Burp Suite Pro Web Vulnerability Scanner

Please read in reverse order, if you interest from the latest to old manner. As the latest release note and build always increment update on the bottom for this product update.

Professional 2021.4 Released 2021-Apr-1

This release provides a native logging tool to Burp Suite. It also allows saving settings for Burp’s embedded browser and message editor’s search bar, and the ability to turn off Repeater’s line ending normalization. The release also provides several bug fixes.

Logger

Burp Suite now has a native logging tool called Logger, which is available from the main row of tool tabs. Some highlights of Logger are:

• You can view traffic made by all Burp tools, analyze messages, and send them to other Burp tools.
• You can configure separate capture and view filters to focus on the messages that you are interested in.
• Logger is optimised for performance and limits the amount of memory that is used. The default limit is 50MB (or 100MB if you give Burp Suite at least 1GB of memory), but you can change this. Once the memory limit has been reached, Logger will keep a rolling log of entries.
• You can turn off Logger if you prefer.

Here is a short video showing Logger in action:

Embedded browser settings

When using Burp’s embedded Chromium browser, your history and any changes you make to the browser settings are now saved even after you close Chromium. This means you no longer need to reconfigure your preferences each time you use the browser and can even keep any extensions that you install.

By default, your settings and history will be persisted. If you’d prefer to disable this behavior, go to User options > Misc and deselect the corresponding checkbox in the “Embedded browser” section.

Message editor search settings

You can now configure the default settings of the message editor’s search bar. Change the defaults by going to User options > Misc and selecting the check boxes under “Message search”.

Normalized line endings in Repeater

Repeater usually normalizes the line endings of requests. However, this behaviour may not always be useful, especially when you are testing request smuggling. You can now turn off normalizing line endings by going to the Repeater menu and unchecking “Normalize line endings”.

Bug fixes

This release provides several minor improvements and bug fixes, including:

• Message inspector buttons now work correctly when you paste content into a “Decoded from” panel.
• Burp Collaborator server now responds to CAA queries with a NOERROR rather than a SERVFAIL response code.
• Burp Collaborator server now supports custom CNAME and TXT records.
• Burp Suite is not entirely compatible with Java 16. It will now warn you if you try to launch it with Java 16, and provide a workaround to enable you to use both together.

Professional 2021.3.2 Released 2021-Mar-17

This release strengthens support for HTTP/2 and turns it on by default. It also fixes several bugs.

HTTP/2 support

We have strengthened support for HTTP/2 within Burp Suite. HTTP/2 support is now turned on by default and is no longer considered experimental. Burp will interact with targets via HTTP/2 when a target supports it.

HTTP/2 support brings a significant performance improvement to the network layer, benefiting Scanner and Intruder speed. It also provides future compatibility with any site that no longer supports HTTP/1.1.

If you prefer not to use HTTP/2, you can disable its use under Project Options / HTTP.

Bug fixes

This release provides several minor improvements and bug fixes, including:

• The crawler no longer produces an error when it encounters request bodies that contain JSON literals when it is crawling OpenAPI definitions.
• Burp Suite now shuts down correctly on macOS.
• The number of characters selected now shows in the message inspector when selecting non-editable messages.
• Custom menu items added by extensions are now shown in a sub-menu of the context menu, to avoid cluttering.
• The hash algorithm list within Burp Decoder is now sorted alphanumerically.
• The resource pool button is now disabled when configuring a live passive crawl, as this crawl does not make requests.
• The automatic backup progress dialog box no longer appears if Burp Suite is minimized.

Professional 2021.3.1 Released 2021-Mar-16

This release provides a security fix for the embedded Chromium browser, and several bug fixes.

Chromium security fix

This release includes an update of Burp’s embedded browser to Chromium 89.0.4389.90 which fixes a security issue that Google have classified as high.

Bug fixes

This release provides several bug fixes, including:

• Copy and cut hotkeys now work in inspector tables, and the copied data is formatted appropriately for the types of items in the table.
• Burp Suite now correctly deletes update files after they have been used.
• The title bar now displays the name of the update channel you have has chosen if it is not the Stable channel.
• We have improved the layout of the Intruder “Grep – Payloads” panel.
• Unwanted update behaviour no longer happens when you have more than one installation of Burp Suite on macOS.
• We have fixed an issue where the crawler encounters an error if it finds links with URL fragments during the “discovering hidden content” section of the crawl.
• We have converted filter pop-up windows to dialog boxes throughout Burp Suite, to improve consistency.

Professional 2021.3 Released 2021-Mar-3

This release provides several bug fixes. Most notably:

• Copy and cut hotkeys now work in inspector tables, and the copied data is formatted appropriately for the types of items in the table.
• Burp Suite now correctly deletes update files after they have been used.
• The title bar now displays the name of the update channel you have has chosen if it is not the Stable channel.
• We have improved the layout of the Intruder “Grep – Payloads” panel.
• Unwanted update behaviour no longer happens when you have more than one installation of Burp Suite on macOS.
• We have fixed an issue where the crawler encounters an error if it finds links with URL fragments during the “discovering hidden content” section of the crawl.
• We have converted filter pop-up windows to dialog boxes throughout Burp Suite, to improve consistency.

Professional 2021.2.1 Released 2021-Feb-16

This release provides multiple Burp Suite update channels, including an Early Adopter channel. It also provides improved Intruder payload lists and several bug fixes.

Multiple update channels

We now deliver automatic updates to Burp Suite via two channels: Stable and Early Adopter. The default channel for all users is Stable. New versions of Burp Suite will appear on the Early Adopter channel first, and then go to the Stable channel when any initial problems have been resolved. The update channel setting is per installation, so multiple installations set to different update channels are possible.

Choose the Early Adopter channel to get the latest features fast. Choose the Stable channel for the most robust and reliable version of Burp Suite.

To change your update channel, go to “User options” and select the “Misc” tab. Then scroll down to “Update” and select the channel you prefer.

Improved Intruder default payload lists

We have improved and expanded Intruder’s default payload lists. There are also new lists, such as SSRF payloads and common files and directories.

Bug fixes

This release also provides several bug fixes, such as:

• Custom User-Agent values will now save correctly if they contain a colon character.
• Using the rule to disable browser XSS protection in Proxy options no longer results in an error.
• Windows created by generating a CSRF PoC now open correctly, rather than opening behind the main Burp window.

Professional 2021.2 Released 2021-Feb-8

This release provides improvements to the message inspector, non-printing character display, platform authentication controls and the embedded browser. It also provides a new vulnerability definition and several bug fixes.

New vulnerability definition: vulnerable JavaScript dependencies

Burp Scanner will now detect when a target application imports a JavaScript dependency that has a known vulnerability, such as when a library is dangerously out of date or has other issues.

Non-printing characters improvement

When viewing non-printing characters in the text editor, characters with a hexadecimal code point below 20 are displayed as “lozenges” with their hex code. Now, characters with a code point from 7F to FF are also displayed in the same way.

Per-host controls for platform authentication

Platform authentication (under “User options” and the “Connections” tab) can now be turned on or off on a per-host basis.

Message inspector improvements

There have been significant performance improvements in the message inspector. Also, users can now resize the message inspector horizontally and select multiple entries at once.

Embedded browser improvements

HTTP requests initiated by the embedded Chromium browser itself, rather than the user, are no longer sent. Also, Burp’s embedded browser has been upgraded to Chromium 88.0.4324.150.

Bug fixes and minor improvements

This release also provides the following bug fixes and minor improvements:

• The HTTP history message filter no longer incorrectly opens a new window when in fullscreen mode on macOS.
• Streaming responses now show correctly in Burp Repeater.
• Regex-based session validation no longer fails after opening an existing project file.
• Activating a .burp file now opens Burp and loads the file rather than starting the Burp start-up wizard.
• The “Delete bytes” context menu option has been restored to Burp Decoder.
• The message editor now correctly highlights text in double quotation marks.
• The colour of the “Intercept is off” button now matches nearby buttons.
• Marks in check boxes are now displaying correctly in Burp extensions.
• Deselecting “URL-encode these characters” is now respected for Payload Processing rules and multiple payload sets when using Cluster bomb attacks in Burp Intruder.
• Burp Suite now makes use of the maximum size of messages that can be sent to Chromium DevTools, which is 100MB. This means that larger page resources can be loaded.
• Burp Suite’s MIME-type analysis now matches Chromium’s behavior. Where multiple Content-Type headers are present in a response, Burp chooses the last one. Where there are Content-Type headers and a <meta http-equiv="content-type"> tag, Burp chooses the Content-Type headers. This change affects MIME-type filters in the Proxy and Target tabs, and the Render tab in the response viewer.
• The icon for vulnerabilities with a severity of False Positive has changed from blue to green.

Professional 2020.12.1 Released 2020-Dec-17

This release provides performance and user interface improvements, a JavaScript analysis improvement, and several bug fixes.

Performance improvements

We have made significant improvements in both speed and memory usage in the message editor when handling large messages.

User interface improvements

We have improved several aspects of the user interface. There are new colors for various buttons, icons, check boxes, and radio buttons, to be in line with the new branding of Burp Suite. There are now tooltips for scan phases and issue counts in the scan task Audit Items view.

Processing dynamically created scripts

Burp Scanner‘s dynamic JavaScript analysis will now load dynamically created scripts, such as document.write('<script src="…">') or document.createElement('script’).

Bug fixes

This release also provides the following bug fixes:

• In Burp Proxy, the message editor now consistently displays the correct view when switching between items in the HTTP history.
• When using the context menu in the “Issue activity” section of Burp’s dashboard, options provided by extensions are now displayed correctly.
• Long payload lists in Burp Intruder now correctly include all entries from the corresponding short list, as well as extra items.

Professional 2020.12 Released 2020-Dec-11

This release provides the following improvements and bug fixes:

Dynamic switching between UI themes

When switching between the new light and dark themes in the display settings, you no longer have to restart Burp before this change is applied.

Scan URLs with fragments

You can now include fragments (#) in the seed URLs you specify for a scan. Note that this is only supported by browser-powered scans. If the “Use embedded browser for Crawl and Audit” option is disabled in your scan configuration, you will not be able to start a scan with seed URLs containing fragments.

Embedded browser upgrade

Burp’s embedded browser has been upgraded to Chromium 87.0.4280.88.

User interface improvements

The icons and icon colors for issue severity levels have changed. We’ve also adjusted the background color for the Suite tab bar, in both the light and dark themes.

Security fix

We have fixed a vulnerability that could result in Burp Suite issuing requests that do not respect its upstream proxy configuration and could leak NetNTLM hashes on Windows systems that fail to block outbound SMB.

This issue was reported through our bug bounty program.

Bug fixes

This release also provides the following bug fixes:

• Copying an intercepted request as a curl command no longer introduces duplicate Cookie headers.
• As long as your user has permission to use the selected port, you are no longer prevented from binding the proxy listener to ports < 1024. Previously, a bug meant that only root / super users could bind the listener to these ports.
• During scans, the crawler no longer uses cookies from Burp’s cookie jar when sending requests.
• Users can once again paste content into the message editor of the Extensions tab.

Professional 2020.11.3 Released 2020-Dec-1

This release provides several bug fixes. Most notably:

• We have fixed a bug that occasionally caused issues with the new UI, such as Burp appearing to lock up.
• When you forward an intercepted request without making any changes, it is no longer erroneously marked as “Edited” in the proxy history.
• The “Getting Started” links on the Proxy Intercept tab are now only displayed until you intercept your first request.

Professional 2020.11.2 Released 2020-Nov-27

This release updates the look of Burp’s UI and adds an option for watching crawls in a headed browser.

UI refresh

This release gives Burp’s UI a make-over, with a cleaner, more modern look.

You can choose between light or dark theme at User options / Display / User interface.

Crawling with a headed browser

You can now choose to start scans using a headed browser. In this case, when the crawl starts, a new browser window will open in which you can watch the crawler navigating around the target website in real time. This is useful for troubleshooting any issues.

You can enable this option from the miscellaneous crawl settings of your scan configuration.

If you enable this option, please note that Burp Scanner will occasionally open additional browser windows during the crawl and stop using the previous window. This is perfectly normal. Any redundant windows will automatically be closed after a period of time.

Other improvements

This release also provides the following improvements:

• A new search function has been added to the BApp Store tab.
• If you add a user.vmoptions file in the same folder as the BurpSuitePro.vmoptions file, Burp will load these settings instead. This file will not be changed by Burp, which means you no longer have to manually back up your custom vmoptions when updating Burp.
• Burp’s embedded browser has been upgraded to Chromium version 87.0.4280.66.

Bug fixes

All keyboard shortcuts now work as expected on the Intercept tab.

Professional 2020.11.1 Release 2020-Nov-19

This release adds the Burp Suite Navigation Recorder extension to Burp’s embedded browser and fixes a minor bug in the startup process.

Burp Suite Navigation Recorder preinstalled in the embedded browser

The Burp Suite Navigation Recorder extension is now preinstalled and ready to use in Burp’s embedded browser. This means you can immediately start recording login sequences for Burp Scanner without having to perform any manual setup.

Embedded browser upgrade

Burp’s embedded browser has been upgraded to Chromium version 86.0.4240.198

Bug fixes

This release also provides the following bug fixes:

• Highlighting a null character no longer causes extra characters to be included in the selection by mistake.
• After a failed startup, relaunching Burp and selecting an existing project no longer causes the startup to fail again.
• When the mouseover decoding popup is visible in Repeater, pressing the Ctrl + Space shortcut to send the request no longer causes Burp to crash.
• When entering a number range for payloads in Intruder, accidentally leaving a trailing space no longer causes the request and payload count to be set to zero.

Professional 2020.11 Release 2020-Nov-9

This release provides several new features for both manual and automated testing, as well as some major upgrades to the message editor UI.

Message inspector

The new message inspector is a collapsible panel displayed on the right-hand side of the message editor throughout Burp Suite. It provides a quick way to analyze and work with interesting features of HTTP and WebSocket messages without having to switch between different tabs.

The Hex, Params, Headers, and Cookies tabs that used to appear in the message editor have been removed. You can now access the same functionality, and some additional new features, directly in the inspector panel.

• Perform basic operations such as viewing and manipulating any headers, parameters, and cookies found in HTTP messages. You can also add new ones to the request.
• Instantly decode HTML, URL, and Base64-encoded values. The inspector automatically applies the appropriate sequence of transformations to decode headers, parameters, cookies, and any encoded text that you manually select in a message.
• Work with encoded data more easily by editing it in its decoded form. The inspector automatically reapplies the necessary encodings as you type so that you can inject your modified value into the request with a single click or key press.
• Inject non-printing characters by modifying the code point of a character.

You perform some of these actions by drilling down into items that were automatically identified by the inspector. Alternatively, you can manually select one or more characters in a message to work with them in the inspector panel.

For more information about using the inspector, please refer to the documentation.

API scanning

Burp Scanner is now able to scan both JSON and YAML-based APIs for vulnerabilities. By default, the crawler attempts to parse any API definitions that it encounters to identify potential endpoints, along with their supported methods and parameters. You can also explicitly provide the URL of an API definition when launching a scan. Based on the endpoints that it discovers, Burp Scanner is then able to derive new locations to crawl and audit.

If you prefer, you can disable API scanning by deselecting the “Parse API definitions” crawl option in your scan configuration. You can find this option under “Miscellaneous”.

Please note that this initial release only supports scanning of a fairly limited range of REST APIs. For a full list of the prerequisites and limitations, please refer to the documentation. We plan to further develop this feature and gradually add support for a wider range of APIs in future releases.

Test recorded login sequences

In the previous release, we added new functionality for recording and uploading full login sequences to help Burp Scanner handle more complex authentication mechanisms. This release adds a new feature that allows you to replay your recorded login sequences in an embedded browser.

This makes it much easier to check whether the recording accurately captured your browser interactions. It may also help you to diagnose any problems if the login sequence is failing during scans.

For more information, please refer to the documentation.

Automatic updates

By default, Burp now automatically downloads any available updates. When a new update has been downloaded, a notification will prompt you to restart Burp in order to install it. Note that you will still need to download the 2020.11 release manually.

If you prefer, you can disable automatic updates in the user options.

Note for Windows users

To support automatic updates, Burp can no longer be installed in a directory that requires admin privileges. As a result, installing 2020.11 on Windows will likely create a new instance of Burp rather than upgrading your existing installation. Unfortunately, this means you will have to manually uninstall your old version of Burp.

This is a one-off inconvenience. Upgrading to any subsequent releases will not require you to repeat this process.

Other improvements

To help reduce clutter, the custom views that some Burp extensions add to the message editor are no longer accessed via individual tabs. Instead, you can now alternate between your extension-specific views using a new drop-down menu.

Bug fixes

• We have fixed a bug that was causing the Burp UI to freeze in specific circumstances when the .NET Beautifier extension was enabled.
• When hovering the mouse over a long, encoded token in an HTTP message, the decoded text no longer overflows the tooltip. We have also extended the tooltip so that it can display up to 2000 characters.
• Launching an installed version of Burp now provides the same range of character sets as when launching Burp from a JAR file.

Professional 2020.9.2 Release 2020-Oct-2

This release enables support for recorded login sequences in Burp Scanner and provides several other minor improvements. It also includes a security fix for Burp Collaborator.

Recorded login sequences

Instead of entering basic sets of login credentials for Burp Scanner to use, you can now provide the full sequence of actions required to log in. This enables Burp Scanner to handle more complex login processes, including:

• Single sign-on
• Multi-step login where the username and password are not entered in the same form
• Login forms that contain extra fields, checkboxes, and so on

Our dedicated Chrome extension captures your actions while you perform the login sequence and generates a JSON-based “script”. You can then import this script in the Application Logins section of the scan launcher. When the crawler begins an authenticated crawl, it will open a new browser session and use the script to replicate your actions, performing the full login sequence from scratch.

For more details on how to use recorded login sequences, please refer to the scan launcher documentation.

Other improvements

You can now clear the interaction history in Burp Collaborator client.

Bug fixes

This release also implements several minor bug fixes, most notably:

• The TLS handshake no longer fails when the target site’s hostname contains an underscore.
• All bytes are now preserved correctly when pasting data from a file into an HTTP message
• Auto-modified responses resulting from match-and-replace rules are now paired with the correct request in the proxy history.

Security fix

This release resolves a security issue in the Collaborator server. Previously, an attacker in a position to perform an active, server-side MITM attack could obtain the contents of emails delivered using STARTTLS. If you are running your own Collaborator server, we recommend updating it.

This vulnerability was reported to us privately via our bug bounty program.

Professional 2020.9.1 Release 2020-Sep-4

This release fixes a bug that was preventing WebSocket messages from being displayed correctly in the message editor.

Professional 2020.9 Release 2020-Sep-3

This release provides some improvements to the HTTP message editor UI.

HTTP message editor toolbar

On the “Raw” tab, the various options you have for analyzing the HTTP message are now contained in a toolbar at the top of each request or response. From the toolbar, you can now:

• Alternate between the prettified, raw, or rendered HTML views where available
• Toggle whether non-printing characters are displayed as “lozenges” within the message
• Access a range of context-specific actions for the message from the new “Actions” menu

HTTP message editor layout options

In the upper-right corner of the message editor, you can now choose from three different layouts that determine how the request and response are arranged in the panel.

You can choose from the following options:

• Horizontal layout: The request and response are arranged side-by-side.
• Vertical layout: The request and response are stacked one on top of the other.
• Combined view: Either the request or response will fill the message editor panel. You can alternate between the two using the corresponding tabs.

These new layout options are available in various locations throughout Burp Suite, including the Target site map and Proxy history.

Other improvements

The embedded browser has been upgraded to Chromium 85.0.4183.83.

Professional 2020.8.1 Release 2020-Aug-20

After several months of live testing, we are pleased to announce that this release enables browser-powered scanning by default.

Browser-powered scanning

By default, Burp Scanner will now perform all navigation using an embedded Chromium browser, during both crawl and audit. This approach enables the scanner to accurately handle JavaScript and other navigational structures that modern browsers can. This has the potential to dramatically improve the coverage of the scan during both the crawl and audit phases.

To run browser-powered scanning efficiently, we recommend a machine with at least 2 CPU cores and 8 GB RAM. Burp Scanner automatically checks whether your machine appears to meet these requirements and will use the embedded browser if possible. Otherwise, scans will revert to the previous crawling engine.

If you prefer, you can also manually enable/disable browser-powered scanning in your scan configuration. You can find this option under “Crawl options” > “Miscellaneous” > “Embedded browser options”.

Note: Browser-powered scanning currently remains off by default for Burp Suite Enterprise Edition.

Other improvements

• Scan performance has been improved by reducing the number of duplicate locations that are scanned. Even when you choose to scan a URL using both HTTP and HTTPS, if Burp identifies that the content is the same, it will now only crawl and audit the location once.
• SVG images are now displayed correctly on the “Render” tab.
• The HTTP message editor now supports pretty printing of the content type image/svg+xml.
• The embedded browser has been upgraded to Chromium 84.0.4147.125.

Professional 2020.8 Release 2020-Aug-6

This release provides an upgrade to the web cache poisoning scan checks as well as several other minor improvements and bug fixes.

New web cache poisoning scan checks

Burp Scanner can now identify a variety of recently discovered cache poisoning issues. These checks are based on the techniques documented by James Kettle in his presentation “Web Cache Entanglement: Novel Pathways to Poisoning” at BlackHat USA 2020.

Other improvements

• We have improved the performance of Burp Intruder when using HTTP/2.
• We have reduced the amount of noise from the embedded browser by disabling Chromium’s random DNS checks during startup.

Bug fixes

• Closing the first tab in the embedded browser no longer causes the whole browser window to close.
• You can now launch the embedded browser on Kali Linux even as a non-root user

Professional 2020.7 Release 2020-Jul-17

In this release, we’ve greatly improved the usability of Burp Suite by removing the need to perform many of the initial configuration steps for Burp Proxy.

Use Burp’s preconfigured browser for testing

You can now use Burp’s embedded Chromium browser for manual testing. This browser is preconfigured to work with the full functionality of Burp Suite right out of the box. You no longer need to manually configure your browser’s proxy settings or install Burp’s CA certificate. The first time you launch Burp you can immediately start testing, even with HTTPS URLs.

To launch the embedded browser, go to the “Proxy” > “Intercept” tab and click “Open Browser”.

Note that if you want to use an external browser for testing. you can still configure any browser to work with Burp in the same way as you could before.

Other improvements

• Burp now provides feedback in the request and response when it successfully communicates using HTTP/2. The first request you send to a server will display HTTP/1. However, once Burp has established that the website supports HTTP/2, all subsequent messages will indicate this in the request line and status line respectively. For more information about Burp’s experimental HTTP/2 support, please refer to the documentation.
• Performance of the experimental browser-powered scanning feature has been improved.
• The embedded browser has been upgraded to Chromium 84.

Bug fixes

• Multiple Cookie headers are now displayed correctly in the “Params” tab.
• We have also fixed a security bug that was reported via our bug bounty program. With a significant amount of user interaction, an attacker could potentially steal comma-delimited files from the local filesystem. The attacker would have to induce a user to visit a malicious website, copy the request as a curl command, and then execute it via the command line.

Professional 2020.6 Release 2020-Jul-3

This release adds an option for using HTTP/2 and provides several minor improvements and bug fixes.

Experimental HTTP/2 support

This release provides experimental support for HTTP/2. From the “Project settings” > “HTTP” tab, you can now choose to use HTTP/2 for inbound and outbound communication over TLS.

As this is still an experimental feature, please use it at your own discretion.

Other improvements

You can now control the TLS protocols that Burp Proxy will use when performing TLS negotiation with the browser. You can configure Burp Proxy to use the default protocols of your Java installation, or override these defaults and enable custom protocols as required.

Bug fixes

In the HTTP history, you can now hover the mouse over URL encoded data to show the decoded data in a tooltip. Previously, this worked in Burp Repeater but not the “Proxy” > “HTTP history” tab.

Professional 2020.5.1 Release 2020-Jun-19

This release provides several bug fixes, including the following improvements to the HTTP message editor:

• Highlighting text no longer causes it to disappear and reappear after resizing the panel.
• Clicking on an empty line now positions the cursor where you click instead of at the end of the previous line.

We have also fixed a security bug that was reported via our bug bounty program. With a significant amount of user interaction, an attacker could potentially read local files. The attacker would have to induce a user to visit a malicious website, copy the request as a curl command, and then execute it via the command line. This was classed as a medium severity issue due to the level of user interaction required.

Professional 2020.5 Release 2020-Jun-5

This release provides a useful new feature for the HTTP message editor, as well as several general improvements.

You can now choose to display non-printing characters as “lozenges” in the HTTP message editor. This is supported for any bytes with a hexadecimal value lower than 20, which includes tabs, line feeds, carriage returns, and null bytes.

This feature will be greatly beneficial for many use cases, including:

• Spotting subtle differences between byte values in responses
• Experimenting with HTTP request smuggling vulnerabilities
• Studying line endings to identify potential HTTP header injection vulnerabilities
• Observing how null-byte injections are handled by the server

Non-printing characters are hidden by default, but you can toggle the lozenges on and off by clicking the “\n” button at the bottom of the editor.

These non-printing characters can currently only be displayed in the message editor. For now, you have to edit bytes using Burp’s hex view. However, we plan to enable you to do this directly in the message editor in the near future.

General improvements

This release also provides the following minor improvements to various areas of Burp:

• The embedded Chromium browser for the experimental browser-driven scanning mode has been upgraded to version 83.
• Java 14 is now supported for both Professional and Community Edition.
• Burp Proxy no longer intercepts requests for SVG or font files by default.
• Crawling of static content is now faster.

Bug fixes

We have also implemented several minor bug fixes, most notably:

• The response received/completed times are now displayed for 401 responses.
• The response time is now displayed even when the time taken was < 1ms.
• “Check session is valid” session handling rules are now applied properly when session tracing is running
• The content discovery tool no longer erroneously displays the “Session is not running” message.

Professional 2020.4.1 Release 2020-May-18

This release provides the following minor improvements:

• Soft wrapping has been added to the HTTP message editor for any lines longer than 2000 characters.
• Resource management has been improved for the experimental browser-driven scanning option. This ensures that scans can be processed as efficiently as possible.

Bug fixes

In addition to general bug fixes, we have also resolved an issue that sometimes caused overlapping text in the message editor.

Professional 2020.4 Release 2020-Apr-27

This release mainly provides usability improvements to the HTTP message editor. It also upgrades both Java support and Burp Scanner’s embedded browser version.

HTTP message editor

The HTTP message editor now supports pretty printing of JSON, XML, HTML, CSS, and JavaScript. Take a look at the following video to see this feature in action:

Unformatted JSON data, for example, would previously be displayed as follows:

But as of version 2020.4, all of the supported formats mentioned above are prettified by default, meaning the JSON data in our example would now be displayed as follows:

You can toggle pretty printing on and off by clicking the “Pretty” button at the bottom of the editor. Alternatively, if you would prefer not to use pretty printing by default, you can disable this setting under “User options” > “Display” > “HTTP Message Display”.

Java support

As of this release, we now support Java 13. Unfortunately, we will no longer be able to support Java 8. The vast majority of users will be unaffected by this change. However, if you normally launch Burp directly from the JAR file instead of using the provided installer, you need to make sure that you have one of Java versions 9 to 13 before attempting to launch the new JAR file.

Chromium update

We have updated Burp Scanner’s experimental embedded browser to Chromium 81.0.4044.122 in order to implement the latest security fixes.

Other improvements

This release also provides the following minor improvements:

• Provided you have Java 13, Burp Proxy now supports TLS 1.3.
• Burp now notifies you if the proxy listener is disabled for any reason, and provides guidance on how to reactivate it.
• When running Burp in headless mode, you can now execute multiple commands at once by using pipes, heredocs, and so on.
• The search bar in the editor is now displayed correctly on smaller screens.

Bug fixes

We have also implemented several minor bug fixes, including:

• The response time is now displayed correctly for each request you send in Burp Repeater.
• Configured extensions are no longer lost when Burp Suite closes unexpectedly.
• The text editor no longer scrolls infinitely when embedded inside another scrolling component.

Professional 2020.2.1 Released 2020-Mar-16

This release contains minor updates to the 2020.2 release.

There are further enhancements to the custom Collaborator content options that were introduced in version 2020.2. You can now host custom robots.txt and crossdomain.xml files at arbitrary URLs on your Collaborator server.

We have also improved the handling of XML reports by stripping any null values.

The general improvements to the HTTP message editor continue, with this release providing the following bug fixes:

• The message editor no longer freezes when editing some requests containing JSON data.
• Binary data is now preserved in its original state even if you make changes to the request.
• Arrow keys no longer stop working if your request becomes longer than the viewport.
• Arrow keys now work with extensions, provided that they use the same key mappings.
• When clicking on a wrapped line, the cursor is now placed exactly where you click.

The issue definition links now also work correctly on the latest version of Kali Linux.

As always, we’ve also implemented several minor bug fixes across the product.

Professional 2020.2 Released 2020-Mar-02

This release builds on the general improvements we have been making to the HTTP message editor and incorporates some feedback from the community:

• Triple-clicking a word now selects the entire token, for example, the header value or a string literal of a JSON value.
• In editable messages, such as requests and responses in Burp Repeater, hovering over URL-encoded text now shows the decoded version in a tooltip.
• The “Convert selection” popup now works in responses as well as requests.
• In the user options for displaying HTTP messages, you can now choose to use any monospaced font that is installed on your system.
• Performance when analyzing responses with multiple code blocks has been improved.

The “Render” tab now enables you to view rendered HTML pages and images directly within the various tools instead of in a separate popup.

You can now add custom content to the Burp Collaborator service. For example, you could add a readme on the index page identifying the organization and the purpose of the service, or prove ownership of your domain to validate TLS certificate requests. To do this, you simply add new entries in the configuration file containing a path, contentType, and base64Content as follows:

"customHttpContent":
[
{ "path": "/", "contentType": "text/plain", "base64Content": "VGhpcyBpcyBhIHJhbmRvbSBsaW5lIG9mIHRleHQ="},
{ "path": "/foo", "contentType": "text/html", "base64Content": "dGhpcyBpcyBhbm90aGVyIG9uZSBmb3IgZ29vZCBtZWFzdXJlLiBOaWNlLg==" }
]

You can now initiate instant active or passive scans in Burp. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.

The following bugs fixes have also been implemented:

• A bug causing load/save filter dialogs to be hidden has been fixed.
• The “Scan defined insertion points” feature now works for all environments.
• Redirections are now shown in the site map when crawling.

Professional 2020.1 Released 2020-Jan-31

This release updates the HTTP message editor with various new capabilities:

• Syntax colorising for JavaScript, JSON, and CSS.
• Syntax colorising is now dynamically updated as you type.
• Line numbers.
• Code folding.
• Performance improvements.

We will soon continue improving the editor, with better prettifying of some formats and other helpful features.

Various improvements have been made to the efficiency and stability of Burp Scanner. We are working towards enabling the new experimental browser-driven scanning by default, which will pave the way for significant enhancements to the scanner’s capabilities over the coming year.

A number of bug fixes and other enhancements have been made, including:

• Issues negotiating TLS through some LAN firewalls have been resolved.
• Feedback messages during crawls have been improved.
• File dialogs now remember the last selected folder on a per-function basis.
• Improvements have been made to some UI elements in the dark theme.
• The expiration of auto-generated TLS certificates has been shortened to comply with modern browser requirements.
• You can now save performance feedback data to a local file, to be submitted via email rather than automatically.
• Some causes of project file corruption have been resolved.

Professional / Community 2.1.07 Released 2019-Dec-17

This release considerably improves Burp’s SSL/TLS coverage.  Historically, quirks in different server-side implementations together with bugs in the client-side Java stack led to problems connecting to some web sites. These have now been virtually eliminated.

The Venn diagram below shows how Burp’s coverage now compares with Google Chrome for the Alexa top 100,000 sites. Burp achieves substantial overlap with Chrome. Burp can connect to 1,696 sites that Chrome does not, and only fails to connect to 125 sites that Chrome can connect to.

(Note that Burp’s additional coverage is largely because Burp tolerates some older and weaker protocols and ciphers, in the interests of maximizing connectivity.)

Various improvements have been made to the crawling phase of scans:

• The event log contains improved feedback regarding account self-registration and login.
• Crawling is more efficient, with substantially fewer requests needed to discover the same range of locations.
• Various minor bugs have been fixed.

Professional 2.1.06 Released 2019-Nov-22

This release includes various bugfixes and performance enhancements to the new experimental browser-driven scanning feature.

Professional 2.1.05 Released 2019-Nov-05

This release adds experimental support for using Burp’s embedded Chromium browser to perform all navigation while scanning.

This new approach will provide a robust basis for future capabilities in Burp Scanner, enabling it to eventually deal with any client-side technologies and navigational structures that a modern browser is able to deal with. It has the potential to dramatically improve coverage of the scan, during both the crawling and auditing phases.

In this initial release, Burp Scanner now correctly deals with:

• Applications that dynamically construct the navigational UI (links and forms) using JavaScript.
• Applications that dynamically mutate the request when a link is clicked or a form is submitted, using JavaScript event handlers.

There are numerous caveats at this stage:

• Performance is poor and will be improved considerably over the next few releases.
• Navigational elements other than links and forms are not yet supported (such as DIV elements with an onclick handler that makes a request).
• Asynchronous requests such as XHR are honored during navigation but are not audited.
• Navigational actions that mutate the existing DOM without causing a request to the server are not properly handled.
• Frames and iframes are not properly supported.
• File uploads are not supported.

The new feature is currently experimental, and is being released to gather feedback from users who want to play with the new capability and assess its effectiveness. The new feature is not currently a suitable replacement for the existing default scanning mode: you are likely to gain some coverage of JavaScript-heavy applications, but also lose some coverage and experience poor performance. Rest assured that over the coming months the new feature will be considerably enhanced until it becomes a robust and superior replacement to the existing scanning mode.

To enable experimental support for browser-based scan navigation, create a new scan, add a crawl configuration, and under “Miscellaneous” select “Use embedded browser for navigation”. You can also configure whether to allow the browser to fetch page resources that are out-of-scope.

The release also includes various other bugfixes. The embedded JRE that is included in Burp’s installer has been updated to Java 12.

Professional 2.1.04 Released 2019-Sep-27

This release includes a number of minor enhancements and bugfixes.

In Burp Repeater, there are new options to close a tab, close all other tabs, and reopen a closed tab. You can access these actions via the context menu on the tab header, or by assigning hotkeys.

There is a new (default-on) scan option to ignore the protocols of URLs to scan. This is to avoid a  common user error where the scan is configured for http://example.com only, while it needs also to include https://example.com.

When a Burp update is available, there are options to mute the update notification for one week, for the currently offered update, or for all beta updates.

A bug affecting use of PKCS#11 smart cards affecting Burp 2.x has been fixed.

Professional 2.1.03 Released 2019-Aug-07

This release adds a brand new scan check, for HTTP request smuggling vulnerabilities:

This is a long-overlooked vulnerability class that is prevalent in modern cloud architectures, and which often has a critical impact.

• Read the full PortSwigger research post on HTTP desync attacks
• Play with real HTTP request smuggling vulnerabilities on the Web Security Academy

Professional 2.1.02 Released 2019-Jul-26

The support for WebSockets in Burp Repeater has been enhanced with a new WebSocket connection wizard that lets you:

• Attach to an existing WebSocket that is currently open.
• Reconnect to a WebSocket that has closed.
• Clone a WebSocket.
• Manually configure a new WebSocket connection.

The new capability gives you full manual control over the WebSocket negotiation request.

Some other minor enhancements have also been made:

• When creating a new project on disk, Burp will now automatically suggest a project filename, based on the project name and a timestamp.
• When loading a configuration file for project or user options, Burp now warns if the file doesn’t contain any options of the relevant type.
• Various minor bugs have been fixed.

Professional 2.1.01 Released 2019-Jul-16

This release adds support for WebSockets in Burp Repeater.

You can select a WebSocket message in the Proxy history or intercept tab, and choose “Send to Repeater” from the context menu:

Each message you send to Repeater opens in a new tab. Here, you can manually edit and send the message, view the full message history, pick a message from the history and manually edit and resend it, and manage the WebSocket connection:

As always, feedback about this new feature is welcome.

Have fun!

Professional 2.1 Released 2019-Jun-28

Burp Suite 2.x is now officially out of beta!

This is a huge upgrade over 1.7 with a wealth of new capabilities. We encourage anyone still using 1.7 to switch to 2.x.

Community Edition users can now enjoy Burp’s new dark theme. To enable the dark theme, go to User options / Display / User Interface / Look and feel, and select Darcula.

Coming out of beta means we regard Burp Suite 2.x as essentially stable and suitable for general usage. It doesn’t mean there are no bugs. All software has bugs, and feedback is always welcome about any problems that users observe.

We will, of course, be continuing to enhance Burp Suite 2.x with various new features over the coming months.

Professional 1.7.37 Released 2018-Aug-10

This release adds some powerful new Scanner checks based on James Kettle’s talk at Black Hat today.

For full details of this awesome new research, see our blog post on practical web cache poisoning.

Burp Scanner is now able to detect two new vulnerabilities, “Web cache poisoning” and “Request URL override”:

Note: On 10 October 2018, the .DMG package was regenerated to be compatible with MacOS Mojave.

Professional 1.7.36 Released 2018-Jul-30

This release fixes a number of issues including:

• A bug that prevented the macro editor from correctly showing the Proxy history.
• A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
• A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.

Note: On 10 October 2018, the .DMG package for Community Edition was regenerated to be compatible with MacOS Mojave.

Professional 1.7.35 Released 2018-Jun-29

This release includes a number of fixes and minor enhancements:

• Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
• A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
• The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.

Professional 1.7.34 Released 2018-Jun-13

A number of bugs have been fixed:

• A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
• A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
• A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
• Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
• A bug that prevented autocomplete popups from closing on some Linux window managers.
• A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
• A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
• A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.

The following enhancements have been made:

• Burp ClickBandit has been updated to support sandboxed iframes.
• A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

Note that some of the security issues were reported through our bug bounty program, which pays generously for bugs large and small. Thanks are due to Bruno Morisson and Juho Nurminen.

Professional 1.7.33 Released 2018-Mar-28

This release significantly improves the effectiveness of project repair when project file corruption occurs. Some users still experience corrupted project files when using virtualized file systems (for example, using Burp within a guest VM can lead to project file corruption if the host OS terminates abnormally). Previously, if some key metadata near the start of the project file was lost, then Burp’s project repair feature would not recover any data. In the new release, uncorrupted data within the file can still be recovered even if this key metadata is lost. Further feedback is welcomed regarding the effectiveness of project repair.

To support the new project repair function, changes have been made to the Burp project file format. The new release is backwards compatible with project files from all prior versions, but project files created with the new release cannot be opened with older versions of Burp.

Some bugs have been fixed:

• A bug in macro configuration where some settings for cookie handling might not be saved correctly across executions of Burp.
• Some minor bugs in the automatic project backup feature that was recently released.
• A bug where extensions could still gain API access to the Burp Collaborator client even when the user had disabled use of Collaborator.

Professional 1.7.32 Released 2018-Feb-02

This release adds a new automatic project file backup function. If you are using a disk-based project, this function automatically saves a backup copy of your project file periodically in the background. The options for the new function can be found at User options / Misc / Automatic Project Backup:

The new function is superior to the older function that saved a state file backup in several respects:

Project file backups are considerably faster. Project files of 1Gb in size are typically backed up in a few seconds.

• You can optionally include in-scope items only, to reduce the size of the backup file.
  Available disk space is checked before performing a backup. If insufficient space is available, the backup is skipped and an alert is shown.
• A single backup file is saved alongside the main project file. On successful completion of a new backup, the previous backup file is deleted.
• On attempting to open a corrupted project file, Burp checks if a backup is available, and if so offers to open that as an alternative to repairing the original.
• By default, the backup file is deleted on clean shutdown of Burp. Since the main project file is saved incrementally in real time, and project file corruption is typically caused by abnormal termination of the OS, it is not normally necessary to retain backup files following a clean shutdown. You can choose to retain the backup file on shutdown in the automatic project backup options.
• You can optionally disable the progress dialog that is shown when a backup is performed, so you can continue working without interruption.
• Backups are enabled by default with no configuration required. If you don’t want to use the feature, you can quickly turn it off using the option that is shown in the progress dialog:

Other enhancements include:

• Installed BApps are now updated automatically on startup. We issue frequent updates to BApps and it is highly recommended to be using the latest versions. You can disable automatic BApp updates in Extender options.
• A bug in the import project function, which omitted to import the Scanner issue activity log, has been fixed.
• Requests made by extensions during custom scan checks are now correctly reflected in the scan queue request counts, and are correctly subjected to configured request throttling.

1.7.31 19-Jan-2018

1.7.32 2-Feb-2018

1.7.33 28-Mar-2018

1.7.34 13-Jun-2018

A number of bugs have been fixed:

• A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
• A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
• A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
• Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
• A bug that prevented autocomplete popups from closing on some Linux window managers.
• A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
• A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
• A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.

The following enhancements have been made:

• Burp ClickBandit has been updated to support sandboxed iframes.
• A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

1.7.35 29-Jun-2018

This release includes a number of fixes and minor enhancements:

• Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
• A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
• The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.

1.7.36 30-Jul-2018

This release fixes a number of issues including:

• A bug that prevented the macro editor from correctly showing the Proxy history.
• A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
• A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.

1.7.37 10-Aug-2018