Burp Suite Pro Web Vulnerability Scanner

Please read in reverse order, if you interest from the latest to old manner. As the latest release note and build always increment update on the bottom for this product update.

Professional 2020.4.1 Release 2020-May-18

This release provides the following minor improvements:

• Soft wrapping has been added to the HTTP message editor for any lines longer than 2000 characters.
• Resource management has been improved for the experimental browser-driven scanning option. This ensures that scans can be processed as efficiently as possible.

Bug fixes

In addition to general bug fixes, we have also resolved an issue that sometimes caused overlapping text in the message editor.

Professional 2020.4 Release 2020-Apr-27

This release mainly provides usability improvements to the HTTP message editor. It also upgrades both Java support and Burp Scanner’s embedded browser version.

HTTP message editor

The HTTP message editor now supports pretty printing of JSON, XML, HTML, CSS, and JavaScript. Take a look at the following video to see this feature in action:

Unformatted JSON data, for example, would previously be displayed as follows:

But as of version 2020.4, all of the supported formats mentioned above are prettified by default, meaning the JSON data in our example would now be displayed as follows:

You can toggle pretty printing on and off by clicking the “Pretty” button at the bottom of the editor. Alternatively, if you would prefer not to use pretty printing by default, you can disable this setting under “User options” > “Display” > “HTTP Message Display”.

Java support

As of this release, we now support Java 13. Unfortunately, we will no longer be able to support Java 8. The vast majority of users will be unaffected by this change. However, if you normally launch Burp directly from the JAR file instead of using the provided installer, you need to make sure that you have one of Java versions 9 to 13 before attempting to launch the new JAR file.

Chromium update

We have updated Burp Scanner’s experimental embedded browser to Chromium 81.0.4044.122 in order to implement the latest security fixes.

Other improvements

This release also provides the following minor improvements:

• Provided you have Java 13, Burp Proxy now supports TLS 1.3.
• Burp now notifies you if the proxy listener is disabled for any reason, and provides guidance on how to reactivate it.
• When running Burp in headless mode, you can now execute multiple commands at once by using pipes, heredocs, and so on.
• The search bar in the editor is now displayed correctly on smaller screens.

Bug fixes

We have also implemented several minor bug fixes, including:

• The response time is now displayed correctly for each request you send in Burp Repeater.
• Configured extensions are no longer lost when Burp Suite closes unexpectedly.
• The text editor no longer scrolls infinitely when embedded inside another scrolling component.

Professional 2020.2.1 Released 2020-Mar-16

This release contains minor updates to the 2020.2 release.

There are further enhancements to the custom Collaborator content options that were introduced in version 2020.2. You can now host custom robots.txt and crossdomain.xml files at arbitrary URLs on your Collaborator server.

We have also improved the handling of XML reports by stripping any null values.

The general improvements to the HTTP message editor continue, with this release providing the following bug fixes:

• The message editor no longer freezes when editing some requests containing JSON data.
• Binary data is now preserved in its original state even if you make changes to the request.
• Arrow keys no longer stop working if your request becomes longer than the viewport.
• Arrow keys now work with extensions, provided that they use the same key mappings.
• When clicking on a wrapped line, the cursor is now placed exactly where you click.

The issue definition links now also work correctly on the latest version of Kali Linux.

As always, we’ve also implemented several minor bug fixes across the product.

Professional 2020.2 Released 2020-Mar-02

This release builds on the general improvements we have been making to the HTTP message editor and incorporates some feedback from the community:

• Triple-clicking a word now selects the entire token, for example, the header value or a string literal of a JSON value.
• In editable messages, such as requests and responses in Burp Repeater, hovering over URL-encoded text now shows the decoded version in a tooltip.
• The “Convert selection” popup now works in responses as well as requests.
• In the user options for displaying HTTP messages, you can now choose to use any monospaced font that is installed on your system.
• Performance when analyzing responses with multiple code blocks has been improved.

The “Render” tab now enables you to view rendered HTML pages and images directly within the various tools instead of in a separate popup.

You can now add custom content to the Burp Collaborator service. For example, you could add a readme on the index page identifying the organization and the purpose of the service, or prove ownership of your domain to validate TLS certificate requests. To do this, you simply add new entries in the configuration file containing a path, contentType, and base64Content as follows:

"customHttpContent":
[
{ "path": "/", "contentType": "text/plain", "base64Content": "VGhpcyBpcyBhIHJhbmRvbSBsaW5lIG9mIHRleHQ="},
{ "path": "/foo", "contentType": "text/html", "base64Content": "dGhpcyBpcyBhbm90aGVyIG9uZSBmb3IgZ29vZCBtZWFzdXJlLiBOaWNlLg==" }
]

You can now initiate instant active or passive scans in Burp. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.

The following bugs fixes have also been implemented:

• A bug causing load/save filter dialogs to be hidden has been fixed.
• The “Scan defined insertion points” feature now works for all environments.
• Redirections are now shown in the site map when crawling.

Professional 2020.1 Released 2020-Jan-31

This release updates the HTTP message editor with various new capabilities:

• Syntax colorising for JavaScript, JSON, and CSS.
• Syntax colorising is now dynamically updated as you type.
• Line numbers.
• Code folding.
• Performance improvements.

We will soon continue improving the editor, with better prettifying of some formats and other helpful features.

Various improvements have been made to the efficiency and stability of Burp Scanner. We are working towards enabling the new experimental browser-driven scanning by default, which will pave the way for significant enhancements to the scanner’s capabilities over the coming year.

A number of bug fixes and other enhancements have been made, including:

• Issues negotiating TLS through some LAN firewalls have been resolved.
• Feedback messages during crawls have been improved.
• File dialogs now remember the last selected folder on a per-function basis.
• Improvements have been made to some UI elements in the dark theme.
• The expiration of auto-generated TLS certificates has been shortened to comply with modern browser requirements.
• You can now save performance feedback data to a local file, to be submitted via email rather than automatically.
• Some causes of project file corruption have been resolved.

Professional / Community 2.1.07 Released 2019-Dec-17

This release considerably improves Burp’s SSL/TLS coverage.  Historically, quirks in different server-side implementations together with bugs in the client-side Java stack led to problems connecting to some web sites. These have now been virtually eliminated.

The Venn diagram below shows how Burp’s coverage now compares with Google Chrome for the Alexa top 100,000 sites. Burp achieves substantial overlap with Chrome. Burp can connect to 1,696 sites that Chrome does not, and only fails to connect to 125 sites that Chrome can connect to.

(Note that Burp’s additional coverage is largely because Burp tolerates some older and weaker protocols and ciphers, in the interests of maximizing connectivity.)

Various improvements have been made to the crawling phase of scans:

• The event log contains improved feedback regarding account self-registration and login.
• Crawling is more efficient, with substantially fewer requests needed to discover the same range of locations.
• Various minor bugs have been fixed.

Professional 2.1.06 Released 2019-Nov-22

This release includes various bugfixes and performance enhancements to the new experimental browser-driven scanning feature.

Professional 2.1.05 Released 2019-Nov-05

This release adds experimental support for using Burp’s embedded Chromium browser to perform all navigation while scanning.

This new approach will provide a robust basis for future capabilities in Burp Scanner, enabling it to eventually deal with any client-side technologies and navigational structures that a modern browser is able to deal with. It has the potential to dramatically improve coverage of the scan, during both the crawling and auditing phases.

In this initial release, Burp Scanner now correctly deals with:

• Applications that dynamically construct the navigational UI (links and forms) using JavaScript.
• Applications that dynamically mutate the request when a link is clicked or a form is submitted, using JavaScript event handlers.

There are numerous caveats at this stage:

• Performance is poor and will be improved considerably over the next few releases.
• Navigational elements other than links and forms are not yet supported (such as DIV elements with an onclick handler that makes a request).
• Asynchronous requests such as XHR are honored during navigation but are not audited.
• Navigational actions that mutate the existing DOM without causing a request to the server are not properly handled.
• Frames and iframes are not properly supported.
• File uploads are not supported.

The new feature is currently experimental, and is being released to gather feedback from users who want to play with the new capability and assess its effectiveness. The new feature is not currently a suitable replacement for the existing default scanning mode: you are likely to gain some coverage of JavaScript-heavy applications, but also lose some coverage and experience poor performance. Rest assured that over the coming months the new feature will be considerably enhanced until it becomes a robust and superior replacement to the existing scanning mode.

To enable experimental support for browser-based scan navigation, create a new scan, add a crawl configuration, and under “Miscellaneous” select “Use embedded browser for navigation”. You can also configure whether to allow the browser to fetch page resources that are out-of-scope.

The release also includes various other bugfixes. The embedded JRE that is included in Burp’s installer has been updated to Java 12.

Professional 2.1.04 Released 2019-Sep-27

This release includes a number of minor enhancements and bugfixes.

In Burp Repeater, there are new options to close a tab, close all other tabs, and reopen a closed tab. You can access these actions via the context menu on the tab header, or by assigning hotkeys.

There is a new (default-on) scan option to ignore the protocols of URLs to scan. This is to avoid a  common user error where the scan is configured for http://example.com only, while it needs also to include https://example.com.

When a Burp update is available, there are options to mute the update notification for one week, for the currently offered update, or for all beta updates.

A bug affecting use of PKCS#11 smart cards affecting Burp 2.x has been fixed.

Professional 2.1.03 Released 2019-Aug-07

This release adds a brand new scan check, for HTTP request smuggling vulnerabilities:

This is a long-overlooked vulnerability class that is prevalent in modern cloud architectures, and which often has a critical impact.

• Read the full PortSwigger research post on HTTP desync attacks
• Play with real HTTP request smuggling vulnerabilities on the Web Security Academy

Professional 2.1.02 Released 2019-Jul-26

The support for WebSockets in Burp Repeater has been enhanced with a new WebSocket connection wizard that lets you:

• Attach to an existing WebSocket that is currently open.
• Reconnect to a WebSocket that has closed.
• Clone a WebSocket.
• Manually configure a new WebSocket connection.

The new capability gives you full manual control over the WebSocket negotiation request.

Some other minor enhancements have also been made:

• When creating a new project on disk, Burp will now automatically suggest a project filename, based on the project name and a timestamp.
• When loading a configuration file for project or user options, Burp now warns if the file doesn’t contain any options of the relevant type.
• Various minor bugs have been fixed.

Professional 2.1.01 Released 2019-Jul-16

This release adds support for WebSockets in Burp Repeater.

You can select a WebSocket message in the Proxy history or intercept tab, and choose “Send to Repeater” from the context menu:

Each message you send to Repeater opens in a new tab. Here, you can manually edit and send the message, view the full message history, pick a message from the history and manually edit and resend it, and manage the WebSocket connection:

As always, feedback about this new feature is welcome.

Have fun!

Professional 2.1 Released 2019-Jun-28

Burp Suite 2.x is now officially out of beta!

This is a huge upgrade over 1.7 with a wealth of new capabilities. We encourage anyone still using 1.7 to switch to 2.x.

Community Edition users can now enjoy Burp’s new dark theme. To enable the dark theme, go to User options / Display / User Interface / Look and feel, and select Darcula.

Coming out of beta means we regard Burp Suite 2.x as essentially stable and suitable for general usage. It doesn’t mean there are no bugs. All software has bugs, and feedback is always welcome about any problems that users observe.

We will, of course, be continuing to enhance Burp Suite 2.x with various new features over the coming months.

Professional 1.7.37 Released 2018-Aug-10

This release adds some powerful new Scanner checks based on James Kettle’s talk at Black Hat today.

For full details of this awesome new research, see our blog post on practical web cache poisoning.

Burp Scanner is now able to detect two new vulnerabilities, “Web cache poisoning” and “Request URL override”:

Note: On 10 October 2018, the .DMG package was regenerated to be compatible with MacOS Mojave.

Professional 1.7.36 Released 2018-Jul-30

This release fixes a number of issues including:

• A bug that prevented the macro editor from correctly showing the Proxy history.
• A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
• A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.

Note: On 10 October 2018, the .DMG package for Community Edition was regenerated to be compatible with MacOS Mojave.

Professional 1.7.35 Released 2018-Jun-29

This release includes a number of fixes and minor enhancements:

• Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
• A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
• The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.

Professional 1.7.34 Released 2018-Jun-13

A number of bugs have been fixed:

• A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
• A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
• A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
• Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
• A bug that prevented autocomplete popups from closing on some Linux window managers.
• A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
• A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
• A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.

The following enhancements have been made:

• Burp ClickBandit has been updated to support sandboxed iframes.
• A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

Note that some of the security issues were reported through our bug bounty program, which pays generously for bugs large and small. Thanks are due to Bruno Morisson and Juho Nurminen.

Professional 1.7.33 Released 2018-Mar-28

This release significantly improves the effectiveness of project repair when project file corruption occurs. Some users still experience corrupted project files when using virtualized file systems (for example, using Burp within a guest VM can lead to project file corruption if the host OS terminates abnormally). Previously, if some key metadata near the start of the project file was lost, then Burp’s project repair feature would not recover any data. In the new release, uncorrupted data within the file can still be recovered even if this key metadata is lost. Further feedback is welcomed regarding the effectiveness of project repair.

To support the new project repair function, changes have been made to the Burp project file format. The new release is backwards compatible with project files from all prior versions, but project files created with the new release cannot be opened with older versions of Burp.

Some bugs have been fixed:

• A bug in macro configuration where some settings for cookie handling might not be saved correctly across executions of Burp.
• Some minor bugs in the automatic project backup feature that was recently released.
• A bug where extensions could still gain API access to the Burp Collaborator client even when the user had disabled use of Collaborator.

Professional 1.7.32 Released 2018-Feb-02

This release adds a new automatic project file backup function. If you are using a disk-based project, this function automatically saves a backup copy of your project file periodically in the background. The options for the new function can be found at User options / Misc / Automatic Project Backup:

The new function is superior to the older function that saved a state file backup in several respects:

Project file backups are considerably faster. Project files of 1Gb in size are typically backed up in a few seconds.

• You can optionally include in-scope items only, to reduce the size of the backup file.
  Available disk space is checked before performing a backup. If insufficient space is available, the backup is skipped and an alert is shown.
• A single backup file is saved alongside the main project file. On successful completion of a new backup, the previous backup file is deleted.
• On attempting to open a corrupted project file, Burp checks if a backup is available, and if so offers to open that as an alternative to repairing the original.
• By default, the backup file is deleted on clean shutdown of Burp. Since the main project file is saved incrementally in real time, and project file corruption is typically caused by abnormal termination of the OS, it is not normally necessary to retain backup files following a clean shutdown. You can choose to retain the backup file on shutdown in the automatic project backup options.
• You can optionally disable the progress dialog that is shown when a backup is performed, so you can continue working without interruption.
• Backups are enabled by default with no configuration required. If you don’t want to use the feature, you can quickly turn it off using the option that is shown in the progress dialog:

Other enhancements include:

• Installed BApps are now updated automatically on startup. We issue frequent updates to BApps and it is highly recommended to be using the latest versions. You can disable automatic BApp updates in Extender options.
• A bug in the import project function, which omitted to import the Scanner issue activity log, has been fixed.
• Requests made by extensions during custom scan checks are now correctly reflected in the scan queue request counts, and are correctly subjected to configured request throttling.

1.7.31 19-Jan-2018

1.7.32 2-Feb-2018

1.7.33 28-Mar-2018

1.7.34 13-Jun-2018

A number of bugs have been fixed:

• A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
• A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
• A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
• Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
• A bug that prevented autocomplete popups from closing on some Linux window managers.
• A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
• A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
• A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.

The following enhancements have been made:

• Burp ClickBandit has been updated to support sandboxed iframes.
• A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

1.7.35 29-Jun-2018

This release includes a number of fixes and minor enhancements:

• Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
• A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
• The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.

1.7.36 30-Jul-2018

This release fixes a number of issues including:

• A bug that prevented the macro editor from correctly showing the Proxy history.
• A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
• A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.

1.7.37 10-Aug-2018