Burp Suite Pro Web Vulnerability Scanner

Please read in reverse order, if you interest from the latest to old manner. As the latest release note and build always increment update on the bottom for this product update.

Professional 2020.7 Release 2020-Jul-17

In this release, we’ve greatly improved the usability of Burp Suite by removing the need to perform many of the initial configuration steps for Burp Proxy.

Use Burp’s preconfigured browser for testing

You can now use Burp’s embedded Chromium browser for manual testing. This browser is preconfigured to work with the full functionality of Burp Suite right out of the box. You no longer need to manually configure your browser’s proxy settings or install Burp’s CA certificate. The first time you launch Burp you can immediately start testing, even with HTTPS URLs.

To launch the embedded browser, go to the “Proxy” > “Intercept” tab and click “Open Browser”.

Note that if you want to use an external browser for testing. you can still configure any browser to work with Burp in the same way as you could before.

Other improvements

• Burp now provides feedback in the request and response when it successfully communicates using HTTP/2. The first request you send to a server will display HTTP/1. However, once Burp has established that the website supports HTTP/2, all subsequent messages will indicate this in the request line and status line respectively. For more information about Burp’s experimental HTTP/2 support, please refer to the documentation.
• Performance of the experimental browser-powered scanning feature has been improved.
• The embedded browser has been upgraded to Chromium 84.

Bug fixes

• Multiple Cookie headers are now displayed correctly in the “Params” tab.
• We have also fixed a security bug that was reported via our bug bounty program. With a significant amount of user interaction, an attacker could potentially steal comma-delimited files from the local filesystem. The attacker would have to induce a user to visit a malicious website, copy the request as a curl command, and then execute it via the command line.

Professional 2020.6 Release 2020-Jul-3

This release adds an option for using HTTP/2 and provides several minor improvements and bug fixes.

Experimental HTTP/2 support

This release provides experimental support for HTTP/2. From the “Project settings” > “HTTP” tab, you can now choose to use HTTP/2 for inbound and outbound communication over TLS.

As this is still an experimental feature, please use it at your own discretion.

Other improvements

You can now control the TLS protocols that Burp Proxy will use when performing TLS negotiation with the browser. You can configure Burp Proxy to use the default protocols of your Java installation, or override these defaults and enable custom protocols as required.

Bug fixes

In the HTTP history, you can now hover the mouse over URL encoded data to show the decoded data in a tooltip. Previously, this worked in Burp Repeater but not the “Proxy” > “HTTP history” tab.

Professional 2020.5.1 Release 2020-Jun-19

This release provides several bug fixes, including the following improvements to the HTTP message editor:

• Highlighting text no longer causes it to disappear and reappear after resizing the panel.
• Clicking on an empty line now positions the cursor where you click instead of at the end of the previous line.

We have also fixed a security bug that was reported via our bug bounty program. With a significant amount of user interaction, an attacker could potentially read local files. The attacker would have to induce a user to visit a malicious website, copy the request as a curl command, and then execute it via the command line. This was classed as a medium severity issue due to the level of user interaction required.

Professional 2020.5 Release 2020-Jun-5

This release provides a useful new feature for the HTTP message editor, as well as several general improvements.

You can now choose to display non-printing characters as “lozenges” in the HTTP message editor. This is supported for any bytes with a hexadecimal value lower than 20, which includes tabs, line feeds, carriage returns, and null bytes.

This feature will be greatly beneficial for many use cases, including:

• Spotting subtle differences between byte values in responses
• Experimenting with HTTP request smuggling vulnerabilities
• Studying line endings to identify potential HTTP header injection vulnerabilities
• Observing how null-byte injections are handled by the server

Non-printing characters are hidden by default, but you can toggle the lozenges on and off by clicking the “\n” button at the bottom of the editor.

These non-printing characters can currently only be displayed in the message editor. For now, you have to edit bytes using Burp’s hex view. However, we plan to enable you to do this directly in the message editor in the near future.

General improvements

This release also provides the following minor improvements to various areas of Burp:

• The embedded Chromium browser for the experimental browser-driven scanning mode has been upgraded to version 83.
• Java 14 is now supported for both Professional and Community Edition.
• Burp Proxy no longer intercepts requests for SVG or font files by default.
• Crawling of static content is now faster.

Bug fixes

We have also implemented several minor bug fixes, most notably:

• The response received/completed times are now displayed for 401 responses.
• The response time is now displayed even when the time taken was < 1ms.
• “Check session is valid” session handling rules are now applied properly when session tracing is running
• The content discovery tool no longer erroneously displays the “Session is not running” message.

Professional 2020.4.1 Release 2020-May-18

This release provides the following minor improvements:

• Soft wrapping has been added to the HTTP message editor for any lines longer than 2000 characters.
• Resource management has been improved for the experimental browser-driven scanning option. This ensures that scans can be processed as efficiently as possible.

Bug fixes

In addition to general bug fixes, we have also resolved an issue that sometimes caused overlapping text in the message editor.

Professional 2020.4 Release 2020-Apr-27

This release mainly provides usability improvements to the HTTP message editor. It also upgrades both Java support and Burp Scanner’s embedded browser version.

HTTP message editor

The HTTP message editor now supports pretty printing of JSON, XML, HTML, CSS, and JavaScript. Take a look at the following video to see this feature in action:

Unformatted JSON data, for example, would previously be displayed as follows:

But as of version 2020.4, all of the supported formats mentioned above are prettified by default, meaning the JSON data in our example would now be displayed as follows:

You can toggle pretty printing on and off by clicking the “Pretty” button at the bottom of the editor. Alternatively, if you would prefer not to use pretty printing by default, you can disable this setting under “User options” > “Display” > “HTTP Message Display”.

Java support

As of this release, we now support Java 13. Unfortunately, we will no longer be able to support Java 8. The vast majority of users will be unaffected by this change. However, if you normally launch Burp directly from the JAR file instead of using the provided installer, you need to make sure that you have one of Java versions 9 to 13 before attempting to launch the new JAR file.

Chromium update

We have updated Burp Scanner’s experimental embedded browser to Chromium 81.0.4044.122 in order to implement the latest security fixes.

Other improvements

This release also provides the following minor improvements:

• Provided you have Java 13, Burp Proxy now supports TLS 1.3.
• Burp now notifies you if the proxy listener is disabled for any reason, and provides guidance on how to reactivate it.
• When running Burp in headless mode, you can now execute multiple commands at once by using pipes, heredocs, and so on.
• The search bar in the editor is now displayed correctly on smaller screens.

Bug fixes

We have also implemented several minor bug fixes, including:

• The response time is now displayed correctly for each request you send in Burp Repeater.
• Configured extensions are no longer lost when Burp Suite closes unexpectedly.
• The text editor no longer scrolls infinitely when embedded inside another scrolling component.

Professional 2020.2.1 Released 2020-Mar-16

This release contains minor updates to the 2020.2 release.

There are further enhancements to the custom Collaborator content options that were introduced in version 2020.2. You can now host custom robots.txt and crossdomain.xml files at arbitrary URLs on your Collaborator server.

We have also improved the handling of XML reports by stripping any null values.

The general improvements to the HTTP message editor continue, with this release providing the following bug fixes:

• The message editor no longer freezes when editing some requests containing JSON data.
• Binary data is now preserved in its original state even if you make changes to the request.
• Arrow keys no longer stop working if your request becomes longer than the viewport.
• Arrow keys now work with extensions, provided that they use the same key mappings.
• When clicking on a wrapped line, the cursor is now placed exactly where you click.

The issue definition links now also work correctly on the latest version of Kali Linux.

As always, we’ve also implemented several minor bug fixes across the product.

Professional 2020.2 Released 2020-Mar-02

This release builds on the general improvements we have been making to the HTTP message editor and incorporates some feedback from the community:

• Triple-clicking a word now selects the entire token, for example, the header value or a string literal of a JSON value.
• In editable messages, such as requests and responses in Burp Repeater, hovering over URL-encoded text now shows the decoded version in a tooltip.
• The “Convert selection” popup now works in responses as well as requests.
• In the user options for displaying HTTP messages, you can now choose to use any monospaced font that is installed on your system.
• Performance when analyzing responses with multiple code blocks has been improved.

The “Render” tab now enables you to view rendered HTML pages and images directly within the various tools instead of in a separate popup.

You can now add custom content to the Burp Collaborator service. For example, you could add a readme on the index page identifying the organization and the purpose of the service, or prove ownership of your domain to validate TLS certificate requests. To do this, you simply add new entries in the configuration file containing a path, contentType, and base64Content as follows:

"customHttpContent":
[
{ "path": "/", "contentType": "text/plain", "base64Content": "VGhpcyBpcyBhIHJhbmRvbSBsaW5lIG9mIHRleHQ="},
{ "path": "/foo", "contentType": "text/html", "base64Content": "dGhpcyBpcyBhbm90aGVyIG9uZSBmb3IgZ29vZCBtZWFzdXJlLiBOaWNlLg==" }
]

You can now initiate instant active or passive scans in Burp. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.

The following bugs fixes have also been implemented:

• A bug causing load/save filter dialogs to be hidden has been fixed.
• The “Scan defined insertion points” feature now works for all environments.
• Redirections are now shown in the site map when crawling.

Professional 2020.1 Released 2020-Jan-31

This release updates the HTTP message editor with various new capabilities:

• Syntax colorising for JavaScript, JSON, and CSS.
• Syntax colorising is now dynamically updated as you type.
• Line numbers.
• Code folding.
• Performance improvements.

We will soon continue improving the editor, with better prettifying of some formats and other helpful features.

Various improvements have been made to the efficiency and stability of Burp Scanner. We are working towards enabling the new experimental browser-driven scanning by default, which will pave the way for significant enhancements to the scanner’s capabilities over the coming year.

A number of bug fixes and other enhancements have been made, including:

• Issues negotiating TLS through some LAN firewalls have been resolved.
• Feedback messages during crawls have been improved.
• File dialogs now remember the last selected folder on a per-function basis.
• Improvements have been made to some UI elements in the dark theme.
• The expiration of auto-generated TLS certificates has been shortened to comply with modern browser requirements.
• You can now save performance feedback data to a local file, to be submitted via email rather than automatically.
• Some causes of project file corruption have been resolved.

Professional / Community 2.1.07 Released 2019-Dec-17

This release considerably improves Burp’s SSL/TLS coverage.  Historically, quirks in different server-side implementations together with bugs in the client-side Java stack led to problems connecting to some web sites. These have now been virtually eliminated.

The Venn diagram below shows how Burp’s coverage now compares with Google Chrome for the Alexa top 100,000 sites. Burp achieves substantial overlap with Chrome. Burp can connect to 1,696 sites that Chrome does not, and only fails to connect to 125 sites that Chrome can connect to.

(Note that Burp’s additional coverage is largely because Burp tolerates some older and weaker protocols and ciphers, in the interests of maximizing connectivity.)

Various improvements have been made to the crawling phase of scans:

• The event log contains improved feedback regarding account self-registration and login.
• Crawling is more efficient, with substantially fewer requests needed to discover the same range of locations.
• Various minor bugs have been fixed.

Professional 2.1.06 Released 2019-Nov-22

This release includes various bugfixes and performance enhancements to the new experimental browser-driven scanning feature.

Professional 2.1.05 Released 2019-Nov-05

This release adds experimental support for using Burp’s embedded Chromium browser to perform all navigation while scanning.

This new approach will provide a robust basis for future capabilities in Burp Scanner, enabling it to eventually deal with any client-side technologies and navigational structures that a modern browser is able to deal with. It has the potential to dramatically improve coverage of the scan, during both the crawling and auditing phases.

In this initial release, Burp Scanner now correctly deals with:

• Applications that dynamically construct the navigational UI (links and forms) using JavaScript.
• Applications that dynamically mutate the request when a link is clicked or a form is submitted, using JavaScript event handlers.

There are numerous caveats at this stage:

• Performance is poor and will be improved considerably over the next few releases.
• Navigational elements other than links and forms are not yet supported (such as DIV elements with an onclick handler that makes a request).
• Asynchronous requests such as XHR are honored during navigation but are not audited.
• Navigational actions that mutate the existing DOM without causing a request to the server are not properly handled.
• Frames and iframes are not properly supported.
• File uploads are not supported.

The new feature is currently experimental, and is being released to gather feedback from users who want to play with the new capability and assess its effectiveness. The new feature is not currently a suitable replacement for the existing default scanning mode: you are likely to gain some coverage of JavaScript-heavy applications, but also lose some coverage and experience poor performance. Rest assured that over the coming months the new feature will be considerably enhanced until it becomes a robust and superior replacement to the existing scanning mode.

To enable experimental support for browser-based scan navigation, create a new scan, add a crawl configuration, and under “Miscellaneous” select “Use embedded browser for navigation”. You can also configure whether to allow the browser to fetch page resources that are out-of-scope.

The release also includes various other bugfixes. The embedded JRE that is included in Burp’s installer has been updated to Java 12.

Professional 2.1.04 Released 2019-Sep-27

This release includes a number of minor enhancements and bugfixes.

In Burp Repeater, there are new options to close a tab, close all other tabs, and reopen a closed tab. You can access these actions via the context menu on the tab header, or by assigning hotkeys.

There is a new (default-on) scan option to ignore the protocols of URLs to scan. This is to avoid a  common user error where the scan is configured for http://example.com only, while it needs also to include https://example.com.

When a Burp update is available, there are options to mute the update notification for one week, for the currently offered update, or for all beta updates.

A bug affecting use of PKCS#11 smart cards affecting Burp 2.x has been fixed.

Professional 2.1.03 Released 2019-Aug-07

This release adds a brand new scan check, for HTTP request smuggling vulnerabilities:

This is a long-overlooked vulnerability class that is prevalent in modern cloud architectures, and which often has a critical impact.

• Read the full PortSwigger research post on HTTP desync attacks
• Play with real HTTP request smuggling vulnerabilities on the Web Security Academy

Professional 2.1.02 Released 2019-Jul-26

The support for WebSockets in Burp Repeater has been enhanced with a new WebSocket connection wizard that lets you:

• Attach to an existing WebSocket that is currently open.
• Reconnect to a WebSocket that has closed.
• Clone a WebSocket.
• Manually configure a new WebSocket connection.

The new capability gives you full manual control over the WebSocket negotiation request.

Some other minor enhancements have also been made:

• When creating a new project on disk, Burp will now automatically suggest a project filename, based on the project name and a timestamp.
• When loading a configuration file for project or user options, Burp now warns if the file doesn’t contain any options of the relevant type.
• Various minor bugs have been fixed.

Professional 2.1.01 Released 2019-Jul-16

This release adds support for WebSockets in Burp Repeater.

You can select a WebSocket message in the Proxy history or intercept tab, and choose “Send to Repeater” from the context menu:

Each message you send to Repeater opens in a new tab. Here, you can manually edit and send the message, view the full message history, pick a message from the history and manually edit and resend it, and manage the WebSocket connection:

As always, feedback about this new feature is welcome.

Have fun!

Professional 2.1 Released 2019-Jun-28

Burp Suite 2.x is now officially out of beta!

This is a huge upgrade over 1.7 with a wealth of new capabilities. We encourage anyone still using 1.7 to switch to 2.x.

Community Edition users can now enjoy Burp’s new dark theme. To enable the dark theme, go to User options / Display / User Interface / Look and feel, and select Darcula.

Coming out of beta means we regard Burp Suite 2.x as essentially stable and suitable for general usage. It doesn’t mean there are no bugs. All software has bugs, and feedback is always welcome about any problems that users observe.

We will, of course, be continuing to enhance Burp Suite 2.x with various new features over the coming months.

Professional 1.7.37 Released 2018-Aug-10

This release adds some powerful new Scanner checks based on James Kettle’s talk at Black Hat today.

For full details of this awesome new research, see our blog post on practical web cache poisoning.

Burp Scanner is now able to detect two new vulnerabilities, “Web cache poisoning” and “Request URL override”:

Note: On 10 October 2018, the .DMG package was regenerated to be compatible with MacOS Mojave.

Professional 1.7.36 Released 2018-Jul-30

This release fixes a number of issues including:

• A bug that prevented the macro editor from correctly showing the Proxy history.
• A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
• A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.

Note: On 10 October 2018, the .DMG package for Community Edition was regenerated to be compatible with MacOS Mojave.

Professional 1.7.35 Released 2018-Jun-29

This release includes a number of fixes and minor enhancements:

• Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
• A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
• The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.

Professional 1.7.34 Released 2018-Jun-13

A number of bugs have been fixed:

• A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
• A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
• A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
• Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
• A bug that prevented autocomplete popups from closing on some Linux window managers.
• A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
• A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
• A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.

The following enhancements have been made:

• Burp ClickBandit has been updated to support sandboxed iframes.
• A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

Note that some of the security issues were reported through our bug bounty program, which pays generously for bugs large and small. Thanks are due to Bruno Morisson and Juho Nurminen.

Professional 1.7.33 Released 2018-Mar-28

This release significantly improves the effectiveness of project repair when project file corruption occurs. Some users still experience corrupted project files when using virtualized file systems (for example, using Burp within a guest VM can lead to project file corruption if the host OS terminates abnormally). Previously, if some key metadata near the start of the project file was lost, then Burp’s project repair feature would not recover any data. In the new release, uncorrupted data within the file can still be recovered even if this key metadata is lost. Further feedback is welcomed regarding the effectiveness of project repair.

To support the new project repair function, changes have been made to the Burp project file format. The new release is backwards compatible with project files from all prior versions, but project files created with the new release cannot be opened with older versions of Burp.

Some bugs have been fixed:

• A bug in macro configuration where some settings for cookie handling might not be saved correctly across executions of Burp.
• Some minor bugs in the automatic project backup feature that was recently released.
• A bug where extensions could still gain API access to the Burp Collaborator client even when the user had disabled use of Collaborator.

Professional 1.7.32 Released 2018-Feb-02

This release adds a new automatic project file backup function. If you are using a disk-based project, this function automatically saves a backup copy of your project file periodically in the background. The options for the new function can be found at User options / Misc / Automatic Project Backup:

The new function is superior to the older function that saved a state file backup in several respects:

Project file backups are considerably faster. Project files of 1Gb in size are typically backed up in a few seconds.

• You can optionally include in-scope items only, to reduce the size of the backup file.
  Available disk space is checked before performing a backup. If insufficient space is available, the backup is skipped and an alert is shown.
• A single backup file is saved alongside the main project file. On successful completion of a new backup, the previous backup file is deleted.
• On attempting to open a corrupted project file, Burp checks if a backup is available, and if so offers to open that as an alternative to repairing the original.
• By default, the backup file is deleted on clean shutdown of Burp. Since the main project file is saved incrementally in real time, and project file corruption is typically caused by abnormal termination of the OS, it is not normally necessary to retain backup files following a clean shutdown. You can choose to retain the backup file on shutdown in the automatic project backup options.
• You can optionally disable the progress dialog that is shown when a backup is performed, so you can continue working without interruption.
• Backups are enabled by default with no configuration required. If you don’t want to use the feature, you can quickly turn it off using the option that is shown in the progress dialog:

Other enhancements include:

• Installed BApps are now updated automatically on startup. We issue frequent updates to BApps and it is highly recommended to be using the latest versions. You can disable automatic BApp updates in Extender options.
• A bug in the import project function, which omitted to import the Scanner issue activity log, has been fixed.
• Requests made by extensions during custom scan checks are now correctly reflected in the scan queue request counts, and are correctly subjected to configured request throttling.

1.7.31 19-Jan-2018

1.7.32 2-Feb-2018

1.7.33 28-Mar-2018

1.7.34 13-Jun-2018

A number of bugs have been fixed:

• A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
• A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
• A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
• Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
• A bug that prevented autocomplete popups from closing on some Linux window managers.
• A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
• A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
• A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.

The following enhancements have been made:

• Burp ClickBandit has been updated to support sandboxed iframes.
• A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

1.7.35 29-Jun-2018

This release includes a number of fixes and minor enhancements:

• Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
• A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
• The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.

1.7.36 30-Jul-2018

This release fixes a number of issues including:

• A bug that prevented the macro editor from correctly showing the Proxy history.
• A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
• A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.

1.7.37 10-Aug-2018