Burp Suite Professional latest releases and updates. If you want to follow the changes from oldest to newest, read this post in reverse order: the latest release note and build are always added at the top for this product.
The rationale for this post is to combine all the related release notes and updates into a single post for easy reading.
This release enables you to add tabs to the message editor that provide the same features as the Inspector panel. It also adds a new domain name for the public Burp Collaborator server, as well as some enhancements to Burp Scanner.
Professional 2023.10.3.1 Release 2023-Oct-20
We have upgraded Burp’s built-in browser to 118.0.5993.88 for Mac / Linux and 118.0.5993.88/.89 for Windows. This update contains a security fix. For more information, see the Chromium release notes.
Professional 2023.10.2.3 Release 2023-Oct-20
We have upgraded Burp’s built-in browser to 118.0.5993.88 for Mac / Linux and 118.0.5993.88/.89 for Windows. This update contains a security fix. For more information, see the Chromium release notes.
Professional 2023.10.3 Release 2023-Oct-16
This release introduces Bambdas into the HTTP history filter, the ability to export BChecks, the rollout of notes in other areas of Burp, TLS passthrough for out-of-scope items, and the ability to include subdomains in your target scope.
In Burp Scanner, we have made improvements to the Task details dialog to make it easier to find information about scan results and live tasks.
Advanced HTTP history filtering using Bambdas
Bambdas are a new way to customize Burp Suite directly from the UI, using small snippets of Java code. This release introduces Bambdas into the Proxy > HTTP history tab, enabling you to write custom filters for your HTTP history. These highly customizable filters can help you cut out white noise in your HTTP history, helping you to focus on only the exact items you’re interested in seeing.
To try Bambdas for yourself, go to the Proxy > HTTP history tab filter, switch to Bambda mode, and write a custom filter using your own code.
Keep an eye out for Bambdas appearing in more Burp tools over the next few months.
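As an added illustration of the HTTP history Bambda described above (example written for this post, not code from the release notes), the following filter hides static assets and keeps only in-scope items whose response sets a cookie without the HttpOnly attribute. It assumes the Montoya API method names request(), response(), hasResponse(), pathWithoutQuery(), isInScope(), headers(), name() and value() on the objects Burp passes to the filter.

```java
// Added example of a Proxy > HTTP history Bambda filter; not code from the release notes.
// Burp supplies `requestResponse` (a ProxyHttpRequestResponse) and evaluates this body
// for every history item: return true to show the item, false to hide it.

// Items without a response cannot tell us anything about cookie attributes yet.
if (!requestResponse.hasResponse()) {
    return false;
}

var request = requestResponse.request();
var response = requestResponse.response();

// Cut the noise: hide static assets by extension (the list is an assumption; extend as needed).
String path = request.pathWithoutQuery().toLowerCase();
String[] staticExtensions = {".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2", ".ico"};
for (String ext : staticExtensions) {
    if (path.endsWith(ext)) {
        return false;
    }
}

// Keep only in-scope items whose response sets at least one cookie that lacks HttpOnly.
// A single response may set several cookies, so every Set-Cookie header is checked.
boolean setsCookieWithoutHttpOnly = response.headers().stream()
        .filter(header -> header.name().equalsIgnoreCase("Set-Cookie"))
        .anyMatch(header -> !header.value().toLowerCase().contains("httponly"));

return request.isInScope() && setsCookieWithoutHttpOnly;
```

Paste the body into the HTTP history filter in Bambda mode; the same structure (early returns for noise, one boolean at the end) works for any other property you want to surface.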
Exporting BChecks
You can now export BChecks, making it easier to share them between different instances of Burp. Just select the BChecks you want, then click Export.
Check out our BChecks GitHub repository for BChecks from PortSwigger and from the Burp Suite community.
Increased support for notes throughout Burp
We’re rolling out the notes feature into more areas of Burp. This feature enables you to record key information on tabs, making it easier to return to at a later time. Notes are copied when items are sent between different tabs. Use the Notes panel in the tab sidebar to add a note.
This update also introduces functionality that copies your notes when you send items between different tools in Burp.
This release introduces notes into:
- Target > Site map
- Proxy > Intercept
- Proxy > HTTP history
- Proxy > WebSockets history
TLS passthrough for out-of-scope items
You can now apply TLS passthrough for out-of-scope items automatically when you set the target scope, which can greatly improve performance. This behavior is automatically enabled when you accept the option to Stop logging out-of-scope items.
Include subdomains in target scope
You can now include subdomains of hosts you’ve included or excluded from your target scope. Enable this feature by selecting the Include subdomains checkbox in Target > Scope settings.
Improved Task details dialog
We’ve made some improvements to the Task details dialog to make it easier to find information about scan results and live tasks:
- We’ve replaced the Details tab with a new Summary tab. The Summary tab contains all the information that the Details tab did, but also features a list of the most serious vulnerabilities found, more detailed information on task progress, and a task log to give you real-time information on the task’s actions.
- We’ve added a new Issues tab listing all of the issues found during a scan. As part of this change, we’ve renamed the Issue activity tab (which also details changes from previous scans, such as an issue being deleted or more evidence being found) to the Audit log tab.
- You can now view further details on an item in the Event log by selecting it. Previously, you had to double-click an item to display the Event detail dialog.
BChecks grammar enhancements
We have added some new features to the BChecks grammar, including:
- A removing query_string action that removes an entire query string from a request.
- A new variable that returns Burp’s User-Agent header.
- A new pre-defined variable called insertion_point_base_value that contains the base value of the current insertion point.
- A new per-path BCheck template that you can base your checks on.
- BChecks can now return more than one issue. As a result of this, the issues reported by BChecks can now have individual names.
As a result of these changes, we have updated the grammar version to v2-beta. Please use this value in the metadata.language property when writing a check that uses these new features.
Browser upgrade
We have upgraded Burp’s built-in browser to 118.0.5993.70 for Mac and Linux and 118.0.5993.70/.71 for Windows. This update contains security fixes.
Professional 2023.10.2.1 Release 2023-Sept-29
We have upgraded Burp’s built-in browser to 117.0.5938.132 for Mac, Linux, and Windows. This update contains security fixes. For more information, see the Chromium release notes.
Professional 2023.10.1.2 Release 2023-Sept-29
We have upgraded Burp’s built-in browser to 117.0.5938.132 for Mac, Linux, and Windows. This update contains security fixes. For more information, see the Chromium release notes.
Professional 2023.10.2 Release 2023-Sept-14
This release introduces new functionality for BChecks, including the ability to test your checks from within the editor and create definitions from a blank template. We have also added a notes feature to Repeater tabs.
For Burp Scanner, we have added new issue filters to the Issue Activity Dashboard panel and improved the quality of the text displayed on the Crawl paths tab.
Test BChecks in the editor
You can now test your BChecks from within the editor, enabling you to quickly confirm whether a check is working as expected without having to run a scan manually.
BCheck tests use pre-selected requests and responses as test cases. When you run a test, Burp Scanner runs the BCheck on the selected HTTP messages and reports the results.
For more information about the new BCheck test features, see Testing BChecks.
Make notes on Repeater tabs
You can now add notes to Repeater tabs. This feature enables you to record key information about a tab, making it easier to return to at a later time. If you subsequently send the item to Organizer, the new Organizer entry contains the existing note content.
To record a Repeater note, select the Notes panel in the tab sidebar and enter the required text.
Blank BCheck template
You can now start from a blank template when creating BChecks, rather than copying and modifying one of the default checks. We have added the new template to the BCheck templates list, which is displayed when creating a new BCheck.
Scanner improvements
We have made the following improvements to the Scanner:
- The crawler can now access any available alt text for its target items. This has enabled us to improve the quality of the information displayed on the Crawl paths tab.
- We have added three new filter buttons to the Issue Activity Dashboard panel:
- BCheck generated filters the list to display only issues that were identified via a BCheck.
- Extensions filters the list to display only issues that were identified via an extension-generated scan check.
- Scan checks filters the list to display only issues that were found by a regular Burp scan check (i.e. not by a BCheck or extension).
Brotli and Deflate decoding support for the Montoya API
The Montoya API’s decode method now supports Brotli and Deflate encodings.
Decoder improvements
When you pass a base64 string without padding to Decoder, it now decodes the string as if it were padded. This brings Decoder’s behavior in line with that of the Inspector. Previously, Decoder required the appropriate padding to be added before the string was passed.
Bug fixes
We have fixed the following bugs:
- Previously, the Send to Repeater context menu option was not sending WebSocket tabs to Repeater in certain circumstances. This function now works as expected.
- We have fixed an issue with the BCheck validator whereby variables incorrectly defined outside of the define block were not causing the check to fail validation.
- We have fixed some performance issues when viewing and searching large responses in the request/response viewer.
Browser upgrade
We have upgraded Burp’s built-in browser to Chromium 117.0.5938.62 for Mac / Linux and 117.0.5938.63 for Windows. This update contains several security fixes, including one for a critical vulnerability.
Professional 2023.10.1.1 Release 2023-Sept-14
This release introduces the ability to unpack Brotli-compressed messages in the Proxy and Repeater tools, and adds Organizer functionality to the Montoya API.
In Burp Scanner, we have introduced some new features to help keep you better informed of the progress of your scans, and reduced the overall load time of pages.
We’ve also made some minor improvements and fixed a few bugs.
Brotli-compression now supported
We’ve added Brotli to our list of supported compression types. This means you can now unpack Brotli-compressed messages in the Proxy and Repeater tools.
Montoya API changes
We have made the following changes to the Montoya API:
- You can now send requests and responses to Burp Organizer via the Montoya API.
- The Montoya API’s decode method now supports Brotli and Deflate encodings.
Scanner improvements
We’ve made a number of improvements to Burp Scanner, including:
Overall load time breakdown
On the Crawl paths tab, we’ve added a hover-over that shows a breakdown of the overall load time of a page: the initial load time, the time waiting for background requests, and the time waiting for the page to stabilize.
Scan progress indicators
We’ve added some new features to help keep you better informed of the progress of your scans:
- The current crawl depth and the number of pending actions have been added to the First crawl path to location panel of the Crawl paths tab.
- Pending URLs (links that the crawler has found but not yet sent a request to) have been added to the Tree view panel of the Site map tab.
Other Scanner improvements
We’ve made a number of additional improvements to the Scanner, including:
- Reducing the time it takes to wait for a page to stabilize, which has decreased the overall load time of pages.
- Improving the functionality of recorded login sequences.
Bug fixes
We’ve fixed some minor bugs, including:
- A bug that caused some extensions to return an incorrect indexOf() value when using the Montoya or Wiener APIs.
- A bug that caused hidden tabs to remain hidden when requests or responses were sent to them.
- A bug in Burp’s search that said there were 0 highlights in the request and response panels, even when results had been found.
- Performance issues when viewing and searching large responses in the request/response viewer.
Browser upgrade
We have upgraded Burp’s built-in browser to Chromium 117.0.5938.62 for Mac / Linux and 117.0.5938.63 for Windows. This update contains several security fixes, including one for a critical vulnerability.
Professional 2023.10.1 Release 2023-Sept-01
We have upgraded Burp’s built-in browser to 116.0.5845.140 for Mac and Linux and 116.0.5845.140/.141 for Windows. This update contains security fixes.
Professional 2023.9.4 Release 2023-Sept-01
We have upgraded Burp’s built-in browser to 116.0.5845.140 for Mac and Linux and 116.0.5845.140/.141 for Windows. This update contains security fixes.
Professional 2023.10 Release 2023-Aug-25
This release introduces the ability to unpack Brotli-compressed messages in the Proxy and Repeater tools, and adds Organizer functionality to the Montoya API.
In Burp Scanner, we have introduced some new features to help keep you better informed of the progress of your scans, and reduced the overall load time of pages.
We’ve also made some minor improvements and fixed a few bugs.
Brotli-compression now supported
We’ve added Brotli to our list of supported compression types. This means you can now unpack Brotli-compressed messages in the Proxy and Repeater tools.
Montoya API changes
You can now send requests and responses to Burp Organizer via the Montoya API.
Scanner improvements
We’ve made a number of improvements to Burp Scanner, including:
Overall load time breakdown
On the Crawl paths tab, we’ve added a hover-over that shows a breakdown of the overall load time of a page: the initial load time, the time waiting for background requests, and the time waiting for the page to stabilize.
Scan progress indicators
We’ve added some new features to help keep you better informed of the progress of your scans:
- The current crawl depth and the number of pending actions have been added to the First crawl path to location panel of the Crawl paths tab.
- Pending URLs (links that the crawler has found but not yet sent a request to) have been added to the Tree view panel of the Site map tab.
Other Scanner improvements
We’ve made a number of additional improvements to the Scanner, including:
- Reducing the time it takes to wait for a page to stabilize, which has decreased the overall load time of pages.
- Improving the functionality of recorded login sequences.
Bug fixes
We’ve fixed some minor bugs, including:
- A bug that caused some extensions to return an incorrect indexOf() value when using the Montoya or Wiener APIs.
- A bug that caused hidden tabs to remain hidden when requests or responses were sent to them.
- A bug in Burp’s search that said there were 0 highlights in the request and response panels, even when results had been found.
Professional 2023.9.3 Release 2023-Aug-25
This release upgrades Burp’s built-in browser and fixes a bug when scanning GraphQL APIs.
Browser upgrade
We have upgraded Burp’s built-in browser to 116.0.5845.110 for Mac and Linux and 116.0.5845.110/.111 for Windows. For more information, see the Chromium release notes.
Bug fix
We’ve fixed a bug in Burp Scanner that interfered with scanning of GraphQL introspection requests.
Professional 2023.9.2 Release 2023-Aug-17
This release upgrades Burp’s built-in browser and fixes a bug when scanning GraphQL APIs.
Browser upgrade
We have upgraded Burp’s built-in browser to 116.0.5845.96 for Mac and Linux and 116.0.5845.96/.97 for Windows. For more information, see the Chromium release notes.
Bug fix
We’ve fixed a bug in Burp Scanner whereby the crawler would stop enumerating potential GraphQL endpoints for some responses.
Professional 2023.9.1 Release 2023-Aug-10
This release introduces new Repeater functionality based on the techniques discussed in James Kettle’s talk “Smashing the State Machine: The True Potential of Web Race Conditions”, first presented at Black Hat USA 2023. Repeater’s new single-packet attack feature nullifies network jitter, enabling you to send multiple requests in parallel. These requests are synchronized to arrive within a very small time window, making it much simpler to test for race conditions.
We have also introduced various other improvements for Burp Suite Professional and Burp Scanner, including the ability to reuse HTTP/1 connections in Intruder, a new project-level Crawl paths tab in the Target tool, and support for GraphQL introspection during scans.
Repeater send group in parallel
We have added a Send group (parallel) option to Repeater’s Group send options menu. When you select this option for a tab group, Repeater sends the requests from all of the group’s tabs at once.
Repeater synchronizes parallel requests to ensure that they all arrive in full at the same time. It uses different synchronization techniques depending on the HTTP version used:
- When sending over HTTP/2, Repeater sends the group using a single packet attack. This is where multiple requests are sent via a single TCP packet.
- When sending over HTTP/1, Repeater uses last-byte synchronization. This is where multiple requests are sent over concurrent connections, but the last byte of each request in the group is withheld. After a short delay, these last bytes are sent down each connection simultaneously.
Sending synchronized requests in parallel makes it much easier to test for race conditions. For more information about how to do this, as well as some deliberately vulnerable labs for you to practice on, check out the Race conditions topic on the Web Security Academy.
For more information on sending Repeater groups in parallel, see Sending grouped HTTP requests.
Montoya API changes
As part of these new Repeater features, we have added two sendRequests methods to the Http interface. These methods enable you to build extensions that can send HTTP requests in parallel and retrieve their responses. You can also explicitly specify the HTTP mode that the requests should use, if required.
Reuse HTTP/1 connections in Intruder to speed up attacks
You can now control whether Intruder reuses connections to issue multiple HTTP/1 requests. This can greatly increase the speed of your attacks when using HTTP/1, as Burp does not need to open a new connection for each request and close it after receiving a response. Find this in Intruder > Settings > HTTP/1 connection reuse. For more information, see HTTP/1 connection reuse.
Safely open third-party project files
We’ve introduced a new startup setting that enables you to trust or untrust projects. If you deselect Trust this project, Burp can now remove potentially harmful settings that could be configured within project files.
This is especially useful if you are opening project files that came from unknown or untrusted sources. Find this setting on the startup wizard, or in Settings > Suite > Startup behavior > Unrecognized project files. For more information, see Startup behavior.
Specify intermediate CA certificates for hardware tokens and smart cards
You can now set intermediate certificates when you add a new PKCS#11 certificate for hardware tokens and smart cards. This enables you to test target applications that don’t directly trust your intermediate CA. For more information, see Client TLS certificates.
Set custom SNI values in Repeater
You can now set custom SNI values in Repeater. This enables you to reproduce external service interaction issues detected by Scanner using Collaborator payloads within the SNI. For more information, see HTTP Repeater tab.
Project-level scan crawl paths
All scans in a project can now share crawl path information. This improves scan efficiency, enabling Burp Scanner to build on the paths it has already discovered as new scans are run.
As a result of this, we have added a new Crawl paths tab to the Target tool. This tab displays path information in the same way as the existing scan results Crawl path tab, but is populated by all scans rather than one individual scan. Any new scans that you run can draw on and add to the information displayed in this tab.
Isolated scans
As part of the global crawl path work, we have added a Run isolated scan option to the scan launcher. Results from isolated scans do not appear in the Target > Site map or Target > Crawl paths tabs. This feature is useful if you want to test settings without impacting “live” scan results, for example.
You can view site map and crawl path information for isolated scans from the Tasks > View details > Target tab. The information displayed on this tab applies to the selected scan task only.
GraphQL introspection
Burp Scanner can now run introspection queries on GraphQL endpoints to gain information on available queries and mutations. If the introspection query is successful, Burp Scanner sends further requests to each query and mutation discovered in an attempt to discover as much attack surface as possible. To enable GraphQL introspection, select the new Perform GraphQL introspection setting in the Miscellaneous section of the scan configuration.
If it does not find any GraphQL endpoints in the crawl, Burp Scanner can also now attempt to guess GraphQL endpoints using a list of common endpoint suffixes. To enable GraphQL endpoint guessing, select the new Test common GraphQL endpoints setting in the Miscellaneous section of the scan configuration.
Automatic scan throttling
We have added a new Automatic throttling setting to the Resource pool section of the scan launcher. You can now configure which HTTP response codes should cause Burp Scanner to introduce a short delay between requests. Previously, Burp Scanner could only throttle requests when the server responded with an HTTP 429 code.
Other Burp Scanner improvements
We have improved crawl optimization to reduce the chance of interesting content being missed. Specifically, Burp Scanner now treats clickables that are using the same event listener with different visible text as separate entities, and visits them all.
Bug fixes
We’ve fixed a number of minor bugs, including:
- We’ve fixed an issue that was causing the Proxy response panel to freeze when inspecting a 200 response after inspecting a 302/400 response.
- We’ve improved the reliability of the Send to Organizer function.
- We’ve fixed an issue where requests / responses generated by Intruder in some older versions of Burp could not be seen in newer versions.
- We have fixed a bug whereby the crawler was not always waiting for slow asynchronous queries that cause a DOM mutation to return. This was resulting in slow page loads and missing elements in certain circumstances.
- We have fixed a bug whereby Burp Organizer items weren’t retained when Burp was upgraded to the latest version.
Professional 2023.8.1 Release 2023-Aug-4
We have upgraded Burp’s built-in browser to 115.0.5790.170 for Mac and Linux and 115.0.5790.170/.171 for Windows. This update contains multiple high-severity security fixes.
Professional 2023.7.3 Release 2023-Aug-4
We have upgraded Burp’s built-in browser to 115.0.5790.170 for Mac and Linux and 115.0.5790.170/.171 for Windows. This update contains multiple high-severity security fixes.
Professional 2023.8 Release 2023-July-27
This release introduces the ability to reuse HTTP/1 connections in Intruder, specify intermediate CA certificates when authenticating using hardware tokens and smart cards, safely open third-party project files, and set custom SNI values in Repeater.
In Burp Scanner, we have introduced a new project-level Crawl paths tab in the Target tool, and support for GraphQL introspection during scans. We have also made several minor improvements and fixed a few bugs.
Reuse HTTP/1 connections in Intruder to speed up attacks
You can now control whether Intruder reuses connections to issue multiple HTTP/1 requests. This can greatly increase the speed of your attacks when using HTTP/1, as Burp does not need to open a new connection for each request and close it after receiving a response. Find this in Intruder > Settings > HTTP/1 connection reuse. For more information, see HTTP/1 connection reuse.
Safely open third-party project files
We’ve introduced a new startup setting that enables you to trust or untrust projects. If you deselect Trust this project, Burp can now remove potentially harmful settings that could be configured within project files.
This is especially useful if you are opening project files that came from unknown or untrusted sources. Find this setting on the startup wizard, or in Settings > Suite > Startup behavior > Unrecognized project files. For more information, see Startup behavior.
Specify intermediate CA certificates for hardware tokens and smart cards
You can now set intermediate certificates when you add a new PKCS#11 certificate for hardware tokens and smart cards. This enables you to test target applications that don’t directly trust your intermediate CA. For more information, see Client TLS certificates.
Set custom SNI values in Repeater
You can now set custom SNI values in Repeater. This enables you to reproduce external service interaction issues detected by Scanner using Collaborator payloads within the SNI. For more information, see HTTP Repeater tab.
Project-level scan crawl paths
All scans in a project can now share crawl path information. This improves scan efficiency, enabling Burp Scanner to build on the paths it has already discovered as new scans are run.
As a result of this, we have added a new Crawl paths tab to the Target tool. This tab displays path information in the same way as the existing scan results Crawl path tab, but is populated by all scans rather than one individual scan. Any new scans that you run can draw on and add to the information displayed in this tab.
Isolated scans
As part of the global crawl path work, we have added a Run isolated scan option to the scan launcher. Results from isolated scans do not appear in the Target > Site map or Target > Crawl paths tabs, or on the Dashboard’s issue activity log. This feature is useful if you want to test settings without impacting “live” scan results, for example.
You can view site map and crawl path information for isolated scans from the Tasks > View details > Target tab. The information displayed on this tab applies to the selected scan task only.
GraphQL introspection
Burp Scanner can now run introspection queries on GraphQL endpoints to gain information on available queries and mutations. If the introspection query is successful, Burp Scanner sends further requests to each query and mutation discovered in an attempt to discover as much attack surface as possible. To enable GraphQL introspection, select the new Perform GraphQL introspection setting in the Miscellaneous section of the scan configuration.
If it does not find any GraphQL endpoints in the crawl, Burp Scanner can also now attempt to guess GraphQL endpoints using a list of common endpoint suffixes. To enable GraphQL endpoint guessing, select the new Test common GraphQL endpoints setting in the Miscellaneous section of the scan configuration.
Automatic scan throttling
We have added a new Automatic throttling setting to the Resource pool section of the scan launcher. You can now configure which HTTP response codes should cause Burp Scanner to introduce a short delay between requests. Previously, Burp Scanner could only throttle requests when the server responded with an HTTP 429 code.
Other Burp Scanner improvements
We have improved crawl optimization to reduce the chance of interesting content being missed. Specifically, Burp Scanner now treats clickables that are using the same event listener with different visible text as separate entities, and visits them all.
Bug fixes
We’ve fixed a number of minor bugs, including:
- We’ve fixed an issue that was causing the Proxy response panel to freeze when inspecting a 200 response after inspecting a 302/400 response.
- We’ve improved the reliability of the Send to Organizer function.
- We’ve fixed an issue where requests / responses generated by Intruder in some older versions of Burp could not be seen in newer versions.
- We have fixed a bug whereby the crawler was not always waiting for slow asynchronous queries that cause a DOM mutation to return. This was resulting in slow page loads and missing elements in certain circumstances.
Browser upgrade
We have upgraded Burp’s built-in browser to 115.0.5790.110 for Windows and Linux, and 115.0.5790.114 for Mac.
Professional 2023.7.2 Release 2023-July-27
We have upgraded Burp’s built-in browser to 115.0.5790.110 for Windows and Linux and 115.0.5790.114 for Mac.
Professional 2023.7.1 Release 2023-July-25
This release introduces the ability to easily customize the layout of Burp Suite’s top-level tabs. We’ve also made some other improvements and fixed a few bugs.
Customizing Burp’s layout
You can now customize the layout of Burp’s top-level tabs. This enables you to tweak Burp’s user interface to better suit your preferences. For example, you can now:
- Change the order of tabs.
- Detach tabs. This enables you to open a tab, or groups of tabs, in a new window. You can open and arrange windows to suit your work style.
- Hide tabs. This enables you to limit the number of tabs that you can view, to focus on particular tools and extensions that you use more frequently.
Burp remembers these preferences, so you won’t need to reorder your tabs every time you start Burp.
For more information on how you can customize Burp’s layout, see our reference documentation.
Scanner improvements
We’ve made some improvements to Burp Scanner, including:
- We have added a Status column to the Crawl Paths > Outlinks tab, giving more information on the actions that Burp Scanner took to discover each location in the crawl.
- You can now replay recorded login sequences that contain shadow DOM elements.
Other improvements
We have made some additional improvements, including:
- We’ve added a setting that switches off the confirmation dialog that appears when you close Burp Suite. Find this in Settings > Suite > Burp’s closing behavior.
- We’ve configured Burp Intruder to populate number fields by default when you select a Numbers payload type.
- We’ve standardized Burp Intruder’s payload placeholders, making it simpler for you to configure payloads.
Bug fixes
We have fixed a number of minor bugs, including:
- Content in extension-generated editor tabs now updates correctly.
- Burp’s browser no longer erroneously sends HTTPS requests for HTTP URLs.
- Burp Scanner no longer erroneously reports a Content Type Incorrectly Stated issue when scanning font files, or content types that Burp does not recognize.
- Live passive audits now run any passive BChecks that have been marked as enabled.
Browser upgrade
We have upgraded Burp’s built-in browser to Chromium 115.0.5790.102 for Windows, Linux and Mac.
Professional 2023.7 Release 2023-July-6
This release introduces the ability to easily customize the layout of Burp Suite’s top-level tabs. We’ve also made some other improvements and fixed a few bugs.
Customizing Burp’s layout
You can now customize the layout of Burp’s top-level tabs. This enables you to tweak Burp’s user interface to better suit your preferences. For example, you can now:
- Change the order of tabs.
- Detach tabs. This enables you to open a tab, or groups of tabs, in a new window. You can open and arrange windows to suit your work style.
- Hide tabs. This enables you to limit the number of tabs that you can view, to focus on particular tools and extensions that you use more frequently.
Burp remembers these preferences, so you won’t need to reorder your tabs every time you start Burp.
For more information on how you can customize Burp’s layout, see our reference documentation.
Scanner improvements
We’ve made some improvements to Burp Scanner, including:
- We have added a Status column to the Crawl Paths > Outlinks tab, giving more information on the actions that Burp Scanner took to discover each location in the crawl.
- You can now replay recorded login sequences that contain shadow DOM elements.
Other improvements
We have made some additional improvements, including:
- We’ve added a setting that switches off the confirmation dialog that appears when you close Burp Suite. Find this in Settings > Suite > Burp’s closing behavior.
- We’ve configured Burp Intruder to populate number fields by default when you select a Numbers payload type.
- We’ve standardized Burp Intruder’s payload placeholders, making it simpler for you to configure payloads.
Bug fixes
We have fixed a number of minor bugs, including:
- Content in extension-generated editor tabs now updates correctly.
- Burp’s browser no longer erroneously sends HTTPS requests for HTTP URLs.
- Burp Scanner no longer erroneously reports a Content Type Incorrectly Stated issue when scanning font files, or content types that Burp does not recognize.
Professional 2023.6.2 Release 2023-Jun-29
This release introduces BChecks, which are custom scan checks. It also provides improvements to Burp Scanner’s live crawl path views, GraphQL scan checks, and a number of additional improvements and bug fixes.
Custom scan checks
This release introduces BChecks, which are scan checks that you can create and import. Burp Scanner runs these checks in addition to its built-in scanning routine. This enables you to fine-tune your scans and make your testing workflow as efficient as possible.
You can use our custom definition language to easily create BChecks. Burp includes a range of templates to get you started. To test your BChecks, you can use the built-in scan configuration Audit checks – BChecks only. If you use this configuration, Burp Scanner only uses BChecks when scanning.
We have also created a BChecks GitHub repository. This includes example BChecks from PortSwigger, as well as BChecks developed by the Burp Suite community. We look forward to accepting pull requests and celebrating your awesome work!
In the future, we’re planning to improve the BCheck language and testing experience. We’d love your feedback. Contact our support team at [email protected].
For more information on how to create and manage your BChecks, see Adding custom scan checks and BCheck definitions.
Live crawl paths view improvements
We have made a number of improvements to Burp Scanner’s live crawl paths view:
- You can now view details of all the possible navigation actions that the crawler was able to take from a given location on the crawl path. This enables you to better understand the structure of your site. To view these details, go to the Crawl paths > Outlinks tab of the scan task details window.
- You can now view a screenshot of Burp’s browser at any crawl location. Go to the Crawl paths tab of the scan task details window and click Show screenshot.
- The shortest crawl path tree is now retained when you reopen a project file.
GraphQL scan checks
We have introduced a number of GraphQL scan checks. The new scan checks enable you to:
- Identify if introspection queries are enabled.
- Find out if GraphQL suggestions are enabled.
- Test for CSRF vulnerabilities in all discovered GraphQL endpoints.
Montoya API
We have updated the Montoya API, to enable you to create extensions with additional functionality. You can now:
- Convert ByteArray data to different integer bases. This means you no longer need to use additional libraries to complete this task.
- Log exceptions to the error output. This means that you don’t need to format and convert exceptions manually.
Other improvements
We have made a number of additional improvements, including:
- You can now quickly switch to the Organizer tab using the hotkey Ctrl + Shift + O.
- In the Issue activity table on the Dashboard, you can now filter issues by your target scope.
- We have changed the way we launch Burp’s browser. It now works with accounts for sites that fingerprint the presence of the DevTools listener, such as Google accounts.
Bug fixes
We fixed a number of minor bugs:
- If you change the highlight in the Organizer table, it no longer deselects the current row.
- For Burp Suite Community Edition, filters are now correctly applied to Intruder attack results.
- Burp Collaborator DNS interactions are now correctly reported by BCheck scan checks.
Browser upgrade
We have upgraded Burp’s built-in browser to 114.0.5735.198 for Mac and Linux and 114.0.5735.198/199 for Windows. This update contains multiple security fixes.
Professional 2023.6.1 Release 2023-Jun-15
We have upgraded Burp’s built-in browser to 114.0.5735.133 for Mac and Linux and 114.0.5735.133/134 for Windows. This update contains multiple security fixes.
Professional 2023.5.4 Release 2023-Jun-15
Bug fix
We have fixed an issue whereby Burp’s browser was unable to start on some Linux distributions.
Browser upgrade
We have upgraded Burp’s built-in browser to 114.0.5735.133 for Mac and Linux and 114.0.5735.133/134 for Windows. This update contains multiple security fixes.
Professional 2023.6 Release 2023-Jun-7
This release introduces BChecks, which are custom scan checks. It also provides improvements to Burp Scanner’s live crawl path views, GraphQL scan checks, and a number of additional improvements and bug fixes.
Custom scan checks
This release introduces BChecks, which are scan checks that you can create and import. Burp Scanner runs these checks in addition to its built-in scanning routine. This enables you to fine-tune your scans and make your testing workflow as efficient as possible.
You can use our custom definition language to easily create BChecks. Burp includes a range of templates to get you started.
We have also created a BChecks GitHub repository. This includes example BChecks from PortSwigger, as well as BChecks developed by the Burp Suite community. We look forward to accepting pull requests and celebrating your awesome work.
In the future, we’re planning to improve the BCheck language and testing experience. We’d love your feedback. Contact our support team at [email protected].
Live crawl paths view improvements
We have made a number of improvements to Burp Scanner’s live crawl paths view:
- You can now view details of all the possible navigation actions that the crawler was able to take from a given location on the crawl path. This enables you to better understand the structure of your site. To view these details, go to the Crawl paths > Outlinks tab of the scan task details window.
- You can now view a screenshot of Burp’s browser at any crawl location. Go to the Crawl paths tab of the scan task details window and click Show screenshot.
- The shortest crawl path tree is now retained when you reopen a project file.
GraphQL scan checks
We have introduced a number of GraphQL scan checks. The new scan checks enable you to:
- Identify and maintain a list of any GraphQL endpoints discovered during the crawl.
- Identify if introspection queries are enabled.
- Find out if GraphQL suggestions are enabled.
- Test for CSRF vulnerabilities in all discovered GraphQL endpoints.
Montoya API
We have updated the Montoya API, to enable you to create extensions with additional functionality. You can now:
- Convert ByteArray data to different integer bases. This means you no longer need to use additional libraries to complete this task.
- Log exceptions to the error output. This means that you don’t need to format and convert exceptions manually.
Other improvements
We have made a number of additional improvements, including:
- You can now quickly switch to the Organizer tab using the hotkey Ctrl + Shift + O.
- In the Issue activity table on the Dashboard, you can now filter issues by your target scope.
- We have changed the way we launch Burp’s browser. It now works with accounts for sites that fingerprint the presence of the DevTools listener, such as Google accounts.
Bug fixes
We fixed a number of minor bugs:
- If you change the highlight in the Organizer table, it no longer deselects the current row.
- For Burp Suite Community Edition, filters are now correctly applied to Intruder attack results.
Browser upgrade
We have upgraded Burp’s built-in browser to 114.0.5735.110 for Windows and 114.0.5735.106 for Mac and Linux. This update contains multiple security fixes.
Professional 2023.5.3 Release 2023-Jun-6
We have upgraded Burp’s built-in browser to 114.0.5735.110 for Windows and 114.0.5735.106 for Mac and Linux. This update contains multiple security fixes.
Professional 2023.5.2 Release 2023-Jun-1
This release introduces the new Burp Organizer tool, a live crawl paths view, upgrades for the Montoya API, and a number of minor improvements.
We have added a new Crawl paths tab to the Task details dialog. This tab gives you real-time updates on crawls, displaying all the locations found in the target site and the actions taken by Burp Scanner to reach each of those locations.
For audit scans, the Crawl paths tab also shows details of any issues discovered in each location.
Please note that the Crawl paths tab is still under active development, and the contents of the tab are not currently saved to Burp Suite project files. As such, if you close and re-open the project the tab does not display any information for previously-run scans.
To learn more about the crawl paths view, see our documentation.
Burp Organizer
This release introduces Burp Organizer, which enables you to store copies of HTTP messages that you want to come back to later. Use Organizer to better manage your penetration testing workflow. For example, you can:
- Store messages that you want to investigate later.
- Save messages that you’ve already identified as interesting.
- Save messages that you want to add to a report later.
Organizer is designed to provide an alternative to storing messages in Burp Repeater. Organizer’s table structure makes it easier to work with large numbers of stored messages. It also enables you to add notes to your messages, so you can capture your thoughts to review later. These are displayed in the collapsible Notes panel.
To learn more about Burp Organizer, see our documentation.
In the future, we may add the notes function to other Burp tools. If you think this would be useful, please let us know how you would use notes in your penetration testing workflow. Contact our support team at [email protected].
Recorded login improvements
We have made the following minor changes to the Burp Suite Navigation Recorder browser extension:
- When the login sequence that you’re recording uses a type of platform authentication that is not supported by the extension, such as an NTLM-based mechanism, we now warn you of this during the recording.
- When recording a login sequence, you no longer need to use the browser’s incognito mode. However, we strongly recommend using incognito mode whenever possible to avoid issues with stateful behavior. We implemented this change to support users who would otherwise be unable to use the extension at all due to restrictions imposed by their organization.
Montoya API
We have updated the Montoya API, to enable you to create extensions with additional functionality. You can now:
- Access font information for the message editor and display.
- Access the insertion points that are automatically detected by Burp Intruder.
- Update and add headers or parameters. Burp adds the header or parameter if it isn’t already present in a request.
- Create Collaborator payloads so that any resulting interactions appear in the Collaborator tab.
- Retrieve the details of any Collaborator interactions from issues identified by Burp Scanner in an audit.
We have fixed a bug so that extension settings from earlier versions of Burp now carry over to the Montoya API versions of Burp.
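The three capabilities above (updating or adding a header, generating Collaborator payloads that are tracked in the Collaborator tab, and logging exceptions) fit naturally into one HTTP handler. The following is an added example written for this post, not code from PortSwigger or the Burp Suite project. It assumes the Montoya API types as published in the 2023.x Javadoc: `HttpRequest.withUpdatedHeader` (which adds the header when it is absent, as the release note describes), `Collaborator.defaultPayloadGenerator`, and `Logging.logToError(Throwable)`. The header name `X-Forwarded-Host` and the extension name are arbitrary choices for the example.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.collaborator.CollaboratorPayload;
import burp.api.montoya.collaborator.CollaboratorPayloadGenerator;
import burp.api.montoya.http.handler.HttpHandler;
import burp.api.montoya.http.handler.HttpRequestToBeSent;
import burp.api.montoya.http.handler.HttpResponseReceived;
import burp.api.montoya.http.handler.RequestToBeSentAction;
import burp.api.montoya.http.handler.ResponseReceivedAction;
import burp.api.montoya.http.message.requests.HttpRequest;

// Example extension: injects a Collaborator payload into a header on every
// in-scope request so that out-of-band callbacks (DNS/HTTP) surface in the
// Collaborator tab. Header name and extension name are illustrative.
public class CollaboratorHeaderExtension implements BurpExtension, HttpHandler {
    private static final String HEADER_NAME = "X-Forwarded-Host"; // assumption: header worth probing

    private MontoyaApi api;
    private CollaboratorPayloadGenerator generator;

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        api.extension().setName("Collaborator header injector (example)");
        // The default generator is the one whose payloads Burp tracks in the
        // Collaborator tab; a client from createClient() is polled by the extension instead.
        this.generator = api.collaborator().defaultPayloadGenerator();
        api.http().registerHttpHandler(this);
    }

    @Override
    public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent requestToBeSent) {
        // Leave out-of-scope traffic untouched so third-party hosts are never probed.
        if (!requestToBeSent.isInScope()) {
            return RequestToBeSentAction.continueWith(requestToBeSent);
        }
        try {
            CollaboratorPayload payload = generator.generatePayload();
            // withUpdatedHeader replaces an existing header value, or adds the
            // header if the request does not already carry it.
            HttpRequest modified = requestToBeSent.withUpdatedHeader(HEADER_NAME, payload.toString());
            return RequestToBeSentAction.continueWith(modified);
        } catch (RuntimeException e) {
            // No manual formatting needed: the stack trace goes to the extension's Errors tab.
            api.logging().logToError(e);
            return RequestToBeSentAction.continueWith(requestToBeSent);
        }
    }

    @Override
    public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived responseReceived) {
        return ResponseReceivedAction.continueWith(responseReceived);
    }
}
```

Load the compiled JAR from the Extensions tab, then browse the target through Burp: any server that resolves or fetches the injected host name produces an interaction in the Collaborator tab, tagged with the payload that was sent. Restrict the scope first; the handler rewrites every in-scope request, which is intrusive on a production target.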
Minor improvements
We have added a number of minor improvements, including:
- You can now choose to apply enabled match and replace rules to in-scope items only.
- You can now generate a project file that includes high, medium, low, and informational issues, but doesn’t include false positives.
- Burp Scanner now audits requests issued by iframes.
- You can now use wildcard domains when you set a simple scope for Burp Scanner under Detailed scope configuration in the New scan dialog. This enables you to quickly and easily add all subdomains of a target domain to scope. For more information, see Setting the scan scope – Wildcards.
- The Click all clickable elements setting has been moved into the Miscellaneous section in the crawler scan configuration options. It has also been enabled by default. You should see an increase in scanning coverage for single-page applications that use non-traditional navigational elements.
Bug fixes
- We have fixed an issue with DOM Invader that prevented it from working properly with newer versions of Chromium.
- Previously, the crawler could erroneously consolidate separate locations into one under certain circumstances. The fix for this issue may result in you seeing an increase in locations discovered by the crawler.
- We have fixed a bug that sometimes prevented applications from reaching a logged-in state when crawling sites with input elements that are not enclosed within a <form> tag.
- When checking for SQL and XPath vulnerabilities, issues are now correctly linked to the first response in a redirection chain that includes the error string. Previously, issues continued to be reported for each response with the error string.
Browser upgrade
We have upgraded Burp’s built-in browser to 114.0.5735.91 for Windows and 114.0.5735.90 for Mac and Linux.
Professional 2023.4.5 Release 2023-May-25
In this release, we have fixed a bug that sometimes prevented Burp Scanner from crawling floating input fields.
Professional 2023.4.3 Release 2023-May-15
This release introduces improvements to Burp Intruder and Burp Scanner, ARM64 support for Linux, and a number of minor improvements and bug fixes.
Improvements to Burp Scanner
We have made a number of improvements to Burp Scanner:
- You can now scan YAML API definitions.
- You can now scan floating input fields, which enables Burp Scanner to better handle single-page applications (SPAs).
- We have reduced the amount of noise in the event log that recorded logins produce when pop-ups close.
Improvements to Burp Intruder
We have made a number of improvements to Burp Intruder:
- Payload positions are no longer predefined when you send a request to Intruder. This means that you no longer need to clear payload positions before you start to configure your attack. You can still set the automatic payload positions if required – click Auto § in the Intruder > Positions tab.
- You can now preset a payload position before you send a request to Intruder, to streamline your workflow. To do this, highlight the part of the request that you want to set as a payload position, then send the request to Intruder.
- We have added the ability to control whether Intruder uses HTTP/1 or HTTP/2 for a specific attack.
ARM64 on Linux
We have introduced support for ARM64 on Linux. Note that Burp’s browser will only work with the installer build, not the plain JAR file.
Montoya API
We have continued to update the Montoya API, which enables you to create extensions with additional functionality:
- You can now pause and resume the task execution engine.
- You can now load and export user settings in JSON. This gives you more control over Burp’s configuration.
- You can now add custom tabs to WebSocket message editors.
Display scaling
We have added a Scaling setting to the Settings dialog. This enables you to view Burp correctly when you use a high resolution display with custom scaling.
Bugs
We have fixed a number of minor bugs:
- When you add further items to a finished task, it is now correctly relabelled as Running.
- When you reopen a project file that contains completed scan tasks, they now remain completed with no further scanning actions taken.
- We have fixed a bug whereby you received an error message when you loaded an extension to a temporary file with a path that contains spaces.
- We have fixed a bug whereby extension popups displayed incorrectly when Burp was set to automatically recognize character sets.
- We have fixed a bug in Burp Scanner that caused issues when crawling some API definitions.
- We have fixed a bug that was preventing Burp Intruder tasks from loading properly in some cases.
- We have fixed a bug that sometimes prevented applications from reaching a logged-in state when crawling sites with input elements that are not enclosed within a <form> tag.
- We found a bug in our Copy as curl command function which could result in unexpected behavior when pasted into a Windows shell. As a result, we have changed the label for this command to Copy as curl command (bash).
Chromium upgrade
We have upgraded Burp’s built-in browser to 113.0.5672.92/.93 for Windows and 113.0.5672.92 for Mac and Linux.
Note
We have also updated Burp so that all feedback is now attributable to a Burp license. We will use this information to continue to improve your Burp experience and provide you with more targeted support. No sensitive information is transmitted in your feedback, and you can still choose to opt out of feedback at any time.
Professional 2023.3.3 Release 2023-Apr-13
This release fixes a bug whereby users of Linux ARM64 weren’t able to launch Burp using the JAR file.
Professional 2023.3.2 Release 2023-Apr-6
This release introduces support for Collaborator payloads in Intruder attacks, some SPA scanning improvements, further upgrades to the Montoya API, and upgrades to the browser and JRE.
Collaborator payloads in Intruder attacks
We have updated Burp Intruder to enable the use of Collaborator payloads in attacks. This update includes:
- A new payload type that generates Collaborator payloads, then inserts these at your configured payload positions.
- A payload processing rule that replaces a specified placeholder regex with a collaborator payload. The default placeholder regex already matches a placeholder in the predefined payload lists.
Collaborator interactions that result from an Intruder attack are shown in the Intruder results window, instead of the Collaborator tab.
Montoya API
We have continued to update the Montoya API:
- Every request and response now has a unique ID, so you can track which request caused each response.
- We have fixed a bug that prevented report generation through the Montoya API. In addition, issue references are now present on extension-generated reports.
We have also continued to update our Montoya API support for WebSockets. You can now right-click a WebSocket message and use the context menu to send the message to your extension.
SPA scanning improvements
This release includes changes that enable Burp Scanner to better handle single-page applications (SPAs).
Bug fix
We have upgraded DOM Invader to fix a bug whereby, if a user disabled CSP while the prototype pollution feature was enabled, DOM Invader continued to ignore CSP security headers even after the user disabled prototype pollution.
Browser upgrade
This release upgrades Burp’s browser to Chromium 112.0.5615.49 for Linux and Mac and 112.0.5615.49/50 for Windows.
Java Runtime Environment (JRE) upgrade
This release upgrades the JRE bundled with the Burp installer to 19.0.2. This upgrade gives several security and performance benefits.
Professional 2023.2.3 Release 2023-Mar-10
This release provides improved support for WebSocket functionality in the Montoya API, as well as a number of minor improvements and bug fixes.
Montoya API WebSocket support
We have improved Montoya API support for WebSockets. This enables you to create extensions that interact more effectively with WebSockets. You can now:
- Create WebSockets.
- Create WebSocket message editors.
- Retrieve WebSocket messages from the Proxy history. This enables you to search the messages for interesting content.
- Send binary messages on both proxied and non-proxied WebSockets. This enables you to interact with services that process binary messages.
- Add comments and highlights to proxied WebSocket messages.
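The WebSocket capabilities listed here (in the 2023.2.3 notes) and the WebSocket context-menu support in the 2023.3.2 notes above both rest on the proxy WebSocket handler interfaces. The following is an added example written for this post, not PortSwigger's code. It assumes the Montoya API types `ProxyWebSocketCreationHandler`, `ProxyMessageHandler`, `InterceptedTextMessage` and the `TextMessageReceivedAction` / `TextMessageToBeSentAction` factories as published in the 2023.x Javadoc, and that setting the highlight and notes on an intercepted message's `annotations()` is what marks it in the Proxy > WebSockets history. The token regex and extension name are the example's own choices.

```java
import java.util.regex.Pattern;

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.core.HighlightColor;
import burp.api.montoya.proxy.websocket.BinaryMessageReceivedAction;
import burp.api.montoya.proxy.websocket.BinaryMessageToBeSentAction;
import burp.api.montoya.proxy.websocket.InterceptedBinaryMessage;
import burp.api.montoya.proxy.websocket.InterceptedTextMessage;
import burp.api.montoya.proxy.websocket.ProxyMessageHandler;
import burp.api.montoya.proxy.websocket.ProxyWebSocketCreation;
import burp.api.montoya.proxy.websocket.ProxyWebSocketCreationHandler;
import burp.api.montoya.proxy.websocket.TextMessageReceivedAction;
import burp.api.montoya.proxy.websocket.TextMessageToBeSentAction;

// Example extension: highlights proxied WebSocket text frames that carry a
// JWT-shaped token in either direction, so credential leakage over WebSockets
// stands out in the Proxy history. Regex and names are illustrative.
public class WebSocketTokenFlagger implements BurpExtension, ProxyWebSocketCreationHandler, ProxyMessageHandler {
    // Compact JWS/JWT: three base64url segments, header almost always starting "eyJ".
    private static final Pattern JWT = Pattern.compile("eyJ[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+");

    private MontoyaApi api;

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        api.extension().setName("WebSocket token flagger (example)");
        // Called once per WebSocket the proxy opens; we attach ourselves as message handler.
        api.proxy().registerWebSocketCreationHandler(this);
    }

    @Override
    public void handleWebSocketCreation(ProxyWebSocketCreation creation) {
        api.logging().logToOutput("WebSocket upgrade: " + creation.upgradeRequest().url());
        creation.proxyWebSocket().registerProxyMessageHandler(this);
    }

    // Server -> client text frame.
    @Override
    public TextMessageReceivedAction handleTextMessageReceived(InterceptedTextMessage message) {
        annotateIfToken(message);
        return TextMessageReceivedAction.continueWith(message);
    }

    // Client -> server text frame.
    @Override
    public TextMessageToBeSentAction handleTextMessageToBeSent(InterceptedTextMessage message) {
        annotateIfToken(message);
        return TextMessageToBeSentAction.continueWith(message);
    }

    // Binary frames are passed through unchanged.
    @Override
    public BinaryMessageReceivedAction handleBinaryMessageReceived(InterceptedBinaryMessage message) {
        return BinaryMessageReceivedAction.continueWith(message);
    }

    @Override
    public BinaryMessageToBeSentAction handleBinaryMessageToBeSent(InterceptedBinaryMessage message) {
        return BinaryMessageToBeSentAction.continueWith(message);
    }

    private void annotateIfToken(InterceptedTextMessage message) {
        if (JWT.matcher(message.payload()).find()) {
            // Highlight and comment are the same annotations the UI exposes via the context menu.
            message.annotations().setHighlightColor(HighlightColor.ORANGE);
            message.annotations().setNotes("JWT-shaped token in frame (" + message.direction() + ")");
        }
    }
}
```

The same handler is the place to rewrite a frame: return `TextMessageToBeSentAction.continueWith(newPayload)` with a modified string instead of the original message to tamper with client-to-server traffic on the fly.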
Minor improvements
We have made a number of minor improvements, including:
- We have added an entry for the Support HTTP/2 setting to the proxy listeners table.
- We have updated the proxy listener to automatically restart when the Support HTTP/2 setting is changed.
- When you reopen the Settings dialog your previous search is now displayed, so that you can quickly be in context.
Bug fixes
We have fixed a number of minor bugs:
- Checkboxes now scale correctly when you modify the font size.
- We have fixed a bug whereby if you generated a tab with a Burp extension, the tab did not display correctly.
- We have fixed a bug whereby responses were erroneously marked as edited when using extensions in Montoya-compatible builds of Burp.
- We have fixed a bug whereby the Hackvertor tab was not displaying correctly in the message editor when using the Hackvertor BApp.
- We have fixed a bug whereby Intruder attack results windows sometimes displayed requests and responses from multiple Intruder attacks that were launched from the same tab. Each window now only displays requests and responses relating to the originating attack.
Browser update
This release upgrades Burp’s browser to Chromium 111.0.5563.64/65. This upgrade contains a critical security fix, as well as several high-severity fixes.
Note for Windows Server 2012 and Windows 7/8/8.1 users
Due to a recent Chrome upgrade, Burp Scanner is no longer compatible with the Windows Server 2012 and Windows 7/8/8.1 operating systems. For more information, see the related Chrome announcement.
Professional 2023.1.3 Release 2023-Mar-1
This release upgrades Burp’s browser to Chromium 110.0.5481.177 / 178. This upgrade contains a critical security fix, as well as several high-severity fixes.
Note for Windows Server 2012 and Windows 7/8/8.1 users
Due to a recent Chrome upgrade, Burp Scanner is no longer compatible with the Windows Server 2012 and Windows 7/8/8.1 operating systems. For more information, see the related Chrome announcement.
Professional 2023.1.2 Release 2023-Feb-9
In this release, we have moved more of Burp Suite’s settings into the Settings dialog, making them easier to find and use. We have also upgraded the Montoya API, made improvements to macro functionality, and made various minor improvements.
Settings restructure
We have moved more settings into Burp’s Settings dialog. In particular, we have added:
- All settings related to the following Burp tools into the Tools section:
- Proxy.
- Repeater.
- Sequencer.
- Intruder – User settings only. Intruder attack configuration settings remain in the Intruder attack tab.
- A new page for extensions.
- A new page for the configuration library.
- Target scope settings into the Scope section.
- Resource pools and task auto-start settings into the Tasks section.
As part of this restructuring, we have also:
- Added the Repeater Default tab group setting. This enables you to configure the tab group that requests are added to by default when sent to Repeater.
- Updated the viewing panel for the Hotkeys settings. This enables you to edit hotkeys from this panel directly.
- Moved Inspector settings into the Message editor page.
Montoya API persistence
We have upgraded the Montoya API to version 2023.1, which enables Burp extensions to store and manage data in project files. Any BApps that you develop with version 2023.1 will be compatible with future versions of Burp, as all future changes to the API will be backwards compatible.
You can now use the Montoya API to:
- Store extension settings and data in the current Burp project. The API can store data both to project files that were created on startup and to temporary projects that you subsequently save to a project file. Each extension can only access its own data.
- Select whether or not extension data is saved when you save a copy of the current project.
- Import extension data from another project file.
The Montoya API offers support for the following data types:
- Primitives.
- Strings.
- Booleans.
- Requests.
- Responses.
- Byte arrays.
- Lists.
- Hierarchies.
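To show how an extension uses the project-scoped store described above, here is an added example written for this post, not PortSwigger's code. It assumes the Montoya API 2023.1 persistence types as published in the Javadoc: `Persistence.extensionData()` returning a per-extension `PersistedObject`, the typed getters returning `null` for absent keys, and `PersistedList.persistedStringList()` as the list factory. Whether a `PersistedList` obtained from the store is live-backed is not relied on: the example writes the list back after every change. Key names and the extension name are the example's own.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.handler.HttpHandler;
import burp.api.montoya.http.handler.HttpRequestToBeSent;
import burp.api.montoya.http.handler.HttpResponseReceived;
import burp.api.montoya.http.handler.RequestToBeSentAction;
import burp.api.montoya.http.handler.ResponseReceivedAction;
import burp.api.montoya.persistence.PersistedList;
import burp.api.montoya.persistence.PersistedObject;

// Example extension: keeps a count of in-scope requests, the set of hosts seen,
// and the last in-scope request in the project file, so the state survives a
// Burp restart when the same project is reopened. Key names are illustrative.
public class ProjectStateExtension implements BurpExtension, HttpHandler {
    private static final String KEY_COUNT = "inScopeRequestCount";
    private static final String KEY_HOSTS = "seenHosts";
    private static final String KEY_LAST  = "lastInScopeRequest";

    private MontoyaApi api;
    private PersistedObject data;   // this extension's private slice of the project file

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        api.extension().setName("Project state (example)");
        data = api.persistence().extensionData();

        // Typed getters return null when the key has never been written
        // (fresh project, or a project saved before this extension existed).
        if (data.getInteger(KEY_COUNT) == null) {
            data.setInteger(KEY_COUNT, 0);
        }
        if (data.getStringList(KEY_HOSTS) == null) {
            data.setStringList(KEY_HOSTS, PersistedList.persistedStringList());
        }
        api.logging().logToOutput("Restored state: " + data.getInteger(KEY_COUNT)
                + " in-scope requests across " + data.getStringList(KEY_HOSTS).size() + " host(s)");
        if (data.getHttpRequest(KEY_LAST) != null) {
            api.logging().logToOutput("Last in-scope request: " + data.getHttpRequest(KEY_LAST).url());
        }
        api.http().registerHttpHandler(this);
    }

    @Override
    public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent request) {
        if (request.isInScope()) {
            data.setInteger(KEY_COUNT, data.getInteger(KEY_COUNT) + 1);

            PersistedList<String> hosts = data.getStringList(KEY_HOSTS);
            String host = request.httpService().host();
            if (!hosts.contains(host)) {
                hosts.add(host);
                data.setStringList(KEY_HOSTS, hosts);   // write back; do not rely on a live view
            }
            // Requests and responses are first-class persisted types, no serialisation needed.
            data.setHttpRequest(KEY_LAST, request);
        }
        return RequestToBeSentAction.continueWith(request);
    }

    @Override
    public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived response) {
        return ResponseReceivedAction.continueWith(response);
    }
}
```

Because the store is project-scoped and per-extension, nothing here leaks to other extensions or to user-level preferences (those live under `api.persistence().preferences()`); the counter resets only when you start a new project, not when you reload the extension.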
Macro updates
You can now define a prefix and suffix for a custom macro parameter. This can be useful, for example, to support Authorization headers, which require a static prefix followed by a dynamic value.
In addition, you can now set headers using macro parameters. When a parameter matches a request header, then Burp replaces the header value with the macro parameter value. This enables you to test APIs without configuring a Burp Extension.
Improvements to Burp Scanner
This release includes several minor improvements to authenticated crawling with popup-based login mechanisms:
- We have added a wait after the final event in a recorded sequence. This means that the sequence now captures links that are added by the final page after a delay.
- When you login after receiving a temporary failure status code, Burp now authenticates subsequent requests for the same resource.
- When you change the Await navigation timeout in a crawler configuration, it now automatically updates in the recorded login sequence replayer. It is also stored in the crawler tuning.
Bug fixes
We have fixed a bug whereby Burp Repeater tabs were not functioning correctly when there was an absolute URL in the request line.
We have also released a couple of bug fixes related to the Montoya API:
- Previously, the Javadoc incorrectly stated that the passiveAudit() method of the ScanCheck interface returns null if no issues are identified. The method in fact returns an empty AuditResult object if no issues are identified. We have updated the Javadoc.
- We have fixed a bug whereby the copyToTempFile() method was causing null pointer exceptions.
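The corrected Javadoc contract (an empty AuditResult, never null) matters as soon as you write your own check, and a Montoya ScanCheck is also the code-level counterpart of the BChecks introduced in the 2023.6 notes earlier on this page. The following is an added example written for this post, not PortSwigger's code, and it shows one passive check of the kind BChecks are typically used for. It assumes the Montoya API `ScanCheck`, `AuditResult`, `AuditIssue.auditIssue(...)` and `ConsolidationAction` types as published in the 2023.x Javadoc, and that `HttpMessage.hasHeader` matches header names case-insensitively. The issue text and extension name are the example's own.

```java
import java.util.List;

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.scanner.AuditResult;
import burp.api.montoya.scanner.ConsolidationAction;
import burp.api.montoya.scanner.ScanCheck;
import burp.api.montoya.scanner.audit.insertionpoint.AuditInsertionPoint;
import burp.api.montoya.scanner.audit.issues.AuditIssue;
import burp.api.montoya.scanner.audit.issues.AuditIssueConfidence;
import burp.api.montoya.scanner.audit.issues.AuditIssueSeverity;

// Example passive scan check: reports HTTPS responses served without a
// Strict-Transport-Security header. Runs during passive audits alongside
// Burp's built-in checks and any enabled BChecks.
public class HstsScanCheck implements BurpExtension, ScanCheck {
    private static final String ISSUE_NAME = "Strict-Transport-Security header missing (example check)";

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("HSTS passive check (example)");
        api.scanner().registerScanCheck(this);
    }

    @Override
    public AuditResult activeAudit(HttpRequestResponse baseRequestResponse, AuditInsertionPoint insertionPoint) {
        // This check sends nothing of its own. Per the corrected Javadoc, "no issues"
        // is an empty AuditResult, not null.
        return AuditResult.auditResult(List.of());
    }

    @Override
    public AuditResult passiveAudit(HttpRequestResponse baseRequestResponse) {
        if (baseRequestResponse.response() == null
                || !baseRequestResponse.request().httpService().secure()      // HSTS only applies to HTTPS
                || baseRequestResponse.response().hasHeader("Strict-Transport-Security")) {
            return AuditResult.auditResult(List.of());
        }

        AuditIssue issue = AuditIssue.auditIssue(
                ISSUE_NAME,
                "The response was served over HTTPS without a Strict-Transport-Security header, "
                        + "so a network attacker can downgrade a later visit to plain HTTP.",
                "Send Strict-Transport-Security with a max-age of at least one year on every HTTPS response.",
                baseRequestResponse.request().url(),
                AuditIssueSeverity.LOW,
                AuditIssueConfidence.CERTAIN,
                null,                         // background (optional)
                null,                         // remediation background (optional)
                AuditIssueSeverity.LOW,       // typical severity
                baseRequestResponse);         // evidence shown in the issue's Request/Response tabs
        return AuditResult.auditResult(issue);
    }

    @Override
    public ConsolidationAction consolidateIssues(AuditIssue newIssue, AuditIssue existingIssue) {
        // A missing-HSTS finding is a per-host property: keep the first one and
        // drop duplicates rather than reporting it once per URL.
        return existingIssue.name().equals(newIssue.name())
                ? ConsolidationAction.KEEP_EXISTING
                : ConsolidationAction.KEEP_BOTH;
    }
}
```

To exercise only this check, run an audit with a configuration that disables the built-in passive checks, or look for the issue name in the Issue activity table after a live passive audit of an HTTPS site that omits the header.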
Browser update
This release upgrades Burp’s browser to Chromium 110.0.5481.77/.78.
Note for Windows Server 2012 and Windows 7/8/8.1 users
Due to a recent Chrome upgrade, Burp Scanner is no longer compatible with the Windows Server 2012 and Windows 7/8/8.1 operating systems. For more information, see the related Chrome announcement.
Professional 2022.12.6 Release 2023-Jan-12
This release upgrades Burp’s browser to a later version of Chromium and fixes a minor bug.
Browser upgrade
This release upgrades Burp’s browser to Chromium 109.0.5414.74/.75/.87.
Bug fix
We have enabled both the Auto backoff and Enable concurrent request limiting settings in Burp Scanner by default, and set Enable concurrent request limiting to 10. These settings were disabled by default in the Professional / Community 2022.12.5 release.
Professional 2022.12.5 Release 2022-Dec-21
This release contains a bug fix for Burp’s diagnostics.
Previously, Burp was not returning details of the installed extensions in its diagnostics reports. We have fixed this issue, and all installed extensions are now listed.
Professional 2022.12.4 Release 2022-Dec-15
This release introduces support for popup windows when recording logins and a new live crawl view for Burp Scanner. We have also added several new features to DOM Invader, including the ability to detect DOM clobbering vulnerabilities, and various minor improvements and bug fixes for Burp Suite. It also upgrades Burp’s browser to a later version of Chromium.
Authenticated crawling of applications with popup-based login mechanisms
Burp Scanner can now replay recorded login sequences that open new windows or tabs. This enables you to run authenticated scans on websites with login mechanisms that require you to interact with popups, such as Microsoft and Amazon’s SSO services.
Live crawl view for Burp Scanner
We have added a new Live crawl view tab to the Scan details dialog. This tab enables you to watch Burp Scanner render web pages in real time, helping you to diagnose unusual crawl activity or simply get a better understanding of Burp Scanner’s behaviors when scanning a particular target.
Major improvements to Burp Scanner
This release significantly improves Burp Scanner’s resilience and provides increased support for a wider range of applications, especially SPAs.
Most importantly, we’ve fundamentally changed the way Burp Scanner navigates using its built-in browser. As a result, you may now be able to successfully scan a number of sites that were previously incompatible with automated vulnerability scans. In particular, you should see much better results on sites that rely heavily on navigation initiated by client-side JavaScript.
We’ve also dramatically improved our browser process management, resulting in much lower memory usage during scans.
DOM Invader enhancements
This release adds a number of new features to DOM Invader, as well as some usability improvements.
- Detect DOM clobbering vulnerabilities – DOM Invader can now scan for DOM clobbering vulnerabilities as you browse. This feature is disabled by default as it can potentially interfere with your other testing activities. You can enable it from the DOM Invader settings menu.
- Detect injectable service workers – DOM Invader now attempts to inject the canary into service workers during registration and flags any controllable properties. You can then manually investigate whether the service worker uses these properties in an unsafe way.
- Improved URL injection – We’ve removed the Inject URL button, which injected a test string into every URL parameter at once. In most cases, this wasn’t very useful as it just prevented the site from working properly. Instead, you can now click Inject URL params to inject the canary into each URL parameter separately in individual windows. This is far more practical and yields significantly better results.
- Restrict the parameters used for auto-injection – When using the Inject into all sources option, you can now define a custom list of parameters that DOM Invader uses to inject the canary. This makes this feature more useful as injecting all parameters at once typically just prevents the site from working at all.
We have also divided the main settings menu into collapsible categories to make it easier to use.
Rolling licenses
We have added support for rolling licenses in Burp Suite. If your Burp license key has expired but you have a new, valid license associated with your account, then Burp Suite automatically applies your new license key the next time it starts up.
Change to Java requirements
Burp Suite now requires Java 17 or later to run. This change should not impact you unless you launch Burp Suite from the command line, as the installer includes a bundled private Java Runtime Environment so that you don’t need to worry about installing or updating Java.
Minor improvements
This release includes several minor improvements, including:
- The Collaborator client now shows the source port in the interaction details panel. This can help you to gauge how vulnerable a particular server is to certain attacks.
- In Repeater, you can now drag and drop a tab into a collapsed group. The dragged tab is added to the end of the group.
- We have changed the way in which Intruder attack results are stored in order to minimize the impact on project file size.
Bug fixes
We have fixed the following bugs:
- Previously, Burp was stripping out manually-modified Connection headers when using NTLM authentication. This has now been fixed.
- We have fixed a request time discrepancy between Intruder and Logger, in which Intruder was incorrectly reporting that requests were sent to the server a few seconds before the request was actually sent.
- We have fixed a bug whereby reports were not saving correctly on Windows machines. Burp was displaying a “Failed to open file” error at the point the report was saved.
- We have fixed a bug whereby Burp’s browser was unable to register service workers, causing issues with recorded login sequences and manual testing.
- We have fixed a bug whereby if you attempted to cancel while loading a user configuration file, then Burp was displaying a “Configuration File” error.
Browser upgrade
This release upgrades Burp’s browser to Chromium 108.0.5359.124/.125.
Professional 2022.11.2 Release 2022-Nov-25
In this release, we have significantly improved the usability of Burp’s user and project options. We have also added new functionality to DOM Invader and the Montoya API.
User and project options refactor
We have moved all of the options in the User options and Project options tabs to a new Settings dialog, accessible from a button on the main toolbar or by a configurable hotkey.
This new dialog improves the layout and navigation of Burp’s options in several ways:
- You can now access all user and project settings in one window.
- You can now use search and filter commands to find the settings you need.
- Following extensive UX research, we have rearranged the available settings into a more logical structure.
Each setting in the dialog has a marker indicating whether it is a user-level or project-level setting. For settings that can apply at either level, there is an Override options for this project only toggle that enables you to select the level at which the setting should apply.
DOM Invader: Detect cross-origin data leaks via web messages
DOM Invader can now detect when the current page sends a web message containing data from the URL to a different target origin. In this case, an attacker can potentially steal sensitive data, such as OAuth tokens, by embedding the affected page in an iframe, along with an event listener that extracts the data.
Testing for these vulnerabilities manually is a laborious task, but DOM Invader can automate most of this process for you. Just enable the Detect cross-domain leaks option from DOM Invader’s web message settings:
DOM Invader: Remove Permissions-Policy header
You can now configure DOM Invader to strip the Permissions-Policy header from responses.
Some websites set directives via the Permissions-Policy header that block features that are essential to DOM Invader’s functionality, such as synchronous XHR. In this case, DOM Invader informs you via the console and prompts you to enable the Remove permissions policy header option from the settings menu.
Proxy WebSocket listener support for Montoya API
You can now use the Montoya API to intercept and modify proxied WebSocket messages.
Minor improvements
This release includes several minor improvements to Burp Suite’s tools, including:
- You can now scan a selected insertion point only, without the need to run a full scan.
- You can now load or unload multiple extensions at once via a new context menu option on the Extensions table.
- We have added a search text field to the Edit hotkeys dialog, enabling you to filter the table of hotkeys.
Browser upgrade
We have upgraded Burp’s browser to Chromium 107.0.5304.110, which fixes a number of high-severity security issues.
Bug fix
We have fixed a bug whereby requests were sometimes not rendering correctly in the message editor.
Professional 2022.9.5 Release 2022-Oct-27
This release introduces the Montoya API, an all-new replacement for the Extender API. It also includes improvements to the Burp Collaborator client and adaptive request throttling for Burp Scanner.
Montoya API
We have released the Montoya API, an all-new API that enables you to develop extensions for Burp Suite. The new API offers a more modern design than the existing Extender API, making it easier to use and enabling us to add future features that we could not have supported with the old API.
This change will not affect any current BApps, and the existing Extender API will continue to work as normal for the immediate future. However, we strongly recommend that you write any new extensions using the new Montoya API, as we will eventually end support for the Extender API.
The Montoya API offers all of the same features as the existing version. It also includes several new features, such as:
- New methods to create, modify, and delete request / response headers.
- The ability for an extension to query which edition of Burp (that is, Professional, Community Edition, or Enterprise Edition) it is currently running in.
- The ability to generate Collaborator payloads from your own custom data.
- The ability to export the secret key that the Collaborator uses for extensions and restore a previous Collaborator client session from it.
- New utilities to generate random sequences and manipulate byte arrays.
Collaborator client improvements
This release introduces various usability improvements for the Burp Collaborator client, including:
- We have moved the client from the Burp menu to its own top-level tab.
- You can now open multiple Collaborator client tabs, enabling you to track interactions from multiple payloads in separate tables.
- Collaborator interactions are now persisted in the project file, meaning that any interactions in the table are retained if you close and reopen your project. You can also now save Collaborator interaction data directly to your project file.
- You can now insert a Collaborator payload in the message editor by selecting Insert Collaborator payload from the context menu. This pastes in a new ID from the most recently-created Collaborator client tab.
- The interaction table now displays interaction timings in milliseconds and the source IP of the interaction.
Automatic license key updates
Renewed license keys now update automatically. If your existing license is expiring or has expired altogether, Burp Suite automatically checks your account for a renewed license key. If you have a renewed key associated with your account, then the system retrieves and activates that key.
Please note that you will need to allow network access to https://portswigger.net for this process to work.
Adaptive request throttling for Burp Scanner
When Burp Scanner receives a 429 response due to sending too many requests in quick succession, it now incrementally adds a short delay between requests until it complies with the server’s rate limit. This enables the scan to continue as normal, albeit with an increased duration.
If you prefer, you can disable this behavior using a custom scan configuration – just go to Request throttling configuration and deselect Adaptive request throttling.
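The throttling behavior described above, reproduced as an added example in Java. This is an illustration written for this page, not Burp Scanner’s own implementation (whose delay increment, ceiling and retry policy are not published here): a sender that, each time the target answers 429, adds a fixed increment to the pause between requests and retries the rejected request, run against a constructed stand-in for a rate-limited server so it works offline. The step size, the ceiling, the server’s minimum gap and the decision to retry the same request are all assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.IntUnaryOperator;

/**
 * Adaptive request throttling (added example, not Burp's code): every time the
 * target answers 429 Too Many Requests, add a fixed increment to the pause
 * between requests and retry, until the server stops rejecting. The step and
 * ceiling values are assumptions.
 */
public final class AdaptiveThrottle {
    private final long stepMillis;      // delay added per 429
    private final long maxDelayMillis;  // ceiling so a hostile server cannot stall the scan indefinitely
    private long delayMillis = 0;
    private int rejections = 0;

    public AdaptiveThrottle(long stepMillis, long maxDelayMillis) {
        this.stepMillis = stepMillis;
        this.maxDelayMillis = maxDelayMillis;
    }

    public long currentDelayMillis() { return delayMillis; }
    public int rejections() { return rejections; }

    /**
     * Sends requests 0..requestCount-1 through `send`, which returns an HTTP status code.
     * A 429 lengthens the pause and the same request is retried; anything else is accepted.
     */
    public List<Integer> run(int requestCount, IntUnaryOperator send) throws InterruptedException {
        List<Integer> statuses = new ArrayList<>();
        for (int i = 0; i < requestCount; i++) {
            int status;
            while (true) {
                if (delayMillis > 0) {
                    Thread.sleep(delayMillis);
                }
                status = send.applyAsInt(i);
                if (status != 429) {
                    break;
                }
                rejections++;
                delayMillis = Math.min(maxDelayMillis, delayMillis + stepMillis);
            }
            statuses.add(status);
        }
        return statuses;
    }

    /** Constructed stand-in for a rate-limited target: rejects anything arriving sooner than minGapMillis after the last accepted request. */
    static final class RateLimitedServer {
        private final long minGapNanos;
        private long lastAcceptedNanos;

        RateLimitedServer(long minGapMillis) {
            this.minGapNanos = minGapMillis * 1_000_000L;
            this.lastAcceptedNanos = System.nanoTime() - minGapNanos; // first request is always accepted
        }

        int handle() {
            long now = System.nanoTime();
            if (now - lastAcceptedNanos < minGapNanos) {
                return 429;
            }
            lastAcceptedNanos = now;
            return 200;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        RateLimitedServer server = new RateLimitedServer(120);  // assumed: at most one request per 120 ms
        AdaptiveThrottle throttle = new AdaptiveThrottle(25, 2_000);
        List<Integer> statuses = throttle.run(8, i -> server.handle());
        System.out.println("final statuses: " + statuses);
        System.out.println("429s absorbed: " + throttle.rejections()
                + ", settled delay: " + throttle.currentDelayMillis() + " ms");
    }
}
```

The ceiling matters in practice: without it, a server that answers 429 to everything would stretch the delay without bound and the scan would never finish. A real client would also honor a Retry-After header when one is present rather than stepping blindly.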
Security patch
We have fixed an HTML injection vulnerability that could be triggered by attackers with direct access to the proxy listener. Note that the proxy listener only accepts connections from localhost by default. This issue was privately reported via our bug bounty program.
Browser upgrade
We have upgraded Burp’s browser to Chromium 107.0.5304.62, which fixes a number of high-severity security issues.
Bug fixes
We have also fixed some minor bugs, including:
- Previously, you could still use the Collaborator client to generate payloads and poll manually even if the Collaborator was disabled in the project options. We have now amended this so that disabling the Collaborator disables all of the Collaborator client’s functions.
- We have fixed a bug whereby disabling the Collaborator did not stop the Collaborator client from polling for payloads that had already been created.
- We have fixed a bug whereby the Learn More link on the Collaborator client tab was pointing to an invalid URL.
- We have fixed a bug that prevented the crawler from handling links that are added to a page by JavaScript following a delay.
- We have fixed a bug whereby Burp Scanner was failing to find CSRF vulnerabilities on sites that return a 302 response when CSRF is exploited.
- We have fixed a bug whereby Repeater was not identifying streaming responses correctly, meaning that the affected responses would never complete.
- We have fixed a UI issue whereby checkboxes and radio buttons were not displaying correctly on the Extensions tab when using the Light display theme.
Professional 2022.9.4 Release 2022-Oct-20
This release implements a back-end change to the way we check the validity of licenses.
Professional 2022.9.3 Release 2022-Oct-14
This release provides some minor bug fixes and upgrades Burp’s browser.
Browser upgrade
We have upgraded Burp’s browser to Chromium 106.0.5249.119, which fixes a number of high-severity security issues.
Security patch
This release also patches a low-severity security issue that was reported via our bug bounty program. We will provide further details once the patch is available on our Stable release channel.
Bug fixes
This release also includes a couple of bug fixes, including:
- We have fixed a bug whereby Repeater was not identifying streaming responses correctly, meaning that the affected responses would never complete.
- We have fixed a UI issue whereby checkboxes and radio buttons were not displaying correctly on the Extensions tab when using the Light display theme.
Professional 2022.9.2 Release 2022-Oct-4
This release provides various new features for the Montoya API. It also includes some bug fixes for Burp Scanner and an update for Burp’s browser.
New Montoya API features
We have added several new features to the Montoya API. These include:
- New methods to create, modify, and delete request / response headers.
- The ability for an extension to query which edition of Burp (that is, Professional, Community Edition, or Enterprise Edition) it is currently running in.
- The ability to generate collaborator payloads from your own custom data.
- The ability to export the secret key that the Collaborator uses for extensions and restore a previous Collaborator client session from it.
- New utilities to generate random sequences and manipulate byte arrays.
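The Montoya features listed above, and the identical list in the 2022.9.5 notes, are exercised by the extension below. It is an added example written for this page, not PortSwigger’s code and not taken from the Burp documentation: it deletes and updates request headers, checks which Burp edition it is running in, generates Collaborator payloads that carry custom data, and stores the Collaborator secret key so the client can be restored when the project is reopened. The extension name, the persistence key and the choice to tag only Repeater traffic are assumptions; the classes and methods used are those of the public Montoya API. Collaborator must be enabled in the project settings for createClient() to succeed.

```java
package example;

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.collaborator.CollaboratorClient;
import burp.api.montoya.collaborator.CollaboratorPayload;
import burp.api.montoya.collaborator.Interaction;
import burp.api.montoya.collaborator.SecretKey;
import burp.api.montoya.core.BurpSuiteEdition;
import burp.api.montoya.core.ToolType;
import burp.api.montoya.http.handler.HttpHandler;
import burp.api.montoya.http.handler.HttpRequestToBeSent;
import burp.api.montoya.http.handler.HttpResponseReceived;
import burp.api.montoya.http.handler.RequestToBeSentAction;
import burp.api.montoya.http.handler.ResponseReceivedAction;
import burp.api.montoya.http.message.requests.HttpRequest;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

/** Added example extension: header editing, edition check, Collaborator payloads with custom data. */
public class TaggingExtension implements BurpExtension {
    // Hypothetical slot name under which this extension keeps its Collaborator secret in the project file.
    private static final String SECRET_KEY_SLOT = "example.tagging.collaborator-secret";

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("Tagging example");

        // Collaborator is a Professional feature: query the edition and degrade gracefully elsewhere.
        CollaboratorClient client = null;
        if (api.burpSuite().version().edition() == BurpSuiteEdition.PROFESSIONAL) {
            String saved = api.persistence().extensionData().getString(SECRET_KEY_SLOT);
            client = saved == null
                    ? api.collaborator().createClient()                            // fresh client, fresh secret
                    : api.collaborator().restoreClient(SecretKey.secretKey(saved)); // same payloads and history as before
            api.persistence().extensionData().setString(SECRET_KEY_SLOT, client.getSecretKey().toString());
        } else {
            api.logging().logToOutput("Not running Professional: Collaborator tagging disabled.");
        }
        api.http().registerHttpHandler(new TaggingHandler(api, client));
    }

    static final class TaggingHandler implements HttpHandler {
        private final MontoyaApi api;
        private final CollaboratorClient client;                         // null when Collaborator is unavailable
        private final AtomicInteger sequence = new AtomicInteger();
        private final Map<String, String> tagToOrigin = new ConcurrentHashMap<>();

        TaggingHandler(MontoyaApi api, CollaboratorClient client) {
            this.api = api;
            this.client = client;
        }

        @Override
        public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent request) {
            // Delete one header, then update-or-add another: the three header operations the release notes mention.
            HttpRequest modified = request.withRemovedHeader("If-None-Match");
            modified = modified.hasHeader("Accept-Encoding")
                    ? modified.withUpdatedHeader("Accept-Encoding", "identity")
                    : modified.withAddedHeader("Accept-Encoding", "identity");

            // Only tag Repeater traffic (assumption): tagging every proxied request would be very noisy.
            if (client != null && request.toolSource().isFromTool(ToolType.REPEATER)) {
                // Custom data must be short and alphanumeric, so use a base-36 counter and map it back locally.
                String tag = Integer.toString(sequence.incrementAndGet(), 36);
                tagToOrigin.put(tag, request.toolSource().toolType().name() + " " + request.path());
                CollaboratorPayload payload = client.generatePayload(tag);
                modified = modified.withAddedHeader("X-Forwarded-Host", payload.toString());
            }
            return RequestToBeSentAction.continueWith(modified);
        }

        @Override
        public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived response) {
            if (client != null) {
                // Polling on every response keeps the example short; a real extension would poll on a timer.
                for (Interaction interaction : client.getAllInteractions()) {
                    String origin = interaction.customData().map(tagToOrigin::get).orElse("<untagged>");
                    api.logging().logToOutput(interaction.type().name() + " interaction from "
                            + interaction.clientIp() + " caused by " + origin);
                }
            }
            return ResponseReceivedAction.continueWith(response);
        }
    }
}
```

Persisting the secret key is what makes the "restore a previous Collaborator client session" feature useful: after a restart, restoreClient() continues to receive interactions for payloads issued before the restart. Note that extension data is only retained across restarts when you work in a project file, not a temporary project, and that anyone who can read the project file can read the key.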
Browser update
This release updates Burp’s browser to Chromium 106.0.5249.61, which fixes a number of high-severity security issues.
Bug fixes
This release also includes a couple of bug fixes for Burp Scanner, including:
- We have fixed a bug that prevented the crawler from handling links that are added to a page by JavaScript following a delay.
- We have fixed a bug whereby Burp Scanner was failing to find CSRF vulnerabilities on sites that return a 302 response when CSRF is exploited.
Professional 2022.8.1 Release 2022-Aug-10
This release provides new scan checks based on James Kettle’s Browser-Powered Desync Attacks, first presented at Black Hat USA 2022. It also introduces new capabilities in Burp Repeater that enable you to test for these vulnerabilities manually.
New scan checks for client-side desync and CL.0 request smuggling
Burp Scanner now reports client-side desync vulnerabilities. We’ve also upgraded our existing HTTP request smuggling checks to detect CL.0 vulnerabilities.
For more details on both of these issues, check out James’s whitepaper and the new Web Security Academy content.
Send a sequence of requests in Burp Repeater
You can now send the requests from a group of Repeater tabs as an automated sequence. When viewing a tab that belongs to a group, there is now a drop-down menu next to the Send button that lets you choose how your request sequence is sent. You can either send all of the requests over a single connection or use a separate connection for each request.
Sending requests over a single connection enables you to test for client-side desync vulnerabilities. For more information about how to do this, as well as some deliberately vulnerable labs for you to practice on, check out the new content on the Web Security Academy.
Sending over a single connection is also useful for timing-based attacks that rely on being able to compare responses with very small differences in timings as it reduces the “jitter” that can occur when establishing TCP connections.
Sending requests over separate connections is primarily useful when testing for vulnerabilities that require a multi-step process.
Adjusted issue severity – External service interaction (DNS)
Burp Scanner uses OAST techniques to identify critical vulnerabilities via DNS pingbacks to Burp Collaborator. Both the DNS interaction itself and the identified vulnerability are reported as separate issues. In some cases, such as when testing for SSRF, we may induce the application to perform a DNS lookup without this leading to the discovery of any further vulnerability. To better reflect this latter scenario, we have adjusted the severity of the External service interaction (DNS) issue.
We previously classed this as a high-severity issue on the assumption that a corresponding HTTP request was probably sent by the server, but subsequently blocked by a firewall’s egress filters. Although we can’t detect this externally, it could still provide a vector for pivoting attacks against the internal network.
However, we’ve increasingly encountered cases where systems perform a DNS lookup with no intention of ever connecting to the remote host, meaning that no HTTP request ever existed. For example, this could be triggered simply by adding a URL as the key of a Java Map.
This behavior can still indicate a serious vulnerability, and is worthy of further investigation, but we have reduced the reported severity to reflect the typical impact.
Handling changes for Unknown Host errors
Previously, Burp Scanner automatically terminated audits if it encountered Unknown Host errors, even if the scan scope also included separate, valid domains. Unknown host errors are now treated in the same way as other scanner errors, and the audit does not automatically terminate if one is encountered.
Browser upgrade
We have upgraded Burp’s browser to Chromium 104.0.5112.79.
Bug fixes
This release also provides some minor bug fixes, including:
- You can now use shift-click to select any tabs on the Create new group dialog. Previously, this functionality did not work with preselected tabs.
- We have fixed an issue whereby tab groupings were being lost if you selected Save in-scope items only on projects with groups where some of the group’s tabs were in-scope and some were not.
- We have fixed a bug whereby, under certain circumstances, Burp Scanner was not detecting a multiple content type issue for responses with multiple Content-Type headers.
- We have fixed a bug whereby scans were hanging during the crawl phase if they could not find any reachable destinations to scan.
Professional 2022.7.1 Release 2022-Jul-22
This release introduces tab-specific options in Repeater and client-side prototype pollution reporting in Burp Scanner. It also provides a change to the way Burp’s browser handles the User-Agent header and a minor bug fix.
Tab-specific options in Repeater
You can now set tab-specific Repeater options, giving you finer control over how Repeater behaves when sending requests and receiving responses. To configure tab-specific options, click the new settings icon next to the Send button.
If you select specific options for a tab then Repeater ignores the global settings for that tab altogether. You can return a tab to global settings by clicking the new Restore global defaults button. This button is highlighted when a tab has specific settings configured.
Client-side prototype pollution reporting in Burp Scanner
Burp Scanner can now detect client-side prototype pollution. For more information on this vulnerability, see the new “Client side prototype pollution” issue definition that has been added to the Target > Issue definitions page.
Changes to User-Agent header handling
We have amended Burp’s browser so that it respects the configured User-Agent header when scanning rather than generating a random User-Agent string. The original approach was used as a means of tracking requests, but is no longer needed.
Browser upgrade
We have upgraded Burp’s browser to Chromium 103.0.5060.134.
Bug fixes
- We have fixed a bug whereby dynamic analysis was frequently timing out due to the system not factoring in the time that the page took to load. The dynamic analysis timer now starts once the page is loaded and the analysis itself starts.
- We have fixed a bug that prevented some event log messages from being displayed correctly.
Professional 2022.6.1 Release 2022-June-23
This release introduces several improvements to the Intruder and Repeater tab bars, including the ability to choose between a scrolling and a wrapped tab view, and the ability to organize Repeater tabs into groups. It also introduces HTTP/1 keep-alive, so that Burp Suite can reuse a single TCP connection to send multiple HTTP/1 requests, and adds a selection of preset scan modes to the Scan Configuration menu. Finally, it includes several key improvements to DOM Invader, including the ability to test for client-side prototype pollution.
Grouped tabs
You can now organize Repeater tabs into color-coded groups. Grouping tabs makes it simpler to work with large numbers of open tabs and to keep track of related requests.
A new search function in the tab bar lets you search for individual tabs or groups.
Scrollable tab view
Intruder and Repeater tabs now have two views. As well as the standard wrapped view, you can display tabs as a single, scrollable row. This frees up on-screen real estate, especially on smaller displays.
DOM Invader improvements
This release includes the following key improvements to DOM Invader:
- You can now use DOM Invader to test for client-side prototype pollution.
- The augmented DOM view now displays additional information to help you analyze vulnerabilities and craft exploits, such as the frame path, the outer HTML of the element, and the event that fired when your payload reached the sink. Similarly, the Messages view now shows both the frame that each message was sent from and the frame it was sent to.
- You can set a callback function for each sink, source, and message that DOM Invader finds, letting you log the results using custom JavaScript code.
- You can stop DOM Invader from consolidating messages with duplicate values, which is useful when you need to see every single message being sent.
- You can disable specific sources and sinks to reduce noise.
HTTP/1 keep-alive
You can now send multiple HTTP/1 requests over the same TCP connection. Previously, Burp always closed the connection after each request / response pair, even if the server supported connection reuse.
Reusing connections improves request speed and, because no new TCP handshake is needed for each request, timing accuracy.
To enable HTTP/1 keep-alive, go to Project options > HTTP > HTTP/1 and select the Use keep-alive for HTTP/1 if the server supports it option. You can override this setting in Repeater using the Enable HTTP/1 keep-alive reuse menu option.
Preset scan modes
You can now choose from four preset scan modes when configuring a scan. These presets provide a quick way to adjust how the scan balances speed and coverage, without the need to set up a custom scan configuration.
To apply one, select Use a preset scan mode from the Scan Configuration menu and choose one of the available options.
Other improvements
Numerous improvements to Burp Scanner enhance stability, performance, and progress estimation.
Security fixes
The security improvements in this release are:
- Burp’s browser has been upgraded to Chromium 103.0.5060.53, which patches a critical security issue. Several minor bugs related to Repeater tabs have also been fixed.
- We have resolved a low-severity security issue that could cause Repeater and Intruder to disclose URLs by incorrectly interpreting a crafted response as a redirect. This issue was privately reported to us via our bug bounty program.
- We have hardened Burp’s Referer calculation by bringing it in line with the default Referrer-Policy used by modern browsers.
Bug fixes
This release also includes a number of bug fixes. Most importantly:
- Burp’s browser no longer makes unnecessary requests to Google on launch.
- We have fixed an issue in which Repeater responses could be overwritten by long-running requests.
- We have fixed an issue with logging in headless mode, in which the log file was created but no data was written to it.
Professional 2022.5.2 (Stable) Release 2022-June-23
This release upgrades Burp’s browser to Chromium 103.0.5060.53, which patches a critical security issue.
Professional 2022.6 Release 2022-June-22
This release introduces several improvements to the Intruder and Repeater tab bars, including the ability to choose between a scrolling and a wrapped tab view, and the ability to organize Repeater tabs into groups. It also introduces HTTP/1 keep-alive, so that Burp Suite can reuse a single TCP connection to send multiple HTTP/1 requests, and adds a selection of preset scan modes to the Scan Configuration menu. Finally, it includes several key improvements to DOM Invader, including the ability to test for client-side prototype pollution.
Grouped tabs
You can now organize Repeater tabs into color-coded groups. Grouping tabs makes it simpler to work with large numbers of open tabs and to keep track of related requests.
A new search function in the tab bar lets you search for individual tabs or groups.
Scrollable tab view
Intruder and Repeater tabs now have two views. As well as the standard wrapped view, you can display tabs as a single, scrollable row. This frees up on-screen real estate, especially on smaller displays.
DOM Invader improvements
This release includes the following key improvements to DOM Invader:
- You can now use DOM Invader to test for client-side prototype pollution.
- The augmented DOM view now displays additional information to help you analyze vulnerabilities and craft exploits, such as the frame path, the outer HTML of the element, and the event that fired when your payload reached the sink. Similarly, the Messages view now shows both the frame that each message was sent from and the frame it was sent to.
- You can set a callback function for each sink, source, and message that DOM Invader finds, letting you log the results using custom JavaScript code.
- You can stop DOM Invader from consolidating messages with duplicate values, which is useful when you need to see every single message being sent.
- You can disable specific sources and sinks to reduce noise.
HTTP/1 keep-alive
You can now send multiple HTTP/1 requests over the same TCP connection. Previously, Burp always closed the connection after each request / response pair, even if the server supported connection reuse.
Reusing connections improves request speed and, because no new TCP handshake is needed for each request, timing accuracy.
To enable HTTP/1 keep-alive, go to Project options > HTTP > HTTP/1 and select the Use keep-alive for HTTP/1 if the server supports it option. You can override this setting in Repeater using the Enable HTTP/1 keep-alive reuse menu option.
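Both HTTP/1 keep-alive (this release) and the Repeater request-sequence feature described in the 2022.8.1 notes above come down to the same mechanism: several HTTP/1.1 requests written to one TCP connection, with the responses read back in order. The Java program below does this by hand as an added example written for this page, not code from Burp or PortSwigger. It opens a single socket, writes each request in turn, reads each response by its Content-Length, and runs against a constructed local server (the JDK’s built-in com.sun.net.httpserver) so it works offline. The paths and response text are made up. It demonstrates only the connection reuse and the per-request timing it makes possible; it does not implement any desync probe.

```java
import com.sun.net.httpserver.HttpServer;

import java.io.BufferedInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Added example: send a sequence of HTTP/1.1 requests over ONE TCP connection and read the responses in order. */
public final class SingleConnectionSequence {

    /** Returns the raw responses; requests[i] produced responses.get(i). Per-request timings go to stdout. */
    public static List<String> sendSequence(String host, int port, List<String> requests) throws IOException {
        List<String> responses = new ArrayList<>();
        try (Socket socket = new Socket(host, port)) {
            socket.setTcpNoDelay(true);                       // do not let Nagle batch the requests together
            OutputStream out = socket.getOutputStream();
            InputStream in = new BufferedInputStream(socket.getInputStream());
            for (String request : requests) {
                long started = System.nanoTime();
                out.write(request.getBytes(StandardCharsets.ISO_8859_1));
                out.flush();
                responses.add(readOneResponse(in));
                // Timing on a reused connection excludes TCP (and TLS) handshake jitter entirely.
                System.out.printf("%-6s %d us%n", request.substring(0, request.indexOf(' ')),
                        (System.nanoTime() - started) / 1_000);
            }
        }
        return responses;
    }

    /** Reads exactly one response: header block up to CRLFCRLF, then Content-Length body bytes (no chunked support). */
    static String readOneResponse(InputStream in) throws IOException {
        ByteArrayOutputStream head = new ByteArrayOutputStream();
        int b, matched = 0;
        while (matched < 4 && (b = in.read()) != -1) {
            head.write(b);
            matched = (b == "\r\n\r\n".charAt(matched)) ? matched + 1 : (b == '\r' ? 1 : 0);
        }
        String headers = head.toString(StandardCharsets.ISO_8859_1.name());
        int contentLength = 0;
        for (String line : headers.split("\r\n")) {
            if (line.regionMatches(true, 0, "Content-Length:", 0, 15)) {
                contentLength = Integer.parseInt(line.substring(15).trim());
            }
        }
        byte[] body = in.readNBytes(contentLength);            // Java 11+, matching Burp's own minimum
        return headers + new String(body, StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) throws IOException {
        // Constructed local server: echoes the request path and honours keep-alive unless told to close.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            byte[] body = ("you asked for " + exchange.getRequestURI().getPath()).getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);   // sets Content-Length, so the client can split responses
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        try {
            int port = server.getAddress().getPort();
            List<String> requests = List.of(
                    "GET /first HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
                    "GET /second HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
                    "GET /third HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n");
            for (String response : sendSequence("127.0.0.1", port, requests)) {
                System.out.println(response.substring(response.lastIndexOf("\r\n\r\n") + 4));
            }
        } finally {
            server.stop(0);
        }
    }
}
```

The reader relies on Content-Length and would mis-split a chunked or HEAD response; that limitation is exactly why a front-end and back-end disagreeing about where a message ends is dangerous, and it is the boundary that the client-side desync and CL.0 checks in 2022.8.1 probe.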
Preset scan modes
You can now choose from four preset scan modes when configuring a scan. These presets provide a quick way to adjust how the scan balances speed and coverage, without the need to set up a custom scan configuration.
To apply one, select Use a preset scan mode from the Scan Configuration menu and choose one of the available options.
Professional 2022.5.1 Release 2022-June-16
This release includes a number of enhancements to Burp Scanner, such as several new JWT-based scan checks and an option to skip unauthenticated crawling when you have provided application logins. The BApp Store also now provides in-app feedback on how much load BApps are placing on your system.
JWT scan checks
Burp Scanner can now detect 8 common JWT-based vulnerabilities, saving you time and making it easier to secure sites that use JWTs.
For more details, see the individual issue definitions on the Target > Issue definitions tab in Burp.
Feedback on BApp performance impact
On the Extender > BApp Store tab, we now display an estimate of how much load each BApp places on your system.
The estimated system impact is broken down into the following categories:
- Memory shows what impact the BApp is likely to have on Burp Suite’s memory usage.
- CPU shows an estimate of how much additional load the BApp places on your CPU.
- Time shows the BApp’s impact on the speed of Burp Suite. This includes the responsiveness of the interface and how long tools take to complete tasks.
- Scanner shows the likely impact on how long scans take to complete.
- Overall shows the highest impact rating across all of these categories.
If Burp is performing more slowly than it should, we recommend checking these estimates for any BApps you have loaded and removing those you are not actively using. This lets you extend Burp’s capabilities without impairing performance.
Performance may also be affected by running multiple extensions at the same time. The bar at the top of the screen displays the cumulative impact of all of the BApps that are currently loaded.
Skip unauthenticated crawling during scans
You can now skip unauthenticated crawling in cases where you have provided application logins for Burp Scanner to use. This helps to reduce the crawl time.
To enable this option, go to the Crawl Optimization settings in the scan configuration and select Crawl using my provided logins only. Note that if you do not provide any application logins, the crawler automatically reverts to performing an unauthenticated crawl instead.
Improved Repeater tab behavior
We have made several minor tweaks to the appearance and behavior of tabs in Burp Repeater. These will pave the way for some additional features in the future.
- When Repeater tabs overflow onto a new row, they now stay the same size rather than stretching to fill the entire row. This makes it easier to keep track of where tabs are.
- From the context menu, you now have options for renaming tabs and deleting all tabs to the left or right of the current tab.
- There is a new actions menu (3 dots) in the upper-right corner of the screen. At the moment, this provides a limited range of options, but we’ll continue to add to this in the future.
Set headers in session handling options
You can now use Burp Suite’s session handling options to add headers and values to requests. When you create a session handling rule using the new Set a specific header value action, the header and value pair you provide is added to every request within the rule’s scope.
Verify upstream TLS
Burp Suite has always used fully verified TLS to connect to known services, such as portswigger.net and the public Burp Collaborator server. However, when communicating with arbitrary websites, it does not verify upstream TLS certificates and supports weak ciphers by default. This optimizes compatibility at the expense of protection against active man-in-the-middle (MITM) attacks.
If you are concerned about an active MITM attack on your communication with the site being tested, you can now configure Burp to verify upstream TLS certificates. To do this, go to Project settings > TLS and select the Verify upstream TLS checkbox.
In this scenario, we recommend also selecting the Use default protocols and ciphers of your Java installation option to prevent Burp from using weak ciphers.
Please note that additional hardening is planned for this feature in the future.
Browser upgrade
We have upgraded Burp’s browser to Chromium 102.0.5005.61.
Changes to Java requirements
Burp Suite now requires Java 11 or later to run. This change will have no impact unless you installed Burp Suite as a .jar file, as the installer includes a bundled private Java Runtime Environment so that you don’t need to worry about installing or updating Java. Note that any extensions written for a version of Java earlier than 11 may not run correctly from this release onward.
Other improvements
- We have added a range of common Google Analytics cookies to the list of ignored insertion points for scans.
- We have improved the performance of Burp Scanner by tweaking the way we identify locations to audit after the crawl is completed.
- In your scan configuration, you can now define separate timeout settings for the crawl and audit phases of a scan, overriding the global project setting.
Bug fixes
We have resolved certain performance issues that some users faced when using Intruder with large resource pools.
Professional 2022.3.9 (Stable) Release 2022-May-27
This release upgrades Burp’s browser to Chromium 102.0.5005.61, which resolves a number of security issues.
Professional 2022.5 Release 2022-May-26
This release includes a number of enhancements to Burp Scanner, such as several new JWT-based scan checks and an option to skip unauthenticated crawling when you have provided application logins. The BApp Store also now provides in-app feedback on how much load BApps are placing on your system.
JWT scan checks
Burp Scanner can now detect 8 common JWT-based vulnerabilities, saving you time and making it easier to secure sites that use JWTs.
For more details, see the individual issue definitions on the Target > Issue definitions tab in Burp.
Feedback on BApp performance impact
On the Extender > BApp Store tab, we now display an estimate of how much load each BApp places on your system.
The estimated system impact is broken down into the following categories:
- Memory shows what impact the BApp is likely to have on Burp Suite’s memory usage.
- CPU shows an estimate of how much additional load the BApp places on your CPU.
- Time shows the BApp’s impact on the speed of Burp Suite. This includes the responsiveness of the interface and how long tools take to complete tasks.
- Scanner shows the likely impact on how long scans take to complete.
- Overall shows the highest impact rating across all of these categories.
If Burp is performing more slowly than it should, we recommend checking these estimates for any BApps you have loaded and removing those you are not actively using. This lets you extend Burp’s capabilities without impairing performance.
Performance may also be affected by running multiple extensions at the same time. The bar at the top of the screen displays the cumulative impact of all of the BApps that are currently loaded.
Skip unauthenticated crawling during scans
You can now skip unauthenticated crawling in cases where you have provided application logins for Burp Scanner to use. This helps to reduce the crawl time.
To enable this option, go to the Crawl Optimization settings in the scan configuration and select Crawl using my provided logins only. Note that if you do not provide any application logins, the crawler automatically reverts to performing an unauthenticated crawl instead.
Improved Repeater tab behavior
We have made several minor tweaks to the appearance and behavior of tabs in Burp Repeater. These will pave the way for some additional features in the future.
- When Repeater tabs overflow onto a new row, they now stay the same size rather than stretching to fill the entire row. This makes it easier to keep track of where tabs are.
- From the context menu, you now have options for renaming tabs and deleting all tabs to the left or right of the current tab.
- There is a new actions menu (3 dots) in the upper-right corner of the screen. At the moment, this provides a limited range of options, but we’ll continue to add to this in the future.
Set headers in session handling options
You can now use Burp Suite’s session handling options to add headers and values to requests. When you create a session handling rule using the new Set a specific header value action, the header and value pair you provide is added to every request within the rule’s scope.
Browser upgrade
We have upgraded Burp’s browser to Chromium 102.0.5005.61.
Changes to Java requirements
Burp Suite now requires Java 11 or later to run. This change will have no impact unless you installed Burp Suite as a .jar file, as the installer includes a bundled private Java Runtime Environment so that you don’t need to worry about installing or updating Java. Note that any extensions written for a version of Java earlier than 11 may not run correctly from this release onward.
Other improvements
- Added a range of common Google Analytics cookies to the list of ignored insertion points for scans.
- Improved Burp Scanner performance by tweaking the way locations to audit are identified after the crawl completes.
- You can now define separate timeout settings for the crawl and audit phases of a scan in your scan configuration, overriding the global project setting.
Bug fixes
Resolved certain performance issues that some users faced when using Intruder with large resource pools.
Professional 2022.3.8 Release 2022-May-20
Kubernetes memory fix
Fixed an issue in Burp Scanner that caused Kubernetes deployments of Burp Suite Enterprise Edition to crash because of insufficient shared memory.
Copying temporary projects fix
Fixed an issue in which users were unable to save more than one copy of a temporary project. You can now save multiple copies of a temporary project.
Browser upgrade
Burp’s browser upgraded to Chromium 101.0.4951.64.
Professional 2022.3.7 Release 2022-May-20
This release includes a browser upgrade and a couple of bug fixes.
Browser upgrade
Burp’s browser upgraded to Chromium 101.0.4951.54
Bug fixes
- Fixed a bug that caused project files to be corrupted after saving an Intruder attack.
- Fixed a bug with the optional Headers tab in the message editor: the data shown in the tab failed to update when you switched between requests.
- Fixed a bug that could cause issues with extension-generated tabs in the message editor.
Professional 2022.3.6 Release 2022-Apr-29
Customizable message editor tabs
In addition to the existing Pretty, Raw, Hex, and Render tabs, you can now add the following tabs to the message editor:
- Headers
- Query params
- Body params
- Cookies
- Attributes
While some of these tabs were available in older versions of Burp Suite, they have been reintroduced and enhanced with the same powerful features for working with HTTP messages as the Inspector. This is a useful alternative for users who do not have room on their screen for the side panel but want to take advantage of the Inspector's functionality.
To control which tabs are displayed, and in which order, click the settings icon in the upper-right corner of the message editor (above the Inspector panel), then select Message editor.
New domain name for the public Burp Collaborator server
This release introduces a new domain name for the public Burp Collaborator server. Burp Scanner and the Burp Collaborator client now use oastify.com for their Collaborator payloads instead of burpcollaborator.net (unless Burp has been configured to use a private Collaborator server). This helps reduce false negatives: you can now identify out-of-band vulnerabilities that were previously hidden by widespread blocking of the old domain name.
The new domain name is in addition to the old one. You can still view interactions with any of your existing burpcollaborator.net payloads.
Note that if you run Burp within a closed network and previously had to allow outbound connections to burpcollaborator.net on port 443 in order to poll for interactions, you must do the same for oastify.com.
Detect DOM-based vulnerabilities that rely on API calls
Burp Scanner's dynamic JavaScript analysis can now fetch data from out-of-scope API endpoints when this is required to load the page correctly. This allows it to detect DOM-based vulnerabilities where malicious input is only passed to a sink after an API call is made.
Importantly, although Burp Scanner fetches external resources and data when required, it will not perform any additional crawl or audit of out-of-scope URLs.
Rows of tabs no longer switch places when selected
Previously, when Burp Repeater tabs overflowed onto multiple rows, selecting a tab caused the rows to switch places, making it hard to keep track of the order of your tabs. This behavior has been disabled, so tabs no longer move when selected.
Browser upgrade
Burp’s browser upgraded to Chromium 101.0.4951.41.
Bug fixes
- Fixed an issue in Burp Scanner with redirects triggered by onload event handlers in the HTML <body> tag.
- Fixed a bug that prevented users from reading or editing long lines of JSON in several of the message editor panels.
- Fixed a syntax error on the splash screen shown when launching Burp.
- Manually following redirections no longer gets stuck in an infinite redirect loop.
- The cursor in the message editor no longer jumps to the beginning of the request after you send it.
- Resolved an issue where the Proxy's HTTP history tab was not displaying responses on macOS.
- Fixed performance issues when testing recorded login sequences.
Professional 2022.3.5 Release 2022-Apr-19
This release upgrades Burp's browser to Chromium 100.0.4896.127 and includes several minor bug fixes, most notably for an issue that prevented some extensions from loading correctly and another that caused errors when starting Burp in headless mode.
Professional 2022.3.4 Release 2022-Apr-11
This release adds Java 17 support for some extensions that previously failed to load.
Professional 2022.3.3 Release 2022-Apr-8
This release upgrades Burp's browser to Chromium 100.0.4896.75 and the installer's bundled Java version to 17.0.2.
Professional 2022.3.2 Release 2022-Apr-4
This release includes a number of bug fixes and an upgrade for Burp’s browser.
Browser upgrade
Upgraded Burp’s browser to Chromium 100.0.4896.60
Bug fixes
- Manually following redirections no longer gets stuck in an infinite redirect loop.
- Resolved an issue where the Proxy's HTTP history tab was not displaying responses on macOS.
- Fixed a bug causing performance issues when testing recorded login sequences.
Professional 2022.3.1 Release 2022-Mar-29
This release offers the following bug fixes for Burp Repeater:
- Manually following redirections no longer gets stuck in an infinite redirect loop.
- The cursor in the message editor no longer jumps to the beginning of the request after sending.
Browser upgrade
Burp’s browser upgraded to Chromium 99.0.4844.84
Professional 2022.3 Release 2022-Mar-21
This release lets you add tabs to the message editor that provide the same features as the Inspector panel. It also adds a new domain name for the public Burp Collaborator server, includes some enhancements to Burp Scanner, and stops rows of Repeater tabs from switching places when selected.
Customizable message editor tabs
In addition to the existing Pretty, Raw, Hex, and Render tabs, you can now add these tabs to the message editor:
- Headers
- Query params
- Body params
- Cookies
- Attributes
While some of the tabs were available in older versions of Burp Suite, they are now reintroduced and enhanced with the same powerful features for working with HTTP messages as the Inspector. This is a great alternative for users that do not have room on their screen for the side panel but want to take advantage of the Inspector’s functionality.
In order to control which tabs are displayed, and in which order, users can click the settings icon in the upper-right corner of the message editor (above the Inspector panel), then select Message editor.
New domain name for the public Burp Collaborator server
This release introduces a new domain name for the public Burp Collaborator server. Burp Scanner and the Burp Collaborator client now use oastify.com for their Collaborator payloads instead of burpcollaborator.net (unless Burp has been configured to use a private Collaborator server). This helps reduce false negatives: you can now identify out-of-band vulnerabilities that were previously hidden by widespread blocking of the old domain name.
The new domain name is in addition to the old one. You can still view interactions with any of your existing burpcollaborator.net payloads.
Note that if you run Burp within a closed network and previously had to allow outbound connections to burpcollaborator.net on port 443 in order to poll for interactions, you must do the same for oastify.com.
Detect DOM-based vulnerabilities that rely on API calls
In this version, Burp Scanner’s dynamic JavaScript analysis can fetch data from out-of-scope API endpoints if required to load the page correctly. This allows it to detect DOM-based vulnerabilities where malicious input is only passed to a sink if an API call is made.
Note that although Burp Scanner fetches external resources and data when needed, it will not perform any additional crawl or audit of out-of-scope URLs.
Rows of tabs no longer switch places when selected
Previously, when Burp Repeater tabs overflowed onto multiple rows, selecting a tab caused the rows to switch places, making it hard to keep track of the order of your tabs. This behavior has been disabled, so tabs no longer move when selected.
Security fix
We have upgraded Burp’s browser to Chromium 99.0.4844.74, which fixes one critical bug and a number of high / medium severity bugs.
Bug fixes
This release provides a number of bug fixes, most notably:
- Fixed an issue in Burp Scanner with redirects triggered by onload event handlers in the HTML <body> tag.
- Fixed a bug that prevented users from reading or editing long lines of JSON in some of the message editor panels.
- Fixed a syntax error on the splash screen shown when launching Burp.
Professional 2022.2.4 Release 2022-Mar-17
Security fix
Burp's browser has been upgraded to Chromium 99.0.4844.74, which fixes one critical bug and a number of high and medium severity bugs.
Professional 2022.2.3 Release 2022-Mar-11
This release introduces ultra-fast crawling of static content, improved scanning of single-page applications, and several minor bug fixes.
Ultra-fast crawling of static content
Burp Scanner's Fastest crawl strategy is now optimized for crawling static sites as quickly as possible. It does this by disabling features that are irrelevant for static content, such as automated session handling and state recovery.
As an indication of the impact, these changes reduced the time taken to crawl PortSwigger's static documentation site from around 45 minutes to under 10 minutes.
Long-time Burp users may recognize this strategy as effectively an improved version of the Spider tool from Burp Suite 1.7, emulated by the new crawling engine.
Improved scanning of single-page applications
This release greatly improves Burp Scanner's handling of single-page applications (SPAs) built on frameworks such as React.
- The crawler now detects when a website uses URL fragments for client-side routing and adapts accordingly, so content that is reached without sending additional requests to the server can be scanned successfully.
- The crawler can now detect API calls triggered when the browser renders components on the page and send them for audit when necessary.
Security fix
A few months ago, PortSwigger fixed an HTML injection vulnerability that could cause Burp Suite to send requests that did not respect its upstream proxy configuration. The issue was caused by Swing GUI components that were insecurely configured to render HTML, and could result in leaking NetNTLM hashes on Windows systems that do not block outbound SMB.
This release adds a further mitigation that prevents BApps from reintroducing this vulnerability even if they contain Swing components with HTML rendering enabled.
This issue was reported through the bug bounty program.
Browser upgrade
Burp’s browser is upgraded to Chromium 99.0.4844.51.
Bug fixes
This release fixes several minor bugs, including:
- Resolved an issue that caused some Windows users to see a “No JVM found on your system” error when restarting Burp after an update.
- Resolved an issue that meant recorded login sequences were sometimes cut short during testing.
Professional 2022.2.2 Release 2022-Mar-3
This release provides several minor bug fixes, most notably for an issue that meant recorded login sequences were sometimes cut short when testing them.
Professional 2022.2 Release 2022-Feb-16
This release introduces ultra-fast crawling of static content, improved scanning of single-page applications, and several minor bug fixes.
Ultra-fast crawling of static content
Burp Scanner's Fastest crawl strategy is now optimized for crawling static sites as quickly as possible. It does this by disabling features that are irrelevant for static content, such as automated session handling and state recovery.
As an indication of the impact, these changes reduced the time taken to crawl PortSwigger's static documentation site from around 45 minutes to under 10 minutes.
Long-time Burp users may recognize this strategy as effectively an improved version of the Spider tool from Burp Suite 1.7, emulated by the new crawling engine.
Improved scanning of single-page applications
This release greatly improves Burp Scanner's handling of single-page applications (SPAs) built on frameworks such as React.
- The crawler now detects when a website uses URL fragments for client-side routing and adapts accordingly, so content that is reached without sending additional requests to the server can be scanned successfully.
- The crawler can now detect API calls triggered when the browser renders components on the page and send them for audit when necessary.
Browser upgrade
Burp’s browser has been upgraded to Chromium 98.0.4758.102.
Bug fixes
This release fixes several minor bugs, most notably an issue that caused some Windows users to see a “No JVM found on your system” error when restarting Burp after an update.
Professional 2022.1.1 Release 2022-Feb-9
This release includes new options for customizing the appearance and behavior of the Inspector panel, including the option to keep it collapsed by default.
The new settings icon in the upper-right corner of the panel lets you:
- Hide widgets that you are not interested in.
- Adjust the order in which the widgets are shown.
- Select whether specific widgets are automatically expanded when they contain data.
- Enable line wrapping for specific widgets by default.
- Choose whether the Inspector panel is docked to the left or right of the message editor by default.
- Choose to always keep the Inspector collapsed by default.
Browser upgrade
Burp’s browser upgraded to Chromium 98.0.4758.80.
Professional 2021.12.1 Release 2022 Jan-11
This release lets you configure Intruder attacks against multiple hosts, adds several new options for customizing the Inspector (docking the panel to the left or right of the screen, and toggling line wrapping within each widget), and introduces a dedicated installer for Mac machines with the M1 chip.
Multi-host Intruder attacks
You can now add payload positions to the target host field in Burp Intruder, so a single attack can target multiple hosts. This is useful when you want to test for the same issue across many web applications simultaneously.
As a result of this change, the settings previously found on Intruder's Target tab have been moved into its Positions tab.
New Inspector panel options
A new toolbar at the top of the Inspector panel contains buttons that let you:
- Toggle whether the Inspector is docked to the left or right of the screen
- Collapse all widgets
- Expand all widgets that contain data
You are also able to toggle line wrapping by clicking the icon in the upper-right corner of each table.
Support for Mac M1(Arm64) chips
This release adds a dedicated installer for Apple Mac models equipped with M1 (Arm64) processors.
Refer to the documentation for details on how to identify the installer you need.
Proxy Intercept is now off by default (new installations only)
For new installations of Burp Suite, Burp Proxy's Intercept feature is now off by default. This avoids the common problem of users forgetting to disable it before trying to browse.
Embedded browser upgrade
Burp’s browser upgraded to Chromium 96.0.4664.45.
Bug fixes
This release includes several minor bug fixes, most notably for a bug that prevented Burp from completing the TLS handshake with servers whose certificate chain was longer than 10 certificates but shorter than 30.
Professional 2021.10.3 Release 2021-Dec-2
This release provides a security patch and several minor bug fixes.
Security patch
This release fixes a medium-severity security issue in the way Burp Suite processed HTTP/2 responses, which could lead to XSS in certain circumstances. The issue was reported by Ademar Nowasky Junior (@nowaskyjr) through the PortSwigger bug bounty program.
Browser upgrade
Burp's browser has been upgraded to Chromium 96.0.4664.45.
Bug fixes
To prevent accidental loss of Burp project files, this release includes the following changes:
- New project files created without an explicitly specified directory are now placed in the user's home directory by default.
- On macOS, if project (.burp) files are detected within the Burp Suite installation directory or any of its subdirectories, updates will not run. You are notified that you need to move your project files before you can update Burp Suite.
Professional 2021.10.2 Release 2021-Nov-19
This release offers a few updates to DOM Invader, line wrapping in Burp’s message editor and several bug fixes.
DOM Invader improvements
This release includes several minor improvements to DOM Invader:
- The DOM Invader icon now shows the number of items that DOM Invader has flagged.
- The icon badge turns red if DOM Invader identifies interesting items, such as an eval sink.
- The number of items is also displayed in the DevTools panel.
- The Augmented DOM and Postmessage tabs in DevTools have been replaced by a single DOM Invader tab containing both the Messages and DOM views.
- Improved performance: DOM Invader now only injects messages that have not previously been injected.
- A refreshed UI.
Line wrapping in message editor
Burp's message editor now supports line wrapping, which makes it easier to work with messages that contain long strings such as authorization tokens.
Line wrapping is enabled by default in the Pretty and Raw views, and you can toggle it on and off using the button above each message.
Security fix
Burp's browser has been updated to Chromium 95.0.4638.69, which fixes several high-severity bugs.
Other improvements
The Inspector now supports Base64url encoding.
Bug fixes
This release fixes an occasional visual issue that occurred when line wrapping was enabled in message editors with large font sizes.
Professional 2021.9.1 Release 2021-Oct-26
This release enables manual testing of hidden HTTP/2 attack surface and adds a number of improvements to Burp Intruder and Burp Scanner.
Manually test hidden HTTP/2 attack surface in Burp Repeater
You can now send HTTP/2 requests from Burp Repeater even if the server doesn’t explicitly advertise HTTP/2 support via ALPN. This allows you to manually explore additional “hidden” HTTP/2 attack surface.
To enable this behavior, first select the Allow HTTP/2 ALPN override option from the Repeater menu, then switch the protocol to HTTP/2 from the Inspector panel.
Burp Intruder improvements
We have made the following improvements to Burp Intruder:
- When configuring a list of payloads to send during your attack, you can now click the Deduplicate button to remove any duplicate entries. This helps to increase the efficiency of your attacks as you can avoid sending redundant, duplicate requests when combining multiple wordlists for example.
- When using the Grep – Match or Grep – Payloads options, the results table now contains a column displaying the number of matches found in the response rather than just a checkbox.
- In the resource pool configuration, there is now an option for setting the delay between requests to an incremental value. This enables you to study how the target application’s behavior changes as requests become more spread out. You can use this to determine how long a session is kept alive between requests for example.
- You can now select multiple rows and perform bulk operations on some of the tables in the Intruder configuration settings.
Improved scan check for server-side template injection
We have added payloads to the server-side template injection (SSTI) scan check to detect vulnerabilities in the following Java-based template engines:
- SpEl
- JSF
- Freemarker
- Thymeleaf
- Velocity
- JSTL
We have also integrated additional out-of-band detection methods using Burp Collaborator.
Audit asynchronous traffic in Burp Scanner
API calls that are triggered by the crawler interacting with elements on the page will now be sent for audit.
We have also improved the way the crawler interacts with forms on a page to better support modern single-page applications.
Improved handling of XML and JSON insertion points in Burp Scanner
We have made the following changes to improve the handling of XML and JSON insertion points during scans:
- Payloads injected into unquoted JSON contexts are now automatically wrapped with quotation marks to ensure that Burp Scanner always generates valid JSON documents.
- Insertion points in standard XML attributes such as xml:lang and xmlns:* are now ignored by default. If you prefer, you can override this setting in your scan configuration under Audit options > Ignored insertion points.
- When appending payloads to insertion points within XML CDATA sections, Burp Scanner now removes the CDATA block and correctly entity-encodes the payloads.
Recorded login improvements
Burp Scanner can now handle iframes, multi-selects, scrolling elements, and SVG elements in recorded login sequences. We have also improved reliability of recorded logins by changing the way we locate and interact with elements on the page. For more details, please see our blog post on authenticated scanning improvements.
Other improvements
- On the Logger tab, we have added an option to the context menu for exporting the log as a CSV file.
- On the Dashboard tab, you can now rename tasks to help you identify them more easily. You can now also search for tasks by their name or other details.
- You can now set a default preference for whether tasks are resumed or paused when you launch Burp. To change the default setting, go to User options > Misc > Tasks.
Security fix
We have updated Burp’s embedded browser to Chromium version 95.0.4638.54, which fixes a number of high-severity bugs.
Bug Fixes
This release also provides a number of bug fixes, most notably for a bug when highlighting or selecting text in Burp Repeater.
Professional 2021.8.2 Release 2021-Aug-24
This release upgrades the embedded browser and fixes an issue that was reported to our bug bounty program.
Embedded browser upgrade
Burp’s embedded Chromium browser has been updated to version 92.0.4515.159.
Security fix
We have fixed a vulnerability that could result in Burp Suite issuing requests that do not respect its upstream proxy configuration and could leak NetNTLM hashes on Windows systems that fail to block outbound SMB.
This issue was reported to our bug bounty program.
Professional 2021.8.1 Release 2021-Aug-12
This release provides several bug fixes, most notably a fix for a memory leak issue that affects some extensions.
Professional 2021.8 Release 2021-Aug-5
This release provides a range of powerful new enhancements to Burp’s HTTP/2 support. This enables you to identify and exploit a number of HTTP/2-exclusive vulnerabilities, including those presented by James Kettle at Black Hat USA 2021. It also implements a security fix for the embedded browser and some minor bug fixes for recorded login sequences.
Control the protocol for individual requests
In Burp Repeater and Proxy Intercept, you can now choose whether to send each request using HTTP/1 or HTTP/2. When you switch protocols, Burp will automatically perform the necessary transformations behind the scenes to generate an equivalent request suitable for the new protocol. For example, the HTTP/1 request line is mapped to HTTP/2's :method and :path pseudo-headers.
This enables you to easily upgrade and downgrade requests to experiment with protocol-specific vulnerabilities.
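The transformation described above is more than a rename of the request line: HTTP/2 also moves Host into :authority, lowercases field names, and forbids the connection-specific fields (Connection, Keep-Alive, Proxy-Connection, Transfer-Encoding, Upgrade) that HTTP/1 relies on, which is exactly why upgrading and downgrading a request exposes protocol-specific behaviour. The following Python is an added example of that mapping in both directions; it is not Burp's code, and the sample request in the docstring and test is constructed. It assumes a Content-Length (or empty) body rather than a chunked one.

```python
# Example code illustrating the HTTP/1 <-> HTTP/2 request mapping. Not Burp's
# implementation; the sample request used with it is constructed.

# Connection-specific header fields must not appear in HTTP/2 (RFC 7540 section
# 8.1.2.2). A converter drops them, plus every field named in the Connection header.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}


def parse_http1_request(raw):
    """Split a raw HTTP/1.x request into (method, target, [(name, value), ...], body).

    Assumes the body is framed by Content-Length (or is empty); a chunked body
    would have to be de-chunked before the request can be carried over HTTP/2.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers, body


def http1_to_http2(raw, scheme="https"):
    """Map an HTTP/1 request to (http2_header_list, body).

    Request line -> :method and :path, Host -> :authority, :scheme from the caller
    (Burp takes it from the target), field names lowercased, hop-by-hop fields removed.
    """
    method, target, headers, body = parse_http1_request(raw)
    hop_by_hop = set(CONNECTION_SPECIFIC)
    for name, value in headers:
        if name.lower() == "connection":
            hop_by_hop.update(token.strip().lower() for token in value.split(","))
    authority = ""
    regular = []
    for name, value in headers:
        lname = name.lower()
        if lname == "host":
            authority = value
        elif lname in hop_by_hop:
            continue
        elif lname == "te" and value.lower() != "trailers":
            continue  # TE is permitted in HTTP/2 only with the value "trailers"
        else:
            regular.append((lname, value))
    pseudo = [(":method", method), (":path", target),
              (":scheme", scheme), (":authority", authority)]
    return pseudo + regular, body


def http2_to_http1(headers, body):
    """Reverse mapping: rebuild an HTTP/1.1 request from an HTTP/2 header list."""
    pseudo = dict(h for h in headers if h[0].startswith(":"))
    regular = [h for h in headers if not h[0].startswith(":")]
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"Host: {pseudo[':authority']}"]
    lines += [f"{name}: {value}" for name, value in regular]
    if body and not any(name == "content-length" for name, _ in regular):
        lines.append(f"Content-Length: {len(body)}")  # HTTP/1 needs explicit framing
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


if __name__ == "__main__":
    sample = (b"POST /login HTTP/1.1\r\nHost: example.com\r\n"   # constructed request
              b"Connection: keep-alive, X-Hop\r\nX-Hop: 1\r\nUpgrade: h2c\r\n"
              b"Content-Length: 5\r\nContent-Type: text/plain\r\n\r\nhello")
    h2_headers, h2_body = http1_to_http2(sample)
    for name, value in h2_headers:
        print(f"{name}: {value}")
    print(http2_to_http1(h2_headers, h2_body).decode("latin-1"))
```

Note what disappears on the way to HTTP/2: Connection, the X-Hop field it named, and Upgrade. Transfer-Encoding would go the same way, which is the root of the HTTP/2 request smuggling work the 2021.8 release notes refer to below: a front end that downgrades to HTTP/1 has to reconstruct framing that the HTTP/2 request never carried.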
Test for HTTP/2-exclusive vulnerabilities
We are excited to announce that Burp Suite Professional now provides native support for viewing and manipulating HTTP/2 requests.
In addition to the HTTP/1-style representation of the request that you can see in the message editor, the Inspector now lets you work with HTTP/2 headers and pseudo-headers in a way that more closely resembles what will be sent to the server. As this view doesn’t rely on HTTP/1 syntax, you’re able to construct attacks using a number of HTTP/2-exclusive vectors that are impossible to reproduce in HTTP/1. This gives you the opportunity to explore a whole new attack surface that has barely been audited due to the complete lack of any suitable tooling until now.
For some real-world examples of what’s possible, check out the whitepaper for James Kettle’s latest research, HTTP/2: The Sequel Is Always Worse, which he recently presented at Black Hat USA 2021.
Burp’s message editor still lets you work with an HTTP/1-style representation of the request and converts this to an equivalent HTTP/2 request under the hood. This is great for performing general testing where the protocol you’re using isn’t important.
For more information about these features, the configuration options, and a breakdown of some HTTP/2 fundamentals, please refer to the accompanying documentation.
New HTTP/2 scan checks
In addition to the new manual HTTP/2 tooling, this release adds some HTTP/2-specific improvements to Burp Scanner:
- Two new HTTP/2-exclusive methods of obfuscating the transfer-encoding header for HTTP request smuggling.
- A new detection method for HTTP/2 request tunnelling.
- A new scan check for “hidden” HTTP/2 support. Scanner can now detect when a server supports HTTP/2 but doesn’t advertise this in the ALPN during the TLS handshake.
We’ve also improved the issue details for HTTP request smuggling to flag when server-side countermeasures have limited the impact to request tunnelling.
These enhancements are also based on James’s research.
Embedded browser security fix
We have updated Burp Suite’s embedded browser to fix a clickjacking-based remote code execution bug in Burp Suite, as reported to our bug bounty program. We have updated to Chromium 92.0.4515.131, which fixes several bugs that Google has classified as high.
Bug fixes
This release fixes several bugs that should improve the reliability of recorded login playback.
Professional 2021.6.2 Release 2021-Jun-18
This release includes the return of the hex view, enabling HTTP/2 for extensions, task pausing improvements, an embedded browser upgrade, and several bug fixes.
Hex view
You wanted it back so it has returned, and it’s better than ever! The hex view in the message editor returns to Burp Suite, allowing you to display and edit messages in hexadecimal notation. This is especially useful when dealing with binary formats. You can also choose to copy text or hex codes when using the context menu to copy single or multiple cells in the message editor’s hex view.
HTTP/2 enabled for extensions
HTTP/2 is now enabled for requests issued by extensions. Additionally, two new methods have been added to IBurpExtenderCallbacks, which can be used to force HTTP/1 usage when issuing requests:

IHttpRequestResponse makeHttpRequest(IHttpService httpService, byte[] request, boolean forceHttp1);

byte[] makeHttpRequest(String host, int port, boolean useHttps, byte[] request, boolean forceHttp1);

These new methods are analogous to the existing makeHttpRequest() methods, with the addition of the forceHttp1 flag, which when set ensures that HTTP/1 is used.
Task pausing improvements
Burp Suite now remembers your preference for pausing tasks when it starts.
Chromium version update and security fix
We have updated Burp Suite’s embedded browser to Chromium version 91.0.4472.114, which fixes several security issues that Google has classified as high.
Bug fixes
This release fixes several minor bugs.
Professional 2021.5.3 Release 2021-Jun-14
We have updated Burp Suite’s embedded browser to Chromium version 91.0.4472.101, which fixes several security issues, one of which Google has classified as critical.
Professional 2021.5.2 Released 2021-Jun-2
This release fixes a bug with selecting individual scan checks in an audit configuration.
Professional 2021.6 Released 2021-May-26
This release includes the return of the hex view to the message editor, HTTP/2 requests for extensions, and several bug fixes.
Hex view
You wanted it back so it has returned, and it’s better than ever! The hex view in the message editor returns to Burp Suite, allowing you to display and edit messages in hexadecimal notation. This is especially useful when dealing with binary formats.
HTTP/2 enabled for extensions
HTTP/2 is now enabled for requests issued by extensions. Additionally, two new methods have been added to IBurpExtenderCallbacks, which can be used to force HTTP/1 usage when issuing requests:

IHttpRequestResponse makeHttpRequest(IHttpService httpService, byte[] request, boolean forceHttp1);

byte[] makeHttpRequest(String host, int port, boolean useHttps, byte[] request, boolean forceHttp1);

These new methods are analogous to the existing makeHttpRequest() methods, with the addition of the forceHttp1 flag, which when set ensures that HTTP/1 is used.
Bug fixes
This release includes the following bug fixes.
- Playing back recorded login sequences is now more reliable when one of the elements in the series is hidden by other elements on the page.
- Recorded login sequences can now be tested correctly when you play them from the configuration library.
- Changes to the configuration of Burp Collaborator server will now be honored across extensions as well as Burp Suite.
- Burp Logger’s context menu now works correctly.
- Multiple requests are now correctly sent when using a null payload with Burp Intruder.
- Rules added to a target scope now display correctly if the rule was added after loading a configuration file that contains other target scope rules.
- We corrected ALPN settings, which previously led to "No application protocols" errors with some servers.
- We fixed incorrect parsing of redirect URLs within meta tags.
- HTTP/2 will now be correctly used when testing macros within the macro editor.
- Burp Suite now correctly handles HTTP/2 settings frames with zero initial window size.
- Intruder redirection configurations are now honored in the grep extract “fetch response” feature.
Professional 2021.5.1 Released 2021-May-13
This release includes several improvements to Intruder, one of which allows you to save Intruder attacks to project files. The release also includes other minor Burp Suite improvements.
Persistable Intruder attacks
You can now save Intruder attacks to project files, so you can close Burp Suite and come back later to continue your attacks, or view the results of completed attacks. This is done on an opt-in basis: attacks are not saved by default, to avoid bloating project files. An attack can be saved before, during, or after it has been performed. The title bar of an attack window shows whether it has been saved or not.
We have made several other improvements to Intruder. These include:
- Intruder attacks are now visible in the task list of the Dashboard. The Dashboard’s task list can filter tasks to show only scans or only Intruder attacks, to allow a granular view of your running tasks.
- Intruder attacks are no longer ended if the attack window is closed, and can be re-opened from the Dashboard’s task list. This allows you to run multiple attacks in the background without needing to keep several windows open.
- Intruder attacks are managed with resource pools in the same way as scans. Resource pools can be configured to limit the frequency of requests, so as not to overload network resources or the target.
- Saving attacks to project files means that you no longer need to use the old way of saving Intruder attacks to a file, although legacy files can still be loaded into Burp Suite.
TTL value for DNS records in Burp Collaborator
You can now optionally supply a specific TTL value when configuring custom DNS records in Burp Collaborator.
New to 2021.5.1
- We have updated Burp Suite’s embedded browser to Chromium version 90.0.4430.212, which fixes several security issues that Google has classified as high.
- Bug fix: Payload processing rules that invoke extensions now display correctly.
Professional 2021.4.3 Released 2021-May-4
Chromium version update and security fix
This release updates Burp Suite’s embedded browser to Chromium version 90.0.4430.93, which fixes several security issues that Google has classified as high.
Professional 2021.4 Released 2021-Apr-1
This release provides a native logging tool to Burp Suite. It also allows saving settings for Burp’s embedded browser and message editor’s search bar, and the ability to turn off Repeater’s line ending normalization. The release also provides several bug fixes.
Logger
Burp Suite now has a native logging tool called Logger, which is available from the main row of tool tabs. Some highlights of Logger are:
- You can view traffic made by all Burp tools, analyze messages, and send them to other Burp tools.
- You can configure separate capture and view filters to focus on the messages that you are interested in.
- Logger is optimised for performance and limits the amount of memory that is used. The default limit is 50MB (or 100MB if you give Burp Suite at least 1GB of memory), but you can change this. Once the memory limit has been reached, Logger will keep a rolling log of entries.
- You can turn off Logger if you prefer.
Embedded browser settings
When using Burp’s embedded Chromium browser, your history and any changes you make to the browser settings are now saved even after you close Chromium. This means you no longer need to reconfigure your preferences each time you use the browser and can even keep any extensions that you install.
By default, your settings and history will be persisted. If you’d prefer to disable this behavior, go to User options > Misc and deselect the corresponding checkbox in the “Embedded browser” section.
Message editor search settings
You can now configure the default settings of the message editor’s search bar. Change the defaults by going to User options > Misc and selecting the check boxes under “Message search”.
Normalized line endings in Repeater
Repeater usually normalizes the line endings of requests. However, this behaviour may not always be useful, especially when you are testing request smuggling. You can now turn off normalizing line endings by going to the Repeater menu and unchecking “Normalize line endings”.
Bug fixes
This release provides several minor improvements and bug fixes, including:
- Message inspector buttons now work correctly when you paste content into a “Decoded from” panel.
- Burp Collaborator server now responds to CAA queries with a NOERROR rather than a SERVFAIL response code.
- Burp Collaborator server now supports custom CNAME and TXT records.
- Burp Suite is not entirely compatible with Java 16. It will now warn you if you try to launch it with Java 16, and provide a workaround to enable you to use both together.
Professional 2021.3.2 Released 2021-Mar-17
This release strengthens support for HTTP/2 and turns it on by default. It also fixes several bugs.
HTTP/2 support
We have strengthened support for HTTP/2 within Burp Suite. HTTP/2 support is now turned on by default and is no longer considered experimental. Burp will interact with targets via HTTP/2 when a target supports it.
HTTP/2 support brings a significant performance improvement to the network layer, benefiting Scanner and Intruder speed. It also provides future compatibility with any site that no longer supports HTTP/1.1.
If you prefer not to use HTTP/2, you can disable its use under Project Options / HTTP.
Bug fixes
This release provides several minor improvements and bug fixes, including:
- The crawler no longer produces an error when it encounters request bodies that contain JSON literals when it is crawling OpenAPI definitions.
- Burp Suite now shuts down correctly on macOS.
- The number of characters selected now shows in the message inspector when selecting non-editable messages.
- Custom menu items added by extensions are now shown in a sub-menu of the context menu, to avoid cluttering.
- The hash algorithm list within Burp Decoder is now sorted alphanumerically.
- The resource pool button is now disabled when configuring a live passive crawl, as this crawl does not make requests.
- The automatic backup progress dialog box no longer appears if Burp Suite is minimized.
Professional 2021.3.1 Released 2021-Mar-16
This release provides a security fix for the embedded Chromium browser, and several bug fixes.
Chromium security fix
This release includes an update of Burp’s embedded browser to Chromium 89.0.4389.90, which fixes a security issue that Google has classified as high.
Bug fixes
This release provides several bug fixes, including:
- Copy and cut hotkeys now work in inspector tables, and the copied data is formatted appropriately for the types of items in the table.
- Burp Suite now correctly deletes update files after they have been used.
- The title bar now displays the name of the update channel you have chosen if it is not the Stable channel.
- We have improved the layout of the Intruder “Grep – Payloads” panel.
- Unwanted update behaviour no longer happens when you have more than one installation of Burp Suite on macOS.
- We have fixed an issue where the crawler encounters an error if it finds links with URL fragments during the “discovering hidden content” section of the crawl.
- We have converted filter pop-up windows to dialog boxes throughout Burp Suite, to improve consistency.
Professional 2021.3 Released 2021-Mar-3
This release provides several bug fixes. Most notably:
- Copy and cut hotkeys now work in inspector tables, and the copied data is formatted appropriately for the types of items in the table.
- Burp Suite now correctly deletes update files after they have been used.
- The title bar now displays the name of the update channel you have chosen if it is not the Stable channel.
- We have improved the layout of the Intruder “Grep – Payloads” panel.
- Unwanted update behaviour no longer happens when you have more than one installation of Burp Suite on macOS.
- We have fixed an issue where the crawler encounters an error if it finds links with URL fragments during the “discovering hidden content” section of the crawl.
- We have converted filter pop-up windows to dialog boxes throughout Burp Suite, to improve consistency.
Professional 2021.2.1 Released 2021-Feb-16
This release provides multiple Burp Suite update channels, including an Early Adopter channel. It also provides improved Intruder payload lists and several bug fixes.
Multiple update channels
We now deliver automatic updates to Burp Suite via two channels: Stable and Early Adopter. The default channel for all users is Stable. New versions of Burp Suite will appear on the Early Adopter channel first, and then go to the Stable channel when any initial problems have been resolved. The update channel setting is per installation, so multiple installations set to different update channels are possible.
Choose the Early Adopter channel to get the latest features fast. Choose the Stable channel for the most robust and reliable version of Burp Suite.
To change your update channel, go to “User options” and select the “Misc” tab. Then scroll down to “Update” and select the channel you prefer.
Improved Intruder default payload lists
We have improved and expanded Intruder’s default payload lists. There are also new lists, such as SSRF payloads and common files and directories.
Bug fixes
This release also provides several bug fixes, such as:
- Custom User-Agent values will now save correctly if they contain a colon character.
- Using the rule to disable browser XSS protection in Proxy options no longer results in an error.
- Windows created by generating a CSRF PoC now open correctly, rather than opening behind the main Burp window.
Professional 2021.2 Released 2021-Feb-8
This release provides improvements to the message inspector, non-printing character display, platform authentication controls and the embedded browser. It also provides a new vulnerability definition and several bug fixes.
New vulnerability definition: vulnerable JavaScript dependencies
Burp Scanner will now detect when a target application imports a JavaScript dependency that has a known vulnerability, such as when a library is dangerously out of date or has other issues.
Non-printing characters improvement
When viewing non-printing characters in the text editor, characters with a hexadecimal code point below 20 are displayed as “lozenges” with their hex code. Now, characters with a code point from 7F to FF are also displayed in the same way.
Per-host controls for platform authentication
Platform authentication (under “User options” and the “Connections” tab) can now be turned on or off on a per-host basis.
Message inspector improvements
There have been significant performance improvements in the message inspector. Also, users can now resize the message inspector horizontally and select multiple entries at once.
Embedded browser improvements
HTTP requests initiated by the embedded Chromium browser itself, rather than the user, are no longer sent. Also, Burp’s embedded browser has been upgraded to Chromium 88.0.4324.150.
Bug fixes and minor improvements
This release also provides the following bug fixes and minor improvements:
- The HTTP history message filter no longer incorrectly opens a new window when in fullscreen mode on macOS.
- Streaming responses now show correctly in Burp Repeater.
- Regex-based session validation no longer fails after opening an existing project file.
- Activating a .burp file now opens Burp and loads the file rather than starting the Burp start-up wizard.
- The “Delete bytes” context menu option has been restored to Burp Decoder.
- The message editor now correctly highlights text in double quotation marks.
- The colour of the “Intercept is off” button now matches nearby buttons.
- Marks in check boxes are now displaying correctly in Burp extensions.
- Deselecting “URL-encode these characters” is now respected for Payload Processing rules and multiple payload sets when using Cluster bomb attacks in Burp Intruder.
- Burp Suite now makes use of the maximum size of messages that can be sent to Chromium DevTools, which is 100MB. This means that larger page resources can be loaded.
- Burp Suite’s MIME-type analysis now matches Chromium’s behavior. Where multiple Content-Type headers are present in a response, Burp chooses the last one. Where there are Content-Type headers and a <meta http-equiv="content-type"> tag, Burp chooses the Content-Type headers. This change affects MIME-type filters in the Proxy and Target tabs, and the Render tab in the response viewer.
- The icon for vulnerabilities with a severity of False Positive has changed from blue to green.
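The MIME-type rule stated in the note above, written out as an added example (not PortSwigger’s code): the last Content-Type header wins, and the meta tag only matters when no header is present. That fallback, and the sample responses, are assumptions constructed for the example.

```python
"""
Added example, not Burp's own code: resolve a response's MIME type the way
the 2021.2 release note describes (last Content-Type header wins; headers
beat a <meta http-equiv="content-type"> tag). Consulting the meta tag when
no header exists at all is an assumption the note does not spell out.
"""
import re

META_TAG_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?content-type["\']?[^>]*>',
    re.IGNORECASE,
)
CONTENT_ATTR_RE = re.compile(r'content\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (header lines, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF line endings
        head, _, body = raw.partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    return lines[1:], body  # drop the status line


def header_values(lines, name):
    """All values of a header in wire order; header names are case-insensitive."""
    values = []
    for line in lines:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def media_type(content_type: str) -> str:
    """Reduce 'text/html; charset=utf-8' to 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def meta_content_type(body: bytes):
    """Media type declared by a <meta http-equiv="content-type"> tag, if any."""
    tag = META_TAG_RE.search(body.decode("iso-8859-1"))
    if not tag:
        return None
    content = CONTENT_ATTR_RE.search(tag.group(0))
    return media_type(content.group(1)) if content else None


def resolve_mime_type(raw: bytes):
    """Apply the rule: last Content-Type header, else (assumed) the meta tag."""
    lines, body = split_response(raw)
    header_types = header_values(lines, "Content-Type")
    if header_types:
        return media_type(header_types[-1])
    return meta_content_type(body)


# Constructed sample responses (not captured from any real site).
TWO_HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html></html>"
)
HEADER_AND_META = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b'<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
)
META_ONLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example\r\n\r\n"
    b'<html><head><meta http-equiv="content-type" content="text/html"></head></html>'
)

if __name__ == "__main__":
    for name, sample in [("two headers", TWO_HEADERS),
                         ("header and meta", HEADER_AND_META),
                         ("meta only", META_ONLY)]:
        print(f"{name}: {resolve_mime_type(sample)}")
```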
Professional 2020.12.1 Released 2020-Dec-17
This release provides performance and user interface improvements, a JavaScript analysis improvement, and several bug fixes.
Performance improvements
We have made significant improvements in both speed and memory usage in the message editor when handling large messages.
User interface improvements
We have improved several aspects of the user interface. There are new colors for various buttons, icons, check boxes, and radio buttons, to be in line with the new branding of Burp Suite. There are now tooltips for scan phases and issue counts in the scan task Audit Items view.
Processing dynamically created scripts
Burp Scanner’s dynamic JavaScript analysis will now load dynamically created scripts, such as document.write('<script src="…">') or document.createElement('script').
Bug fixes
This release also provides the following bug fixes:
- In Burp Proxy, the message editor now consistently displays the correct view when switching between items in the HTTP history.
- When using the context menu in the “Issue activity” section of Burp’s dashboard, options provided by extensions are now displayed correctly.
- Long payload lists in Burp Intruder now correctly include all entries from the corresponding short list, as well as extra items.
Professional 2020.12 Released 2020-Dec-11
This release provides the following improvements and bug fixes:
Dynamic switching between UI themes
When switching between the new light and dark themes in the display settings, you no longer have to restart Burp before this change is applied.
Scan URLs with fragments
You can now include fragments (#) in the seed URLs you specify for a scan. Note that this is only supported by browser-powered scans. If the “Use embedded browser for Crawl and Audit” option is disabled in your scan configuration, you will not be able to start a scan with seed URLs containing fragments.
Embedded browser upgrade
Burp’s embedded browser has been upgraded to Chromium 87.0.4280.88.
User interface improvements
The icons and icon colors for issue severity levels have changed. We’ve also adjusted the background color for the Suite tab bar, in both the light and dark themes.
Security fix
We have fixed a vulnerability that could result in Burp Suite issuing requests that do not respect its upstream proxy configuration and could leak NetNTLM hashes on Windows systems that fail to block outbound SMB.
This issue was reported through our bug bounty program.
Bug fixes
This release also provides the following bug fixes:
- Copying an intercepted request as a curl command no longer introduces duplicate Cookie headers.
- As long as your user has permission to use the selected port, you are no longer prevented from binding the proxy listener to ports < 1024. Previously, a bug meant that only root / super users could bind the listener to these ports.
- During scans, the crawler no longer uses cookies from Burp’s cookie jar when sending requests.
- Users can once again paste content into the message editor of the Extensions tab.
Professional 2020.11.3 Released 2020-Dec-1
This release provides several bug fixes. Most notably:
- We have fixed a bug that occasionally caused issues with the new UI, such as Burp appearing to lock up.
- When you forward an intercepted request without making any changes, it is no longer erroneously marked as “Edited” in the proxy history.
- The “Getting Started” links on the Proxy Intercept tab are now only displayed until you intercept your first request.
Professional 2020.11.2 Released 2020-Nov-27
This release updates the look of Burp’s UI and adds an option for watching crawls in a headed browser.
UI refresh
This release gives Burp’s UI a make-over, with a cleaner, more modern look.
You can choose between light or dark theme at User options / Display / User interface.
Crawling with a headed browser
You can now choose to start scans using a headed browser. In this case, when the crawl starts, a new browser window will open in which you can watch the crawler navigating around the target website in real time. This is useful for troubleshooting any issues.
You can enable this option from the miscellaneous crawl settings of your scan configuration.
If you enable this option, please note that Burp Scanner will occasionally open additional browser windows during the crawl and stop using the previous window. This is perfectly normal. Any redundant windows will automatically be closed after a period of time.
Other improvements
This release also provides the following improvements:
- A new search function has been added to the BApp Store tab.
- If you add a user.vmoptions file in the same folder as the BurpSuitePro.vmoptions file, Burp will load these settings instead. This file will not be changed by Burp, which means you no longer have to manually back up your custom vmoptions when updating Burp.
- Burp’s embedded browser has been upgraded to Chromium version 87.0.4280.66.
Bug fixes
All keyboard shortcuts now work as expected on the Intercept tab.
Professional 2020.11.1 Release 2020-Nov-19
This release adds the Burp Suite Navigation Recorder extension to Burp’s embedded browser and fixes a minor bug in the startup process.
Burp Suite Navigation Recorder preinstalled in the embedded browser
The Burp Suite Navigation Recorder extension is now preinstalled and ready to use in Burp’s embedded browser. This means you can immediately start recording login sequences for Burp Scanner without having to perform any manual setup.
Embedded browser upgrade
Burp’s embedded browser has been upgraded to Chromium version 86.0.4240.198.
Bug fixes
This release also provides the following bug fixes:
- Highlighting a null character no longer causes extra characters to be included in the selection by mistake.
- After a failed startup, relaunching Burp and selecting an existing project no longer causes the startup to fail again.
- When the mouseover decoding popup is visible in Repeater, pressing the Ctrl + Space shortcut to send the request no longer causes Burp to crash.
- When entering a number range for payloads in Intruder, accidentally leaving a trailing space no longer causes the request and payload count to be set to zero.
Professional 2020.11 Release 2020-Nov-9
This release provides several new features for both manual and automated testing, as well as some major upgrades to the message editor UI.
Message inspector
The new message inspector is a collapsible panel displayed on the right-hand side of the message editor throughout Burp Suite. It provides a quick way to analyze and work with interesting features of HTTP and WebSocket messages without having to switch between different tabs.
The Hex, Params, Headers, and Cookies tabs that used to appear in the message editor have been removed. You can now access the same functionality, and some additional new features, directly in the inspector panel.
- Perform basic operations such as viewing and manipulating any headers, parameters, and cookies found in HTTP messages. You can also add new ones to the request.
- Instantly decode HTML, URL, and Base64-encoded values. The inspector automatically applies the appropriate sequence of transformations to decode headers, parameters, cookies, and any encoded text that you manually select in a message.
- Work with encoded data more easily by editing it in its decoded form. The inspector automatically reapplies the necessary encodings as you type so that you can inject your modified value into the request with a single click or key press.
- Inject non-printing characters by modifying the code point of a character.
You perform some of these actions by drilling down into items that were automatically identified by the inspector. Alternatively, you can manually select one or more characters in a message to work with them in the inspector panel.
For more information about using the inspector, please refer to the documentation.
API scanning
Burp Scanner is now able to scan both JSON and YAML-based APIs for vulnerabilities. By default, the crawler attempts to parse any API definitions that it encounters to identify potential endpoints, along with their supported methods and parameters. You can also explicitly provide the URL of an API definition when launching a scan. Based on the endpoints that it discovers, Burp Scanner is then able to derive new locations to crawl and audit.
If you prefer, you can disable API scanning by deselecting the “Parse API definitions” crawl option in your scan configuration. You can find this option under “Miscellaneous”.
Please note that this initial release only supports scanning of a fairly limited range of REST APIs. For a full list of the prerequisites and limitations, please refer to the documentation. We plan to further develop this feature and gradually add support for a wider range of APIs in future releases.
Test recorded login sequences
In the previous release, we added new functionality for recording and uploading full login sequences to help Burp Scanner handle more complex authentication mechanisms. This release adds a new feature that allows you to replay your recorded login sequences in an embedded browser.
This makes it much easier to check whether the recording accurately captured your browser interactions. It may also help you to diagnose any problems if the login sequence is failing during scans.
For more information, please refer to the documentation.
Automatic updates
By default, Burp now automatically downloads any available updates. When a new update has been downloaded, a notification will prompt you to restart Burp in order to install it. Note that you will still need to download the 2020.11 release manually.
If you prefer, you can disable automatic updates in the user options.
Note for Windows users
To support automatic updates, Burp can no longer be installed in a directory that requires admin privileges. As a result, installing 2020.11 on Windows will likely create a new instance of Burp rather than upgrading your existing installation. Unfortunately, this means you will have to manually uninstall your old version of Burp.
This is a one-off inconvenience. Upgrading to any subsequent releases will not require you to repeat this process.
Other improvements
To help reduce clutter, the custom views that some Burp extensions add to the message editor are no longer accessed via individual tabs. Instead, you can now alternate between your extension-specific views using a new drop-down menu.
Bug fixes
- We have fixed a bug that was causing the Burp UI to freeze in specific circumstances when the .NET Beautifier extension was enabled.
- When hovering the mouse over a long, encoded token in an HTTP message, the decoded text no longer overflows the tooltip. We have also extended the tooltip so that it can display up to 2000 characters.
- Launching an installed version of Burp now provides the same range of character sets as when launching Burp from a JAR file.
Professional 2020.9.2 Release 2020-Oct-2
This release enables support for recorded login sequences in Burp Scanner and provides several other minor improvements. It also includes a security fix for Burp Collaborator.
Recorded login sequences
Instead of entering basic sets of login credentials for Burp Scanner to use, you can now provide the full sequence of actions required to log in. This enables Burp Scanner to handle more complex login processes, including:
- Single sign-on
- Multi-step login where the username and password are not entered in the same form
- Login forms that contain extra fields, checkboxes, and so on
Our dedicated Chrome extension captures your actions while you perform the login sequence and generates a JSON-based “script”. You can then import this script in the Application Logins section of the scan launcher. When the crawler begins an authenticated crawl, it will open a new browser session and use the script to replicate your actions, performing the full login sequence from scratch.
For more details on how to use recorded login sequences, please refer to the scan launcher documentation.
Other improvements
You can now clear the interaction history in Burp Collaborator client.
Bug fixes
This release also implements several minor bug fixes, most notably:
- The TLS handshake no longer fails when the target site’s hostname contains an underscore.
- All bytes are now preserved correctly when pasting data from a file into an HTTP message.
- Auto-modified responses resulting from match-and-replace rules are now paired with the correct request in the proxy history.
Security fix
This release resolves a security issue in the Collaborator server. Previously, an attacker in a position to perform an active, server-side MITM attack could obtain the contents of emails delivered using STARTTLS. If you are running your own Collaborator server, we recommend updating it.
This vulnerability was reported to us privately via our bug bounty program.
Professional 2020.9.1 Release 2020-Sep-4
This release fixes a bug that was preventing WebSocket messages from being displayed correctly in the message editor.
Professional 2020.9 Release 2020-Sep-3
This release provides some improvements to the HTTP message editor UI.
HTTP message editor toolbar
On the “Raw” tab, the various options you have for analyzing the HTTP message are now contained in a toolbar at the top of each request or response. From the toolbar, you can now:
- Alternate between the prettified, raw, or rendered HTML views where available
- Toggle whether non-printing characters are displayed as “lozenges” within the message
- Access a range of context-specific actions for the message from the new “Actions” menu
HTTP message editor layout options
In the upper-right corner of the message editor, you can now choose from three different layouts that determine how the request and response are arranged in the panel.
You can choose from the following options:
- Horizontal layout: The request and response are arranged side-by-side.
- Vertical layout: The request and response are stacked one on top of the other.
- Combined view: Either the request or response will fill the message editor panel. You can alternate between the two using the corresponding tabs.
These new layout options are available in various locations throughout Burp Suite, including the Target site map and Proxy history.
Other improvements
The embedded browser has been upgraded to Chromium 85.0.4183.83.
Professional 2020.8.1 Release 2020-Aug-20
After several months of live testing, we are pleased to announce that this release enables browser-powered scanning by default.
Browser-powered scanning
By default, Burp Scanner will now perform all navigation using an embedded Chromium browser, during both crawl and audit. This approach enables the scanner to accurately handle JavaScript and other navigational structures that modern browsers can. This has the potential to dramatically improve the coverage of the scan during both the crawl and audit phases.
To run browser-powered scanning efficiently, we recommend a machine with at least 2 CPU cores and 8 GB RAM. Burp Scanner automatically checks whether your machine appears to meet these requirements and will use the embedded browser if possible. Otherwise, scans will revert to the previous crawling engine.
If you prefer, you can also manually enable/disable browser-powered scanning in your scan configuration. You can find this option under “Crawl options” > “Miscellaneous” > “Embedded browser options”.
Note: Browser-powered scanning currently remains off by default for Burp Suite Enterprise Edition.
Other improvements
- Scan performance has been improved by reducing the number of duplicate locations that are scanned. Even when you choose to scan a URL using both HTTP and HTTPS, if Burp identifies that the content is the same, it will now only crawl and audit the location once.
- SVG images are now displayed correctly on the “Render” tab.
- The HTTP message editor now supports pretty printing of the content type image/svg+xml.
- The embedded browser has been upgraded to Chromium 84.0.4147.125.
Professional 2020.8 Release 2020-Aug-6
This release provides an upgrade to the web cache poisoning scan checks as well as several other minor improvements and bug fixes.
New web cache poisoning scan checks
Burp Scanner can now identify a variety of recently discovered cache poisoning issues. These checks are based on the techniques documented by James Kettle in his presentation “Web Cache Entanglement: Novel Pathways to Poisoning” at BlackHat USA 2020.
Other improvements
- We have improved the performance of Burp Intruder when using HTTP/2.
- We have reduced the amount of noise from the embedded browser by disabling Chromium’s random DNS checks during startup.
Bug fixes
- Closing the first tab in the embedded browser no longer causes the whole browser window to close.
- You can now launch the embedded browser on Kali Linux even as a non-root user.
Professional 2020.7 Release 2020-Jul-17
In this release, we’ve greatly improved the usability of Burp Suite by removing the need to perform many of the initial configuration steps for Burp Proxy.
Use Burp’s preconfigured browser for testing
You can now use Burp’s embedded Chromium browser for manual testing. This browser is preconfigured to work with the full functionality of Burp Suite right out of the box. You no longer need to manually configure your browser’s proxy settings or install Burp’s CA certificate. The first time you launch Burp you can immediately start testing, even with HTTPS URLs.
To launch the embedded browser, go to the “Proxy” > “Intercept” tab and click “Open Browser”.
Note that if you want to use an external browser for testing, you can still configure any browser to work with Burp in the same way as you could before.
Other improvements
- Burp now provides feedback in the request and response when it successfully communicates using HTTP/2. The first request you send to a server will display HTTP/1. However, once Burp has established that the website supports HTTP/2, all subsequent messages will indicate this in the request line and status line respectively. For more information about Burp’s experimental HTTP/2 support, please refer to the documentation.
- Performance of the experimental browser-powered scanning feature has been improved.
- The embedded browser has been upgraded to Chromium 84.
Bug fixes
- Multiple Cookie headers are now displayed correctly in the “Params” tab.
- We have also fixed a security bug that was reported via our bug bounty program. With a significant amount of user interaction, an attacker could potentially steal comma-delimited files from the local filesystem. The attacker would have to induce a user to visit a malicious website, copy the request as a curl command, and then execute it via the command line.
Professional 2020.6 Release 2020-Jul-3
This release adds an option for using HTTP/2 and provides several minor improvements and bug fixes.
Experimental HTTP/2 support
This release provides experimental support for HTTP/2. From the “Project settings” > “HTTP” tab, you can now choose to use HTTP/2 for inbound and outbound communication over TLS.
As this is still an experimental feature, please use it at your own discretion.
Other improvements
You can now control the TLS protocols that Burp Proxy will use when performing TLS negotiation with the browser. You can configure Burp Proxy to use the default protocols of your Java installation, or override these defaults and enable custom protocols as required.
Bug fixes
In the HTTP history, you can now hover the mouse over URL encoded data to show the decoded data in a tooltip. Previously, this worked in Burp Repeater but not the “Proxy” > “HTTP history” tab.
Professional 2020.5.1 Release 2020-Jun-19
This release provides several bug fixes, including the following improvements to the HTTP message editor:
- Highlighting text no longer causes it to disappear and reappear after resizing the panel.
- Clicking on an empty line now positions the cursor where you click instead of at the end of the previous line.
We have also fixed a security bug that was reported via our bug bounty program. With a significant amount of user interaction, an attacker could potentially read local files. The attacker would have to induce a user to visit a malicious website, copy the request as a curl command, and then execute it via the command line. This was classed as a medium severity issue due to the level of user interaction required.
Professional 2020.5 Release 2020-Jun-5
This release provides a useful new feature for the HTTP message editor, as well as several general improvements.
You can now choose to display non-printing characters as “lozenges” in the HTTP message editor. This is supported for any bytes with a hexadecimal value lower than 20, which includes tabs, line feeds, carriage returns, and null bytes.
This feature will be greatly beneficial for many use cases, including:
- Spotting subtle differences between byte values in responses
- Experimenting with HTTP request smuggling vulnerabilities
- Studying line endings to identify potential HTTP header injection vulnerabilities
- Observing how null-byte injections are handled by the server
Non-printing characters are hidden by default, but you can toggle the lozenges on and off by clicking the “\n” button at the bottom of the editor.
These non-printing characters can currently only be displayed in the message editor. For now, you have to edit bytes using Burp’s hex view. However, we plan to enable you to do this directly in the message editor in the near future.
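As an added illustration of what the lozenge view makes visible (example code, not part of Burp or the release note), the following Python renders every byte below 0x20 as its Unicode control picture and reports header lines whose terminators are not CRLF, the detail that matters when reviewing a message for header injection or request smuggling exposure. The sample request and the \xNN escaping of high bytes are this example's own choices.

```python
import re
from typing import List, Tuple

# U+2400.. are the Unicode "control pictures": chr(0x2400 + b) is the glyph for
# byte b (NUL -> U+2400, TAB -> U+2409, LF -> U+240A, CR -> U+240D), which serves
# as the lozenge here.
CONTROL_PICTURES_BASE = 0x2400


def render_with_lozenges(message: bytes) -> str:
    """Render raw HTTP message bytes with every byte below 0x20 shown as a token.

    A line feed still breaks the rendered line, so the message keeps its shape.
    Bytes 0x7F and above are shown as \\xNN escapes; that choice is this
    example's own, not Burp's.
    """
    out = []
    for b in message:
        if b < 0x20:
            out.append(chr(CONTROL_PICTURES_BASE + b))
            if b == 0x0A:
                out.append("\n")
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02X}")
    return "".join(out)


def line_ending_report(message: bytes) -> List[Tuple[int, str]]:
    """Flag header lines whose terminator is not CRLF, plus embedded NUL bytes.

    Only the header block (up to the first blank line, whether CRLF or bare LF)
    is inspected. Returns (1-based header line number, finding) pairs. Bare CR
    or bare LF terminators are what a reviewer checks when judging whether an
    injected line ending could reach a downstream parser; NUL bytes show where
    a server may silently truncate a value.
    """
    blank = re.search(rb"(\r\n|\n)(\r\n|\n)", message)
    head = message[: blank.end(1)] if blank else message
    findings: List[Tuple[int, str]] = []
    line_no, start, i = 1, 0, 0
    while i < len(head):
        b = head[i]
        if b == 0x0D and i + 1 < len(head) and head[i + 1] == 0x0A:
            term, step = "CRLF", 2
        elif b == 0x0D:
            term, step = "bare CR", 1
        elif b == 0x0A:
            term, step = "bare LF", 1
        else:
            i += 1
            continue
        line = head[start:i]
        if 0x00 in line:
            findings.append((line_no, "embedded NUL byte"))
        if term != "CRLF":
            findings.append((line_no, f"line terminated by {term}"))
        line_no += 1
        i += step
        start = i
    tail = head[start:]  # a final header line with no terminator at all
    if tail and 0x00 in tail:
        findings.append((line_no, "embedded NUL byte"))
    return findings


# Constructed sample request (not captured traffic) mixing line terminators.
SAMPLE_REQUEST = (
    b"POST /search HTTP/1.1\r\n"        # line 1: CRLF
    b"Host: example.test\r\n"           # line 2: CRLF
    b"X-User: ad\x00min\r\n"            # line 3: CRLF, but carries a NUL
    b"X-Injected: value\n"              # line 4: bare LF
    b"Content-Length: 5\r"              # line 5: bare CR
    b"Transfer-Encoding: chunked\r\n"   # line 6: CRLF
    b"\r\n"
    b"q=abc"
)

if __name__ == "__main__":
    print(render_with_lozenges(SAMPLE_REQUEST))
    for line_no, finding in line_ending_report(SAMPLE_REQUEST):
        print(f"header line {line_no}: {finding}")
```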
General improvements
This release also provides the following minor improvements to various areas of Burp:
- The embedded Chromium browser for the experimental browser-driven scanning mode has been upgraded to version 83.
- Java 14 is now supported for both Professional and Community Edition.
- Burp Proxy no longer intercepts requests for SVG or font files by default.
- Crawling of static content is now faster.
Bug fixes
We have also implemented several minor bug fixes, most notably:
- The response received/completed times are now displayed for 401 responses.
- The response time is now displayed even when the time taken was < 1ms.
- “Check session is valid” session handling rules are now applied properly when session tracing is running.
- The content discovery tool no longer erroneously displays the “Session is not running” message.
Professional 2020.4.1 Release 2020-May-18
This release provides the following minor improvements:
- Soft wrapping has been added to the HTTP message editor for any lines longer than 2000 characters.
- Resource management has been improved for the experimental browser-driven scanning option. This ensures that scans can be processed as efficiently as possible.
Bug fixes
In addition to general bug fixes, we have also resolved an issue that sometimes caused overlapping text in the message editor.
Professional 2020.4 Release 2020-Apr-27
This release mainly provides usability improvements to the HTTP message editor. It also upgrades both Java support and Burp Scanner’s embedded browser version.
HTTP message editor
The HTTP message editor now supports pretty printing of JSON, XML, HTML, CSS, and JavaScript. Take a look at the following video to see this feature in action:
Unformatted JSON data, for example, would previously be displayed as follows:
But as of version 2020.4, all of the supported formats mentioned above are prettified by default, meaning the JSON data in our example would now be displayed as follows:
You can toggle pretty printing on and off by clicking the “Pretty” button at the bottom of the editor. Alternatively, if you would prefer not to use pretty printing by default, you can disable this setting under “User options” > “Display” > “HTTP Message Display”.
Java support
As of this release, we now support Java 13. Unfortunately, we will no longer be able to support Java 8. The vast majority of users will be unaffected by this change. However, if you normally launch Burp directly from the JAR file instead of using the provided installer, you need to make sure that you have one of Java versions 9 to 13 before attempting to launch the new JAR file.
Chromium update
We have updated Burp Scanner’s experimental embedded browser to Chromium 81.0.4044.122 in order to implement the latest security fixes.
Other improvements
This release also provides the following minor improvements:
- Provided you have Java 13, Burp Proxy now supports TLS 1.3.
- Burp now notifies you if the proxy listener is disabled for any reason, and provides guidance on how to reactivate it.
- When running Burp in headless mode, you can now execute multiple commands at once by using pipes, heredocs, and so on.
- The search bar in the editor is now displayed correctly on smaller screens.
Bug fixes
We have also implemented several minor bug fixes, including:
- The response time is now displayed correctly for each request you send in Burp Repeater.
- Configured extensions are no longer lost when Burp Suite closes unexpectedly.
- The text editor no longer scrolls infinitely when embedded inside another scrolling component.
Professional 2020.2.1 Released 2020-Mar-16
This release contains minor updates to the 2020.2 release.
There are further enhancements to the custom Collaborator content options that were introduced in version 2020.2. You can now host custom robots.txt and crossdomain.xml files at arbitrary URLs on your Collaborator server.
We have also improved the handling of XML reports by stripping any null values.
The general improvements to the HTTP message editor continue, with this release providing the following bug fixes:
- The message editor no longer freezes when editing some requests containing JSON data.
- Binary data is now preserved in its original state even if you make changes to the request.
- Arrow keys no longer stop working if your request becomes longer than the viewport.
- Arrow keys now work with extensions, provided that they use the same key mappings.
- When clicking on a wrapped line, the cursor is now placed exactly where you click.
The issue definition links now also work correctly on the latest version of Kali Linux.
As always, we’ve also implemented several minor bug fixes across the product.
Professional 2020.2 Released 2020-Mar-02
This release builds on the general improvements we have been making to the HTTP message editor and incorporates some feedback from the community:
- Triple-clicking a word now selects the entire token, for example, the header value or a string literal of a JSON value.
- In editable messages, such as requests and responses in Burp Repeater, hovering over URL-encoded text now shows the decoded version in a tooltip.
- The “Convert selection” popup now works in responses as well as requests.
- In the user options for displaying HTTP messages, you can now choose to use any monospaced font that is installed on your system.
- Performance when analyzing responses with multiple code blocks has been improved.
The “Render” tab now enables you to view rendered HTML pages and images directly within the various tools instead of in a separate popup.
You can now add custom content to the Burp Collaborator service. For example, you could add a readme on the index page identifying the organization and the purpose of the service, or prove ownership of your domain to validate TLS certificate requests. To do this, you simply add new entries in the configuration file containing a path, contentType, and base64Content as follows:
"customHttpContent":
[
{ "path": "/", "contentType": "text/plain", "base64Content": "VGhpcyBpcyBhIHJhbmRvbSBsaW5lIG9mIHRleHQ="},
{ "path": "/foo", "contentType": "text/html", "base64Content": "dGhpcyBpcyBhbm90aGVyIG9uZSBmb3IgZ29vZCBtZWFzdXJlLiBOaWNlLg==" }
]
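The following Python is an added example, not PortSwigger's code: it builds and sanity-checks "customHttpContent" entries using the three keys shown above (path, contentType, base64Content), decodes the two entries from the note for review, and assembles constructed content of the kind the note mentions (an index readme, robots.txt, crossdomain.xml, and a domain-validation token at a placeholder path). The helper names, the validation rules and the sample bodies are this example's own assumptions.

```python
import base64
import binascii
import json
import re
from typing import Dict, Iterable, List

REQUIRED_KEYS = {"path", "contentType", "base64Content"}
_MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+(?:\s*;.*)?$")


def make_entry(path: str, content_type: str, body: bytes) -> Dict[str, str]:
    """Build one entry, base64-encoding the body as the config expects."""
    return {
        "path": path,
        "contentType": content_type,
        "base64Content": base64.b64encode(body).decode("ascii"),
    }


def decode_entry(entry: Dict[str, str]) -> bytes:
    """Return the plain body of an entry so it can be reviewed before deployment."""
    return base64.b64decode(entry["base64Content"], validate=True)


def validate_entries(entries: Iterable[Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the block looks sound.

    The checks (absolute path, no '..' segments or control characters, a
    type/subtype media type, strictly valid base64, no duplicate paths) are
    this example's own conservative rules, not requirements stated by Burp.
    """
    problems: List[str] = []
    seen_paths = set()
    for i, entry in enumerate(entries):
        missing = REQUIRED_KEYS - set(entry)
        if missing:
            problems.append(f"entry {i}: missing key(s) {sorted(missing)}")
            continue
        path = entry["path"]
        if not path.startswith("/"):
            problems.append(f"entry {i}: path must start with '/': {path!r}")
        if ".." in path.split("/") or re.search(r"[\s\x00-\x1f]", path):
            problems.append(f"entry {i}: path contains '..' or whitespace/control chars: {path!r}")
        if path in seen_paths:
            problems.append(f"entry {i}: duplicate path {path!r}")
        seen_paths.add(path)
        if not _MEDIA_TYPE.match(entry["contentType"]):
            problems.append(f"entry {i}: contentType is not type/subtype: {entry['contentType']!r}")
        try:
            decode_entry(entry)
        except (binascii.Error, ValueError) as exc:
            problems.append(f"entry {i}: base64Content does not decode: {exc}")
    return problems


def build_block(entries: List[Dict[str, str]]) -> str:
    """Serialise the entries as the "customHttpContent" fragment, after validation."""
    problems = validate_entries(entries)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"customHttpContent": entries}, indent=2)


# The two entries exactly as shown in the release note above.
RELEASE_NOTE_EXAMPLE = [
    {"path": "/", "contentType": "text/plain",
     "base64Content": "VGhpcyBpcyBhIHJhbmRvbSBsaW5lIG9mIHRleHQ="},
    {"path": "/foo", "contentType": "text/html",
     "base64Content": "dGhpcyBpcyBhbm90aGVyIG9uZSBmb3IgZ29vZCBtZWFzdXJlLiBOaWNlLg=="},
]


def example_entries() -> List[Dict[str, str]]:
    """Constructed content for a private server (all bodies and paths are placeholders)."""
    return [
        make_entry("/", "text/plain",
                   b"Burp Collaborator server operated by <ORG PLACEHOLDER> for security testing.\n"),
        make_entry("/robots.txt", "text/plain", b"User-agent: *\nDisallow: /\n"),
        make_entry("/crossdomain.xml", "text/xml",
                   b'<?xml version="1.0"?>\n<cross-domain-policy>\n</cross-domain-policy>\n'),
        # Placeholder token of the kind used to prove domain ownership for a certificate.
        make_entry("/.well-known/acme-challenge/TOKEN-PLACEHOLDER", "text/plain",
                   b"TOKEN-PLACEHOLDER.KEY-AUTHZ-PLACEHOLDER"),
    ]


if __name__ == "__main__":
    for entry in RELEASE_NOTE_EXAMPLE:
        print(entry["path"], "->", decode_entry(entry).decode())
    print(build_block(example_entries()))
```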
You can now initiate instant active or passive scans in Burp. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.
The following bug fixes have also been implemented:
- A bug causing load/save filter dialogs to be hidden has been fixed.
- The “Scan defined insertion points” feature now works for all environments.
- Redirections are now shown in the site map when crawling.
Professional 2020.1 Released 2020-Jan-31
This release updates the HTTP message editor with various new capabilities:
- Syntax colorising for JavaScript, JSON, and CSS.
- Syntax colorising is now dynamically updated as you type.
- Line numbers.
- Code folding.
- Performance improvements.
We will soon continue improving the editor, with better prettifying of some formats and other helpful features.
Various improvements have been made to the efficiency and stability of Burp Scanner. We are working towards enabling the new experimental browser-driven scanning by default, which will pave the way for significant enhancements to the scanner’s capabilities over the coming year.
A number of bug fixes and other enhancements have been made, including:
- Issues negotiating TLS through some LAN firewalls have been resolved.
- Feedback messages during crawls have been improved.
- File dialogs now remember the last selected folder on a per-function basis.
- Improvements have been made to some UI elements in the dark theme.
- The expiration of auto-generated TLS certificates has been shortened to comply with modern browser requirements.
- You can now save performance feedback data to a local file, to be submitted via email rather than automatically.
- Some causes of project file corruption have been resolved.
Professional / Community 2.1.07 Released 2019-Dec-17
This release considerably improves Burp’s SSL/TLS coverage. Historically, quirks in different server-side implementations together with bugs in the client-side Java stack led to problems connecting to some web sites. These have now been virtually eliminated.
The Venn diagram below shows how Burp’s coverage now compares with Google Chrome for the Alexa top 100,000 sites. Burp achieves substantial overlap with Chrome. Burp can connect to 1,696 sites that Chrome does not, and only fails to connect to 125 sites that Chrome can connect to.
(Note that Burp’s additional coverage is largely because Burp tolerates some older and weaker protocols and ciphers, in the interests of maximizing connectivity.)
Various improvements have been made to the crawling phase of scans:
- The event log contains improved feedback regarding account self-registration and login.
- Crawling is more efficient, with substantially fewer requests needed to discover the same range of locations.
- Various minor bugs have been fixed.
Professional 2.1.06 Released 2019-Nov-22
This release includes various bugfixes and performance enhancements to the new experimental browser-driven scanning feature.
Professional 2.1.05 Released 2019-Nov-05
This release adds experimental support for using Burp’s embedded Chromium browser to perform all navigation while scanning.
This new approach will provide a robust basis for future capabilities in Burp Scanner, enabling it to eventually deal with any client-side technologies and navigational structures that a modern browser is able to deal with. It has the potential to dramatically improve coverage of the scan, during both the crawling and auditing phases.
In this initial release, Burp Scanner now correctly deals with:
- Applications that dynamically construct the navigational UI (links and forms) using JavaScript.
- Applications that dynamically mutate the request when a link is clicked or a form is submitted, using JavaScript event handlers.
There are numerous caveats at this stage:
- Performance is poor and will be improved considerably over the next few releases.
- Navigational elements other than links and forms are not yet supported (such as DIV elements with an onclick handler that makes a request).
- Asynchronous requests such as XHR are honored during navigation but are not audited.
- Navigational actions that mutate the existing DOM without causing a request to the server are not properly handled.
- Frames and iframes are not properly supported.
- File uploads are not supported.
The new feature is currently experimental, and is being released to gather feedback from users who want to play with the new capability and assess its effectiveness. The new feature is not currently a suitable replacement for the existing default scanning mode: you are likely to gain some coverage of JavaScript-heavy applications, but also lose some coverage and experience poor performance. Rest assured that over the coming months the new feature will be considerably enhanced until it becomes a robust and superior replacement to the existing scanning mode.
To enable experimental support for browser-based scan navigation, create a new scan, add a crawl configuration, and under “Miscellaneous” select “Use embedded browser for navigation”. You can also configure whether to allow the browser to fetch page resources that are out-of-scope.
The release also includes various other bugfixes. The embedded JRE that is included in Burp’s installer has been updated to Java 12.
Professional 2.1.04 Released 2019-Sep-27
This release includes a number of minor enhancements and bugfixes.
In Burp Repeater, there are new options to close a tab, close all other tabs, and reopen a closed tab. You can access these actions via the context menu on the tab header, or by assigning hotkeys.
There is a new (default-on) scan option to ignore the protocols of URLs to scan. This is to avoid a common user error where the scan is configured for http://example.com only, while it needs also to include https://example.com.
When a Burp update is available, there are options to mute the update notification for one week, for the currently offered update, or for all beta updates.
A bug in Burp 2.x affecting the use of PKCS#11 smart cards has been fixed.
Professional 2.1.03 Released 2019-Aug-07
This release adds a brand new scan check, for HTTP request smuggling vulnerabilities:
This is a long-overlooked vulnerability class that is prevalent in modern cloud architectures, and which often has a critical impact.
- Read the full PortSwigger research post on HTTP desync attacks
- Play with real HTTP request smuggling vulnerabilities on the Web Security Academy
Professional 2.1.02 Released 2019-Jul-26
The support for WebSockets in Burp Repeater has been enhanced with a new WebSocket connection wizard that lets you:
- Attach to an existing WebSocket that is currently open.
- Reconnect to a WebSocket that has closed.
- Clone a WebSocket.
- Manually configure a new WebSocket connection.
The new capability gives you full manual control over the WebSocket negotiation request.
Some other minor enhancements have also been made:
- When creating a new project on disk, Burp will now automatically suggest a project filename, based on the project name and a timestamp.
- When loading a configuration file for project or user options, Burp now warns if the file doesn’t contain any options of the relevant type.
- Various minor bugs have been fixed.
Professional 2.1.01 Released 2019-Jul-16
This release adds support for WebSockets in Burp Repeater.
You can select a WebSocket message in the Proxy history or intercept tab, and choose “Send to Repeater” from the context menu:
Each message you send to Repeater opens in a new tab. Here, you can manually edit and send the message, view the full message history, pick a message from the history and manually edit and resend it, and manage the WebSocket connection:
As always, feedback about this new feature is welcome.
Have fun!
Professional 2.1 Released 2019-Jun-28
Burp Suite 2.x is now officially out of beta!
This is a huge upgrade over 1.7 with a wealth of new capabilities. We encourage anyone still using 1.7 to switch to 2.x.
Community Edition users can now enjoy Burp’s new dark theme. To enable the dark theme, go to User options / Display / User Interface / Look and feel, and select Darcula.
Coming out of beta means we regard Burp Suite 2.x as essentially stable and suitable for general usage. It doesn’t mean there are no bugs. All software has bugs, and feedback is always welcome about any problems that users observe.
We will, of course, be continuing to enhance Burp Suite 2.x with various new features over the coming months.
Professional 1.7.37 Released 2018-Aug-10
This release adds some powerful new Scanner checks based on James Kettle’s talk at Black Hat today.
For full details of this awesome new research, see our blog post on practical web cache poisoning.
Burp Scanner is now able to detect two new vulnerabilities, “Web cache poisoning” and “Request URL override”:
Note: On 10 October 2018, the .DMG package was regenerated to be compatible with MacOS Mojave.
Professional 1.7.36 Released 2018-Jul-30
This release fixes a number of issues including:
- A bug that prevented the macro editor from correctly showing the Proxy history.
- A bug in the extensions UI where the button to clear an extension’s output from the display didn’t function correctly.
- A problem with excessive memory consumption during download of updates. Burp distributions will soon be growing in size to support a number of exciting new features, and applying this fix is recommended in advance of that happening.
Note: On 10 October 2018, the .DMG package for Community Edition was regenerated to be compatible with MacOS Mojave.
Professional 1.7.35 Released 2018-Jun-29
This release includes a number of fixes and minor enhancements:
- Further enhancements have been made to Burp’s project repair function based on feedback from the previous release. We welcome further feedback of any situations in which data cannot be recovered from a corrupted Burp project file.
- A fix has been applied to prevent Burp’s filter popups from appearing in the task switcher on some Linux window managers.
- The hardening of SSL validation that was added in 1.7.34 unfortunately didn’t work correctly for some users who access the web via a network proxy. This affected Collaborator polling, Burp updates, and the BApp Store. Users with a configured upstream proxy who have already updated to 1.7.34 and have encountered this problem will not receive the update notification for this release. Those users will need to either (a) remove the upstream proxy configuration temporarily; or (b) run an older version of Burp to obtain the update.
Professional 1.7.34 Released 2018-Jun-13
A number of bugs have been fixed:
- A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
- A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
- A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
- Some bugs in Burp’s project repair function that caused some actually recoverable data to be lost.
- A bug that prevented autocomplete popups from closing on some Linux window managers.
- A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
- A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
- A bug that prevented the Proxy from correctly handling requests that use a literal IPv6 address in the domain name of the requested URL.
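To make the second bug concrete, here is an added Python example (not Burp's code) that contrasts the leaky behaviour the note describes with a fixed version: the credential configured for domain A must be selected by the host of the resolved redirect target, not carried over from the original request just because the target is in scope. The credential store, the scope predicate and the sample URLs are this example's own assumptions; matching is on host only, as the note phrases the issue in terms of domains.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional
from urllib.parse import urljoin, urlsplit


@dataclass(frozen=True)
class BasicCredential:
    """An HTTP Basic credential the user configured for exactly one host."""
    host: str
    username: str
    password: str

    def header(self) -> str:
        token = base64.b64encode(f"{self.username}:{self.password}".encode()).decode("ascii")
        return f"Basic {token}"


def resolve_redirect(request_url: str, location: str) -> str:
    """Resolve a Location header (absolute or relative) against the request URL."""
    return urljoin(request_url, location)


def credential_for(url: str, creds: Iterable[BasicCredential]) -> Optional[BasicCredential]:
    """Pick the credential whose configured host matches the URL's host (case-insensitive)."""
    host = (urlsplit(url).hostname or "").lower()
    return next((c for c in creds if c.host.lower() == host), None)


def leaky_auth_header(original_url: str, location: str, creds: List[BasicCredential],
                      in_scope: Callable[[str], bool]) -> Optional[str]:
    """Behaviour described in the note: the credential chosen for the original
    request keeps travelling with the redirect whenever the target is in scope,
    even when the target is a different domain."""
    target = resolve_redirect(original_url, location)
    cred = credential_for(original_url, creds)
    return cred.header() if cred and in_scope(target) else None


def safe_auth_header(original_url: str, location: str, creds: List[BasicCredential],
                     in_scope: Callable[[str], bool]) -> Optional[str]:
    """Fixed behaviour: follow only in-scope redirects, and choose the credential
    by the host of the redirect target, so domain A's credential never reaches
    domain B."""
    target = resolve_redirect(original_url, location)
    if not in_scope(target):
        return None
    cred = credential_for(target, creds)
    return cred.header() if cred else None


def host_scope(hosts: Iterable[str]) -> Callable[[str], bool]:
    """Build a minimal target-scope predicate from a set of hostnames (constructed)."""
    allowed = {h.lower() for h in hosts}
    return lambda url: (urlsplit(url).hostname or "").lower() in allowed


if __name__ == "__main__":
    # Constructed scenario: credential for a.example, scope includes a and b.
    creds = [BasicCredential("a.example", "alice", "s3cret")]
    scope = host_scope(["a.example", "b.example"])
    print("leaky:", leaky_auth_header("https://a.example/login", "https://b.example/", creds, scope))
    print("fixed:", safe_auth_header("https://a.example/login", "https://b.example/", creds, scope))
```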
The following enhancements have been made:
- Burp ClickBandit has been updated to support sandboxed iframes.
- A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.
Note that some of the security issues were reported through our bug bounty program, which pays generously for bugs large and small. Thanks are due to Bruno Morisson and Juho Nurminen.
Professional 1.7.33 Released 2018-Mar-28
This release significantly improves the effectiveness of project repair when project file corruption occurs. Some users still experience corrupted project files when using virtualized file systems (for example, using Burp within a guest VM can lead to project file corruption if the host OS terminates abnormally). Previously, if some key metadata near the start of the project file was lost, then Burp’s project repair feature would not recover any data. In the new release, uncorrupted data within the file can still be recovered even if this key metadata is lost. Further feedback is welcomed regarding the effectiveness of project repair.
To support the new project repair function, changes have been made to the Burp project file format. The new release is backwards compatible with project files from all prior versions, but project files created with the new release cannot be opened with older versions of Burp.
Some bugs have been fixed:
- A bug in macro configuration where some settings for cookie handling might not be saved correctly across executions of Burp.
- Some minor bugs in the automatic project backup feature that was recently released.
- A bug where extensions could still gain API access to the Burp Collaborator client even when the user had disabled use of Collaborator.
Professional 1.7.32 Released 2018-Feb-02
This release adds a new automatic project file backup function. If you are using a disk-based project, this function automatically saves a backup copy of your project file periodically in the background. The options for the new function can be found at User options / Misc / Automatic Project Backup:
The new function is superior to the older function that saved a state file backup in several respects:
- Project file backups are considerably faster. Project files of 1Gb in size are typically backed up in a few seconds.
- You can optionally include in-scope items only, to reduce the size of the backup file.
- Available disk space is checked before performing a backup. If insufficient space is available, the backup is skipped and an alert is shown.
- A single backup file is saved alongside the main project file. On successful completion of a new backup, the previous backup file is deleted.
- On attempting to open a corrupted project file, Burp checks if a backup is available, and if so offers to open that as an alternative to repairing the original.
- By default, the backup file is deleted on clean shutdown of Burp. Since the main project file is saved incrementally in real time, and project file corruption is typically caused by abnormal termination of the OS, it is not normally necessary to retain backup files following a clean shutdown. You can choose to retain the backup file on shutdown in the automatic project backup options.
- You can optionally disable the progress dialog that is shown when a backup is performed, so you can continue working without interruption.
- Backups are enabled by default with no configuration required. If you don’t want to use the feature, you can quickly turn it off using the option that is shown in the progress dialog:
- Installed BApps are now updated automatically on startup. We issue frequent updates to BApps and it is highly recommended to be using the latest versions. You can disable automatic BApp updates in Extender options.
- A bug in the import project function, which omitted to import the Scanner issue activity log, has been fixed.
- Requests made by extensions during custom scan checks are now correctly reflected in the scan queue request counts, and are correctly subjected to configured request throttling.
1.7.31 19-Jan-2018
This release adds two new capabilities relating to Burp project files:
- You can now import project files into another disk-based project. This lets you merge multiple disk-based projects into one, to consolidate work that has been carried out separately. You can access this function via the Burp menu.
- You can now select project files as input to the compare site maps function.
Additionally, the “Number of threads” setting in Scanner options has been changed to “Concurrent request limit”. This paves the way for some major enhancements to the Scanner engine that are in the pipeline.