Burp Suite Professional Latest Release and Update, please read in reverse order, if you interest from the old to latest manner. As the latest release note and build always increment update on the top for this product update.
The rational to keep for this post is combine all the related latest release and update for easy reading in single post for the user.
This release enables you to add tabs to the message editor that provide the same features as the Inspector panel. It also adds a new domain name for the public Burp Collaborator server, as well as some enhancements to Burp Scanner.
We have upgraded Burp’s built-in browser to 118.0.5993.88 for Mac / Linux and 118.0.5993.88/.89 for Windows. This update contains a security fix. For more information, see the Chromium release notes.
We have upgraded Burp’s built-in browser to 118.0.5993.88 for Mac / Linux and 118.0.5993.88/.89 for Windows. This update contains a security fix. For more information, see the Chromium release notes.
This release introduces Bambdas into the HTTP history filter, the ability to export BChecks, the rollout of notes in other areas of Burp, TLS passthrough for out-of-scope items, and the ability to include subdomains in your target scope.
In Burp Scanner, we have made improvements to the Task details dialog to make it easier to find information about scan results and live tasks.
Bambdas are a new way to customize Burp Suite directly from the UI, using small snippets of Java code. This release introduces Bambdas into the Proxy > HTTP history tab, enabling you to write custom filters for your HTTP history. These highly customizable filters can help you cut out white noise in your HTTP history, helping you to focus on only the exact items you’re interested in seeing.
To try Bambdas for yourself, go to the Proxy > HTTP history tab filter, switch to Bambda mode, and write a custom filter using your own code.
Keep an eye out for Bambdas appearing in more Burp tools over the next few months.
You can now export BChecks, making it easier to share them between different instances of Burp. Just select the BChecks you want, then click Export.
Check out our BChecks GitHub repository for BChecks from PortSwigger and from the Burp Suite community.
We’re rolling out the notes feature into more areas of Burp. This feature enables you to record key information on tabs, making it easier to return to at a later time. Notes are copied when items are sent between different tabs. Use the Notes panel in the tab sidebar to add a note.
This update also introduces functionality that copies your notes when you send items between different tools in Burp.
This release introduces notes into:
You can now apply TLS passthrough for out-of-scope items automatically when you set the target scope, which can greatly improve performance. This behavior is automatically enabled when you accept the option to Stop logging out-of-scope items.
You can now include subdomains of hosts you’ve included or excluded from your target scope. Enable this feature by selecting the Include subdomains checkbox in Target > Scope settings.
We’ve made some improvements to the Task details dialog to make it easier to find information about scan results and live tasks:
We have added some new features to the BChecks grammar, including:
removing query_string action that removes an entire query string from a request.User-Agent header.insertion_point_base_value that contains the base value of the current insertion point.As a result of these changes, we have updated the grammar version to v2-beta. Please use this value in the metadata.language property when writing a check that uses these new features.
We have upgraded Burp’s built-in browser to 118.0.5993.70 for Mac and Linux and 118.0.5993.70/.71 for Windows. This update contains security fixes.
We have upgraded Burp’s built-in browser to 117.0.5938.132 for Mac, Linux, and Windows. This update contains security fixes. For more information, see the Chromium release notes.
We have upgraded Burp’s built-in browser to 117.0.5938.132 for Mac, Linux, and Windows. This update contains security fixes. For more information, see the Chromium release notes.
This release introduces new functionality for BChecks, including the ability to test your checks from within the editor and create definitions from a blank template. We have also added a notes feature to Repeater tabs.
For Burp Scanner, we have added new issue filters to the Issue Activity Dashboard panel and improved the quality of the text displayed on the Crawl paths tab.
You can now test your BChecks from within the editor, enabling you to quickly confirm whether a check is working as expected without having to run a scan manually.
BCheck tests use pre-selected requests and responses as test cases. When you run a test, Burp Scanner runs the BCheck on the selected HTTP messages and reports the results.
For more information about the new BCheck test features, see Testing BChecks.
You can now add notes to Repeater tabs. This feature enables you to record key information about a tab, making it easier to return to at a later time. If you subsequently send the item to Organizer, the new Organizer entry contains the existing note content.
To record a Repeater note, select the Notes panel in the tab sidebar and enter the required text.
You can now start from a blank template when creating BChecks, rather than copying and modifying one of the default checks. We have added the new template to the BCheck templates list, which is displayed when creating a new BCheck.
We have made the following improvements to the Scanner:
The Montoya API’s decode method now supports Brotli and Deflate encodings.
When you pass a base64 string without padding to Decoder, it now decodes the string as if it were padded. This brings Decoder’s behavior in line with that of the Inspector. Previously, Decoder required the appropriate padding to be added before the string was passed.
We have fixed the following bugs:
define block were not causing the check to fail validation.We have upgraded Burp’s built-in browser to Chromium 117.0.5938.62 for Mac / Linux and 117.0.5938.63 for Windows. This update contains several security fixes, including one for a critical vulnerability.
This release introduces the ability to unpack Brotli-compressed messages in the Proxy and Repeater tools, and adds Organizer functionality to the Montoya API.
In Burp Scanner, we have introduced some new features to help keep you better informed of the progress of your scans, and reduced the overall load time of pages.
We’ve also made some minor improvements and fixed a few bugs.
We’ve added Brotli to our list of supported compression types. This means you can now unpack Brotli-compressed messages in the Proxy and Repeater tools.
We have made the following changes to the Montoya API:
You can now send requests and responses to Burp Organizer via the Montoya API.
We’ve made a number of improvements to Burp Scanner, including:
On the Crawl paths tab, we’ve added a hover-over that shows a breakdown of the overall load time of a page to show initial load time, time waiting for background requests, and time waiting for page to stabilize.
We’ve added some new features to help keep you better informed of the progress of your scans:
We’ve made a number of additional improvements to the Scanner, including:
We’ve fixed some minor bugs, including:
We have upgraded Burp’s built-in browser to Chromium 117.0.5938.62 for Mac / Linux and 117.0.5938.63 for Windows. This update contains several security fixes, including one for a critical vulnerability.
We have upgraded Burp’s built-in browser to 116.0.5845.140 for Mac and Linux and 116.0.5845.140/.141 for Windows. This update contains security fixes.
We have upgraded Burp’s built-in browser to 116.0.5845.140 for Mac and Linux and 116.0.5845.140/.141 for Windows. This update contains security fixes.
This release introduces the ability to unpack Brotli-compressed messages in the Proxy and Repeater tools, and adds Organizer functionality to the Montoya API.
In Burp Scanner, we have introduced some new features to help keep you better informed of the progress of your scans, and reduced the overall load time of pages.
We’ve also made some minor improvements and fixed a few bugs.
We’ve added Brotli to our list of supported compression types. This means you can now unpack Brotli-compressed messages in the Proxy and Repeater tools.
You can now send requests and responses to Burp Organizer via the Montoya API.
We’ve made a number of improvements to Burp Scanner, including:
On the Crawl paths tab, we’ve added a hover-over that shows a breakdown of the overall load time of a page to show initial load time, time waiting for background requests, and time waiting for page to stabilize.
We’ve added some new features to help keep you better informed of the progress of your scans:
We’ve made a number of additional improvements to the Scanner, including:
We’ve fixed some minor bugs, including:
This release upgrades Burp’s built-in browser and fixes a bug when scanning GraphQL APIs.
We have upgraded Burp’s built-in browser to 116.0.5845.110 for Mac and Linux and 116.0.5845.110/.111 for Windows. For more information, see the Chromium release notes.
We’ve fixed a bug in Burp Scanner that interfered with scanning of GraphQL introspection requests.
This release upgrades Burp’s built-in browser and fixes a bug when scanning GraphQL APIs.
We have upgraded Burp’s built-in browser to 116.0.5845.96 for Mac and Linux and 116.0.5845.96/.97 for Windows. For more information, see the Chromium release notes.
We’ve fixed a bug in Burp Scanner whereby the crawler would stop enumerating potential GraphQL endpoints for some responses.
This release introduces new Repeater functionality based on the techniques discussed in James Kettle’s talk “Smashing the State Machine: The True Potential of Web Race Conditions”, first presented at Black Hat USA 2023. Repeater’s new single-packet attack feature nullifies network jitter, enabling you to send multiple requests in parallel. These requests are synchronized to arrive within a very small time window, making it much simpler to test for race conditions.
We have also introduced various other improvements for Burp Suite Professional and Burp Scanner, including the ability to reuse HTTP/1 connections in Intruder, a new project-level Crawl paths tab in the Target tool, and support for GraphQL introspection during scans.
We have added a Send group (parallel) option to Repeater’s Group send options menu. When you select this option for a tab group, Repeater sends the requests from all of the group’s tabs at once.
Repeater synchronizes parallel requests to ensure that they all arrive in full at the same time. It uses different synchronization techniques depending on the HTTP version used:
Sending synchronized requests in parallel makes it much easier to test for race conditions. For more information about how to do this, as well as some deliberately vulnerable labs for you to practice on, check out the Race conditions topic on the Web Security Academy.
For more information on sending Repeater groups in parallel, see Sending grouped HTTP requests.
As part of these new Repeater features, we have added two sendRequests methods to the Http interface. These methods enable you to build extensions that can send HTTP requests in parallel and retrieve their responses. You can also explicitly specify the HTTP mode that the requests should use, if required.
You can now control whether Intruder reuses connections to issue multiple HTTP/1 requests. This can greatly increase the speed of your attacks when using HTTP/1, as Burp does not need to open a new connection for each request and close it after receiving a response. Find this in Intruder > Settings > HTTP/1 connection reuse. For more information, see HTTP/1 connection reuse.
We’ve introduced a new startup setting that enables you to trust or untrust projects. If you deselect Trust this project, Burp can now remove potentially harmful settings that could be configured within project files.
This is especially useful if you are opening project files that came from unknown or untrusted sources. Find this setting on the startup wizard, or in Settings > Suite > Startup behavior > Unrecognized project files. For more information, see Startup behavior.
You can now set intermediate certificates when you add a new PKCS#11 certificate for hardware token and smart cards. This enables you to test target applications that don’t directly trust your intermediate CA. For more information, see Client TLS certificates.
You can now set custom SNI values in Repeater. This enables you to reproduce external service interaction issues detected by Scanner using Collaborator payloads within the SNI. For more information, see HTTP Repeater tab.
All scans in a project can now share crawl path information. This improves scan efficiency, enabling Burp Scanner to build on the paths it has already discovered as new scans are run.
As a result of this, we have added a new Crawl paths tab to the Target tool. This tab displays path information in the same way as the existing scan results Crawl path tab, but is populated by all scans rather than one individual scan. Any new scans that you run can draw on and add to the information displayed in this tab.
As part of the global crawl path work, we have added a Run isolated scan option to the scan launcher. Results from isolated scans do not appear in the Target > Site map or Target > Crawl paths tabs. This feature is useful if you want to test settings without impacting “live” scan results, for example.
You can view site map and crawl path information for isolated scans from the Tasks > View details > Target tab. The information displayed on this tab applies to the selected scan task only.
Burp Scanner can now run introspection queries on GraphQL endpoints to gain information on available queries and mutations. If the introspection query is successful, Burp Scanner sends further requests to each query and mutation discovered in an attempt to discover as much attack surface as possible. To enable GraphQL introspection, select the new Perform GraphQL introspection setting in the Miscellaneous section of the scan configuration.
If it does not find any GraphQL endpoints in the crawl, Burp Scanner can also now attempt to guess GraphQL endpoints using a list of common endpoint suffixes. To enable GraphQL endpoint guessing, select the new Test common GraphQL endpoints setting in the Miscellaneous section of the scan configuration.
We have added a new Automatic throttling setting to the Resource pool section of the scan launcher. You can now configure which HTTP response codes should cause Burp Scanner to introduce a short delay between requests. Previously, Burp Scanner could only throttle requests when the server responded with a HTTP 429 code.
We have improved crawl optimization to reduce the chance of interesting content being missed. Specifically, Burp Scanner now treats clickables that are using the same event listener with different visible text as separate entities, and visits them all.
We’ve fixed a number of minor bugs, including:
We have upgraded Burp’s built-in browser to 115.0.5790.170 for Mac and Linux and 115.0.5790.170/.171 for Windows. This update contains multiple high-severity security fixes.
We have upgraded Burp’s built-in browser to 115.0.5790.170 for Mac and Linux and 115.0.5790.170/.171 for Windows. This update contains multiple high-severity security fixes.
This release introduces the ability to reuse HTTP/1 connections in Intruder, specify intermediate CA certificates when authenticating using hardware tokens and smart cards, safely open third-party project files, and set custom SNI values in Repeater.
In Burp Scanner, we have introduced a new project-level Crawl paths tab in the Target tool, and support for GraphQL introspection during scans. We have also made several minor improvements and fixed a few bugs.
You can now control whether Intruder reuses connections to issue multiple HTTP/1 requests. This can greatly increase the speed of your attacks when using HTTP/1, as Burp does not need to open a new connection for each request and close it after receiving a response. Find this in Intruder > Settings > HTTP/1 connection reuse. For more information, see HTTP/1 connection reuse.
We’ve introduced a new startup setting that enables you to trust or untrust projects. If you deselect Trust this project, Burp can now remove potentially harmful settings that could be configured within project files.
This is especially useful if you are opening project files that came from unknown or untrusted sources. Find this setting on the startup wizard, or in Settings > Suite > Startup behavior > Unrecognized project files. For more information, see Startup behavior.
You can now set intermediate certificates when you add a new PKCS#11 certificate for hardware token and smart cards. This enables you to test target applications that don’t directly trust your intermediate CA. For more information, see Client TLS certificates.
You can now set custom SNI values in Repeater. This enables you to reproduce external service interaction issues detected by Scanner using Collaborator payloads within the SNI. For more information, see HTTP Repeater tab.
All scans in a project can now share crawl path information. This improves scan efficiency, enabling Burp Scanner to build on the paths it has already discovered as new scans are run.
As a result of this, we have added a new Crawl paths tab to the Target tool. This tab displays path information in the same way as the existing scan results Crawl path tab, but is populated by all scans rather than one individual scan. Any new scans that you run can draw on and add to the information displayed in this tab.
As part of the global crawl path work, we have added a Run isolated scan option to the scan launcher. Results from isolated scans do not appear in the Target > Site map or Target > Crawl paths tabs, or on the Dashboard’s issue activity log. This feature is useful if you want to test settings without impacting “live” scan results, for example.
You can view site map and crawl path information for isolated scans from the Tasks > View details > Target tab. The information displayed on this tab applies to the selected scan task only.
Burp Scanner can now run introspection queries on GraphQL endpoints to gain information on available queries and mutations. If the introspection query is successful, Burp Scanner sends further requests to each query and mutation discovered in an attempt to discover as much attack surface as possible. To enable GraphQL introspection, select the new Perform GraphQL introspection setting in the Miscellaneous section of the scan configuration.
If it does not find any GraphQL endpoints in the crawl, Burp Scanner can also now attempt to guess GraphQL endpoints using a list of common endpoint suffixes. To enable GraphQL endpoint guessing, select the new Test common GraphQL endpoints setting in the Miscellaneous section of the scan configuration.
We have added a new Automatic throttling setting to the Resource pool section of the scan launcher. You can now configure which HTTP response codes should cause Burp Scanner to introduce a short delay between requests. Previously, Burp Scanner could only throttle requests when the server responded with a HTTP 429 code.
We have improved crawl optimization to reduce the chance of interesting content being missed. Specifically, Burp Scanner now treats clickables that are using the same event listener with different visible text as separate entities, and visits them all.
We’ve fixed a number of minor bugs, including:
We have upgraded Burp’s built-in browser to 115.0.5790.110 for Windows and Linux, and 115.0.5790.114 for Mac.
We have upgraded Burp’s built-in browser to 115.0.5790.110 for Windows and Linux and 115.0.5790.114 for Mac.
This release introduces the ability to easily customize the layout of Burp Suite’s top-level tabs. We’ve also made some other improvements and fixed a few bugs.
You can now customize the layout of Burp’s top-level tabs. This enables you to tweak Burp’s user interface to better suit your preferences. For example, you can now:
Burp remembers these preferences, so you won’t need to reorder your tabs every time you start Burp.
For more information on how you can customize Burp’s layout, see our reference documentation.
We’ve made some improvements to Burp Scanner, including:
We have some additional improvements, including:
Numbers payload type.We have fixed a number of minor bugs, including:
Content Type Incorrectly Stated issue when scanning font files, or content types that Burp does not recognize.We have upgraded Burp’s built-in browser to Chromium 115.0.5790.102 for Windows, Linux and Mac.
This release introduces the ability to easily customize the layout of Burp Suite’s top-level tabs. We’ve also made some other improvements and fixed a few bugs.
You can now customize the layout of Burp’s top-level tabs. This enables you to tweak Burp’s user interface to better suit your preferences. For example, you can now:
Burp remembers these preferences, so you won’t need to reorder your tabs every time you start Burp.
For more information on how you can customize Burp’s layout, see our reference documentation.
We’ve made some improvements to Burp Scanner, including:
We have made some additional improvements, including:
Numbers payload type.We fixed a number of minor bugs, including:
Content Type Incorrectly Stated issue when scanning font files, or content types that Burp does not recognize.This release introduces BChecks, which are custom scan checks. It also provides improvements to Burp Scanner‘s live crawl path views, GraphQL scan checks, and a number of additional improvements and bug fixes.
This release introduces BChecks, which are scan checks that you can create and import. Burp Scanner runs these checks in addition to its built-in scanning routine. This enables you to fine-tune your scans and make your testing workflow as efficient as possible.
You can use our custom definition language to easily create BChecks. Burp includes a range of templates to get you started. To test your BChecks, you can use the built-in scan configuration Audit checks – BChecks only. If you use this configuration, Burp Scanner only uses BChecks when scanning.
We have also created a BChecks GitHub repository. This includes example BChecks from PortSwigger, as well as BChecks developed by the Burp Suite community. We look forward to accepting pull requests and celebrating your awesome work!
In the future, we’re planning to improve the BCheck language and testing experience. We’d love your feedback. Contact our support team at [email protected].
For more information on how to create and manage your BChecks, see Adding custom scan checks and BCheck definitions.
We have made a number of improvements to Burp Scanner’s live crawl paths view:
We have introduced a number of GraphQL scan checks. The new scan checks enable you to:
We have updated the Montoya API, to enable you to create extensions with additional functionality. You can now:
ByteArray data to different integer bases. This means you no longer need to use additional libraries to complete this task.We have made a number of additional improvements, including:
We fixed a number of minor bugs:
We have upgraded Burp’s built-in browser to 114.0.5735.198 for Mac and Linux and 114.0.5735.198/199 for Windows. This update contains multiple security fixes.
We have upgraded Burp’s built-in browser to 114.0.5735.133 for Mac and Linux and 114.0.5735.133/134 for Windows. This update contains multiple security fixes.
We have fixed an issue whereby Burp’s browser was unable to start on some Linux distributions.
We have upgraded Burp’s built-in browser to 114.0.5735.133 for Mac and Linux and 114.0.5735.133/134 for Windows. This update contains multiple security fixes.
This release introduces BChecks, which are custom scan checks. It also provides improvements to Burp Scanner‘s live crawl path views, GraphQL scan checks, and a number of additional improvements and bug fixes.
This release introduces BChecks, which are scan checks that you can create and import. Burp Scanner runs these checks in addition to its built-in scanning routine. This enables you to fine-tune your scans and make your testing workflow as efficient as possible.
You can use our custom definition language to easily create BChecks. Burp includes a range of templates to get you started.
We have also created a BChecks GitHub repository. This includes example BChecks from PortSwigger, as well as BChecks developed by the Burp Suite community. We look forward to accepting pull requests and celebrating your awesome work.
In the future, we’re planning to improve the BCheck language and testing experience. We’d love your feedback. Contact our support team at [email protected].
We have made a number of improvements to Burp Scanner’s live crawl paths view:
We have introduced a number of GraphQL scan checks. The new scan checks enable you to:
We have updated the Montoya API, to enable you to create extensions with additional functionality. You can now:
ByteArray data to different integer bases. This means you no longer need to use additional libraries to complete this task.We have made a number of additional improvements, including:
We fixed a number of minor bugs:
We have upgraded Burp’s built-in browser to 114.0.5735.110 for Windows and 114.0.5735.106 for Mac and Linux. This update contains multiple security fixes.
This release introduces the new Burp Organizer tool, a live crawl paths view, upgrades for the Montoya API, and a number of minor improvements.
We have added a new Crawl paths tab to the Task details dialog. This tab gives you real-time updates on crawls, displaying all the locations found in the target site and the actions taken by Burp Scanner to reach each of those locations.
For audit scans, the Crawl paths tab also shows details of any issues discovered in each location.
Please note that the Crawl paths tab is still under active development, and the contents of the tab are not currently saved to Burp Suite project files. As such, if you close and re-open the project the tab does not display any information for previously-run scans.
To learn more about the crawl paths view, see our documentation.
This release introduces Burp Organizer, which enables you to store copies of HTTP messages that you want to come back to later. Use Organizer to better manage your penetration testing workflow. For example, you can:
Organizer is designed to provide an alternative to storing messages in Burp Repeater. Organizer’s table structure makes it easier to work with large numbers of stored messages. It also enables you to add notes to your messages, so you can capture your thoughts to review later. These are displayed in the collapsible Notes panel.
To learn more about Burp Organizer, see our documentation.
In the future, we may add the notes function to other Burp tools. If you think this would be useful, please let us know how you would use notes in your penetration testing workflow. Contact our support team at [email protected].
We have made the following minor changes to the Burp Suite Navigation Recorder browser extension:
We have updated the Montoya API, to enable you to create extensions with additional functionality. You can now:
We have fixed a bug so that extension settings from earlier versions of Burp now carry over to the Montoya API versions of Burp.
We have added a number of minor improvements, including:
<form> tag.We have upgraded Burp’s built-in browser to 114.0.5735.91 for Windows and 114.0.5735.90 for Mac and Linux.
In this release, we have fixed a bug that sometimes prevented Burp Scanner from crawling floating input fields.
This release introduces improvements to Burp Intruder and Burp Scanner, ARM64 support for Linux, and a number of minor improvements and bug fixes.
We have made a number of improvements to Burp Scanner:
We have made a number of improvements to Burp Intruder:
We have introduced support for ARM64 on Linux. Note that Burp’s browser will only work with the installer build, not the plain JAR file.
We have continued to update the Montoya API, which enables you to create extensions with additional functionality:
We have added a Scaling setting to the Settings dialog. This enables you to view Burp correctly when you use a high resolution display with custom scaling.
We have fixed a number of minor bugs:
<form> tag.We have upgraded Burp’s built-in browser to 113.0.5672.92/.93 for Windows and 113.0.5672.92 for Mac and Linux.
We have also updated Burp so that all feedback is now attributable to a Burp license. We will use this information to continue to improve your Burp experience and provide you with more targeted support. No sensitive information is transmitted in your feedback, and you can still choose to opt out of feedback at any time.
This release fixes a bug whereby users of Linux ARM64 weren’t able to launch Burp using the JAR file.
This release introduces support for Collaborator payloads in Intruder attacks, some SPA scanning improvements, and more upgrades for the the Montoya API, and upgrades to the browser and JRE.
We have updated Burp Intruder to enable the use of Collaborator payloads in attacks. This update includes:
Collaborator interactions that result from an Intruder attack are shown in the Intruder results window, instead of the Collaborator tab.
We have continued to update the Montoya API:
We have also continued to update our Montoya API support for WebSockets. You can now right-click a WebSocket message and use the context menu to send the message to your extension.
This release includes changes that enable Burp Scanner to better handle single-page applications (SPAs).
We have upgraded DOM Invader to fix a bug whereby if a user disabled CSP with prototype pollution functionality enabled, then the system would continue to ignore CSP security headers when the user disabled prototype pollution.
This release upgrades Burp’s browser to Chromium 112.0.5615.49 for Linux and Mac and 112.0.5615.49/50 for Windows.
This release upgrades Burp installer JRE to 19.0.2. This upgrade gives several security and performance benefits.
This release provides improved support for WebSocket functionality in the Montoya API, as well as a number of minor improvements and bug fixes.
We have improved Montoya API support for WebSockets. This enables you to create extensions that interact more effectively with WebSockets. You can now:
We have made a number of minor improvements, including:
We have fixed a number of minor bugs:
This release upgrades Burp’s browser to Chromium 111.0.5563.64/65. This upgrade contains a critical security fix, as well as several high-severity fixes.
Due to a recent Chrome upgrade, Burp Scanner is no longer compatible with the Windows Server 2012 and Windows 7/8/8.1 operating systems. For more information, see the related Chrome announcement.
This release upgrades Burp’s browser to Chromium 110.0.5481.177 / 178. This upgrade contains a critical security fix, as well as several high-severity fixes.
Due to a recent Chrome upgrade, Burp Scanner is no longer compatible with the Windows Server 2012 and Windows 7/8/8.1 operating systems. For more information, see the related Chrome announcement.
In this release, we have moved more of Burp Suite’s settings into the Settings dialog, making them easier to find and use. We have also upgraded the Montoya API, made improvements to macro functionality, and made various minor improvements.
We have moved more settings into Burp’s Settings dialog. In particular, we have added:
As part of this restructuring, we have also:
We have upgraded the Montoya API to version 2023.1, which enables Burp extensions to store and manage data in project files. Any BApps that you develop with version 2023.1 will be compatible with future versions of Burp, as all future changes to the API will be backwards compatible.
You can now use the Montoya API to:
The Montoya API offers support for the following data types:
You can now define a prefix and suffix for a custom macro parameter. This can be useful, for example, to support Authorization headers, which require a static prefix followed by a dynamic value.
In addition, you can now set headers using macro parameters. When a parameter matches a request header, then Burp replaces the header value with the macro parameter value. This enables you to test APIs without configuring a Burp Extension.
This release includes several minor improvements to authenticated crawling with popup-based login mechanisms:
We have fixed a bug whereby Burp Repeater tabs were not functioning correctly when there was an absolute URL in the request line.
We have also released a couple of bug fixes related to the Montoya API:
passiveAudit() method of the ScanCheck interface returns null if no issues are identified. The method in fact returns an empty AuditResult object if no issues are identified. We have updated the Javadoc.copyToTempFile() was causing null pointer exceptions.This release upgrades Burp’s browser to Chromium 110.0.5481.77/.78.
Due to a recent Chrome upgrade, Burp Scanner is no longer compatible with the Windows Server 2012 and Windows 7/8/8.1 operating systems. For more information, see the related Chrome announcement.
This release contains a bug fix for Burp’s diagnostics.
Previously, Burp was not returning details of the installed extensions in its diagnostics reports. We have fixed this issue, and all installed extensions are now listed.
This release upgrades Burp’s browser to a later version of Chromium and fixes a minor bug.
This release upgrades Burp’s browser to Chromium 109.0.5414.74/.75/.87.
We have enabled both the Auto backoff and Enable concurrent request limiting settings in Burp Scanner by default, and set Enable concurrent request limiting to 10. These settings were disabled by default in the Professional / Community 2022.12.5 release.
This release introduces support for popup windows when recording logins and a new live crawl view for Burp Scanner. We have also added several new features to DOM Invader, including the ability to detect DOM clobbering vulnerabilities, and various minor improvements and bug fixes for Burp Suite. It also upgrades Burp’s browser to a later version of Chromium.
Burp Scanner can now replay recorded login sequences that open new windows or tabs. This enables you to run authenticated scans on websites with login mechanisms that require you to interact with popups, such as Microsoft and Amazon’s SSO services.
We have added a new Live crawl view tab to the Scan details dialog. This tab enables you to watch Burp Scanner render web pages in real time, helping you to diagnose unusual crawl activity or simply get a better understanding of Burp Scanner’s behaviors when scanning a particular target.
This release significantly improves Burp Scanner’s resilience and provides increased support for a wider range of applications, especially SPAs.
Most importantly, we’ve fundamentally changed the way Burp Scanner navigates using its built-in browser. As a result, you may now be able to successfully scan a number of sites that were previously incompatible with automated vulnerability scans. In particular, you should see much better results on sites that rely heavily on navigation initiated by client-side JavaScript.
We’ve also dramatically improved our browser process management, resulting in much lower memory usage during scans.
This release adds a number of new features to DOM Invader, as well as some usability improvements.
We have also divided the main settings menu into collapsible categories to make it easier to use.
We have added support for rolling licenses in Burp Suite. If your Burp license key has expired but you have a new, valid license associated with your account, then Burp Suite automatically applies your new license key the next time it starts up.
Burp Suite now requires Java 17 or later to run. This change should not impact you unless you launch Burp Suite from the command line, as the installer includes a bundled private Java Runtime Environment so that you don’t need to worry about installing or updating Java.
This release includes several minor improvements, including:
We have fixed the following bugs:
This release upgrades Burp’s browser to Chromium 108.0.5359.124/.125.
In this release, we have significantly improved the usability of Burp’s user and project options. We have also added new functionality to DOM Invader and the Montoya API.
We have moved all of the options in the User options and Project options tabs to a new Settings dialog, accessible from a button on the main toolbar or by a configurable hotkey.
This new dialog improves the layout and navigation of Burp’s options in several ways:
Each setting in the dialog has a marker indicating whether it is a user-level or project-level setting. For settings that can apply at either level, there is an Override options for this project only toggle that enables you to select the level at which the setting should apply.
DOM Invader can now detect when the current page sends a web message containing data from the URL to a different target origin. In this case, an attacker can potentially steal sensitive data, such as OAuth tokens, by embedding the affected page in an iframe, along with an event listener that extracts the data.
Testing for these vulnerabilities manually is a laborious task, but DOM Invader can automate most of this process for you. Just enable the Detect cross-domain leaks option from DOM Invader’s web message settings:
You can now configure DOM Invader to strip the Permissions-Policy header from responses.
Some websites set directives via the Permissions-Policy header that block features that are essential to DOM Invader’s functionality, such as synchronous XHR. In this case, DOM Invader informs you via the console and prompts you to enable the Remove permissions policy header option from the settings menu.
You can now use the Montoya API to intercept and modify proxied WebSocket messages.
This release includes several minor improvements to Burp Suite’s tools, including:
We have upgraded Burp’s browser to Chromium 107.0.5304.110, which fixes a number of high-severity security issues.
We have fixed a bug whereby requests were sometimes not rendering correctly in the message editor.
This release introduces the Montoya API, an all-new replacement for the Extender API. It also includes improvements to the Burp Collaborator client and adaptive request throttling for Burp Scanner.
We have released the Montoya API, an all-new API that enables you to develop extensions for Burp Suite. The new API offers a more modern design than the existing Extender API, making it easier to use and enabling us to add future features that we could not have supported with the old API.
This change will not affect any current BApps, and the existing Extender API will continue to work as normal for the immediate future. However, we strongly recommend that you write any new extensions using the new Montoya API, as we will eventually end support for the Extender API.
The Montoya API offers all of the same features as the existing version. It also includes several new features, such as:
This release introduces various usability improvements for the Burp Collaborator client, including:
Renewed license keys now update automatically. If your existing license is expiring or has expired altogether, Burp Suite automatically checks your account for a renewed license key. If you have a renewed key associated with your account, then the system retrieves and activates that key.
Please note that you will need to allow network access to https://portswigger.net for this process to work.
When Burp Scanner receives a 429 response due to sending too many requests in quick succession, it now incrementally adds a short delay between requests until it complies with the server’s rate limit. This enables the scan to continue as normal, albeit with an increased duration.
If you prefer, you can disable this behavior using a custom scan configuration – just go to Request throttling configuration and deselect Adaptive request throttling.
We have fixed an HTML injection vulnerability that could be triggered by attackers with direct access to the proxy listener. Note that the proxy listener only accepts connections from localhost by default. This issue was privately reported via our bug bounty program.
We have upgraded Burp’s browser to Chromium 107.0.5304.62, which fixes a number of high-severity security issues.
We have also fixed some minor bugs, including:
This release implements a back-end change to the way we check the validity of licenses.
This release provides some minor bug fixes and upgrades Burp’s browser.
We have upgraded Burp’s browser to Chromium 106.0.5249.119, which fixes a number of high-severity security issues.
This release also patches a low-severity security issue that was reported via our bug bounty program. We will provide further details once the patch is available on our Stable release channel.
This release also includes a couple of bug fixes, including:
This release provides various new features for the Montoya API. It also includes some bug fixes for Burp Scanner and an update for Burp’s browser.
We have added several new features to the Montoya API. These include:
This release updates Burp’s browser to Chromium 106.0.5249.61, which fixes a number of high-severity security issues.
This release also includes a couple of bug fixes for Burp Scanner, including:
This release provides new scan checks based on James Kettle’s Browser-Powered Desync Attacks, first presented at Black Hat USA 2022. It also introduces the new capabilities for Burp Repeater that enable you test for these vulnerabilities manually.
Burp Scanner now reports client-side desync vulnerabilities. We’ve also upgraded our existing HTTP request smuggling checks to detect CL.0 vulnerabilities.
For more details on both of these issues, check out James’s whitepaper and the new Web Security Academy content.
You can now send the requests from a group of Repeater tabs as an automated sequence. When viewing a tab that belongs to a group, there is now a drop-down menu next to the Send button that lets you choose how your request sequence is sent. You can either send all of the requests over a single connection or use a separate connection for each request.
This release upgrades Burp’s browser to Chromium 106.0.5249.61, which fixes a number of high-severity security issues.
Sending requests over a single connection enables you to test for client-side desync vulnerabilities. For more information about how to do this, as well as some deliberately vulnerable labs for you to practice on, check out the new content on the Web Security Academy.
Sending over a single connection is also useful for timing-based attacks that rely on being able to compare responses with very small differences in timings as it reduces the “jitter” that can occur when establishing TCP connections.
Sending requests over separate connections is primarily useful when testing for vulnerabilities that require a multi-step process.
Burp Scanner uses OAST techniques to identify critical vulnerabilities via DNS pingbacks to Burp Collaborator. Both the DNS interaction itself and the identified vulnerability are reported as separate issues. In some cases, such as when testing for SSRF, we may induce the application to perform a DNS lookup without this leading to the discovery of any further vulnerability. To better reflect this latter scenario, we have adjusted the severity of the External service interaction (DNS) issue.
We previously classed this as a high-severity issue on the assumption that a corresponding HTTP request was probably sent by the server, but subsequently blocked by a firewall’s egress filters. Although we can’t detect this externally, it could still provide a vector for pivoting attacks against the internal network.
However, we’ve increasingly encountered cases where systems perform a DNS lookup with no intention of ever connecting to the remote host, meaning that no HTTP request ever existed. For example, this could be triggered simply by adding a URL as the key of a Java Map.
This behavior can still indicate a serious vulnerability, and is worthy of further investigation, but we have reduced the reported severity to reflect the typical impact.
Previously, Burp Scanner automatically terminated audits if it encountered Unknown Host errors, even if the scan scope also included separate, valid domains. Unknown host errors are now treated in the same way as other scanner errors, and the audit does not automatically terminate if one is encountered.
We have upgraded Burp’s browser to Chromium 104.0.5112.79.
This release also provides some minor bug fixes, including:
Content-Type headers.This release introduces tab-specific options in Repeater and client-side prototype pollution reporting in Burp Scanner. It also provides a change to the way Burp’s browser handles the User-Agent header and a minor bug fix.
You can now set tab-specific Repeater options, giving you finer control over how Repeater behaves when sending requests and receiving responses. To configure tab-specific options, click the new settings icon next to the Send button.
If you select specific options for a tab then Repeater ignores the global settings for that tab altogether. You can return a tab to global settings by clicking the new Restore global defaults button. This button is highlighted when a tab has specific settings configured.
Burp Scanner can now detect client-side prototype pollution. For more information on this vulnerability, see the new “Client side prototype pollution” issue definition that has been added to the Target > Issue definitions page.
We have amended Burp’s browser so that it respects the configured User-Agent header when scanning rather than generating a random User-Agent string. The original approach was used as a means of tracking requests, but is no longer needed.
We have upgraded Burp’s browser to Chromium 103.0.5060.134.
This release introduces several improvements to the Intruder and Repeater tab bars which include the ability to select between a scrolling or wrapped tab view as well as, the ability to organize tabs into groups for Repeater. This release also introduces HTTP/1 keep-alive, where Burp Suite is now able to reuse a single TCP connection to send multiple HTTP/1 requests, and adds a selection of preset scan modes to the Scan Configuration menu. Lastly, several key improvements for DOM Invader, including the ability to test for client-side prototype pollution.
Now, users can organise Repeater tabs into color-coded groups. Grouping tabs makes simplifies work with large numbers of open tabs and keep track of related requests.
Search function to the tab bar allows users to search for individual tabs or groups.
Two views for tabs from Intruder and Repeater. As well as the standard wrapped view, users are able to display tabs as a single, scrollable row. This feature helps to free up on-screen real estate, especially on smaller displays.
This release includes the following key improvements to DOM Invader:
Users can send multiple HTTP/1 requests using the same TCP connection. In the previous time, Burp always closed the connection after each request / response pair, even if the server supported connection reuse.
This way, reusing connections is highly beneficial in terms of request speed and timing accuracy.
To enable HTTP/1 keep-alive, go to Project options > HTTP > HTTP/1 and select the Use keep-alive for HTTP/1 if the server supports it option. Users can override this setting in Repeater using the Enable HTTP/1 keep-alive reuse menu option.
Users can now select from four preset scan modes during configuring a scan. These preset scan modes provides a quick way to adjust how the scan balances speed and coverage, without the need to set up a custom scan configuration.
These new scan modes can be applied by selecting Use a preset scan mode from the Scan Configuration menu and choosing one of the available options.
Numerous improvements to Burp Scanner to enhance stability, performance, and progress estimation.
The security improvements included in this release are:
This release also gives a number of bug fixes. Most importantly:
Burp’s browser upgraded to Chromium 103.0.5060.53, which patches a critical security issue.
This release introduces several improvements to the Intruder and Repeater tab bars which include the ability to select between a scrolling or wrapped tab view as well as, the ability to organize tabs into groups for Repeater. This release also introduces HTTP/1 keep-alive, where Burp Suite is now able to reuse a single TCP connection to send multiple HTTP/1 requests, and adds a selection of preset scan modes to the Scan Configuration menu. Lastly, several key improvements for DOM Invader, including the ability to test for client-side prototype pollution.
Now, users can organise Repeater tabs into color-coded groups. Grouping tabs makes simplifies work with large numbers of open tabs and keep track of related requests.
Search function to the tab bar allows users to search for individual tabs or groups.
Two views for tabs from Intruder and Repeater. As well as the standard wrapped view, users are able to display tabs as a single, scrollable row. This feature helps to free up on-screen real estate, especially on smaller displays.
This release includes the following key improvements to DOM Invader:
Users can send multiple HTTP/1 requests using the same TCP connection. In the previous time, Burp always closed the connection after each request / response pair, even if the server supported connection reuse.
This way, reusing connections is highly beneficial in terms of request speed and timing accuracy.
To enable HTTP/1 keep-alive, go to Project options > HTTP > HTTP/1 and select the Use keep-alive for HTTP/1 if the server supports it option. Users can override this setting in Repeater using the Enable HTTP/1 keep-alive reuse menu option.
Users can now select from four preset scan modes during configuring a scan. These preset scan modes provides a quick way to adjust how the scan balances speed and coverage, without the need to set up a custom scan configuration.
These new scan modes can be applied by selecting Use a preset scan mode from the Scan Configuration menu and choosing one of the available options.
This release includes a number of enhancements to Burp Scanner, such as several new JWT-based scan checks and an option to skip unauthenticated crawling when users have been provided application logins. The BApp Store as well provides in-app feedback on how much load BApps are placing on your system.
Burp Scanner is now able to detect 8 common JWT-based vulnerabilities, enabling users to save time, and easier to secure sites that use JWTs.
More details can be found from the individual issue definitions in Burp on the Target > Issue definitions tab.
On the Extender > BApp store tab, we now display an indication of how much load we estimate that each BApp places on your system.
The estimated system impact can be divided into the:
When Burp is performing slower than it should be, it is recommended to check these estimates for any BApps that have been loaded and removing those that are not actively using. This will help extend Burp’s capabilities without impairing performance.
Performance may be effected due to the use of multiple extensions at the same time. The bar at the top of the screen displays the cumulative impact of all of the BApps that are currently loaded.
Users are has option to skip unauthenticated crawling in certain cases where you have provided application logins for Burp Scanner to use. This helps to reduce the crawl time.
How to enable enable this option? Users need to go to the Crawl Optimization settings in the scan configuration and select Crawl using my provided logins only. Note that if you do not provide any application logins, the crawler automatically reverts to performing an unauthenticated crawl instead.
Several minor tweaks to the appearance and behavior of tabs in Burp Repeater are included. These will pave the way for some additional features in the future.
Use Burp Suite’s session is now available to handleoptions to add headers and values to requests. When you create a session handling rule using the new Set a specific header value action, the header and value pair provided are added to any requests that are within the rule’s scope.
Burp Suite has always used fully verified TLS to connect to known services, such as portswigger.net and the public Burp Collaborator server. Nevertheless, when communicating with arbitrary websites, it does not verify upstream TLS certificates and supports weak ciphers by default. This optimises compatibility at the expense of protection against active man-in-the-middle (MITM) attacks.
For concern on the possibility of an active MITM attack on the communication with the site being tested, you can now configure Burp to verify upstream TLS certificates. To do this, go to Project settings > TLS and select the Verify upstream TLS checkbox.
In this scenario, we recommend also selecting the Use default protocols and ciphers of your Java installation option to prevent Burp from using weak ciphers.
Please note that additional hardening is planned for this feature in the future.
We have made several minor tweaks to the appearance and behavior of tabs in Burp Repeater. These will pave the way for some additional features in the future.
Burp’s browser upgraded to Chromium 102.0.5005.61
For running, Burp Suite requires Java 11 ++ . This change will have no impact unless for installed Burp Suite as a .jar file, as the installer includes a bundled private Java Runtime Environment so that you don’t need to worry about installing or updating Java. Note that, any extensions written in a version of Java earlier than 11 may not run correctly from this release onward.
Resolved certain performance issues that some users faced when using Intruder with large resource pools.
Burp’s browser upgraded to Chromium 102.0.5005.61, which resolves a number of security issues.
This release includes a number of enhancements to Burp Scanner, such as several new JWT-based scan checks and an option to skip unauthenticated crawling when users have been provided application logins. The BApp Store as well provides in-app feedback on how much load BApps are placing on your system.
Burp Scanner is now able to detect 8 common JWT-based vulnerabilities, enabling users to save time, and easier to secure sites that use JWTs.
More details can be found from the individual issue definitions in Burp on the Target > Issue definitions tab.
On the Extender > BApp store tab, we now display an indication of how much load we estimate that each BApp places on your system.
The estimated system impact can be divided into the:
When Burp is performing slower than it should be, it is recommended to check these estimates for any BApps that have been loaded and removing those that are not actively using. This will help extend Burp’s capabilities without impairing performance.
Performance may be effected due to the use of multiple extensions at the same time. The bar at the top of the screen displays the cumulative impact of all of the BApps that are currently loaded.
Users are has option to skip unauthenticated crawling in certain cases where you have provided application logins for Burp Scanner to use. This helps to reduce the crawl time.
How to enable enable this option? Users need to go to the Crawl Optimization settings in the scan configuration and select Crawl using my provided logins only. Note that if you do not provide any application logins, the crawler automatically reverts to performing an unauthenticated crawl instead.
Several minor tweaks to the appearance and behavior of tabs in Burp Repeater are included. These will pave the way for some additional features in the future.
Use Burp Suite’s session is now available to handleoptions to add headers and values to requests. When you create a session handling rule using the new Set a specific header value action, the header and value pair provided are added to any requests that are within the rule’s scope.
Burp’s browser upgraded to Chromium 102.0.5005.61
For running, Burp Suite requires Java 11 ++ . This change will have no impact unless for installed Burp Suite as a .jar file, as the installer includes a bundled private Java Runtime Environment so that you don’t need to worry about installing or updating Java. Note that, any extensions written in a version of Java earlier than 11 may not run correctly from this release onward.
Resolved certain performance issues that some users faced when using Intruder with large resource pools.
Issue fixed with Burp Scanner that was causing Kubernetes deployments of Burp Suite Enterprise Edition to crash because of insufficient shared memory.
Issue fixed in which users were unable to save more than one copy of a temporary project. Save multiple copies of temporary projects is now available through this release.
Burp’s browser upgraded to Chromium 101.0.4951.64.
This release includes Burp’s browser upgrade and a couple of bug fixes.
Burp’s browser upgraded to Chromium 101.0.4951.54
In addition to the existing Pretty, Raw, Hex, and Render tabs, adding the following tabs to the message editor are now possible:
While some of the tabs were available in older versions of Burp Suite, they are now reintroduced and enhanced with the same powerful features for working with HTTP messages as the Inspector. This is a great alternative for users that do not have room on their screen for the side panel but want to take advantage of the Inspector’s functionalit
n order to control which tabs are displayed, and in which order, users can click the settings icon in the upper-right corner of the message editor (above the Inspector panel), then select Message editor.
This release comes with a new domain name for the public Burp Collaborator server. , Burp Scanner and the Burp Collaborator client will now use oastify.com for their Collaborator payloads instead of burpcollaborator.net. unless Burp has been configured to use a private Collaborator server). This features help reduce false negatives, thus users can identify out-of-band vulnerabilities that were previously hidden due to widespread blocking of the old domain name.
This new domain name is in addition to the old one. Users are still able to view interactions with any of your existing burpcollaborator.net payloads.
Take note that if you’re running Burp within a closed network and previously had to allow connections to burpcollaborator.net on port 443 in order to poll for interactions, it is essential to carry out the same for step for oastify.com.
Ability to fetch data from out-of-scope API endpoints if required to load the page correctly using Burp Scanner’s dynamic JavaScript analysis. plus able to detect DOM-based vulnerabilities where malicious input is only passed to a sink if an API call is made.
Importantly, although Burp Scanner fetches external resources and data when required, it will not perform any additional crawl or audit of out-of-scope URLs.
This change dismisses inconvenient in Burp Repeater where users experience difficulty in keeping track of the order of tab the faced in the previous versions of Burp.
This behavior has been disabled, therefore, tabs no longer move when selected.
Burp’s browser upgraded to Chromium 101.0.4951.41.
onload event handlers in the HTML <body> tag.This release includes Burp’s browser to Chromium 100.0.4896.127. Also, several minor bug fixes. Most importantly, issue that was preventing some extensions from loading correctly and one other that involves errors when starting Burp in headless mode.
This release gives Java 17 support for some extensions which previously failed to load.
This release involves Burp’s browser upgrade to Chromium 100.0.4896.75 as well as the installer Java version to 17.0.2.
This release includes a number of bug fixes and an upgrade for Burp’s browser.
Upgraded Burp’s browser to Chromium 100.0.4896.60
This release offers the following bug fixes for Burp Repeater:
Burp’s browser upgraded to Chromium 99.0.4844.84
This release lets user to insert tabs to the message editor that give the same features as the Inspector panel. Furthermore, it adds a new domain name for the public Burp Collaborator server and includes some enhancements to Burp Scanner. Lastly, rows of tabs will no longer switch places when selected.
In addition to the existing Pretty, Raw, Hex, and Render tabs, user can now add these tabs to the message editor:
While some of the tabs were available in older versions of Burp Suite, they are now reintroduced and enhanced with the same powerful features for working with HTTP messages as the Inspector. This is a great alternative for users that do not have room on their screen for the side panel but want to take advantage of the Inspector’s functionality.
In order to control which tabs are displayed, and in which order, users can click the settings icon in the upper-right corner of the message editor (above the Inspector panel), then select Message editor.
This release comes with a new domain name for the public Burp Collaborator server. , Burp Scanner and the Burp Collaborator client will now use oastify.com for their Collaborator payloads instead of burpcollaborator.net. unless Burp has been configured to use a private Collaborator server). This features help reduce false negatives, thus users can identify out-of-band vulnerabilities that were previously hidden due to widespread blocking of the old domain name.
This new domain name is in addition to the old one. Users are still able to view interactions with any of your existing burpcollaborator.net payloads.
Take note that if you’re running Burp within a closed network and previously had to allow connections to burpcollaborator.net on port 443 in order to poll for interactions, it is essential to carry out the same for step for oastify.com.
In this version, Burp Scanner’s dynamic JavaScript analysis can fetch data from out-of-scope API endpoints if required to load the page correctly. This allows it to detect DOM-based vulnerabilities where malicious input is only passed to a sink if an API call is made.
Note that Burp Scanner will not perform any additional crawl or audit of out-of-scope URLs fetches external eventhough resources and data when needed
This change dismisses inconvenient in Burp Repeater where users experience difficulty in keeping track of the order of tab the faced in the previous versions of Burp.
This behavior has been disabled, therefore, tabs no longer move when selected.
We have upgraded Burp’s browser to Chromium 99.0.4844.74, which fixes one critical bug and a number of high / medium severity bugs.
This release provides a number of bug fixes. Importantly:
onload event handlers in the HTML <body> tag.Burp’s browser upgraded to Chromium 99.0.4844.74, that fixes one critical bug and a number of high or medium severity bugs.
This release gives ultra-fast crawling of static content, advanced scanning of single-page applications and several minor bug fixes.
The Fastest crawl strategy of Burp Scanner is now optimized for crawling static sites as fast as possible. This is achieved through disabling irrelevant features for static content like automated session handling and state recovery.
How exactly it works? The changes decrease the time taken to crawl our static documentation site (from around 45 minutes to below 10 minutes.
Long-time Burp users can benefits this strategy as it effectively an improved version of the Spider tool from Burp Suite 1.7, emulated by the new crawling engine.
This release greatly improves the ability of Burp Scanner in handling single-page applications (SPAs) built on frameworks such as React.
A few months ago, Portswigger has resolved HTML injection vulnerability that may cause Burp Suite to sending requests that did not respect its upstream proxy configuration. This issue is due to Swing GUI components that were insecurely configured to render HTML that can result in leak NetNTLM hashes on Windows systems that unable to block outbound SMB.
This release provides additional mitigation that prevents BApps from introducing this vulnerability even though they contain Swing components that enables HTML rendering.
This issue was reported through the bug bounty program.
Burp’s browser is upgraded to Chromium 99.0.4844.51.
Several minor bugs fixes such as
This release gives several minor bug fixes. Most importantly, an issue that meant recorded login sequences were sometimes cut short when testing them.
This release gives ultra-fast crawling of static content, advanced scanning of single-page applications and several minor bug fixes.
The Fastest crawl strategy of Burp Scanner is now optimized for crawling static sites as fast as possible. This is achieved through disabling irrelevant features for static content like automated session handling and state recovery.
How exactly it works? The changes decrease the time taken to crawl our static documentation site (from around 45 minutes to below 10 minutes.
Long-time Burp users can benefits this strategy as it effectively an improved version of the Spider tool from Burp Suite 1.7, emulated by the new crawling engine.
This release greatly improves the ability of Burp Scanner in handling single-page applications (SPAs) built on frameworks such as React.
Burp’s browser has been upgraded to Chromium 98.0.4758.102.
This release has fixed several minor bugs. Most importantly to issue that caused some Windows users to see a No JVM found on your system error when restarting Burp after an update.
This release includes new options for customizing the appearance and behavior of the Inspector panel. Now, you can keep it collapsed by default depending on preference.
The presence of settings icon in the upper-right corner of the panel allows you to:
Burp’s browser upgraded to Chromium 98.0.4758.80.
This release let you configure Intruder attacks against multiple hosts and adds several new options for customising the Inspector. These include:
You can now add payload positions to the target host field in Burp Intruder. This feature is useful in situations where you want to test for issues across many web applications simultaneously as you are able to target multiple hosts from a single attack with this feature.
Due to this adjustment, the settings which was previously included in Intruder’s Target tab is now incorporated into its Positions tab.
New toolbar at the top of the Inspector panel contains buttons that let you:
You are also able to toggle line wrapping by clicking the icon in the upper-right corner of each table.
This recent supports the latest Apple Mac models equipped with M1 (Arm64) processors with a dedicated installer.
Please refer to the documentation for details to identify the installer you need.
For new installation of Burp Suite, the Burp Proxy’s Intercept feature is now off by default to remove the common problem of users forgetting to disable it before attempting to use the browser.
Burp’s browser upgraded to Chromium 96.0.4664.45.
This release involves several minor bug fixes. The most notable changes bug fixes that prevented Burp from completing the TLS handshake with servers whose certificate chain was longer than 10 but less than 30.
This release gives a security patch and several minor bug fixes.
In this release, fixed a medium-severity security issue in the way Burp Suite processed HTTP/2 responses that may introduced XSS in certain circumstances has been fixed. The issue has been reported by Ademar Nowasky Junior | @nowaskyjr, through our bug bounty program.
Burp’s browser to Chromium 96.0.4664.45 has been upgraded in this release.
In order to prevent accidental loss of Burp project files, this release include several adjustments such as
This release offers a few updates to DOM Invader, line wrapping in Burp’s message editor and several bug fixes.
There are minor improvements done to DOM Invader. Those include:
Added support for line wrapping in Burp’s message editor is now made available to ease work with messages that contain lengthy strings like authorisation tokens.
Line wrapping can be enabled by default in the Pretty and Raw views. The feature however allows you to toggle it on and off via the button above each message.
Burp’s browser is updated to Chromium version 95.0.4638.69 that is capable in fixing various high severity bugs.
The inspector in the latest release now supports Base64url encoding.
This release solves the occasional visual issue that occurs when line wrapping is enabled in message editors wtih large font sizes.
This release enables manual testing of hidden HTTP/2 attack surface and adds a number of improvements to Burp Intruder and Burp Scanner.
You can now send HTTP/2 requests from Burp Repeater even if the server doesn’t explicitly advertise HTTP/2 support via ALPN. This allows you to manually explore additional “hidden” HTTP/2 attack surface.
To enable this behavior, first select the Allow HTTP/2 ALPN override option from the Repeater menu, then switch the protocol to HTTP/2 from the Inspector panel.
We have made the following improvements to Burp Intruder:
We have added payloads to the server-side template injection (SSTI) scan check to detect vulnerabilities in the following Java-based template engines:
We have also integrated additional out-of-band detection methods using Burp Collaborator.
API calls that are triggered by the crawler interacting with elements on the page will now be sent for audit.
We have also improved the way the crawler interacts with forms on a page to better support modern single-page applications.
We have made the following changes to improve the handling of XML and JSON insertion points during scans:
xml:lang and xmlns:* are now ignored by default. If you prefer, you can override this setting in your scan configuration under Audit options > Ignored insertion points.Burp Scanner can now handle iframes, multi-selects, scrolling elements, and SVG elements in recorded login sequences. We have also improved reliability of recorded logins by changing the way we locate and interact with elements on the page. For more details, please see our blog post on authenticated scanning improvements.
We have updated Burp’s embedded browser to Chromium version 95.0.4638.54, which fixes a number of high-severity bugs.
This release also provides a number of bug fixes, most notably for a bug when highlighting or selecting text in Burp Repeater.
This release upgrades the embedded browser and fixes an issue that was reported to our bug bounty program.
Burp’s embedded Chromium browser has been updated to version 92.0.4515.159.
We have fixed a vulnerability that could result in Burp Suite issuing requests that do not respect its upstream proxy configuration and could leak NetNTLM hashes on Windows systems that fail to block outbound SMB.
This issue was reported to our bug bounty program.
This release provides several bug fixes, most notably a fix for a memory leak issue that affects some extensions.
This release provides a range of powerful new enhancements to Burp’s HTTP/2 support. This enables you to identify and exploit a number of HTTP/2-exclusive vulnerabilities, including those presented by James Kettle at Black Hat USA 2021. It also implements a security fix for the embedded browser and some minor bug fixes for recorded login sequences.
In Burp Repeater and Proxy Intercept, you can now choose whether to send each request using HTTP/1 or HTTP/2. When you switch protocols, Burp will automatically perform the necessary transformations behind the scenes to generate an equivalent request suitable for the new protocol. For example, the HTTP/1 request line is mapped to HTTP/2’s :method and :path pseudo-headers.
This enables you to easily upgrade and downgrade requests to experiment with protocol-specific vulnerabilities.
We are excited to announce that Burp Suite Professional now provide native support for viewing and manipulating HTTP/2 requests.
In addition to the HTTP/1-style representation of the request that you can see in the message editor, the Inspector now lets you work with HTTP/2 headers and pseudo-headers in a way that more closely resembles what will be sent to the server. As this view doesn’t rely on HTTP/1 syntax, you’re able to construct attacks using a number of HTTP/2-exclusive vectors that are impossible to reproduce in HTTP/1. This gives you the opportunity to explore a whole new attack surface that has barely been audited due to the complete lack of any suitable tooling until now.
For some real-world examples of what’s possible, check out the whitepaper for James Kettle’s latest research, HTTP/2: The Sequel Is Always Worse, which he recently presented at Black Hat USA 2021.
Burp’s message editor still lets you work with an HTTP/1-style representation of the request and converts this to an equivalent HTTP/2 request under the hood. This is great for performing general testing where the protocol you’re using isn’t important.
For more information about these features, the configuration options, and a breakdown of some HTTP/2 fundamentals, please refer to the accompanying documentation
In addition to the new manual HTTP/2 tooling, this release adds some HTTP/2-specific improvements to Burp Scanner:
We’ve also improved the issue details for HTTP request smuggling to flag when server-side countermeasures have limited the impact to request tunnelling.
These enhancements are also based on James’s research.
We have updated Burp Suite’s embedded browser to fix a clickjacking-based remote code execution bug in Burp Suite, as reported to our bug bounty program. We have updated to Chromium 92.0.4515.131, which fixes several bugs that Google has classified as high.
This release fixes several bugs that should improve the reliability of recorded login playback.
This release includes the return of the hex view, enabling HTTP/2 for extensions, task pausing improvements, an embedded browser upgrade, and several bug fixes.
You wanted it back so it has returned, and it’s better than ever! The hex view in the message editor returns to Burp Suite, allowing you to display and edit messages in hexadecimal notation. This is especially useful when dealing with binary formats. You can also choose to copy text or hex codes when using the context menu to copy single or multiple cells in the message editor’s hex view.
HTTP/2 is now enabled for requests issued by extensions. Additionally, we have added two new methods to IBurpExtenderCallbacks, which can be used to force HTTP/1 usage when issuing requests. These methods are:
IHttpRequestResponse makeHttpRequest(IHttpService httpService,
byte[] request,
boolean forceHttp1);
and
byte[] makeHttpRequest(String host,
int port,
boolean useHttps,
byte[] request,
boolean forceHttp1);
These new methods are analogous to the existing makeHttpRequest() methods with the addition of the forceHttp1 flag, which when set will ensure that HTTP/1 is used.
Burp Suite now remembers your preference for pausing tasks on starting.
We have updated Burp Suite’s embedded browser to Chromium version 91.0.4472.114, which fixes several security issues that Google has classified as high.
This release fixes several minor bugs.
We have updated Burp Suite’s embedded browser to Chromium version 91.0.4472.101, which fixes several security issues, one of which Google has classified as critical.
This release fixes a bug with selecting individual scan checks in an audit configuration.
Professional 2021.6 Released 2021-May-26
This release includes the return of the hex view to the message editor, HTTP/2 requests for extensions, and several bug fixes.
You wanted it back so it has returned, and it’s better than ever! The hex view in the message editor returns to Burp Suite, allowing you to display and edit messages in hexadecimal notation. This is especially useful when dealing with binary formats.
HTTP/2 is now enabled for requests issued by extensions. Additionally, we have added two new methods to IBurpExtenderCallbacks, which can be used to force HTTP/1 usage when issuing requests. These methods are:
IHttpRequestResponse makeHttpRequest(IHttpService httpService,
byte[] request,
boolean forceHttp1);
and
byte[] makeHttpRequest(String host,
int port,
boolean useHttps,
byte[] request,
boolean forceHttp1);
These new methods are analogous to the existing makeHttpRequest() methods with the addition of the forceHttp1 flag, which when set will ensure that HTTP/1 is used.
This release includes the following bug fixes.
No application protocols errors with some servers.This release includes several improvements to Intruder, one of which allows you to save Intruder attacks to project files. The release also includes other minor Burp Suite improvements.
You can now save Intruder attacks to project files, so you can close Burp Suite and come back later to continue your attacks, or view the results of completed attacks. This is done on an opt-in basis: attacks are not saved by default, to avoid bloating project files. An attack can be saved before, during, or after it has been performed. The title bar of an attack window shows whether it has been saved or not.
We have made several other improvements to Intruder. These include:
You can now optionally supply a specific TTL value when configuring custom DNS records in Burp Collaborator.
This release updates Burp Suite’s embedded browser to Chromium version 90.0.4430.93, which fixes several security issues that Google have classified as high.
This release provides a native logging tool to Burp Suite. It also allows saving settings for Burp’s embedded browser and message editor’s search bar, and the ability to turn off Repeater’s line ending normalization. The release also provides several bug fixes.
Burp Suite now has a native logging tool called Logger, which is available from the main row of tool tabs. Some highlights of Logger are:
Here is a short video showing Logger in action:
When using Burp’s embedded Chromium browser, your history and any changes you make to the browser settings are now saved even after you close Chromium. This means you no longer need to reconfigure your preferences each time you use the browser and can even keep any extensions that you install.
By default, your settings and history will be persisted. If you’d prefer to disable this behavior, go to User options > Misc and deselect the corresponding checkbox in the “Embedded browser” section.
You can now configure the default settings of the message editor’s search bar. Change the defaults by going to User options > Misc and selecting the check boxes under “Message search”.
Repeater usually normalizes the line endings of requests. However, this behaviour may not always be useful, especially when you are testing request smuggling. You can now turn off normalizing line endings by going to the Repeater menu and unchecking “Normalize line endings”.
This release provides several minor improvements and bug fixes, including:
NOERROR rather than a SERVFAIL response code.This release strengthens support for HTTP/2 and turns it on by default. It also fixes several bugs.
We have strengthened support for HTTP/2 within Burp Suite. HTTP/2 support is now turned on by default and is no longer considered experimental. Burp will interact with targets via HTTP/2 when a target supports it.
HTTP/2 support brings a significant performance improvement to the network layer, benefiting Scanner and Intruder speed. It also provides future compatibility with any site that no longer supports HTTP/1.1.
If you prefer not to use HTTP/2, you can disable its use under Project Options / HTTP.
This release provides several minor improvements and bug fixes, including:
This release provides a security fix for the embedded Chromium browser, and several bug fixes.
This release includes an update of Burp’s embedded browser to Chromium 89.0.4389.90 which fixes a security issue that Google have classified as high.
This release provides several bug fixes, including:
This release provides several bug fixes. Most notably:
This release provides multiple Burp Suite update channels, including an Early Adopter channel. It also provides improved Intruder payload lists and several bug fixes.
We now deliver automatic updates to Burp Suite via two channels: Stable and Early Adopter. The default channel for all users is Stable. New versions of Burp Suite will appear on the Early Adopter channel first, and then go to the Stable channel when any initial problems have been resolved. The update channel setting is per installation, so multiple installations set to different update channels are possible.
Choose the Early Adopter channel to get the latest features fast. Choose the Stable channel for the most robust and reliable version of Burp Suite.
To change your update channel, go to “User options” and select the “Misc” tab. Then scroll down to “Update” and select the channel you prefer.
We have improved and expanded Intruder’s default payload lists. There are also new lists, such as SSRF payloads and common files and directories.
This release also provides several bug fixes, such as:
This release provides improvements to the message inspector, non-printing character display, platform authentication controls and the embedded browser. It also provides a new vulnerability definition and several bug fixes.
Burp Scanner will now detect when a target application imports a JavaScript dependency that has a known vulnerability, such as when a library is dangerously out of date or has other issues.
When viewing non-printing characters in the text editor, characters with a hexadecimal code point below 20 are displayed as “lozenges” with their hex code. Now, characters with a code point from 7F to FF are also displayed in the same way.
Platform authentication (under “User options” and the “Connections” tab) can now be turned on or off on a per-host basis.
There have been significant performance improvements in the message inspector. Also, users can now resize the message inspector horizontally and select multiple entries at once.
HTTP requests initiated by the embedded Chromium browser itself, rather than the user, are no longer sent. Also, Burp’s embedded browser has been upgraded to Chromium 88.0.4324.150.
This release also provides the following bug fixes and minor improvements:
<meta http-equiv="content-type"> tag, Burp chooses the Content-Type headers. This change affects MIME-type filters in the Proxy and Target tabs, and the Render tab in the response viewer.This release provides performance and user interface improvements, a JavaScript analysis improvement, and several bug fixes.
We have made significant improvements in both speed and memory usage in the message editor when handling large messages.
We have improved several aspects of the user interface. There are new colors for various buttons, icons, check boxes, and radio buttons, to be in line with the new branding of Burp Suite. There are now tooltips for scan phases and issue counts in the scan task Audit Items view.
Burp Scanner‘s dynamic JavaScript analysis will now load dynamically created scripts, such as document.write('<script src="…">') or document.createElement('script’).
This release also provides the following bug fixes:
This release provides the following improvements and bug fixes:
When switching between the new light and dark themes in the display settings, you no longer have to restart Burp before this change is applied.
You can now include fragments (#) in the seed URLs you specify for a scan. Note that this is only supported by browser-powered scans. If the “Use embedded browser for Crawl and Audit” option is disabled in your scan configuration, you will not be able to start a scan with seed URLs containing fragments.
Burp’s embedded browser has been upgraded to Chromium 87.0.4280.88.
The icons and icon colors for issue severity levels have changed. We’ve also adjusted the background color for the Suite tab bar, in both the light and dark themes.
We have fixed a vulnerability that could result in Burp Suite issuing requests that do not respect its upstream proxy configuration and could leak NetNTLM hashes on Windows systems that fail to block outbound SMB.
This issue was reported through our bug bounty program.
This release also provides the following bug fixes:
Cookie headers.This release provides several bug fixes. Most notably:
This release updates the look of Burp’s UI and adds an option for watching crawls in a headed browser.
This release gives Burp’s UI a make-over, with a cleaner, more modern look.
You can choose between light or dark theme at User options / Display / User interface.
You can now choose to start scans using a headed browser. In this case, when the crawl starts, a new browser window will open in which you can watch the crawler navigating around the target website in real time. This is useful for troubleshooting any issues.
You can enable this option from the miscellaneous crawl settings of your scan configuration.
If you enable this option, please note that Burp Scanner will occasionally open additional browser windows during the crawl and stop using the previous window. This is perfectly normal. Any redundant windows will automatically be closed after a period of time.
This release also provides the following improvements:
user.vmoptions file in the same folder as the BurpSuitePro.vmoptions file, Burp will load these settings instead. This file will not be changed by Burp, which means you no longer have to manually back up your custom vmoptions when updating Burp.All keyboard shortcuts now work as expected on the Intercept tab.
This release adds the Burp Suite Navigation Recorder extension to Burp’s embedded browser and fixes a minor bug in the startup process.
The Burp Suite Navigation Recorder extension is now preinstalled and ready to use in Burp’s embedded browser. This means you can immediately start recording login sequences for Burp Scanner without having to perform any manual setup.
Burp’s embedded browser has been upgraded to Chromium version 86.0.4240.198
This release also provides the following bug fixes:
This release provides several new features for both manual and automated testing, as well as some major upgrades to the message editor UI.
The new message inspector is a collapsible panel displayed on the right-hand side of the message editor throughout Burp Suite. It provides a quick way to analyze and work with interesting features of HTTP and WebSocket messages without having to switch between different tabs.
The Hex, Params, Headers, and Cookies tabs that used to appear in the message editor have been removed. You can now access the same functionality, and some additional new features, directly in the inspector panel.
You perform some of these actions by drilling down into items that were automatically identified by the inspector. Alternatively, you can manually select one or more characters in a message to work with them in the inspector panel.
For more information about using the inspector, please refer to the documentation.
Burp Scanner is now able to scan both JSON and YAML-based APIs for vulnerabilities. By default, the crawler attempts to parse any API definitions that it encounters to identify potential endpoints, along with their supported methods and parameters. You can also explicitly provide the URL of an API definition when launching a scan. Based on the endpoints that it discovers, Burp Scanner is then able to derive new locations to crawl and audit.
If you prefer, you can disable API scanning by deselecting the “Parse API definitions” crawl option in your scan configuration. You can find this option under “Miscellaneous”.
Please note that this initial release only supports scanning of a fairly limited range of REST APIs. For a full list of the prerequisites and limitations, please refer to the documentation. We plan to further develop this feature and gradually add support for a wider range of APIs in future releases.
In the previous release, we added new functionality for recording and uploading full login sequences to help Burp Scanner handle more complex authentication mechanisms. This release adds a new feature that allows you to replay your recorded login sequences in an embedded browser.
This makes it much easier to check whether the recording accurately captured your browser interactions. It may also help you to diagnose any problems if the login sequence is failing during scans.
For more information, please refer to the documentation.
By default, Burp now automatically downloads any available updates. When a new update has been downloaded, a notification will prompt you to restart Burp in order to install it. Note that you will still need to download the 2020.11 release manually.
If you prefer, you can disable automatic updates in the user options.
To support automatic updates, Burp can no longer be installed in a directory that requires admin privileges. As a result, installing 2020.11 on Windows will likely create a new instance of Burp rather than upgrading your existing installation. Unfortunately, this means you will have to manually uninstall your old version of Burp.
This is a one-off inconvenience. Upgrading to any subsequent releases will not require you to repeat this process.
To help reduce clutter, the custom views that some Burp extensions add to the message editor are no longer accessed via individual tabs. Instead, you can now alternate between your extension-specific views using a new drop-down menu.
This release enables support for recorded login sequences in Burp Scanner and provides several other minor improvements. It also includes a security fix for Burp Collaborator.
Instead of entering basic sets of login credentials for Burp Scanner to use, you can now provide the full sequence of actions required to log in. This enables Burp Scanner to handle more complex login processes, including:
Our dedicated Chrome extension captures your actions while you perform the login sequence and generates a JSON-based “script”. You can then import this script in the Application Logins section of the scan launcher. When the crawler begins an authenticated crawl, it will open a new browser session and use the script to replicate your actions, performing the full login sequence from scratch.
For more details on how to use recorded login sequences, please refer to the scan launcher documentation.
You can now clear the interaction history in Burp Collaborator client.
This release also implements several minor bug fixes, most notably:
This release resolves a security issue in the Collaborator server. Previously, an attacker in a position to perform an active, server-side MITM attack could obtain the contents of emails delivered using STARTTLS. If you are running your own Collaborator server, we recommend updating it.
This vulnerability was reported to us privately via our bug bounty program.
This release fixes a bug that was preventing WebSocket messages from being displayed correctly in the message editor.
This release provides some improvements to the HTTP message editor UI.
On the “Raw” tab, the various options you have for analyzing the HTTP message are now contained in a toolbar at the top of each request or response. From the toolbar, you can now:
In the upper-right corner of the message editor, you can now choose from three different layouts that determine how the request and response are arranged in the panel.
You can choose from the following options:
These new layout options are available in various locations throughout Burp Suite, including the Target site map and Proxy history.
The embedded browser has been upgraded to Chromium 85.0.4183.83.
After several months of live testing, we are pleased to announce that this release enables browser-powered scanning by default.
By default, Burp Scanner will now perform all navigation using an embedded Chromium browser, during both crawl and audit. This approach enables the scanner to accurately handle JavaScript and other navigational structures that modern browsers can. This has the potential to dramatically improve the coverage of the scan during both the crawl and audit phases.
To run browser-powered scanning efficiently, we recommend a machine with at least 2 CPU cores and 8 GB RAM. Burp Scanner automatically checks whether your machine appears to meet these requirements and will use the embedded browser if possible. Otherwise, scans will revert to the previous crawling engine.
If you prefer, you can also manually enable/disable browser-powered scanning in your scan configuration. You can find this option under “Crawl options” > “Miscellaneous” > “Embedded browser options”.
Note: Browser-powered scanning currently remains off by default for Burp Suite Enterprise Edition.
image/svg+xml.This release provides an upgrade to the web cache poisoning scan checks as well as several other minor improvements and bug fixes.
Burp Scanner can now identify a variety of recently discovered cache poisoning issues. These checks are based on the techniques documented by James Kettle in his presentation “Web Cache Entanglement: Novel Pathways to Poisoning” at BlackHat USA 2020.
In this release, we’ve greatly improved the usability of Burp Suite by removing the need to perform many of the initial configuration steps for Burp Proxy.
You can now use Burp’s embedded Chromium browser for manual testing. This browser is preconfigured to work with the full functionality of Burp Suite right out of the box. You no longer need to manually configure your browser’s proxy settings or install Burp’s CA certificate. The first time you launch Burp you can immediately start testing, even with HTTPS URLs.
To launch the embedded browser, go to the “Proxy” > “Intercept” tab and click “Open Browser”.
Note that if you want to use an external browser for testing. you can still configure any browser to work with Burp in the same way as you could before.
Cookie headers are now displayed correctly in the “Params” tab.This release adds an option for using HTTP/2 and provides several minor improvements and bug fixes.
This release provides experimental support for HTTP/2. From the “Project settings” > “HTTP” tab, you can now choose to use HTTP/2 for inbound and outbound communication over TLS.
As this is still an experimental feature, please use it at your own discretion.
You can now control the TLS protocols that Burp Proxy will use when performing TLS negotiation with the browser. You can configure Burp Proxy to use the default protocols of your Java installation, or override these defaults and enable custom protocols as required.
In the HTTP history, you can now hover the mouse over URL encoded data to show the decoded data in a tooltip. Previously, this worked in Burp Repeater but not the “Proxy” > “HTTP history” tab.
This release provides several bug fixes, including the following improvements to the HTTP message editor:
We have also fixed a security bug that was reported via our bug bounty program. With a significant amount of user interaction, an attacker could potentially read local files. The attacker would have to induce a user to visit a malicious website, copy the request as a curl command, and then execute it via the command line. This was classed as a medium severity issue due to the level of user interaction required.
This release provides a useful new feature for the HTTP message editor, as well as several general improvements.
You can now choose to display non-printing characters as “lozenges” in the HTTP message editor. This is supported for any bytes with a hexadecimal value lower than 20, which includes tabs, line feeds, carriage returns, and null bytes.
This feature will be greatly beneficial for many use cases, including:
Non-printing characters are hidden by default, but you can toggle the lozenges on and off by clicking the “\n” button at the bottom of the editor.
These non-printing characters can currently only be displayed in the message editor. For now, you have to edit bytes using Burp’s hex view. However, we plan to enable you to do this directly in the message editor in the near future.
This release also provides the following minor improvements to various areas of Burp:
We have also implemented several minor bug fixes, most notably:
This release provides the following minor improvements:
In addition to general bug fixes, we have also resolved an issue that sometimes caused overlapping text in the message editor.
This release mainly provides usability improvements to the HTTP message editor. It also upgrades both Java support and Burp Scanner’s embedded browser version.
The HTTP message editor now supports pretty printing of JSON, XML, HTML, CSS, and JavaScript. Take a look at the following video to see this feature in action:
Unformatted JSON data, for example, would previously be displayed as follows:
But as of version 2020.4, all of the supported formats mentioned above are prettified by default, meaning the JSON data in our example would now be displayed as follows:
You can toggle pretty printing on and off by clicking the “Pretty” button at the bottom of the editor. Alternatively, if you would prefer not to use pretty printing by default, you can disable this setting under “User options” > “Display” > “HTTP Message Display”.
As of this release, we now support Java 13. Unfortunately, we will no longer be able to support Java 8. The vast majority of users will be unaffected by this change. However, if you normally launch Burp directly from the JAR file instead of using the provided installer, you need to make sure that you have one of Java versions 9 to 13 before attempting to launch the new JAR file.
We have updated Burp Scanner’s experimental embedded browser to Chromium 81.0.4044.122 in order to implement the latest security fixes.
This release also provides the following minor improvements:
We have also implemented several minor bug fixes, including:
This release contains minor updates to the 2020.2 release.
There are further enhancements to the custom Collaborator content options that were introduced in version 2020.2. You can now host custom robots.txt and crossdomain.xml files at arbitrary URLs on your Collaborator server.
We have also improved the handling of XML reports by stripping any null values.
The general improvements to the HTTP message editor continue, with this release providing the following bug fixes:
The issue definition links now also work correctly on the latest version of Kali Linux.
As always, we’ve also implemented several minor bug fixes across the product.
This release builds on the general improvements we have been making to the HTTP message editor and incorporates some feedback from the community:
The “Render” tab now enables you to view rendered HTML pages and images directly within the various tools instead of in a separate popup.
You can now add custom content to the Burp Collaborator service. For example, you could add a readme on the index page identifying the organization and the purpose of the service, or prove ownership of your domain to validate TLS certificate requests. To do this, you simply add new entries in the configuration file containing a path, contentType, and base64Content as follows:
"customHttpContent":
[
{ "path": "/", "contentType": "text/plain", "base64Content": "VGhpcyBpcyBhIHJhbmRvbSBsaW5lIG9mIHRleHQ="},
{ "path": "/foo", "contentType": "text/html", "base64Content": "dGhpcyBpcyBhbm90aGVyIG9uZSBmb3IgZ29vZCBtZWFzdXJlLiBOaWNlLg==" }
]
You can now initiate instant active or passive scans in Burp. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.
The following bugs fixes have also been implemented:
This release updates the HTTP message editor with various new capabilities:
We will soon continue improving the editor, with better prettifying of some formats and other helpful features.
Various improvements have been made to the efficiency and stability of Burp Scanner. We are working towards enabling the new experimental browser-driven scanning by default, which will pave the way for significant enhancements to the scanner’s capabilities over the coming year.
A number of bug fixes and other enhancements have been made, including:
This release considerably improves Burp’s SSL/TLS coverage. Historically, quirks in different server-side implementations together with bugs in the client-side Java stack led to problems connecting to some web sites. These have now been virtually eliminated.
The Venn diagram below shows how Burp’s coverage now compares with Google Chrome for the Alexa top 100,000 sites. Burp achieves substantial overlap with Chrome. Burp can connect to 1,696 sites that Chrome does not, and only fails to connect to 125 sites that Chrome can connect to.
(Note that Burp’s additional coverage is largely because Burp tolerates some older and weaker protocols and ciphers, in the interests of maximizing connectivity.)
Various improvements have been made to the crawling phase of scans:
This release includes various bugfixes and performance enhancements to the new experimental browser-driven scanning feature.
This release adds experimental support for using Burp’s embedded Chromium browser to perform all navigation while scanning.
This new approach will provide a robust basis for future capabilities in Burp Scanner, enabling it to eventually deal with any client-side technologies and navigational structures that a modern browser is able to deal with. It has the potential to dramatically improve coverage of the scan, during both the crawling and auditing phases.
In this initial release, Burp Scanner now correctly deals with:
There are numerous caveats at this stage:
The new feature is currently experimental, and is being released to gather feedback from users who want to play with the new capability and assess its effectiveness. The new feature is not currently a suitable replacement for the existing default scanning mode: you are likely to gain some coverage of JavaScript-heavy applications, but also lose some coverage and experience poor performance. Rest assured that over the coming months the new feature will be considerably enhanced until it becomes a robust and superior replacement to the existing scanning mode.
To enable experimental support for browser-based scan navigation, create a new scan, add a crawl configuration, and under “Miscellaneous” select “Use embedded browser for navigation”. You can also configure whether to allow the browser to fetch page resources that are out-of-scope.
The release also includes various other bugfixes. The embedded JRE that is included in Burp’s installer has been updated to Java 12.
This release includes a number of minor enhancements and bugfixes.
In Burp Repeater, there are new options to close a tab, close all other tabs, and reopen a closed tab. You can access these actions via the context menu on the tab header, or by assigning hotkeys.
There is a new (default-on) scan option to ignore the protocols of URLs to scan. This is to avoid a common user error where the scan is configured for http://example.com only, while it needs also to include https://example.com.
When a Burp update is available, there are options to mute the update notification for one week, for the currently offered update, or for all beta updates.
A bug affecting use of PKCS#11 smart cards affecting Burp 2.x has been fixed.
This release adds a brand new scan check, for HTTP request smuggling vulnerabilities:
This is a long-overlooked vulnerability class that is prevalent in modern cloud architectures, and which often has a critical impact.
The support for WebSockets in Burp Repeater has been enhanced with a new WebSocket connection wizard that lets you:
The new capability gives you full manual control over the WebSocket negotiation request.
Some other minor enhancements have also been made:
This release adds support for WebSockets in Burp Repeater.
You can select a WebSocket message in the Proxy history or intercept tab, and choose “Send to Repeater” from the context menu:
Each message you send to Repeater opens in a new tab. Here, you can manually edit and send the message, view the full message history, pick a message from the history and manually edit and resend it, and manage the WebSocket connection:
As always, feedback about this new feature is welcome.
Have fun!
Burp Suite 2.x is now officially out of beta!
This is a huge upgrade over 1.7 with a wealth of new capabilities. We encourage anyone still using 1.7 to switch to 2.x.
Community Edition users can now enjoy Burp’s new dark theme. To enable the dark theme, go to User options / Display / User Interface / Look and feel, and select Darcula.
Coming out of beta means we regard Burp Suite 2.x as essentially stable and suitable for general usage. It doesn’t mean there are no bugs. All software has bugs, and feedback is always welcome about any problems that users observe.
We will, of course, be continuing to enhance Burp Suite 2.x with various new features over the coming months.
This release adds some powerful new Scanner checks based on James Kettle’s talk at Black Hat today.
For full details of this awesome new research, see our blog post on practical web cache poisoning.
Burp Scanner is now able to detect two new vulnerabilities, “Web cache poisoning” and “Request URL override”:
Note: On 10 October 2018, the .DMG package was regenerated to be compatible with MacOS Mojave.
This release fixes a number of issues including:
Note: On 10 October 2018, the .DMG package for Community Edition was regenerated to be compatible with MacOS Mojave.
This release includes a number of fixes and minor enhancements:
A number of bugs have been fixed:
The following enhancements have been made:
Note that some of the security issues were reported through our bug bounty program, which pays generously for bugs large and small. Thanks are due to Bruno Morisson and Juho Nurminen.
This release significantly improves the effectiveness of project repair when project file corruption occurs. Some users still experience corrupted project files when using virtualized file systems (for example, using Burp within a guest VM can lead to project file corruption if the host OS terminates abnormally). Previously, if some key metadata near the start of the project file was lost, then Burp’s project repair feature would not recover any data. In the new release, uncorrupted data within the file can still be recovered even if this key metadata is lost. Further feedback is welcomed regarding the effectiveness of project repair.
To support the new project repair function, changes have been made to the Burp project file format. The new release is backwards compatible with project files from all prior versions, but project files created with the new release cannot be opened with older versions of Burp.
Some bugs have been fixed:
This release adds a new automatic project file backup function. If you are using a disk-based project, this function automatically saves a backup copy of your project file periodically in the background. The options for the new function can be found at User options / Misc / Automatic Project Backup:
The new function is superior to the older function that saved a state file backup in several respects:
Project file backups are considerably faster. Project files of 1Gb in size are typically backed up in a few seconds.
Other enhancements include:
This release adds two new capabilities relating to Burp project files:
Additionally, the “Number of threads” setting in Scanner options has been changed to “Concurrent request limit”. This paves the way for some major enhancements to the Scanner engine that are in the pipeline.
The new function is superior to the older function that saved a state file backup in several respects:
To support the new project repair function, changes have been made to the Burp project file format. The new release is backwards compatible with project files from all prior versions, but project files created with the new release cannot be opened with older versions of Burp.Some bugs have been fixed:
A number of bugs have been fixed:
The following enhancements have been made:
This release includes a number of fixes and minor enhancements:
This release fixes a number of issues including:
This release adds some powerful new Scanner checks based on James Kettle’s talk at Black Hat today.
For full details of this awesome new research, see read on web cache poisoning.
Burp Scanner is now able to detect two new vulnerabilities, “Web cache poisoning” and “Request URL override”:
