Burp Suite Professional Latest Release and Update, please read in reverse order, if you interest from the old to latest manner. As the latest release note and build always increment update on the top for this product update.
The rational to keep for this post is combine all the related latest release and update for easy reading in single post for the user.
This release enables you to add tabs to the message editor that provide the same features as the Inspector panel. It also adds a new domain name for the public Burp Collaborator server, as well as some enhancements to Burp Scanner.
This release introduces the Montoya API, an all-new replacement for the Extender API. It also includes improvements to the Burp Collaborator client and adaptive request throttling for Burp Scanner.
We have released the Montoya API, an all-new API that enables you to develop extensions for Burp Suite. The new API offers a more modern design than the existing Extender API, making it easier to use and enabling us to add future features that we could not have supported with the old API.
This change will not affect any current BApps, and the existing Extender API will continue to work as normal for the immediate future. However, we strongly recommend that you write any new extensions using the new Montoya API, as we will eventually end support for the Extender API.
The Montoya API offers all of the same features as the existing version. It also includes several new features, such as:
This release introduces various usability improvements for the Burp Collaborator client, including:
Renewed license keys now update automatically. If your existing license is expiring or has expired altogether, Burp Suite automatically checks your account for a renewed license key. If you have a renewed key associated with your account, then the system retrieves and activates that key.
Please note that you will need to allow network access to https://portswigger.net for this process to work.
When Burp Scanner receives a 429 response due to sending too many requests in quick succession, it now incrementally adds a short delay between requests until it complies with the server’s rate limit. This enables the scan to continue as normal, albeit with an increased duration.
If you prefer, you can disable this behavior using a custom scan configuration – just go to Request throttling configuration and deselect Adaptive request throttling.
We have fixed an HTML injection vulnerability that could be triggered by attackers with direct access to the proxy listener. Note that the proxy listener only accepts connections from localhost by default. This issue was privately reported via our bug bounty program.
We have upgraded Burp’s browser to Chromium 107.0.5304.62, which fixes a number of high-severity security issues.
We have also fixed some minor bugs, including:
This release implements a back-end change to the way we check the validity of licenses.
This release provides some minor bug fixes and upgrades Burp’s browser.
We have upgraded Burp’s browser to Chromium 106.0.5249.119, which fixes a number of high-severity security issues.
This release also patches a low-severity security issue that was reported via our bug bounty program. We will provide further details once the patch is available on our Stable release channel.
This release also includes a couple of bug fixes, including:
This release provides various new features for the Montoya API. It also includes some bug fixes for Burp Scanner and an update for Burp’s browser.
We have added several new features to the Montoya API. These include:
This release updates Burp’s browser to Chromium 106.0.5249.61, which fixes a number of high-severity security issues.
This release also includes a couple of bug fixes for Burp Scanner, including:
This release provides new scan checks based on James Kettle’s Browser-Powered Desync Attacks, first presented at Black Hat USA 2022. It also introduces the new capabilities for Burp Repeater that enable you test for these vulnerabilities manually.
Burp Scanner now reports client-side desync vulnerabilities. We’ve also upgraded our existing HTTP request smuggling checks to detect CL.0 vulnerabilities.
For more details on both of these issues, check out James’s whitepaper and the new Web Security Academy content.
You can now send the requests from a group of Repeater tabs as an automated sequence. When viewing a tab that belongs to a group, there is now a drop-down menu next to the Send button that lets you choose how your request sequence is sent. You can either send all of the requests over a single connection or use a separate connection for each request.
This release upgrades Burp’s browser to Chromium 106.0.5249.61, which fixes a number of high-severity security issues.
Sending requests over a single connection enables you to test for client-side desync vulnerabilities. For more information about how to do this, as well as some deliberately vulnerable labs for you to practice on, check out the new content on the Web Security Academy.
Sending over a single connection is also useful for timing-based attacks that rely on being able to compare responses with very small differences in timings as it reduces the “jitter” that can occur when establishing TCP connections.
Sending requests over separate connections is primarily useful when testing for vulnerabilities that require a multi-step process.
Burp Scanner uses OAST techniques to identify critical vulnerabilities via DNS pingbacks to Burp Collaborator. Both the DNS interaction itself and the identified vulnerability are reported as separate issues. In some cases, such as when testing for SSRF, we may induce the application to perform a DNS lookup without this leading to the discovery of any further vulnerability. To better reflect this latter scenario, we have adjusted the severity of the External service interaction (DNS) issue.
We previously classed this as a high-severity issue on the assumption that a corresponding HTTP request was probably sent by the server, but subsequently blocked by a firewall’s egress filters. Although we can’t detect this externally, it could still provide a vector for pivoting attacks against the internal network.
However, we’ve increasingly encountered cases where systems perform a DNS lookup with no intention of ever connecting to the remote host, meaning that no HTTP request ever existed. For example, this could be triggered simply by adding a URL as the key of a Java Map.
This behavior can still indicate a serious vulnerability, and is worthy of further investigation, but we have reduced the reported severity to reflect the typical impact.
Previously, Burp Scanner automatically terminated audits if it encountered Unknown Host errors, even if the scan scope also included separate, valid domains. Unknown host errors are now treated in the same way as other scanner errors, and the audit does not automatically terminate if one is encountered.
We have upgraded Burp’s browser to Chromium 104.0.5112.79.
This release also provides some minor bug fixes, including:
Content-Type headers.This release introduces tab-specific options in Repeater and client-side prototype pollution reporting in Burp Scanner. It also provides a change to the way Burp’s browser handles the User-Agent header and a minor bug fix.
You can now set tab-specific Repeater options, giving you finer control over how Repeater behaves when sending requests and receiving responses. To configure tab-specific options, click the new settings icon next to the Send button.
If you select specific options for a tab then Repeater ignores the global settings for that tab altogether. You can return a tab to global settings by clicking the new Restore global defaults button. This button is highlighted when a tab has specific settings configured.
Burp Scanner can now detect client-side prototype pollution. For more information on this vulnerability, see the new “Client side prototype pollution” issue definition that has been added to the Target > Issue definitions page.
We have amended Burp’s browser so that it respects the configured User-Agent header when scanning rather than generating a random User-Agent string. The original approach was used as a means of tracking requests, but is no longer needed.
We have upgraded Burp’s browser to Chromium 103.0.5060.134.
This release introduces several improvements to the Intruder and Repeater tab bars which include the ability to select between a scrolling or wrapped tab view as well as, the ability to organize tabs into groups for Repeater. This release also introduces HTTP/1 keep-alive, where Burp Suite is now able to reuse a single TCP connection to send multiple HTTP/1 requests, and adds a selection of preset scan modes to the Scan Configuration menu. Lastly, several key improvements for DOM Invader, including the ability to test for client-side prototype pollution.
Now, users can organise Repeater tabs into color-coded groups. Grouping tabs makes simplifies work with large numbers of open tabs and keep track of related requests.
Search function to the tab bar allows users to search for individual tabs or groups.
Two views for tabs from Intruder and Repeater. As well as the standard wrapped view, users are able to display tabs as a single, scrollable row. This feature helps to free up on-screen real estate, especially on smaller displays.
This release includes the following key improvements to DOM Invader:
Users can send multiple HTTP/1 requests using the same TCP connection. In the previous time, Burp always closed the connection after each request / response pair, even if the server supported connection reuse.
This way, reusing connections is highly beneficial in terms of request speed and timing accuracy.
To enable HTTP/1 keep-alive, go to Project options > HTTP > HTTP/1 and select the Use keep-alive for HTTP/1 if the server supports it option. Users can override this setting in Repeater using the Enable HTTP/1 keep-alive reuse menu option.
Users can now select from four preset scan modes during configuring a scan. These preset scan modes provides a quick way to adjust how the scan balances speed and coverage, without the need to set up a custom scan configuration.
These new scan modes can be applied by selecting Use a preset scan mode from the Scan Configuration menu and choosing one of the available options.
Numerous improvements to Burp Scanner to enhance stability, performance, and progress estimation.
The security improvements included in this release are:
This release also gives a number of bug fixes. Most importantly:
Burp’s browser upgraded to Chromium 103.0.5060.53, which patches a critical security issue.
This release introduces several improvements to the Intruder and Repeater tab bars which include the ability to select between a scrolling or wrapped tab view as well as, the ability to organize tabs into groups for Repeater. This release also introduces HTTP/1 keep-alive, where Burp Suite is now able to reuse a single TCP connection to send multiple HTTP/1 requests, and adds a selection of preset scan modes to the Scan Configuration menu. Lastly, several key improvements for DOM Invader, including the ability to test for client-side prototype pollution.
Now, users can organise Repeater tabs into color-coded groups. Grouping tabs makes simplifies work with large numbers of open tabs and keep track of related requests.
Search function to the tab bar allows users to search for individual tabs or groups.
Two views for tabs from Intruder and Repeater. As well as the standard wrapped view, users are able to display tabs as a single, scrollable row. This feature helps to free up on-screen real estate, especially on smaller displays.
This release includes the following key improvements to DOM Invader:
Users can send multiple HTTP/1 requests using the same TCP connection. In the previous time, Burp always closed the connection after each request / response pair, even if the server supported connection reuse.
This way, reusing connections is highly beneficial in terms of request speed and timing accuracy.
To enable HTTP/1 keep-alive, go to Project options > HTTP > HTTP/1 and select the Use keep-alive for HTTP/1 if the server supports it option. Users can override this setting in Repeater using the Enable HTTP/1 keep-alive reuse menu option.
Users can now select from four preset scan modes during configuring a scan. These preset scan modes provides a quick way to adjust how the scan balances speed and coverage, without the need to set up a custom scan configuration.
These new scan modes can be applied by selecting Use a preset scan mode from the Scan Configuration menu and choosing one of the available options.
This release includes a number of enhancements to Burp Scanner, such as several new JWT-based scan checks and an option to skip unauthenticated crawling when users have been provided application logins. The BApp Store as well provides in-app feedback on how much load BApps are placing on your system.
Burp Scanner is now able to detect 8 common JWT-based vulnerabilities, enabling users to save time, and easier to secure sites that use JWTs.
More details can be found from the individual issue definitions in Burp on the Target > Issue definitions tab.
On the Extender > BApp store tab, we now display an indication of how much load we estimate that each BApp places on your system.
The estimated system impact can be divided into the:
When Burp is performing slower than it should be, it is recommended to check these estimates for any BApps that have been loaded and removing those that are not actively using. This will help extend Burp’s capabilities without impairing performance.
Performance may be effected due to the use of multiple extensions at the same time. The bar at the top of the screen displays the cumulative impact of all of the BApps that are currently loaded.
Users are has option to skip unauthenticated crawling in certain cases where you have provided application logins for Burp Scanner to use. This helps to reduce the crawl time.
How to enable enable this option? Users need to go to the Crawl Optimization settings in the scan configuration and select Crawl using my provided logins only. Note that if you do not provide any application logins, the crawler automatically reverts to performing an unauthenticated crawl instead.
Several minor tweaks to the appearance and behavior of tabs in Burp Repeater are included. These will pave the way for some additional features in the future.
Use Burp Suite’s session is now available to handleoptions to add headers and values to requests. When you create a session handling rule using the new Set a specific header value action, the header and value pair provided are added to any requests that are within the rule’s scope.
Burp Suite has always used fully verified TLS to connect to known services, such as portswigger.net and the public Burp Collaborator server. Nevertheless, when communicating with arbitrary websites, it does not verify upstream TLS certificates and supports weak ciphers by default. This optimises compatibility at the expense of protection against active man-in-the-middle (MITM) attacks.
For concern on the possibility of an active MITM attack on the communication with the site being tested, you can now configure Burp to verify upstream TLS certificates. To do this, go to Project settings > TLS and select the Verify upstream TLS checkbox.
In this scenario, we recommend also selecting the Use default protocols and ciphers of your Java installation option to prevent Burp from using weak ciphers.
Please note that additional hardening is planned for this feature in the future.
We have made several minor tweaks to the appearance and behavior of tabs in Burp Repeater. These will pave the way for some additional features in the future.
Burp’s browser upgraded to Chromium 102.0.5005.61
For running, Burp Suite requires Java 11 ++ . This change will have no impact unless for installed Burp Suite as a .jar file, as the installer includes a bundled private Java Runtime Environment so that you don’t need to worry about installing or updating Java. Note that, any extensions written in a version of Java earlier than 11 may not run correctly from this release onward.
Resolved certain performance issues that some users faced when using Intruder with large resource pools.
Burp’s browser upgraded to Chromium 102.0.5005.61, which resolves a number of security issues.
This release includes a number of enhancements to Burp Scanner, such as several new JWT-based scan checks and an option to skip unauthenticated crawling when users have been provided application logins. The BApp Store as well provides in-app feedback on how much load BApps are placing on your system.
Burp Scanner is now able to detect 8 common JWT-based vulnerabilities, enabling users to save time, and easier to secure sites that use JWTs.
More details can be found from the individual issue definitions in Burp on the Target > Issue definitions tab.
On the Extender > BApp store tab, we now display an indication of how much load we estimate that each BApp places on your system.
The estimated system impact can be divided into the:
When Burp is performing slower than it should be, it is recommended to check these estimates for any BApps that have been loaded and removing those that are not actively using. This will help extend Burp’s capabilities without impairing performance.
Performance may be effected due to the use of multiple extensions at the same time. The bar at the top of the screen displays the cumulative impact of all of the BApps that are currently loaded.
Users are has option to skip unauthenticated crawling in certain cases where you have provided application logins for Burp Scanner to use. This helps to reduce the crawl time.
How to enable enable this option? Users need to go to the Crawl Optimization settings in the scan configuration and select Crawl using my provided logins only. Note that if you do not provide any application logins, the crawler automatically reverts to performing an unauthenticated crawl instead.
Several minor tweaks to the appearance and behavior of tabs in Burp Repeater are included. These will pave the way for some additional features in the future.
Use Burp Suite’s session is now available to handleoptions to add headers and values to requests. When you create a session handling rule using the new Set a specific header value action, the header and value pair provided are added to any requests that are within the rule’s scope.
Burp’s browser upgraded to Chromium 102.0.5005.61
For running, Burp Suite requires Java 11 ++ . This change will have no impact unless for installed Burp Suite as a .jar file, as the installer includes a bundled private Java Runtime Environment so that you don’t need to worry about installing or updating Java. Note that, any extensions written in a version of Java earlier than 11 may not run correctly from this release onward.
Resolved certain performance issues that some users faced when using Intruder with large resource pools.
Issue fixed with Burp Scanner that was causing Kubernetes deployments of Burp Suite Enterprise Edition to crash because of insufficient shared memory.
Issue fixed in which users were unable to save more than one copy of a temporary project. Save multiple copies of temporary projects is now available through this release.
Burp’s browser upgraded to Chromium 101.0.4951.64.
This release includes Burp’s browser upgrade and a couple of bug fixes.
Burp’s browser upgraded to Chromium 101.0.4951.54
In addition to the existing Pretty, Raw, Hex, and Render tabs, adding the following tabs to the message editor are now possible:
While some of the tabs were available in older versions of Burp Suite, they are now reintroduced and enhanced with the same powerful features for working with HTTP messages as the Inspector. This is a great alternative for users that do not have room on their screen for the side panel but want to take advantage of the Inspector’s functionalit
n order to control which tabs are displayed, and in which order, users can click the settings icon in the upper-right corner of the message editor (above the Inspector panel), then select Message editor.
This release comes with a new domain name for the public Burp Collaborator server. , Burp Scanner and the Burp Collaborator client will now use oastify.com for their Collaborator payloads instead of burpcollaborator.net. unless Burp has been configured to use a private Collaborator server). This features help reduce false negatives, thus users can identify out-of-band vulnerabilities that were previously hidden due to widespread blocking of the old domain name.
This new domain name is in addition to the old one. Users are still able to view interactions with any of your existing burpcollaborator.net payloads.
Take note that if you’re running Burp within a closed network and previously had to allow connections to burpcollaborator.net on port 443 in order to poll for interactions, it is essential to carry out the same for step for oastify.com.
Ability to fetch data from out-of-scope API endpoints if required to load the page correctly using Burp Scanner’s dynamic JavaScript analysis. plus able to detect DOM-based vulnerabilities where malicious input is only passed to a sink if an API call is made.
Importantly, although Burp Scanner fetches external resources and data when required, it will not perform any additional crawl or audit of out-of-scope URLs.
This change dismisses inconvenient in Burp Repeater where users experience difficulty in keeping track of the order of tab the faced in the previous versions of Burp.
This behavior has been disabled, therefore, tabs no longer move when selected.
Burp’s browser upgraded to Chromium 101.0.4951.41.
onload event handlers in the HTML <body> tag.This release includes Burp’s browser to Chromium 100.0.4896.127. Also, several minor bug fixes. Most importantly, issue that was preventing some extensions from loading correctly and one other that involves errors when starting Burp in headless mode.
This release gives Java 17 support for some extensions which previously failed to load.
This release involves Burp’s browser upgrade to Chromium 100.0.4896.75 as well as the installer Java version to 17.0.2.
This release includes a number of bug fixes and an upgrade for Burp’s browser.
Upgraded Burp’s browser to Chromium 100.0.4896.60
This release offers the following bug fixes for Burp Repeater:
Burp’s browser upgraded to Chromium 99.0.4844.84
This release lets user to insert tabs to the message editor that give the same features as the Inspector panel. Furthermore, it adds a new domain name for the public Burp Collaborator server and includes some enhancements to Burp Scanner. Lastly, rows of tabs will no longer switch places when selected.
In addition to the existing Pretty, Raw, Hex, and Render tabs, user can now add these tabs to the message editor:
While some of the tabs were available in older versions of Burp Suite, they are now reintroduced and enhanced with the same powerful features for working with HTTP messages as the Inspector. This is a great alternative for users that do not have room on their screen for the side panel but want to take advantage of the Inspector’s functionality.
In order to control which tabs are displayed, and in which order, users can click the settings icon in the upper-right corner of the message editor (above the Inspector panel), then select Message editor.
This release comes with a new domain name for the public Burp Collaborator server. , Burp Scanner and the Burp Collaborator client will now use oastify.com for their Collaborator payloads instead of burpcollaborator.net. unless Burp has been configured to use a private Collaborator server). This features help reduce false negatives, thus users can identify out-of-band vulnerabilities that were previously hidden due to widespread blocking of the old domain name.
This new domain name is in addition to the old one. Users are still able to view interactions with any of your existing burpcollaborator.net payloads.
Take note that if you’re running Burp within a closed network and previously had to allow connections to burpcollaborator.net on port 443 in order to poll for interactions, it is essential to carry out the same for step for oastify.com.
In this version, Burp Scanner’s dynamic JavaScript analysis can fetch data from out-of-scope API endpoints if required to load the page correctly. This allows it to detect DOM-based vulnerabilities where malicious input is only passed to a sink if an API call is made.
Note that Burp Scanner will not perform any additional crawl or audit of out-of-scope URLs fetches external eventhough resources and data when needed
This change dismisses inconvenient in Burp Repeater where users experience difficulty in keeping track of the order of tab the faced in the previous versions of Burp.
This behavior has been disabled, therefore, tabs no longer move when selected.
We have upgraded Burp’s browser to Chromium 99.0.4844.74, which fixes one critical bug and a number of high / medium severity bugs.
This release provides a number of bug fixes. Importantly:
onload event handlers in the HTML <body> tag.Burp’s browser upgraded to Chromium 99.0.4844.74, that fixes one critical bug and a number of high or medium severity bugs.
This release gives ultra-fast crawling of static content, advanced scanning of single-page applications and several minor bug fixes.
The Fastest crawl strategy of Burp Scanner is now optimized for crawling static sites as fast as possible. This is achieved through disabling irrelevant features for static content like automated session handling and state recovery.
How exactly it works? The changes decrease the time taken to crawl our static documentation site (from around 45 minutes to below 10 minutes.
Long-time Burp users can benefits this strategy as it effectively an improved version of the Spider tool from Burp Suite 1.7, emulated by the new crawling engine.
This release greatly improves the ability of Burp Scanner in handling single-page applications (SPAs) built on frameworks such as React.
A few months ago, Portswigger has resolved HTML injection vulnerability that may cause Burp Suite to sending requests that did not respect its upstream proxy configuration. This issue is due to Swing GUI components that were insecurely configured to render HTML that can result in leak NetNTLM hashes on Windows systems that unable to block outbound SMB.
This release provides additional mitigation that prevents BApps from introducing this vulnerability even though they contain Swing components that enables HTML rendering.
This issue was reported through the bug bounty program.
Burp’s browser is upgraded to Chromium 99.0.4844.51.
Several minor bugs fixes such as
This release gives several minor bug fixes. Most importantly, an issue that meant recorded login sequences were sometimes cut short when testing them.
This release gives ultra-fast crawling of static content, advanced scanning of single-page applications and several minor bug fixes.
The Fastest crawl strategy of Burp Scanner is now optimized for crawling static sites as fast as possible. This is achieved through disabling irrelevant features for static content like automated session handling and state recovery.
How exactly it works? The changes decrease the time taken to crawl our static documentation site (from around 45 minutes to below 10 minutes.
Long-time Burp users can benefits this strategy as it effectively an improved version of the Spider tool from Burp Suite 1.7, emulated by the new crawling engine.
This release greatly improves the ability of Burp Scanner in handling single-page applications (SPAs) built on frameworks such as React.
Burp’s browser has been upgraded to Chromium 98.0.4758.102.
This release has fixed several minor bugs. Most importantly to issue that caused some Windows users to see a No JVM found on your system error when restarting Burp after an update.
This release includes new options for customizing the appearance and behavior of the Inspector panel. Now, you can keep it collapsed by default depending on preference.
The presence of settings icon in the upper-right corner of the panel allows you to:
Burp’s browser upgraded to Chromium 98.0.4758.80.
This release let you configure Intruder attacks against multiple hosts and adds several new options for customising the Inspector. These include:
You can now add payload positions to the target host field in Burp Intruder. This feature is useful in situations where you want to test for issues across many web applications simultaneously as you are able to target multiple hosts from a single attack with this feature.
Due to this adjustment, the settings which was previously included in Intruder’s Target tab is now incorporated into its Positions tab.
New toolbar at the top of the Inspector panel contains buttons that let you:
You are also able to toggle line wrapping by clicking the icon in the upper-right corner of each table.
This recent supports the latest Apple Mac models equipped with M1 (Arm64) processors with a dedicated installer.
Please refer to the documentation for details to identify the installer you need.
For new installation of Burp Suite, the Burp Proxy’s Intercept feature is now off by default to remove the common problem of users forgetting to disable it before attempting to use the browser.
Burp’s browser upgraded to Chromium 96.0.4664.45.
This release involves several minor bug fixes. The most notable changes bug fixes that prevented Burp from completing the TLS handshake with servers whose certificate chain was longer than 10 but less than 30.
This release gives a security patch and several minor bug fixes.
In this release, fixed a medium-severity security issue in the way Burp Suite processed HTTP/2 responses that may introduced XSS in certain circumstances has been fixed. The issue has been reported by Ademar Nowasky Junior | @nowaskyjr, through our bug bounty program.
Burp’s browser to Chromium 96.0.4664.45 has been upgraded in this release.
In order to prevent accidental loss of Burp project files, this release include several adjustments such as
This release offers a few updates to DOM Invader, line wrapping in Burp’s message editor and several bug fixes.
There are minor improvements done to DOM Invader. Those include:
Added support for line wrapping in Burp’s message editor is now made available to ease work with messages that contain lengthy strings like authorisation tokens.
Line wrapping can be enabled by default in the Pretty and Raw views. The feature however allows you to toggle it on and off via the button above each message.
Burp’s browser is updated to Chromium version 95.0.4638.69 that is capable in fixing various high severity bugs.
The inspector in the latest release now supports Base64url encoding.
This release solves the occasional visual issue that occurs when line wrapping is enabled in message editors wtih large font sizes.
This release enables manual testing of hidden HTTP/2 attack surface and adds a number of improvements to Burp Intruder and Burp Scanner.
You can now send HTTP/2 requests from Burp Repeater even if the server doesn’t explicitly advertise HTTP/2 support via ALPN. This allows you to manually explore additional “hidden” HTTP/2 attack surface.
To enable this behavior, first select the Allow HTTP/2 ALPN override option from the Repeater menu, then switch the protocol to HTTP/2 from the Inspector panel.
We have made the following improvements to Burp Intruder:
We have added payloads to the server-side template injection (SSTI) scan check to detect vulnerabilities in the following Java-based template engines:
We have also integrated additional out-of-band detection methods using Burp Collaborator.
API calls that are triggered by the crawler interacting with elements on the page will now be sent for audit.
We have also improved the way the crawler interacts with forms on a page to better support modern single-page applications.
We have made the following changes to improve the handling of XML and JSON insertion points during scans:
xml:lang and xmlns:* are now ignored by default. If you prefer, you can override this setting in your scan configuration under Audit options > Ignored insertion points.Burp Scanner can now handle iframes, multi-selects, scrolling elements, and SVG elements in recorded login sequences. We have also improved reliability of recorded logins by changing the way we locate and interact with elements on the page. For more details, please see our blog post on authenticated scanning improvements.
We have updated Burp’s embedded browser to Chromium version 95.0.4638.54, which fixes a number of high-severity bugs.
This release also provides a number of bug fixes, most notably for a bug when highlighting or selecting text in Burp Repeater.
This release upgrades the embedded browser and fixes an issue that was reported to our bug bounty program.
Burp’s embedded Chromium browser has been updated to version 92.0.4515.159.
We have fixed a vulnerability that could result in Burp Suite issuing requests that do not respect its upstream proxy configuration and could leak NetNTLM hashes on Windows systems that fail to block outbound SMB.
This issue was reported to our bug bounty program.
This release provides several bug fixes, most notably a fix for a memory leak issue that affects some extensions.
This release provides a range of powerful new enhancements to Burp’s HTTP/2 support. This enables you to identify and exploit a number of HTTP/2-exclusive vulnerabilities, including those presented by James Kettle at Black Hat USA 2021. It also implements a security fix for the embedded browser and some minor bug fixes for recorded login sequences.
In Burp Repeater and Proxy Intercept, you can now choose whether to send each request using HTTP/1 or HTTP/2. When you switch protocols, Burp will automatically perform the necessary transformations behind the scenes to generate an equivalent request suitable for the new protocol. For example, the HTTP/1 request line is mapped to HTTP/2’s :method and :path pseudo-headers.
This enables you to easily upgrade and downgrade requests to experiment with protocol-specific vulnerabilities.
We are excited to announce that Burp Suite Professional now provide native support for viewing and manipulating HTTP/2 requests.
In addition to the HTTP/1-style representation of the request that you can see in the message editor, the Inspector now lets you work with HTTP/2 headers and pseudo-headers in a way that more closely resembles what will be sent to the server. As this view doesn’t rely on HTTP/1 syntax, you’re able to construct attacks using a number of HTTP/2-exclusive vectors that are impossible to reproduce in HTTP/1. This gives you the opportunity to explore a whole new attack surface that has barely been audited due to the complete lack of any suitable tooling until now.
For some real-world examples of what’s possible, check out the whitepaper for James Kettle’s latest research, HTTP/2: The Sequel Is Always Worse, which he recently presented at Black Hat USA 2021.
Burp’s message editor still lets you work with an HTTP/1-style representation of the request and converts this to an equivalent HTTP/2 request under the hood. This is great for performing general testing where the protocol you’re using isn’t important.
For more information about these features, the configuration options, and a breakdown of some HTTP/2 fundamentals, please refer to the accompanying documentation
In addition to the new manual HTTP/2 tooling, this release adds some HTTP/2-specific improvements to Burp Scanner:
We’ve also improved the issue details for HTTP request smuggling to flag when server-side countermeasures have limited the impact to request tunnelling.
These enhancements are also based on James’s research.
We have updated Burp Suite’s embedded browser to fix a clickjacking-based remote code execution bug in Burp Suite, as reported to our bug bounty program. We have updated to Chromium 92.0.4515.131, which fixes several bugs that Google has classified as high.
This release fixes several bugs that should improve the reliability of recorded login playback.
This release includes the return of the hex view, enabling HTTP/2 for extensions, task pausing improvements, an embedded browser upgrade, and several bug fixes.
You wanted it back so it has returned, and it’s better than ever! The hex view in the message editor returns to Burp Suite, allowing you to display and edit messages in hexadecimal notation. This is especially useful when dealing with binary formats. You can also choose to copy text or hex codes when using the context menu to copy single or multiple cells in the message editor’s hex view.
HTTP/2 is now enabled for requests issued by extensions. Additionally, we have added two new methods to IBurpExtenderCallbacks, which can be used to force HTTP/1 usage when issuing requests. These methods are:
IHttpRequestResponse makeHttpRequest(IHttpService httpService,
byte[] request,
boolean forceHttp1);
and
byte[] makeHttpRequest(String host,
int port,
boolean useHttps,
byte[] request,
boolean forceHttp1);
These new methods are analogous to the existing makeHttpRequest() methods with the addition of the forceHttp1 flag, which when set will ensure that HTTP/1 is used.
Burp Suite now remembers your preference for pausing tasks on starting.
We have updated Burp Suite’s embedded browser to Chromium version 91.0.4472.114, which fixes several security issues that Google has classified as high.
This release fixes several minor bugs.
We have updated Burp Suite’s embedded browser to Chromium version 91.0.4472.101, which fixes several security issues, one of which Google has classified as critical.
This release fixes a bug with selecting individual scan checks in an audit configuration.
Professional 2021.6 Released 2021-May-26
This release includes the return of the hex view to the message editor, HTTP/2 requests for extensions, and several bug fixes.
You wanted it back so it has returned, and it’s better than ever! The hex view in the message editor returns to Burp Suite, allowing you to display and edit messages in hexadecimal notation. This is especially useful when dealing with binary formats.
HTTP/2 is now enabled for requests issued by extensions. Additionally, we have added two new methods to IBurpExtenderCallbacks, which can be used to force HTTP/1 usage when issuing requests. These methods are:
IHttpRequestResponse makeHttpRequest(IHttpService httpService,
byte[] request,
boolean forceHttp1);
and
byte[] makeHttpRequest(String host,
int port,
boolean useHttps,
byte[] request,
boolean forceHttp1);
These new methods are analogous to the existing makeHttpRequest() methods with the addition of the forceHttp1 flag, which when set will ensure that HTTP/1 is used.
This release includes the following bug fixes.
No application protocols errors with some servers.This release includes several improvements to Intruder, one of which allows you to save Intruder attacks to project files. The release also includes other minor Burp Suite improvements.
You can now save Intruder attacks to project files, so you can close Burp Suite and come back later to continue your attacks, or view the results of completed attacks. This is done on an opt-in basis: attacks are not saved by default, to avoid bloating project files. An attack can be saved before, during, or after it has been performed. The title bar of an attack window shows whether it has been saved or not.
We have made several other improvements to Intruder. These include:
You can now optionally supply a specific TTL value when configuring custom DNS records in Burp Collaborator.
This release updates Burp Suite’s embedded browser to Chromium version 90.0.4430.93, which fixes several security issues that Google have classified as high.
This release provides a native logging tool to Burp Suite. It also allows saving settings for Burp’s embedded browser and message editor’s search bar, and the ability to turn off Repeater’s line ending normalization. The release also provides several bug fixes.
Burp Suite now has a native logging tool called Logger, which is available from the main row of tool tabs. Some highlights of Logger are:
Here is a short video showing Logger in action:
When using Burp’s embedded Chromium browser, your history and any changes you make to the browser settings are now saved even after you close Chromium. This means you no longer need to reconfigure your preferences each time you use the browser and can even keep any extensions that you install.
By default, your settings and history will be persisted. If you’d prefer to disable this behavior, go to User options > Misc and deselect the corresponding checkbox in the “Embedded browser” section.
You can now configure the default settings of the message editor’s search bar. Change the defaults by going to User options > Misc and selecting the check boxes under “Message search”.
Repeater usually normalizes the line endings of requests. However, this behaviour may not always be useful, especially when you are testing request smuggling. You can now turn off normalizing line endings by going to the Repeater menu and unchecking “Normalize line endings”.
This release provides several minor improvements and bug fixes, including:
NOERROR rather than a SERVFAIL response code.This release strengthens support for HTTP/2 and turns it on by default. It also fixes several bugs.
We have strengthened support for HTTP/2 within Burp Suite. HTTP/2 support is now turned on by default and is no longer considered experimental. Burp will interact with targets via HTTP/2 when a target supports it.
HTTP/2 support brings a significant performance improvement to the network layer, benefiting Scanner and Intruder speed. It also provides future compatibility with any site that no longer supports HTTP/1.1.
If you prefer not to use HTTP/2, you can disable its use under Project Options / HTTP.
This release provides several minor improvements and bug fixes, including:
This release provides a security fix for the embedded Chromium browser, and several bug fixes.
This release includes an update of Burp’s embedded browser to Chromium 89.0.4389.90 which fixes a security issue that Google have classified as high.
This release provides several bug fixes, including:
This release provides several bug fixes. Most notably:
This release provides multiple Burp Suite update channels, including an Early Adopter channel. It also provides improved Intruder payload lists and several bug fixes.
We now deliver automatic updates to Burp Suite via two channels: Stable and Early Adopter. The default channel for all users is Stable. New versions of Burp Suite will appear on the Early Adopter channel first, and then go to the Stable channel when any initial problems have been resolved. The update channel setting is per installation, so multiple installations set to different update channels are possible.
Choose the Early Adopter channel to get the latest features fast. Choose the Stable channel for the most robust and reliable version of Burp Suite.
To change your update channel, go to “User options” and select the “Misc” tab. Then scroll down to “Update” and select the channel you prefer.
We have improved and expanded Intruder’s default payload lists. There are also new lists, such as SSRF payloads and common files and directories.
This release also provides several bug fixes, such as:
This release provides improvements to the message inspector, non-printing character display, platform authentication controls and the embedded browser. It also provides a new vulnerability definition and several bug fixes.
Burp Scanner will now detect when a target application imports a JavaScript dependency that has a known vulnerability, such as when a library is dangerously out of date or has other issues.
When viewing non-printing characters in the text editor, characters with a hexadecimal code point below 20 are displayed as “lozenges” with their hex code. Now, characters with a code point from 7F to FF are also displayed in the same way.
Platform authentication (under “User options” and the “Connections” tab) can now be turned on or off on a per-host basis.
There have been significant performance improvements in the message inspector. Also, users can now resize the message inspector horizontally and select multiple entries at once.
HTTP requests initiated by the embedded Chromium browser itself, rather than the user, are no longer sent. Also, Burp’s embedded browser has been upgraded to Chromium 88.0.4324.150.
This release also provides the following bug fixes and minor improvements:
<meta http-equiv="content-type"> tag, Burp chooses the Content-Type headers. This change affects MIME-type filters in the Proxy and Target tabs, and the Render tab in the response viewer.This release provides performance and user interface improvements, a JavaScript analysis improvement, and several bug fixes.
We have made significant improvements in both speed and memory usage in the message editor when handling large messages.
We have improved several aspects of the user interface. There are new colors for various buttons, icons, check boxes, and radio buttons, to be in line with the new branding of Burp Suite. There are now tooltips for scan phases and issue counts in the scan task Audit Items view.
Burp Scanner‘s dynamic JavaScript analysis will now load dynamically created scripts, such as document.write('<script src="…">') or document.createElement('script’).
This release also provides the following bug fixes:
This release provides the following improvements and bug fixes:
When switching between the new light and dark themes in the display settings, you no longer have to restart Burp before this change is applied.
You can now include fragments (#) in the seed URLs you specify for a scan. Note that this is only supported by browser-powered scans. If the “Use embedded browser for Crawl and Audit” option is disabled in your scan configuration, you will not be able to start a scan with seed URLs containing fragments.
Burp’s embedded browser has been upgraded to Chromium 87.0.4280.88.
The icons and icon colors for issue severity levels have changed. We’ve also adjusted the background color for the Suite tab bar, in both the light and dark themes.
We have fixed a vulnerability that could result in Burp Suite issuing requests that do not respect its upstream proxy configuration and could leak NetNTLM hashes on Windows systems that fail to block outbound SMB.
This issue was reported through our bug bounty program.
This release also provides the following bug fixes:
Cookie headers.This release provides several bug fixes. Most notably:
This release updates the look of Burp’s UI and adds an option for watching crawls in a headed browser.
This release gives Burp’s UI a make-over, with a cleaner, more modern look.
You can choose between light or dark theme at User options / Display / User interface.
You can now choose to start scans using a headed browser. In this case, when the crawl starts, a new browser window will open in which you can watch the crawler navigating around the target website in real time. This is useful for troubleshooting any issues.
You can enable this option from the miscellaneous crawl settings of your scan configuration.
If you enable this option, please note that Burp Scanner will occasionally open additional browser windows during the crawl and stop using the previous window. This is perfectly normal. Any redundant windows will automatically be closed after a period of time.
This release also provides the following improvements:
user.vmoptions file in the same folder as the BurpSuitePro.vmoptions file, Burp will load these settings instead. This file will not be changed by Burp, which means you no longer have to manually back up your custom vmoptions when updating Burp.All keyboard shortcuts now work as expected on the Intercept tab.
This release adds the Burp Suite Navigation Recorder extension to Burp’s embedded browser and fixes a minor bug in the startup process.
The Burp Suite Navigation Recorder extension is now preinstalled and ready to use in Burp’s embedded browser. This means you can immediately start recording login sequences for Burp Scanner without having to perform any manual setup.
Burp’s embedded browser has been upgraded to Chromium version 86.0.4240.198
This release also provides the following bug fixes:
This release provides several new features for both manual and automated testing, as well as some major upgrades to the message editor UI.
The new message inspector is a collapsible panel displayed on the right-hand side of the message editor throughout Burp Suite. It provides a quick way to analyze and work with interesting features of HTTP and WebSocket messages without having to switch between different tabs.
The Hex, Params, Headers, and Cookies tabs that used to appear in the message editor have been removed. You can now access the same functionality, and some additional new features, directly in the inspector panel.
You perform some of these actions by drilling down into items that were automatically identified by the inspector. Alternatively, you can manually select one or more characters in a message to work with them in the inspector panel.
For more information about using the inspector, please refer to the documentation.
Burp Scanner is now able to scan both JSON and YAML-based APIs for vulnerabilities. By default, the crawler attempts to parse any API definitions that it encounters to identify potential endpoints, along with their supported methods and parameters. You can also explicitly provide the URL of an API definition when launching a scan. Based on the endpoints that it discovers, Burp Scanner is then able to derive new locations to crawl and audit.
If you prefer, you can disable API scanning by deselecting the “Parse API definitions” crawl option in your scan configuration. You can find this option under “Miscellaneous”.
Please note that this initial release only supports scanning of a fairly limited range of REST APIs. For a full list of the prerequisites and limitations, please refer to the documentation. We plan to further develop this feature and gradually add support for a wider range of APIs in future releases.
In the previous release, we added new functionality for recording and uploading full login sequences to help Burp Scanner handle more complex authentication mechanisms. This release adds a new feature that allows you to replay your recorded login sequences in an embedded browser.
This makes it much easier to check whether the recording accurately captured your browser interactions. It may also help you to diagnose any problems if the login sequence is failing during scans.
For more information, please refer to the documentation.
By default, Burp now automatically downloads any available updates. When a new update has been downloaded, a notification will prompt you to restart Burp in order to install it. Note that you will still need to download the 2020.11 release manually.
If you prefer, you can disable automatic updates in the user options.
To support automatic updates, Burp can no longer be installed in a directory that requires admin privileges. As a result, installing 2020.11 on Windows will likely create a new instance of Burp rather than upgrading your existing installation. Unfortunately, this means you will have to manually uninstall your old version of Burp.
This is a one-off inconvenience. Upgrading to any subsequent releases will not require you to repeat this process.
To help reduce clutter, the custom views that some Burp extensions add to the message editor are no longer accessed via individual tabs. Instead, you can now alternate between your extension-specific views using a new drop-down menu.
This release enables support for recorded login sequences in Burp Scanner and provides several other minor improvements. It also includes a security fix for Burp Collaborator.
Instead of entering basic sets of login credentials for Burp Scanner to use, you can now provide the full sequence of actions required to log in. This enables Burp Scanner to handle more complex login processes, including:
Our dedicated Chrome extension captures your actions while you perform the login sequence and generates a JSON-based “script”. You can then import this script in the Application Logins section of the scan launcher. When the crawler begins an authenticated crawl, it will open a new browser session and use the script to replicate your actions, performing the full login sequence from scratch.
For more details on how to use recorded login sequences, please refer to the scan launcher documentation.
You can now clear the interaction history in Burp Collaborator client.
This release also implements several minor bug fixes, most notably:
This release resolves a security issue in the Collaborator server. Previously, an attacker in a position to perform an active, server-side MITM attack could obtain the contents of emails delivered using STARTTLS. If you are running your own Collaborator server, we recommend updating it.
This vulnerability was reported to us privately via our bug bounty program.
This release fixes a bug that was preventing WebSocket messages from being displayed correctly in the message editor.
This release provides some improvements to the HTTP message editor UI.
On the “Raw” tab, the various options you have for analyzing the HTTP message are now contained in a toolbar at the top of each request or response. From the toolbar, you can now:
In the upper-right corner of the message editor, you can now choose from three different layouts that determine how the request and response are arranged in the panel.
You can choose from the following options:
These new layout options are available in various locations throughout Burp Suite, including the Target site map and Proxy history.
The embedded browser has been upgraded to Chromium 85.0.4183.83.
After several months of live testing, we are pleased to announce that this release enables browser-powered scanning by default.
By default, Burp Scanner will now perform all navigation using an embedded Chromium browser, during both crawl and audit. This approach enables the scanner to accurately handle JavaScript and other navigational structures that modern browsers can. This has the potential to dramatically improve the coverage of the scan during both the crawl and audit phases.
To run browser-powered scanning efficiently, we recommend a machine with at least 2 CPU cores and 8 GB RAM. Burp Scanner automatically checks whether your machine appears to meet these requirements and will use the embedded browser if possible. Otherwise, scans will revert to the previous crawling engine.
If you prefer, you can also manually enable/disable browser-powered scanning in your scan configuration. You can find this option under “Crawl options” > “Miscellaneous” > “Embedded browser options”.
Note: Browser-powered scanning currently remains off by default for Burp Suite Enterprise Edition.
image/svg+xml.This release provides an upgrade to the web cache poisoning scan checks as well as several other minor improvements and bug fixes.
Burp Scanner can now identify a variety of recently discovered cache poisoning issues. These checks are based on the techniques documented by James Kettle in his presentation “Web Cache Entanglement: Novel Pathways to Poisoning” at BlackHat USA 2020.
In this release, we’ve greatly improved the usability of Burp Suite by removing the need to perform many of the initial configuration steps for Burp Proxy.
You can now use Burp’s embedded Chromium browser for manual testing. This browser is preconfigured to work with the full functionality of Burp Suite right out of the box. You no longer need to manually configure your browser’s proxy settings or install Burp’s CA certificate. The first time you launch Burp you can immediately start testing, even with HTTPS URLs.
To launch the embedded browser, go to the “Proxy” > “Intercept” tab and click “Open Browser”.
Note that if you want to use an external browser for testing. you can still configure any browser to work with Burp in the same way as you could before.
Cookie headers are now displayed correctly in the “Params” tab.This release adds an option for using HTTP/2 and provides several minor improvements and bug fixes.
This release provides experimental support for HTTP/2. From the “Project settings” > “HTTP” tab, you can now choose to use HTTP/2 for inbound and outbound communication over TLS.
As this is still an experimental feature, please use it at your own discretion.
You can now control the TLS protocols that Burp Proxy will use when performing TLS negotiation with the browser. You can configure Burp Proxy to use the default protocols of your Java installation, or override these defaults and enable custom protocols as required.
In the HTTP history, you can now hover the mouse over URL encoded data to show the decoded data in a tooltip. Previously, this worked in Burp Repeater but not the “Proxy” > “HTTP history” tab.
This release provides several bug fixes, including the following improvements to the HTTP message editor:
We have also fixed a security bug that was reported via our bug bounty program. With a significant amount of user interaction, an attacker could potentially read local files. The attacker would have to induce a user to visit a malicious website, copy the request as a curl command, and then execute it via the command line. This was classed as a medium severity issue due to the level of user interaction required.
This release provides a useful new feature for the HTTP message editor, as well as several general improvements.
You can now choose to display non-printing characters as “lozenges” in the HTTP message editor. This is supported for any bytes with a hexadecimal value lower than 20, which includes tabs, line feeds, carriage returns, and null bytes.
This feature will be greatly beneficial for many use cases, including:
Non-printing characters are hidden by default, but you can toggle the lozenges on and off by clicking the “\n” button at the bottom of the editor.
These non-printing characters can currently only be displayed in the message editor. For now, you have to edit bytes using Burp’s hex view. However, we plan to enable you to do this directly in the message editor in the near future.
This release also provides the following minor improvements to various areas of Burp:
We have also implemented several minor bug fixes, most notably:
This release provides the following minor improvements:
In addition to general bug fixes, we have also resolved an issue that sometimes caused overlapping text in the message editor.
This release mainly provides usability improvements to the HTTP message editor. It also upgrades both Java support and Burp Scanner’s embedded browser version.
The HTTP message editor now supports pretty printing of JSON, XML, HTML, CSS, and JavaScript. Take a look at the following video to see this feature in action:
Unformatted JSON data, for example, would previously be displayed as follows:
But as of version 2020.4, all of the supported formats mentioned above are prettified by default, meaning the JSON data in our example would now be displayed as follows:
You can toggle pretty printing on and off by clicking the “Pretty” button at the bottom of the editor. Alternatively, if you would prefer not to use pretty printing by default, you can disable this setting under “User options” > “Display” > “HTTP Message Display”.
As of this release, we now support Java 13. Unfortunately, we will no longer be able to support Java 8. The vast majority of users will be unaffected by this change. However, if you normally launch Burp directly from the JAR file instead of using the provided installer, you need to make sure that you have one of Java versions 9 to 13 before attempting to launch the new JAR file.
We have updated Burp Scanner’s experimental embedded browser to Chromium 81.0.4044.122 in order to implement the latest security fixes.
This release also provides the following minor improvements:
We have also implemented several minor bug fixes, including:
This release contains minor updates to the 2020.2 release.
There are further enhancements to the custom Collaborator content options that were introduced in version 2020.2. You can now host custom robots.txt and crossdomain.xml files at arbitrary URLs on your Collaborator server.
We have also improved the handling of XML reports by stripping any null values.
The general improvements to the HTTP message editor continue, with this release providing the following bug fixes:
The issue definition links now also work correctly on the latest version of Kali Linux.
As always, we’ve also implemented several minor bug fixes across the product.
This release builds on the general improvements we have been making to the HTTP message editor and incorporates some feedback from the community:
The “Render” tab now enables you to view rendered HTML pages and images directly within the various tools instead of in a separate popup.
You can now add custom content to the Burp Collaborator service. For example, you could add a readme on the index page identifying the organization and the purpose of the service, or prove ownership of your domain to validate TLS certificate requests. To do this, you simply add new entries in the configuration file containing a path, contentType, and base64Content as follows:
"customHttpContent":
[
{ "path": "/", "contentType": "text/plain", "base64Content": "VGhpcyBpcyBhIHJhbmRvbSBsaW5lIG9mIHRleHQ="},
{ "path": "/foo", "contentType": "text/html", "base64Content": "dGhpcyBpcyBhbm90aGVyIG9uZSBmb3IgZ29vZCBtZWFzdXJlLiBOaWNlLg==" }
]
You can now initiate instant active or passive scans in Burp. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.
The following bugs fixes have also been implemented:
This release updates the HTTP message editor with various new capabilities:
We will soon continue improving the editor, with better prettifying of some formats and other helpful features.
Various improvements have been made to the efficiency and stability of Burp Scanner. We are working towards enabling the new experimental browser-driven scanning by default, which will pave the way for significant enhancements to the scanner’s capabilities over the coming year.
A number of bug fixes and other enhancements have been made, including:
This release considerably improves Burp’s SSL/TLS coverage. Historically, quirks in different server-side implementations together with bugs in the client-side Java stack led to problems connecting to some web sites. These have now been virtually eliminated.
The Venn diagram below shows how Burp’s coverage now compares with Google Chrome for the Alexa top 100,000 sites. Burp achieves substantial overlap with Chrome. Burp can connect to 1,696 sites that Chrome does not, and only fails to connect to 125 sites that Chrome can connect to.
(Note that Burp’s additional coverage is largely because Burp tolerates some older and weaker protocols and ciphers, in the interests of maximizing connectivity.)
Various improvements have been made to the crawling phase of scans:
This release includes various bugfixes and performance enhancements to the new experimental browser-driven scanning feature.
This release adds experimental support for using Burp’s embedded Chromium browser to perform all navigation while scanning.
This new approach will provide a robust basis for future capabilities in Burp Scanner, enabling it to eventually deal with any client-side technologies and navigational structures that a modern browser is able to deal with. It has the potential to dramatically improve coverage of the scan, during both the crawling and auditing phases.
In this initial release, Burp Scanner now correctly deals with:
There are numerous caveats at this stage:
The new feature is currently experimental, and is being released to gather feedback from users who want to play with the new capability and assess its effectiveness. The new feature is not currently a suitable replacement for the existing default scanning mode: you are likely to gain some coverage of JavaScript-heavy applications, but also lose some coverage and experience poor performance. Rest assured that over the coming months the new feature will be considerably enhanced until it becomes a robust and superior replacement to the existing scanning mode.
To enable experimental support for browser-based scan navigation, create a new scan, add a crawl configuration, and under “Miscellaneous” select “Use embedded browser for navigation”. You can also configure whether to allow the browser to fetch page resources that are out-of-scope.
The release also includes various other bugfixes. The embedded JRE that is included in Burp’s installer has been updated to Java 12.
This release includes a number of minor enhancements and bugfixes.
In Burp Repeater, there are new options to close a tab, close all other tabs, and reopen a closed tab. You can access these actions via the context menu on the tab header, or by assigning hotkeys.
There is a new (default-on) scan option to ignore the protocols of URLs to scan. This is to avoid a common user error where the scan is configured for http://example.com only, while it needs also to include https://example.com.
When a Burp update is available, there are options to mute the update notification for one week, for the currently offered update, or for all beta updates.
A bug affecting use of PKCS#11 smart cards affecting Burp 2.x has been fixed.
This release adds a brand new scan check, for HTTP request smuggling vulnerabilities:
This is a long-overlooked vulnerability class that is prevalent in modern cloud architectures, and which often has a critical impact.
The support for WebSockets in Burp Repeater has been enhanced with a new WebSocket connection wizard that lets you:
The new capability gives you full manual control over the WebSocket negotiation request.
Some other minor enhancements have also been made:
This release adds support for WebSockets in Burp Repeater.
You can select a WebSocket message in the Proxy history or intercept tab, and choose “Send to Repeater” from the context menu:
Each message you send to Repeater opens in a new tab. Here, you can manually edit and send the message, view the full message history, pick a message from the history and manually edit and resend it, and manage the WebSocket connection:
As always, feedback about this new feature is welcome.
Have fun!
Burp Suite 2.x is now officially out of beta!
This is a huge upgrade over 1.7 with a wealth of new capabilities. We encourage anyone still using 1.7 to switch to 2.x.
Community Edition users can now enjoy Burp’s new dark theme. To enable the dark theme, go to User options / Display / User Interface / Look and feel, and select Darcula.
Coming out of beta means we regard Burp Suite 2.x as essentially stable and suitable for general usage. It doesn’t mean there are no bugs. All software has bugs, and feedback is always welcome about any problems that users observe.
We will, of course, be continuing to enhance Burp Suite 2.x with various new features over the coming months.
This release adds some powerful new Scanner checks based on James Kettle’s talk at Black Hat today.
For full details of this awesome new research, see our blog post on practical web cache poisoning.
Burp Scanner is now able to detect two new vulnerabilities, “Web cache poisoning” and “Request URL override”:
Note: On 10 October 2018, the .DMG package was regenerated to be compatible with MacOS Mojave.
This release fixes a number of issues including:
Note: On 10 October 2018, the .DMG package for Community Edition was regenerated to be compatible with MacOS Mojave.
This release includes a number of fixes and minor enhancements:
A number of bugs have been fixed:
The following enhancements have been made:
Note that some of the security issues were reported through our bug bounty program, which pays generously for bugs large and small. Thanks are due to Bruno Morisson and Juho Nurminen.
This release significantly improves the effectiveness of project repair when project file corruption occurs. Some users still experience corrupted project files when using virtualized file systems (for example, using Burp within a guest VM can lead to project file corruption if the host OS terminates abnormally). Previously, if some key metadata near the start of the project file was lost, then Burp’s project repair feature would not recover any data. In the new release, uncorrupted data within the file can still be recovered even if this key metadata is lost. Further feedback is welcomed regarding the effectiveness of project repair.
To support the new project repair function, changes have been made to the Burp project file format. The new release is backwards compatible with project files from all prior versions, but project files created with the new release cannot be opened with older versions of Burp.
Some bugs have been fixed:
This release adds a new automatic project file backup function. If you are using a disk-based project, this function automatically saves a backup copy of your project file periodically in the background. The options for the new function can be found at User options / Misc / Automatic Project Backup:
The new function is superior to the older function that saved a state file backup in several respects:
Project file backups are considerably faster. Project files of 1Gb in size are typically backed up in a few seconds.
Other enhancements include:
This release adds two new capabilities relating to Burp project files:
Additionally, the “Number of threads” setting in Scanner options has been changed to “Concurrent request limit”. This paves the way for some major enhancements to the Scanner engine that are in the pipeline.
The new function is superior to the older function that saved a state file backup in several respects:
To support the new project repair function, changes have been made to the Burp project file format. The new release is backwards compatible with project files from all prior versions, but project files created with the new release cannot be opened with older versions of Burp.Some bugs have been fixed:
A number of bugs have been fixed:
The following enhancements have been made:
This release includes a number of fixes and minor enhancements:
This release fixes a number of issues including:
This release adds some powerful new Scanner checks based on James Kettle’s talk at Black Hat today.
For full details of this awesome new research, see read on web cache poisoning.
Burp Scanner is now able to detect two new vulnerabilities, “Web cache poisoning” and “Request URL override”:
