plan to further develop this feature and gradually add support for a wider range of APIs in future releases.
In order to implement the new functionality for uploading recorded login sequences, we’ve had to make some changes to the GraphQL API. These changes may require you to refactor your existing integrations before they will work with this version of Burp Suite Enterprise Edition.
Generally speaking, the entities related to application logins have now been split in two. This is to create the distinction between sets of basic login credentials and recorded login sequences.
The full list of changes is as follows:
ApplicationLogin is now obsolete. This has been replaced by two new types, LoginCredential and RecordedLogin.ApplicationLogins has been added. This provides two fields, login_credentials and recorded_logins, which contain a list of LoginCredential and RecordedLogin objects respectively.ApplicationLogin objects now contain a single object of the new type ApplicationLogins. This affects the following fields:
site_application_logins and schedule_item_application_logins fields of Scan objectsapplication_logins field of Site objectscreate_site_application_loginupdate_site_application_logindelete_site_application_loginThese have been replaced by the following new mutations:
create_site_login_credentialcreate_site_recorded_loginupdate_site_login_credentialdelete_site_login_credentialdelete_site_recorded_loginPlease note that you can add either LoginCredential or RecordedLogin objects to a Site, but not both. Querying the application_logins field for a Site will return a single ApplicationLogins object for which only one of the login_credentials and recorded_logins fields will contain data.
We have improved the logging of certain processes, which should make it easier to troubleshoot any problems that arise. For example, there is now much greater transparency in the log entries when backing up your database. When errors occur with Jira, the log now also provides much more detail about what the problem is.
When a scan check is abandoned due to memory allocation issues, this is now indicated in the scan results, the list of scans, and the downloadable reports. Previously, this would only be mentioned in the event log, which meant that it was easy to miss.
This release also provides the following bug fixes:
If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred platform.
This release fixes a bug in the installer that affected some customers using an Oracle database. Previously, the installer would fail if the database schema name was anything other than burp_enterprise.
If you want to deploy this release of Burp Suite Enterprise Edition to the cloud, you can use the links below to access the corresponding templates and instructions for your preferred cloud platform.
This release further improves Burp Suite Enterprise Edition‘s support for single sign-on by enabling SAML integration. It also provides major improvements to the AWS deployment process.
Burp Suite Enterprise Edition now supports SAML-based single sign-on. This is particularly useful for managing user authentication for cloud-based deployments.
You can integrate SAML SSO using any identity provider (IdP), but the following ones have been fully tested:
To configure the connection to your preferred SAML IdP, log in to Burp Suite Enterprise Edition as an administrator, select “Single sign-on” from the settings menu, then open the “SAML connection” tab.
For more detailed information, please refer to the accompanying documentation.
This release also provides the following improvements:
This release provides major usability improvements to the deployment process for Burp Suite Enterprise Edition on AWS.
Most notably, the CloudFormation template now creates all of the required AWS infrastructure for you. This includes creating a new Virtual Private Cloud (VPC), so you no longer need to set this up manually. We hope that this will make it much easier to get up and running.
Secondly, there are now two CloudFormation templates for each release of Burp Suite Enterprise Edition:
Previously, some customers faced issues when the user performing the deployment did not have the appropriate permissions to create IAM users. Now that this is handled in a separate template, you can easily hand over this part of the setup process to the relevant team within your organization.
If you want to deploy Burp Suite Enterprise Edition 2020.10 to the cloud for beta testing, you can download the template for your preferred cloud platform from the links below.
We have also provided the following bug fixes:
This release provides several improvements to our APIs and continues the ongoing improvements to the Burp Suite Enterprise Edition UI.
We recently released a new GraphQL API to improve the integration of Burp Suite Enterprise Edition with other tools. This release implements the following changes:
site_id filter to the scans query. This enables you to fetch all scans for a given site.type_index is now optional. This enables you to fetch all issues for a scan directly. Previously, you first had to fetch the issues grouped by type.IssueType, which contains information relevant to a specific issue type, such as a description and remediation advice. Instances of the type Issue now also contain an issue_type field that allows you to fetch this information.We have also made the following adjustments to the names of some entities:
IssueType, the query issue_types has been renamed to issue_type_groups. Similarly, the existing type IssueType has now been renamed to IssueTypeGroup.DeauthorizeAgentInput, we have renamed the machine_id field to just id.When you apply a custom scan configuration to a scan using the REST API, you can now save it as a named configuration for reuse in future scans. Previously, a custom scan configuration assigned using the REST API would be deleted after the scan was completed.
This release provides more improvements to the Burp Suite Enterprise Edition UI. The placeholder pages that are displayed before you have added a site or run a scan are now much more intuitive.
We’ve also provided several minor bug fixes, most notably:
If you want to deploy Burp Suite Enterprise Edition 2020.7 to the cloud for beta testing, you can download the corresponding template for your preferred cloud platform AWS or Azure.
This release provides major usability improvements and adds support for single sign-on. We are also pleased to announce a beta release for the cloud-native Burp Suite Enterprise Edition on both AWS and Azure.
Over the next few months, we’re working on improving the usability of Burp Suite Enterprise Edition by upgrading the UI. This release includes the first set of these changes:
You can now configure an LDAP connection between Burp Suite Enterprise Edition and your Active Directory. This enables you to manage your Burp Suite Enterprise Edition users centrally using single sign-on, just like you might already do with other applications.
Once you configure the connection, you simply create user groups in Burp Suite Enterprise Edition that correspond to the groups in your Active Directory. Users can then log in using their existing credentials. User permissions within the application are controlled on the group level, removing the need to create and manage dedicated users for Burp Suite Enterprise Edition.
For more information, please refer to the product documentation.
A beta release is now available for deploying Burp Suite Enterprise Edition natively on both AWS and Azure.
Note that you will need a separate Burp Suite Enterprise Edition license for your cloud-based deployment, even if you already have a license for an on-premise installation. You can request a trial license or purchase a new license from portswigger.net.
You can use the links below to download the corresponding template for deploying to your preferred platform. We have also provided installation instructions to help get you started.
We have also implemented several minor bug fixes and performance improvements.
This release provides the ability to arrange your agent machines and target sites into pools, to better organize your scanning resources. It also includes significant improvements to the user interface and navigation such as a new scan results page design. The release also fixes several bugs.
Agent machines and sites are now organized into agent machine pools. All agent machines and all sites are assigned to one and only one agent machine pool. Unless you specify otherwise, all agent machines and sites will be assigned to the same default pool. An agent will only scan a site if the site belongs to the same agent machine pool as the agent’s machine.
Agent machine pools support the “agent affinity” concept and are useful if you have a need to limit which agent machines can scan certain sites. Agent machine pools stop the problem of a scan failing because the relevant machine is busy elsewhere, or an assigned agent being unable to access a restricted site for a scan. Sample uses for agent machine pools are:
We have improved the user interface and experience throughout Burp Suite Enterprise Edition. These improvements include:
We have created a new user permission for viewing login details (credentials and/or recorded login sequences) associated with sites. This permission is not assigned to any user by default.
This release also includes several bug fixes, including:
schedule_items query in GraphQL are now enums rather than strings.This release provides the ability to arrange your agent machines and target sites into pools, to better organize your scanning resources. It also includes significant improvements to the user interface and navigation such as a new scan results page design. The release also fixes several bugs.
Agent machines and sites are now organized into agent machine pools. All agent machines and all sites are assigned to one and only one agent machine pool. Unless you specify otherwise, all agent machines and sites will be assigned to the same default pool. An agent will only scan a site if the site belongs to the same agent machine pool as the agent’s machine.
Agent machine pools support the “agent affinity” concept and are useful if you have a need to limit which agent machines can scan certain sites. Agent machine pools stop the problem of a scan failing because the relevant machine is busy elsewhere, or an assigned agent being unable to access a restricted site for a scan. Sample uses for agent machine pools are:
We have improved the user interface and experience throughout Burp Suite Enterprise Edition. These improvements include:
We have created a new user permission for viewing login details (credentials and/or recorded login sequences) associated with sites. This permission is not assigned to any user by default.
This release also includes several bug fixes, including:
schedule_items query in GraphQL are now enums rather than strings.This release provides several major enhancements to our cloud-friendly version of Burp Suite Enterprise Edition, as well as support for a new database version.
You can now use an Oracle 19c database with Burp Suite Enterprise Edition. For a full list of supported database types, please refer to the system requirements.
Both the main AWS CloudFormation template and the Azure Resource Manager template now comprise multiple “nested” templates, each with their own URL. This gives you the option to skip parts of the template and perform some of the process independently.
For example, you may prefer to set up the required infrastructure on your own and just use the template to deploy the main application. In this case, instead of entering the top-level URL for the full template in AWS/Azure, you can now just enter the URL for the deployment part.
You can find the URLs for the nested templates within the main template for each platform. We’ve also provided direct links at the bottom of these release notes. If you still want to use the full template, you can just ignore the nested ones and use the main URL in the same way as before.
We now support role-based access control (RBAC) for the entire deployment process on AWS.
In previous releases, you had to provide an AWS access key and secret for the user who would be performing the deployment. This requirement has been removed completely. Instead, our IAM CloudFormation template now automatically generates roles that cover all of the required permissions, along with a corresponding group. Simply assigning the user to this group will allow them to perform the rest of the deployment.
The main AWS CloudFormation template now provides the option to automatically create and configure a new PostgreSQL database using Amazon’s Relational Database Service (RDS). This should make it much easier to get started as you won’t have to manually set up and connect to a database; most of the configuration will be done for you.
This is completely optional. If you prefer, you can still connect to any of our supported database types in the same way as before.
On AWS, application logging is now enabled at the beginning of the deployment phase. This means that any errors that occur during the database migration will now be captured in CloudWatch, which should help with debugging.
All credentials that you provide in the CloudFormation template are now obfuscated. This prevents them from being viewed by other users who have access to your Burp Suite Enterprise Edition resources in the AWS Management Console.
This release greatly improves the usability of Burp Suite Enterprise Edition’s generic, platform-agnostic CI/CD driver by adding a new “site-driven scan” integration option. Don’t worry, it still includes the legacy “Burp scan” option, which you can use in the same way as before. This means you can make the switch to the new driver without breaking your existing integrations.
Please note that in order to use the new site-driven scan option, you also need to upgrade Burp Suite Enterprise Edition to version 2021.3 or higher.
Our CI/CD driver enables you to integrate automated vulnerability scans into your existing pipelines on almost any platform. You can then configure rules for failing the build based on the scan’s results. This helps you to catch bugs earlier in your development process by adopting a DevSecOps approach, with minimal disruption to your existing workflow.
Our platform-agnostic driver comes in the form of a JAR file, which you simply run from a command-line build step in your CI/CD pipeline. Any configuration options are set using a series of parameters.
If you use Jenkins or TeamCity, please be aware we also provide native plugins for both of these platforms. The plugins offer all of the same functionality as our generic CI/CD driver, but they allow you to configure the various options via the native platform UI instead of using shell commands. Both of these plugins are also available from our releases page
The new “site-driven scan” integration option provides the following key advantages.
Your sites are automatically fetched from Burp Suite Enterprise Edition via its GraphQL API. This means that when adding a vulnerability scan to your pipeline, you can manually select the exact site that it relates to. Previously, you had to rely on the automated site-matching rules.
Manually matching your sites and scans ensures that all of your scan data is associated with the correct site and that results are seamlessly aggregated from both user-created and CI/CD-generated scans. This allows you to take full advantage of Burp Suite Enterprise Edition’s powerful analytics features and accurately monitor changes to your security posture over time.
Site-driven scans also have access to most of your site data from Burp Suite Enterprise Edition. This includes the default scan configurations, URL scope, false positive settings, and so on. As a result, you no longer need to manually provide this information in your build step. This makes the integration process much simpler and removes the need to create custom JSON scan definitions.
Instead, you simply create and configure your site as normal using Burp Suite Enterprise Edition’s intuitive web UI. You can then test your site and scan configuration by running a few scans manually, tweaking the behavior if necessary. Once you’re satisfied with everything, you just select this site from your CI/CD build step and all of these settings will be used automatically. Any subsequent changes you make to your site in the Burp Suite Enterprise Edition web UI will be automatically reflected in your CI/CD system the next time you run a build.
To provide continued support for any existing integrations that you may have configured, this release also retains the legacy “Burp scan” option in its original form.
This is useful in some cases, such as when you want to run a one-off scan and do not want its results to be linked to a particular site. However, for most new integrations, we recommend using the new site-driven scan option instead.
For more detailed information about the pros and cons of both approaches, please refer to the documentation.
This release greatly improves the usability of Burp Suite Enterprise Edition’s native Jenkins plugin by adding a new “site-driven scan” integration option. Don’t worry, it still includes the legacy “Burp scan” option, which you can use in the same way as before. This means you can upgrade to the new plugin without breaking your existing integrations.
Please note that in order to use the new site-driven scan option, you also need to upgrade Burp Suite Enterprise Edition to version 2021.3 or higher.
Our native Jenkins plugin enables you to integrate automated vulnerability scans into your existing pipelines and configure rules for failing the build based on the scan’s results. This helps you to catch bugs earlier in your development process by adopting a DevSecOps approach, with minimal disruption to your existing workflow.
The plugin offers all of the same functionality as our generic CI/CD driver, but also adds two custom build step types to Jenkins. This allows you to configure the various options using the Jenkins web interface rather than having to use a shell command.
The new “site-driven scan” integration option provides the following key advantages.
Your sites are automatically fetched from Burp Suite Enterprise Edition via its GraphQL API. This means that when adding a vulnerability scan to your pipeline, you can manually select the exact site that it relates to. Previously, you had to rely on the automated site-matching rules.
Manually matching your sites and scans ensures that all of your scan data is associated with the correct site and that results are seamlessly aggregated from both user-created and Jenkins-generated scans. This allows you to take full advantage of Burp Suite Enterprise Edition’s powerful analytics features and accurately monitor changes to your security posture over time.
Site-driven scans also have access to most of your site data from Burp Suite Enterprise Edition. This includes the default scan configurations, URL scope, false positive settings, and so on. As a result, you no longer need to manually provide this information in your build step. This makes the integration process much simpler and removes the need to create custom JSON scan definitions.
Instead, you simply create and configure your site as normal using Burp Suite Enterprise Edition’s intuitive web UI. You can then test your site and scan configuration by running a few scans manually, tweaking the behavior if necessary. Once you’re satisfied with everything, you just select this site from your Jenkins build step and all of these settings will be used automatically. Any subsequent changes you make to your site in the Burp Suite Enterprise Edition web UI will be automatically reflected in Jenkins the next time you run a build.
To provide continued support for any existing integrations that you may have configured, this release also retains the legacy “Burp scan” option in its original form.
This is useful in some cases, such as when you want to run a one-off scan and do not want its results to be linked to a particular site. However, for most new integrations, we recommend using the new site-driven scan option instead.
For more detailed information about the pros and cons of both approaches, please refer to the documentation.
This release greatly improves the usability of Burp Suite Enterprise Edition’s native TeamCity plugin by adding a new “site-driven scan” integration option. Don’t worry, it still includes the legacy “Burp scan” option, which you can use in the same way as before. This means you can upgrade to the new plugin without breaking your existing integrations.
Please note that in order to use the new site-driven scan option, you also need to upgrade Burp Suite Enterprise Edition to version 2021.3 or higher.
Our native TeamCity plugin enables you to integrate automated vulnerability scans into your existing pipelines and configure rules for failing the build based on the scan’s results. This helps you to catch bugs earlier in your development process by adopting a DevSecOps approach, with minimal disruption to your existing workflow.
The plugin offers all of the same functionality as our generic CI/CD driver, but also adds two custom build step runner types to TeamCity. This allows you to configure the various options using the TeamCity web interface rather than having to use a shell command.
The new “site-driven scan” option provides the following key advantages.
Your sites are automatically fetched from Burp Suite Enterprise Edition via its GraphQL API. This means that when adding a vulnerability scan to your pipeline, you can manually select the exact site that it relates to. Previously, you had to rely on the automated site-matching rules.
Manually matching your sites and scans ensures that all of your scan data is associated with the correct site and that results are seamlessly aggregated from both user-created and TeamCity-generated scans. This allows you to take full advantage of Burp Suite Enterprise Edition’s powerful analytics features and accurately monitor changes to your security posture over time.
Site-driven scans also have access to most of your site data from Burp Suite Enterprise Edition. This includes the default scan configurations, URL scope, false positive settings, and so on. As a result, you no longer need to manually provide this information in your build step. This makes the integration process much simpler and removes the need to create custom JSON scan definitions.
Instead, you simply create and configure your site as normal using Burp Suite Enterprise Edition’s intuitive web UI. You can then test your site and scan configuration by running a few scans manually, tweaking the behavior if necessary. Once you’re satisfied with everything, you just select this site from your TeamCity build step and all of these settings will be used automatically. Any subsequent changes you make to your site in the Burp Suite Enterprise Edition web UI will be automatically reflected in TeamCity the next time you run a build.
To provide continued support for any existing integrations that you may have configured, this release also retains the legacy “Burp scan” option in its original form.
This is useful in some cases, such as when you want to run a one-off scan and do not want its results to be linked to a particular site. However, for most new integrations, we recommend using the new site-driven scan option instead.
For more detailed information about the pros and cons of both approaches, please refer to the documentation.
This release includes several enhancements that help you to better integrate Burp Suite Enterprise Edition with other web applications. It also adds support for some additional database versions, along with a significant number of minor improvements and bug fixes.
If you want to integrate Burp Suite Enterprise Edition with a third-party web application, or one that you’ve developed yourself, it probably needs access to your sites and scan data. This release adds a new option that lets you whitelist trusted origins for cross-origin resource sharing (CORS) via the GraphQL API.
Once you’ve whitelisted the origin on which your other application is running, its client-side JavaScript will have access to the full functionality exposed by the GraphQL API. This allows you to develop more powerful integrated applications that can fetch the relevant data, create and edit sites, and launch new scans directly from the browser using AJAX.
By default, all cross-origin requests initiated by JavaScript in the browser will be blocked unless you have explicitly whitelisted their origin. To do this, go to the network settings page and add trusted origins to the “Allowed Origins for GraphQL API” list.
schedule_item_id parameter in a scans query. This makes it much easier to locate the Scan that was generated by a ScheduleItem you’ve just created.site query to fetch an individual Site by its ID. This means you no longer have to fetch the whole SiteTree in order to query a specific known Site.Burp Suite Enterprise Edition now supports the following additional database versions:
For a full list of databases that you can use with Burp Suite Enterprise Edition, please check the system requirements.
? icon to view the scan configuration, the configuration ID is now displayed in the URL in your browser’s address bar for easier access.burp_agent. You can now use the tool even if you assigned a different username when setting up your database.This release provides the following bug fixes:
This release provides the following improvements and bug fixes.
The UI now has a more modern look and feel. We hope you like the new design as much as we do.
Users with permission to modify the settings can access the new “Help center” by clicking the ? icon in the upper-right corner of the screen. This provides a range of new features to help troubleshoot issues with your setup:
This release also adds the following new options for downloading logs:
/home/user/example.directory/.burp_enterprise.This release provides a new application logins option that will enable scans to handle single sign-on and other complex login mechanisms. Please note that this upgrade includes some major changes to the GraphQL API as a result.
When adding application logins to a site, instead of simply adding basic sets of user credentials, you now have the option to upload recorded login sequences instead. A recorded login sequence is essentially a script that tells Burp Scanner exactly how to log in to the site. This enables it to handle more complex login mechanisms, including single sign-on.
To generate this script, you use our dedicated Chrome extension to record your browser interactions while you perform the login sequence manually. You then upload this script to the relevant site in Burp Suite Enterprise Edition. When scans of this site begin an authenticated crawl, Burp Scanner will start a new session in its embedded browser and use this script to replicate your actions, performing the full login sequence from scratch.
For more information, please refer to the documentation.
Burp Scanner is now able to scan both JSON and YAML-based APIs for vulnerabilities. By default, the crawler attempts to parse any API definitions that it encounters to identify potential endpoints, along with their supported methods and parameters. Based on the endpoints that it discovers, Burp Scanner is then able to derive new locations to crawl and audit.
You can also explicitly provide the URL of an API definition in the list of included URLs for a site.
Please note that this initial release only supports scanning of a fairly limited range of REST APIs. For a full list of the prerequisites and limitations, please refer to the Burp Scanner documentation. We plan to further develop this feature and gradually add support for a wider range of APIs in future releases.
In order to implement the new functionality for uploading recorded login sequences, we’ve had to make some changes to the GraphQL API. These changes may require you to refactor your existing integrations before they will work with this version of Burp Suite Enterprise Edition.
Generally speaking, the entities related to application logins have now been split in two. This is to create the distinction between sets of basic login credentials and recorded login sequences.
The full list of changes is as follows:
ApplicationLogin is now obsolete. This has been replaced by two new types, LoginCredential and RecordedLogin.ApplicationLogins has been added. This provides two fields, login_credentials and recorded_logins, which contain a list of LoginCredential and RecordedLogin objects respectively.ApplicationLogin objects now contain a single object of the new type ApplicationLogins. This affects the following fields:
site_application_logins and schedule_item_application_logins fields of Scan objectsapplication_logins field of Site objectscreate_site_application_loginupdate_site_application_logindelete_site_application_loginThese have been replaced by the following new mutations:
create_site_login_credentialcreate_site_recorded_loginupdate_site_login_credentialdelete_site_login_credentialdelete_site_recorded_loginPlease note that you can add either LoginCredential or RecordedLogin objects to a Site, but not both. Querying the application_logins field for a Site will return a single ApplicationLogins object for which only one of the login_credentials and recorded_logins fields will contain data.
We have improved the logging of certain processes, which should make it easier to troubleshoot any problems that arise. For example, there is now much greater transparency in the log entries when backing up your database. When errors occur with Jira, the log now also provides much more detail about what the problem is.
When a scan check is abandoned due to memory allocation issues, this is now indicated in the scan results, the list of scans, and the downloadable reports. Previously, this would only be mentioned in the event log, which meant that it was easy to miss.
This release also provides the following bug fixes:
This release fixes a bug in the installer that affected some customers using an Oracle database. Previously, the installer would fail if the database schema name was anything other than burp_enterprise.
This release further improves Burp Suite Enterprise Edition’s support for single sign-on by enabling SAML integration. It also provides major improvements to the AWS deployment process.
Burp Suite Enterprise Edition now supports SAML-based single sign-on. This is particularly useful for managing user authentication for cloud-based deployments.
You can integrate SAML SSO using any identity provider (IdP), but the following ones have been fully tested:
To configure the connection to your preferred SAML IdP, log in to Burp Suite Enterprise Edition as an administrator, select “Single sign-on” from the settings menu, then open the “SAML connection” tab.
For more detailed information, please refer to the accompanying documentation.
This release also provides the following improvements:
This release provides major usability improvements to the deployment process for Burp Suite Enterprise Edition on AWS.
Most notably, the CloudFormation template now creates all of the required AWS infrastructure for you. This includes creating a new Virtual Private Cloud (VPC), so you no longer need to set this up manually. We hope that this will make it much easier to get up and running.
Secondly, there are now two CloudFormation templates for each release of Burp Suite Enterprise Edition:
Previously, some customers faced issues when the user performing the deployment did not have the appropriate permissions to create IAM users. Now that this is handled in a separate template, you can easily hand over this part of the setup process to the relevant team within your organization.
If you want to deploy Burp Suite Enterprise Edition 2020.10 to the cloud for beta testing, you can download the template for your preferred cloud platform.
We have also provided the following bug fixes:
This release provides several improvements to our APIs and continues the ongoing improvements to the Burp Suite Enterprise Edition UI.
We recently released a new GraphQL API to improve the integration of Burp Suite Enterprise Edition with other tools. This release implements the following changes:
site_id filter to the scans query. This enables you to fetch all scans for a given site.type_index is now optional. This enables you to fetch all issues for a scan directly. Previously, you first had to fetch the issues grouped by type.IssueType, which contains information relevant to a specific issue type, such as a description and remediation advice. Instances of the type Issue now also contain an issue_type field that allows you to fetch this information.We have also made the following adjustments to the names of some entities:
IssueType, the query issue_types has been renamed to issue_type_groups. Similarly, the existing type IssueType has now been renamed to IssueTypeGroup.DeauthorizeAgentInput, we have renamed the machine_id field to just id.When you apply a custom scan configuration to a scan using the REST API, you can now save it as a named configuration for reuse in future scans. Previously, a custom scan configuration assigned using the REST API would be deleted after the scan was completed.
This release provides more improvements to the Burp Suite Enterprise Edition UI. The placeholder pages that are displayed before you have added a site or run a scan are now much more intuitive.
We’ve also provided several minor bug fixes, most notably:
This release provides major usability improvements and adds support for single sign-on. We are also pleased to announce a beta release for the cloud-native Burp Suite Enterprise Edition on both AWS and Azure.
Over the next few months, we’re working on improving the usability of Burp Suite Enterprise Edition by upgrading the UI. This release includes the first set of these changes:
You can now configure an LDAP connection between Burp Suite Enterprise Edition and your Active Directory. This enables you to manage your Burp Suite Enterprise Edition users centrally using single sign-on, just like you might already do with other applications.
Once you configure the connection, you simply create user groups in Burp Suite Enterprise Edition that correspond to the groups in your Active Directory. Users can then log in using their existing credentials. User permissions within the application are controlled on the group level, removing the need to create and manage dedicated users for Burp Suite Enterprise Edition.
For more information, please refer to the product documentation.
A beta release is now available for deploying Burp Suite Enterprise Edition natively on both AWS and Azure.
Note that you will need a separate Burp Suite Enterprise Edition license for your cloud-based deployment, even if you already have a license for an on-premise installation.
You can use the links below to download the corresponding template for deploying to your preferred platform.
This release fixes an issue that was causing some customers to see the “Lost communication with Burp Suite” error during scans
This release provides several minor bug fixes. Most notably:
This release provides a beta version of our brand new GraphQL-based API, which exposes most of the core functionality of Burp Suite Enterprise Edition. Among other things, you can use the new API to:
You can find more detailed information about how to use the API and the full range of supported operations in the API documentation. This also includes example payloads for typical queries.
As this is a beta version of the API, we would be grateful if customers could inform us of any problems that they encounter so that we can continue to optimize the behavior over the coming months. The Jenkins/TeamCity CI plugins and the generic CI driver will continue to use the existing public REST API. However, we are planning to release additional GraphQL-based versions in the near future.
Note: As a workaround for accessing functionality that was not supported by the public REST API, a small number of customers have integrated their own tools with Burp Suite Enterprise Edition using our internal REST API. Unfortunately, after upgrading to version 2020.4, these integrations will no longer be supported because the internal REST API has largely been replaced. However, you should be able to refactor your integrations to achieve the same results using the new GraphQL API. The vast majority of customers will be unaffected by this issue.
This release also marks the start of beta testing for the cloud-native version of Burp Suite Enterprise Edition. Over the next quarter, a small number of customers will be beta testing on both AWS and Azure.
We have also implemented several minor performance improvements and bug fixes. Most notably, the following issues have been resolved:
This release adds a number of new features to help simplify and streamline your post-scan activities. You can now:
This release contains a number of valuable enhancements.
There is a new scan configuration library that replicates the Burp Suite Pro feature. You can:
For each scan, you can now view full details of the individual URLs that were scanned, together with the numbers of issues, requests, and insertion points. You can drill into each URL to view the details of individual issues:
You can now download the scan event log, via the “More actions” button on the scan results page.
There is a new database migration tool that lets you migrate from the bundled database to an external database. See documentation on database migration.
There are various other enhancements and bug fixes:
This release includes various enhancements and bugfixes:
This release adds some new dashboard views.
There is a new site-level dashboard showing various information about the issues that have been found for the site, and its security posture over time. There are new tabs on the site page that let you switch between the dashboard, scan history, issues, and site details:
The sites area has new aggregated issues views. For a selected folder (or for all sites), this view shows all of the issues from the latest scans grouped by issue type. You can expand each aggregated issue to view the details of individual occurrences, and you can filter the view by severity, date, and whether issues are new or regressed:
Various performance improvements have been made. The sites page now loads considerably faster, and large folders are collapsed by default.
Various bugs have been fixed.
In a large organization with many sites and folders, the new folder-level dashboards let you drill down into parts of the organization and understand the vulnerabilities and trends within each area.
This release contains a new database backup feature. This is currently only available when using the internal bundled database (H2).
Automatic backups are enabled by default. The following options can be configured:
You can also trigger a manual database backup at any time.
A number of minor bugs have also been fixed.
Burp Suite Enterprise Edition is now officially out of beta!
This release also adds a beautiful new home page dashboard, with various charts showing an at-a-glance view of your overall security posture:
The new charts show:
Coming out of beta means we regard Burp Suite Enterprise Edition as essentially stable and suitable for general usage. It doesn’t mean there are no bugs. All software has bugs, and feedback is always welcome about any problems that users observe.
PortSwigger will, of course, be continuing to enhance Burp Suite Enterprise Edition with various new features over the coming months.
Related Post you may be interest
