Burp Suite Changelog

What's new in Burp Suite 2024.3.1.2 Early Adopter

Apr 15, 2024

This release upgrades Burp's built-in browser to Chromium 123.0.6312.122 for Windows and Linux, and 123.0.6312.123 for Mac.

New in Burp Suite 2024.3.1.1 Early Adopter (Apr 11, 2024)

New in Burp Suite 2024.2.1.3 Early Adopter (Apr 2, 2024)

New in Burp Suite 2024.1.1.6 (Mar 12, 2024)

New in Burp Suite 2024.2.1.1 Early Adopter (Mar 7, 2024)

New in Burp Suite 2024.2.1 Early Adopter (Mar 1, 2024)

New in Burp Suite 2024.1.1.4 (Mar 1, 2024)

New in Burp Suite 2024.1.1.3 (Feb 24, 2024)

New in Burp Suite 2023.12.1.5 (Feb 13, 2024)

New in Burp Suite 2023.12.1.4 (Feb 8, 2024)

New in Burp Suite 2023.12.1.3 (Jan 27, 2024)

Advanced filtering in more tools with Bambdas:
We're introducing Bambdas into more areas of Burp Suite. These Java-based code snippets enable you to customize Burp directly from the UI.
This release introduces Bambdas into two new areas of Burp:
Proxy > WebSockets history filter.
Logger > View filter.
We've also created a Bambdas GitHub repository, where you can browse submissions from community members or contribute your own Bambdas.
Keep an eye out for more Bambdas appearing across Burp in future releases!
Improved Dashboard:
We've completely redesigned the Dashboard to make better use of on-screen space. You're now able to see detailed information about your scans and other tasks, without having to open additional popup windows.
To make room for all this information, we've moved the event log and the list of issues to a collapsible panel, which you access from the dock at the bottom of the screen.
Improved usability of tables in Burp:
We've started rolling out major usability improvements to data tables in Burp. For most tables in Burp, in addition to sorting and filtering, you can now:
Change the order of columns.
Hide columns.
Burp remembers the changes you make to the layouts of your tables, and will apply your preferences when you create a new project, or open an existing project, on your machine.
Ability to duplicate Repeater tabs multiple times:
We've added functionality that enables you to create multiple copies of a grouped Repeater tab in one go. This can be helpful if you're testing for race condition vulnerabilities as it makes the process of creating identical requests much more efficient.
Connection ID column added to Logger:
We’ve added a Connection ID column to Logger, which enables you to see which requests used the same connection. This makes it easier to detect if a website’s behavior changes, based on previous requests sent down the same connection.
Other improvements:
We've also made the following improvements:
We've added a Format BChecks action to the right-click menu, which can automatically adjust whitespace and indentation when writing BChecks.
Scanner now manages memory usage much more efficiently during the audit phase of browser-powered scans.
Scanner is now able to submit requests that match the Content-Type of non-standard JSON endpoints, for example, application/json-patch+json or application/*+json.
Scanner can now send arrays as query string parameters when scanning an OpenAPI schema. This enables it to find more endpoints.
Scanner is now better able to identify - and disregard - duplicate items in different areas of your application during scans. This helps to reduce the time it takes for scans to complete.
To reduce notification noise when launching Burp, the log message indicating that the Proxy is running is now recorded as a debug log item.
Bug fixes:
We've fixed a bug that prevented Notes from saving when clicking Save item or Save entire history in Repeater.

New in Burp Suite 2023.11.1.3 (Dec 11, 2023)

New in Burp Suite 2023.10.3.4 Early Adopter (Nov 9, 2023)

This release introduces Bambdas into the HTTP history filter, offering a new way to customize Burp Suite directly from the UI, using small snippets of Java code. We've also enabled a way to export BChecks, the rollout of notes in other areas of Burp, TLS passthrough for out-of-scope items, and the ability to include subdomains in your target scope.
In Burp Scanner, we have made improvements to the Task details dialog to make it easier to find information about scan results and live tasks.
Advanced HTTP history filtering using Bambdas:
Bambdas are a new way to customize Burp Suite directly from the UI, using small snippets of Java code. This release introduces Bambdas into the Proxy > HTTP history tab, enabling you to write custom filters for your HTTP history. These highly customizable filters can help you cut out white noise in your HTTP history, helping you to focus on only the exact items you're interested in seeing.
To try Bambdas for yourself, go to the Proxy > HTTP history tab filter, switch to Bambda mode, and write a custom filter using your own code.
Keep an eye out for Bambdas appearing in more Burp tools over the next few months.
Exporting BChecks:
You can now export BChecks, making it easier to share them between different instances of Burp. Just select the BChecks you want, then click Export.
Check out our BChecks GitHub repository for BChecks from PortSwigger and from the Burp Suite community.
Increased support for notes throughout Burp:
We're rolling out the notes feature into more areas of Burp. This feature enables you to record key information on tabs, making it easier to return to at a later time. Notes are copied when items are sent between different tabs. Use the Notes panel in the tab sidebar to add a note.
This update also introduces functionality that copies your notes when you send items between different tools in Burp.
This release introduces notes into:
Target > Site map
Proxy > Intercept
Proxy > HTTP history
Proxy > WebSockets history
TLS passthrough for out-of-scope items:
You can now apply TLS passthrough for out-of-scope items when you set the target scope, which can greatly improve performance. This behavior is automatically enabled when you accept the option to Stop logging out-of-scope items.
Include subdomains in target scope
You can now include subdomains of hosts you've included or excluded from your target scope. Enable this feature by selecting the Include subdomains checkbox in Target > Scope settings.
Improved Task details dialog:
We've made some improvements to the Task details dialog to make it easier to find information about scan results and live tasks:
We've replaced the Details tab with a new Summary tab. The Summary tab contains all the information that the Details tab did, but also features a list of the most serious vulnerabilities found, more detailed information on task progress, and a task log to give you real-time information on the task's actions.
We've added a new Issues tab listing all of the issues found during a scan. As part of this change, we've renamed the Issue activity tab (which also details changes from previous scans, such as an issue being deleted or more evidence being found) to the Audit log tab.
You can now view further details on an item in the Event log by selecting it. Previously, you had to double-click an item to display the Event detail dialog.
BChecks grammar enhancements:
We have added some new features to the BChecks grammar, including:
A removing query_string action that removes an entire query string from a request.
A new variable that returns Burp's User-Agent header.
A new pre-defined variable called insertion_point_base_value that contains the base value of the current insertion point.
A new per-path BCheck template that you can base your checks on.
BChecks can now return more than one issue. As a result of this, the issues reported by BChecks can now have individual names.
As a result of these changes, we have updated the grammar version to v2-beta. Please use this value in the metadata.language property when writing a check that uses these new features.
Other improvements:
When a scan finishes, Burp Scanner now polls the Collaborator server for new interactions every minute for the first 10 minutes. After this, it reverts to the default interval of once every 10 minutes. This means you no longer have to wait as long for Burp Scanner to report out-of-band interactions that are triggered almost instantly.
Browser upgrade:
We have upgraded Burp's built-in browser to 119.0.6045.123 for Mac and Linux and 119.0.6045.123/.124 for Windows. For more information, see the Chromium release notes.

New in Burp Suite 2023.10.3.3 Early Adopter (Nov 6, 2023)

New in Burp Suite 2023.10.2.3 Early Adopter (Oct 20, 2023)

New in Burp Suite 2023.10.2.2 Early Adopter (Oct 16, 2023)

New in Burp Suite 2023.10.2 Early Adopter (Sep 14, 2023)

Test BChecks in the editor:
You can now test your BChecks from within the editor, enabling you to quickly confirm whether a check is working as expected without having to run a scan manually.
BCheck tests use pre-selected requests and responses as test cases. When you run a test, Burp Scanner runs the BCheck on the selected HTTP messages and reports the results.
For more information about the new BCheck test features, see Testing BChecks.
You can now add notes to Repeater tabs. This feature enables you to record key information about a tab, making it easier to return to at a later time. If you subsequently send the item to Organizer, the new Organizer entry contains the existing note content.
To record a Repeater note, select the Notes panel in the tab sidebar and enter the required text.
Blank BCheck template:
You can now start from a blank template when creating BChecks, rather than copying and modifying one of the default checks. We have added the new template to the BCheck templates list, which is displayed when creating a new BCheck.
Scanner improvements:
We have made the following improvements to the Scanner:
The crawler can now access any available alt text for its target items. This has enabled us to improve the quality of the information displayed on the Crawl paths tab.
We have added three new filter buttons to the Issue Activity Dashboard panel:
BCheck generated filters the list to display only issues that were identified via a BCheck.
Extensions filters the list to display only issues that were identified via an extension-generated scan check.
Scan checks filters the list to display only issues that were found by a regular Burp scan check (i.e. not by a BCheck or extension).
Brotli and Deflate decoding support for the Montoya API:
The Montoya API's decode method now supports Brotli and Deflate encodings.
Decoder improvements:
When you pass a base64 string without padding to Decoder, it now decodes the string as if it were padded. This brings Decoder's behavior in line with that of the Inspector. Previously, Decoder required the appropriate padding to be added before the string was passed.
Bug fixes:
We have fixed the following bugs:
Previously, the Send to Repeater context menu option was not sending WebSocket tabs to Repeater in certain circumstances. This function now works as expected.
We have fixed an issue with the BCheck validator whereby variables incorrectly defined outside of the define block were not causing the check to fail validation.
Browser upgrade:
We have upgraded Burp's built-in browser to Chromium 117.0.5938.62 for Mac / Linux and 117.0.5938.63 for Windows. This update contains several security fixes, including one for a critical vulnerability.

New in Burp Suite 2023.10.1 Early Adopter (Sep 1, 2023)

New in Burp Suite 2023.9.3 (Aug 26, 2023)

New in Burp Suite 2023.9.2 (Aug 17, 2023)

New in Burp Suite 2023.9.1 (Aug 10, 2023)

Repeater send group in parallel:
We have added a Send group (parallel) option to Repeater's Group send options menu. When you select this option for a tab group, Repeater sends the requests from all of the group's tabs at once.
Repeater synchronizes parallel requests to ensure that they all arrive in full at the same time. It uses different synchronization techniques depending on the HTTP version used:
When sending over HTTP/2, Repeater sends the group using a single packet attack. This is where multiple requests are sent via a single TCP packet.
When sending over HTTP/1, Repeater uses last-byte synchronization. This is where multiple requests are sent over concurrent connections, but the last byte of each request in the group is withheld. After a short delay, these last bytes are sent down each connection simultaneously.
Sending synchronized requests in parallel makes it much easier to test for race conditions. For more information about how to do this, as well as some deliberately vulnerable labs for you to practice on, check out the Race conditions topic on the Web Security Academy.
For more information on sending Repeater groups in parallel, see Sending grouped HTTP requests.
Montoya API changes:
As part of these new Repeater features, we have added two sendRequests methods to the Http interface. These methods enable you to build extensions that can send HTTP requests in parallel and retrieve their responses. You can also explicitly specify the HTTP mode that the requests should use, if required.
Reuse HTTP/1 connections in Intruder to speed up attacks
You can now control whether Intruder reuses connections to issue multiple HTTP/1 requests. This can greatly increase the speed of your attacks when using HTTP/1, as Burp does not need to open a new connection for each request and close it after receiving a response. Find this in Intruder > Settings > HTTP/1 connection reuse. For more information, see HTTP/1 connection reuse.
Safely open third-party project files:
We've introduced a new startup setting that enables you to trust or untrust projects. If you deselect Trust this project, Burp can now remove potentially harmful settings that could be configured within project files.
This is especially useful if you are opening project files that came from unknown or untrusted sources. Find this setting on the startup wizard, or in Settings > Suite > Startup behavior > Unrecognized project files. For more information, see Startup behavior.
Specify intermediate CA certificates for hardware tokens and smart cards:
You can now set intermediate certificates when you add a new PKCS#11 certificate for hardware token and smart cards. This enables you to test target applications that don't directly trust your intermediate CA. For more information, see Client TLS certificates.
Set custom SNI values in Repeater:
You can now set custom SNI values in Repeater. This enables you to reproduce external service interaction issues detected by Scanner using Collaborator payloads within the SNI. For more information, see HTTP Repeater tab.
Project-level scan crawl paths:
All scans in a project can now share crawl path information. This improves scan efficiency, enabling Burp Scanner to build on the paths it has already discovered as new scans are run.
As a result of this, we have added a new Crawl paths tab to the Target tool. This tab displays path information in the same way as the existing scan results Crawl path tab, but is populated by all scans rather than one individual scan. Any new scans that you run can draw on and add to the information displayed in this tab.
Isolated scans:
As part of the global crawl path work, we have added a Run isolated scan option to the scan launcher. Results from isolated scans do not appear in the Target > Site map or Target > Crawl paths tabs. This feature is useful if you want to test settings without impacting "live" scan results, for example.
You can view site map and crawl path information for isolated scans from the Tasks > View details > Target tab. The information displayed on this tab applies to the selected scan task only.
GraphQL introspection:
Burp Scanner can now run introspection queries on GraphQL endpoints to gain information on available queries and mutations. If the introspection query is successful, Burp Scanner sends further requests to each query and mutation discovered in an attempt to discover as much attack surface as possible. To enable GraphQL introspection, select the new Perform GraphQL introspection setting in the Miscellaneous section of the scan configuration.
If it does not find any GraphQL endpoints in the crawl, Burp Scanner can also now attempt to guess GraphQL endpoints using a list of common endpoint suffixes. To enable GraphQL endpoint guessing, select the new Test common GraphQL endpoints setting in the Miscellaneous section of the scan configuration.
Automatic scan throttling:
We have added a new Automatic throttling setting to the Resource pool section of the scan launcher. You can now configure which HTTP response codes should cause Burp Scanner to introduce a short delay between requests. Previously, Burp Scanner could only throttle requests when the server responded with a HTTP 429 code.
Other Burp Scanner improvements:
We have improved crawl optimization to reduce the chance of interesting content being missed. Specifically, Burp Scanner now treats clickables that are using the same event listener with different visible text as separate entities, and visits them all.
Bug fixes:
We've fixed a number of minor bugs, including:
We've fixed an issue that was causing the Proxy response panel to freeze when inspecting a 200 response after inspecting a 302/400 response.
We've improved the reliability of the Send to Organizer function.
We've fixed an issue where requests / responses generated by Intruder in some older versions of Burp could not be seen in newer versions.
We have fixed a bug whereby the crawler was not always waiting for slow asynchronous queries that cause a DOM mutation to return. This was resulting in slow page loads and missing elements in certain circumstances.
We have fixed a bug whereby Burp Organizer items weren't retained when Burp was upgraded to the latest version.

New in Burp Suite 2023.9 (Aug 10, 2023)

Repeater send group in parallel:
We have added a Send group (parallel) option to Repeater's Group send options menu. When you select this option for a tab group, Repeater sends the requests from all of the group's tabs at once.
Repeater synchronizes parallel requests to ensure that they all arrive in full at the same time. It uses different synchronization techniques depending on the HTTP version used:
When sending over HTTP/2, Repeater sends the group using a single packet attack. This is where multiple requests are sent via a single TCP packet.
When sending over HTTP/1, Repeater uses last-byte synchronization. This is where multiple requests are sent over concurrent connections, but the last byte of each request in the group is withheld. After a short delay, these last bytes are sent down each connection simultaneously.
Montoya API changes:
As part of these new Repeater features, we have added two sendRequests methods to the Http interface. These methods enable you to build extensions that can send HTTP requests in parallel and retrieve their responses. You can also explicitly specify the HTTP mode that the requests should use, if required.
Reuse HTTP/1 connections in Intruder to speed up attacks:
You can now control whether Intruder reuses connections to issue multiple HTTP/1 requests. This can greatly increase the speed of your attacks when using HTTP/1, as Burp does not need to open a new connection for each request and close it after receiving a response. Find this in Intruder > Settings > HTTP/1 connection reuse. For more information, see HTTP/1 connection reuse.
Safely open third-party project files:
We've introduced a new startup setting that enables you to trust or untrust projects. If you deselect Trust this project, Burp can now remove potentially harmful settings that could be configured within project files.
This is especially useful if you are opening project files that came from unknown or untrusted sources. Find this setting on the startup wizard, or in Settings > Suite > Startup behavior > Unrecognized project files. For more information, see Startup behavior.
Specify intermediate CA certificates for hardware tokens and smart cards
You can now set intermediate certificates when you add a new PKCS#11 certificate for hardware token and smart cards. This enables you to test target applications that don't directly trust your intermediate CA. For more information, see Client TLS certificates.
Set custom SNI values in Repeater:
You can now set custom SNI values in Repeater. This enables you to reproduce external service interaction issues detected by Scanner using Collaborator payloads within the SNI. For more information, see HTTP Repeater tab.
Project-level scan crawl paths:
All scans in a project can now share crawl path information. This improves scan efficiency, enabling Burp Scanner to build on the paths it has already discovered as new scans are run.
As a result of this, we have added a new Crawl paths tab to the Target tool. This tab displays path information in the same way as the existing scan results Crawl path tab, but is populated by all scans rather than one individual scan. Any new scans that you run can draw on and add to the information displayed in this tab.
Isolated scans:
As part of the global crawl path work, we have added a Run isolated scan option to the scan launcher. Results from isolated scans do not appear in the Target > Site map or Target > Crawl paths tabs, or on the Dashboard's issue activity log. This feature is useful if you want to test settings without impacting "live" scan results, for example.
You can view site map and crawl path information for isolated scans from the Tasks > View details > Target tab. The information displayed on this tab applies to the selected scan task only.
GraphQL introspection:
Burp Scanner can now run introspection queries on GraphQL endpoints to gain information on available queries and mutations. If the introspection query is successful, Burp Scanner sends further requests to each query and mutation discovered in an attempt to discover as much attack surface as possible. To enable GraphQL introspection, select the new Perform GraphQL introspection setting in the Miscellaneous section of the scan configuration.
If it does not find any GraphQL endpoints in the crawl, Burp Scanner can also now attempt to guess GraphQL endpoints using a list of common endpoint suffixes. To enable GraphQL endpoint guessing, select the new Test common GraphQL endpoints setting in the Miscellaneous section of the scan configuration.
Automatic scan throttling:
We have added a new Automatic throttling setting to the Resource pool section of the scan launcher. You can now configure which HTTP response codes should cause Burp Scanner to introduce a short delay between requests. Previously, Burp Scanner could only throttle requests when the server responded with a HTTP 429 code.
Other Burp Scanner improvements
We have improved crawl optimization to reduce the chance of interesting content being missed. Specifically, Burp Scanner now treats clickables that are using the same event listener with different visible text as separate entities, and visits them all.
Bug fixes:
We've fixed a number of minor bugs, including:
We've fixed an issue that was causing the Proxy response panel to freeze when inspecting a 200 response after inspecting a 302/400 response.
We've improved the reliability of the Send to Organizer function.
We've fixed an issue where requests / responses generated by Intruder in some older versions of Burp could not be seen in newer versions.
We have fixed a bug whereby the crawler was not always waiting for slow asynchronous queries tha

New in Burp Suite 2023.8 Early Adopter (Jul 27, 2023)

New in Burp Suite 2023.6.2 Early Adopter (Jun 29, 2023)

Live crawl paths view improvements:
We have made a number of improvements to Burp Scanner's live crawl paths view:
You can now view details of all the possible navigation actions that the crawler was able to take from a given location on the crawl path. This enables you to better understand the structure of your site. To view these details, go to the Crawl paths > Outlinks tab of the scan task details window.
You can now view a screenshot of Burp's browser at any crawl location. Go to the Crawl paths tab of the scan task details window and click Show screenshot.
The shortest crawl path tree is now retained when you reopen a project file.
GraphQL scan checks:
We have introduced a number of GraphQL scan checks. The new scan checks enable you to:
Identify if introspection queries are enabled.
Find out if GraphQL suggestions are enabled.
Test for CSRF vulnerabilities in all discovered GraphQL endpoints.
Montoya API:
We have updated the Montoya API, to enable you to create extensions with additional functionality. You can now:
Convert ByteArray data to different integer bases. This means you no longer need to use additional libraries to complete this task.
Log exceptions to the error output. This means that you don't need to format and convert exceptions manually.
Other improvements:
We have made a number of additional improvements, including:
You can now quickly switch to the Organizer tab using the hotkey Ctrl + Shift + O.
In the Issue activity table on the Dashboard, you can now filter issues by your target scope.
We have changed the way we launch Burp's browser. It now works with accounts for sites that fingerprint the presence of the DevTools listener, such as Google accounts.
Bug fixes:
We fixed a number of minor bugs:
If you change the highlight in the Organizer table, it no longer deselects the current row.
For Burp Suite Community Edition, filters are now correctly applied to Intruder attack results.
Burp Collaborator DNS interactions are now correctly reported by BCheck scan checks.
Browser upgrade:
We have upgraded Burp's built-in browser to 114.0.5735.198 for Mac and Linux and 114.0.5735.198/199 for Windows. This update contains multiple security fixes.

New in Burp Suite 2023.5.4 (Jun 15, 2023)

New in Burp Suite 2023.5.1 (May 19, 2023)

New in Burp Suite 2023.5 (May 12, 2023)

New in Burp Suite 2023.3.5 (Apr 21, 2023)

New in Burp Suite 2023.4.1 (Apr 17, 2023)

New in Burp Suite 2023.2.4 / 2023.3.1 Early Adopter (Mar 24, 2023)

New in Burp Suite 2023.2.3 (Mar 10, 2023)

New in Burp Suite 2023.2.2 (Mar 1, 2023)

New in Burp Suite 2023.2.1 (Feb 15, 2023)

New in Burp Suite 2023.2 (Feb 9, 2023)

New in Burp Suite 2023.1.2 (Feb 9, 2023)

Settings restructure:
We have moved more settings into Burp’s Settings dialog. In particular, we have added:
All settings related to the following Burp tools into the Tools section:
Proxy.
Repeater.
Sequencer.
Intruder - User settings only. Intruder attack configuration settings remain in the Intruder attack tab.
A new page for extensions.
A new page for the configuration library.
Target scope settings into the Scope section.
Resource pools and task auto-start settings into the Tasks section.
As part of this restructuring, we have also:
Added the Repeater Default tab group setting. This enables you to configure the tab group that requests are added to by default when sent to Repeater.
Updated the viewing panel for the Hotkeys settings. This enables you to edit hotkeys from this panel directly.
Moved Inspector settings into the Message editor page.
Montoya API persistence
We have upgraded the Montoya API to version 1.0.0, which enables Burp extensions to store and manage data in project files. Any BApps that you develop with version 1.0.0 will be compatible with future versions of Burp, as all future changes to the API will be backwards compatible.
You can now use the Montoya API to:
Store extension settings and data in the current Burp project. The API can store data both to project files that were created on startup and to temporary projects that you subsequently save to a project file. Each extension can only access its own data.
Select whether or not extension data is saved when you save a copy of the current project.
Import extension data from another project file.
The Montoya API offers support for the following data types:
Primitives.
Strings.
Booleans.
Requests.
Responses.
Byte arrays.
Lists.
Hierarchies.
Note that this functionality is not available in Burp's old Wiener API. You can only write extensions that support data storage and retrieval using the Montoya API from version 1.0.0 onwards.
Macro updates:
You can now define a prefix and suffix for a custom macro parameter. This can be useful, for example, to support Authorization headers, which require a static prefix followed by a dynamic value.
In addition, you can now set headers using macro parameters. When a parameter matches a request header, then Burp replaces the header value with the macro parameter value. This enables you to test APIs without configuring a Burp Extension.
Improvements to Burp Scanner
This release includes several minor improvements to authenticated crawling with popup-based login mechanisms:
We have added a wait after the final event in a recorded sequence. This means that the sequence now captures links that are added by the final page after a delay.
When you login after receiving a temporary failure status code, Burp now authenticates subsequent requests for the same resource.
When you change the Await navigation timeout in a crawler configuration, it now automatically updates in the recorded login sequence replayer. It is also stored in the crawler tuning.
Bug fixes:
We have fixed a bug whereby Burp Repeater tabs were not functioning correctly when a request was sent to portswigger.net and the path was then changed to an absolute URL.
We have also released a couple of bug fixes related to the Montoya API:
Previously, the Javadoc incorrectly stated that the passiveAudit() method of the ScanCheck interface returns null if no issues are identified. The method in fact returns an empty AuditResult object if no issues are identified. We have updated the Javadoc.
We have fixed a bug whereby the copyToTempFile method in HttpRequestResponseImpl was causing null pointer exceptions.

New in Burp Suite 2022.12.7 (Jan 26, 2023)

New in Burp Suite 2023.1.1 Early Adopter (Jan 26, 2023)

New in Burp Suite 2023.1 (Jan 12, 2023)

We have moved more settings into Burp’s Settings dialog. In particular, we have added:
All settings related to the following Burp tools into the Tools section:
Proxy.
Repeater.
Sequencer.
Intruder - User settings only. Intruder attack configuration settings remain in the Intruder attack tab.
A new page for extensions.
A new page for the configuration library.
Target scope settings into the Scope section.
Resource pools and task auto-start settings into the Tasks section.
As part of this restructuring, we have also:
Added the Repeater Default tab group setting. This enables you to configure the tab group that requests are added to by default when sent to Repeater.
Updated the viewing panel for the Hotkeys settings. This enables you to edit hotkeys from this panel directly.
Moved Inspector settings into the Message editor page.
Montoya API persistence:
We have upgraded the Montoya API to version 1.0.0, which enables Burp extensions to store and manage data in project files. Any BApps that you develop with version 1.0.0 will be compatible with future versions of Burp, as all future changes to the API will be backwards compatible.
You can now use the Montoya API to:
Store extension settings and data in the current Burp project. The API can store data both to project files that were created on startup and to temporary projects that you subsequently save to a project file. Each extension can only access its own data.
Select whether or not extension data is saved when you save a copy of the current project.
Import extension data from another project file.
The Montoya API offers support for the following data types:
Primitives.
Strings.
Booleans.
Requests.
Responses.
Byte arrays.
Lists.
Hierarchies.
Note that this functionality is not available in Burp's old Wiener Extender API. You can only write extensions that support data storage and retrieval using the Montoya API from version 1.0.0 onwards.
Macro updates:
You can now define a prefix and suffix for a custom macro parameter. This can be useful, for example, to support Authorization headers, which require a static prefix followed by a dynamic value.
In addition, you can now set headers using macro parameters. When a parameter matches a request header, then Burp replaces the header value with the macro parameter value. This enables you to test APIs without configuring a Burp Extension.
Bug fix:
We have fixed a bug whereby Burp Repeater tabs were not functioning correctly when a request was sent to portswigger.net and the path was then changed to an absolute URL.
Browser update:
This release upgrades Burp's browser to Chromium 109.0.5414.74/.75/.87.

New in Burp Suite 2022.12.6 (Jan 12, 2023)

New in Burp Suite 2022.12.5 (Dec 21, 2022)

New in Burp Suite 2022.12.4 (Dec 15, 2022)

New in Burp Suite 2022.12.3 (Dec 12, 2022)

New in Burp Suite 2022.12.0 (Nov 25, 2022)

Authenticated crawling of applications with popup-based login mechanisms:
Burp Scanner can now replay recorded login sequences that open new windows or tabs. This enables you to run authenticated scans on websites with login mechanisms that require you to interact with popups, such as Google and Amazon's SSO services.
Live crawl view for Burp Scanner:
We have added a new Live crawl view tab to the Scan details dialog. This tab enables you to watch Burp Scanner render web pages in real time, helping you to diagnose unusual crawl activity or simply get a better understanding of Burp Scanner's behaviors when scanning a particular target.
DOM Invader enhancements:
This release adds a number of new features to DOM Invader, as well as some usability improvements.
Detect DOM clobbering vulnerabilities - DOM Invader can now scan for DOM clobbering vulnerabilities as you browse. This feature is disabled by default as it can potentially interfere with your other testing activities. You can enable it from the DOM Invader settings menu.
Detect injectable service workers - DOM Invader now attempts to inject the canary into service workers during registration and flags any controllable properties. You can then manually investigate whether the service worker uses these properties in an unsafe way.
Improved URL injection - We've removed the Inject URL button, which injected a test string into every URL parameter at once. In most cases, this wasn't very useful as it just prevented the site from working properly. Instead, you can now click Inject URL params to inject the canary into each URL parameter separately in individual windows. This is far more practical and yields significantly better results.
Restrict the parameters used for auto-injection - When using the Inject into all sources option, you can now define a custom list of parameters that DOM Invader uses to inject the canary. This makes this feature more useful as injecting all parameters at once typically just prevents the site from working at all.
We have also divided the main settings menu into collapsible categories to make it easier to use.
Rolling licenses:
We have added support for rolling licenses in Burp Suite. If your Burp license key has expired but you have a new, valid license associated with your account, then Burp Suite automatically applies your new license key the next time it starts up.
Change to Java requirements
Burp Suite now requires Java 17 or later to run. This change should not impact you unless you launch Burp Suite from the command line, as the installer includes a bundled private Java Runtime Environment so that you don't need to worry about installing or updating Java.
Minor improvements
This release includes several minor improvements, including:
We have made a number of changes to increase Burp Scanner's resilience and better support scanning of single-page applications.
The Collaborator client now shows the source port in the interaction details panel. This can help you to gauge how vulnerable a particular server is to certain attacks.
In Repeater, you can now drag and drop a tab into a collapsed group. The dragged tab is added to the end of the group.
We have changed the way in which Intruder attack results are stored in order to minimize the impact on project file size.
Bug fixes:
We have fixed the following bugs:
Previously, Burp was stripping out manually-modified Connection headers when using NTLM authentication. This has now been fixed.
We have fixed a request time discrepancy between Intruder and Logger, in which Intruder was incorrectly reporting that requests were sent to the server a few seconds before the request was actually sent.

New in Burp Suite 2022.11.1 (Nov 13, 2022)

New in Burp Suite 2022.9.6 (Nov 10, 2022)

New in Burp Suite 2022.9.5 (Oct 28, 2022)

Montoya API:
We have released the Montoya API, an all-new API that enables you to develop extensions for Burp Suite. The new API offers a more modern design than the existing Extender API, making it easier to use and enabling us to add future features that we could not have supported with the old API.
This change will not affect any current BApps, and the existing Extender API will continue to work as normal for the immediate future. However, we strongly recommend that you write any new extensions using the new Montoya API, as we will eventually end support for the Extender API.
The Montoya API offers all of the same features as the existing version. It also includes several new features, such as:
New methods to create, modify, and delete request / response headers.
The ability for an extension to query which edition of Burp (that is, Professional, Community Edition, or Enterprise Edition) it is currently running in.
The ability to generate Collaborator payloads from your own custom data.
The ability to export the secret key that the Collaborator uses for extensions and restore a previous Collaborator client session from it.
New utilities to generate random sequences and manipulate byte arrays.
Collaborator client improvements:
We have moved the client from the Burp menu to its own top-level tab.
You can now open multiple Collaborator client tabs, enabling you to track interactions from multiple payloads in separate tables.
Collaborator interactions are now persisted in the project file, meaning that any interactions in the table are retained if you close and reopen your project. You can also now save Collaborator interaction data directly to your project file.
You can now insert a Collaborator payload in the message editor by selecting Insert Collaborator payload from the context menu. This pastes in a new ID from the most recently-created Collaborator client tab.
The interaction table now displays interaction timings in milliseconds and the source IP of the interaction.
Automatic license key updates:
Renewed license keys now update automatically. If your existing license is expiring or has expired altogether, Burp Suite automatically checks your account for a renewed license key. If you have a renewed key associated with your account, then the system retrieves and activates that key.
Adaptive request throttling for Burp Scanner:
When Burp Scanner receives a 429 response due to sending too many requests in quick succession, it now incrementally adds a short delay between requests until it complies with the server's rate limit. This enables the scan to continue as normal, albeit with an increased duration.
If you prefer, you can disable this behavior using a custom scan configuration - just go to Request throttling configuration and deselect Adaptive request throttling.
Security patch:
We have fixed an HTML injection vulnerability that could be triggered by attackers with direct access to the proxy listener. Note that the proxy listener only accepts connections from localhost by default. This issue was privately reported via our bug bounty program.
Browser upgrade:
We have upgraded Burp's browser to Chromium 107.0.5304.62, which fixes a number of high-severity security issues.
Bug fixes:
Previously, you could still use the Collaborator client to generate payloads and poll manually even if the Collaborator was disabled in the project options. We have now amended this so that disabling the Collaborator disables all of the Collaborator client's functions.
We have fixed a bug whereby disabling the Collaborator did not stop the Collaborator client from polling for payloads that had already been created.
We have fixed a bug whereby the Learn More link on the Collaborator client tab was pointing to an invalid URL.
We have fixed a bug that prevented the crawler from handling links that are added to a page by JavaScript following a delay.
We have fixed a bug whereby Burp Scanner was failing to find CSRF vulnerabilities on sites that return a 302 response when CSRF is exploited.
We have fixed a bug whereby Repeater was not identifying streaming responses correctly, meaning that the affected responses would never complete.
We have fixed a UI issue whereby checkboxes and radio buttons were not displaying correctly on the Extensions tab when using the Light display theme.

New in Burp Suite 2022.9.5 Early Adopter (Oct 27, 2022)

Montoya API:
We have released the Montoya API, an all-new API that enables you to develop extensions for Burp Suite. The new API offers a more modern design than the existing Extender API, making it easier to use and enabling us to add future features that we could not have supported with the old API.
This change will not affect any current BApps, and the existing Extender API will continue to work as normal for the immediate future. However, we strongly recommend that you write any new extensions using the new Montoya API, as we will eventually end support for the Extender API.
The Montoya API offers all of the same features as the existing version. It also includes several new features, such as:
New methods to create, modify, and delete request / response headers.
The ability for an extension to query which edition of Burp (that is, Professional, Community Edition, or Enterprise Edition) it is currently running in.
The ability to generate Collaborator payloads from your own custom data.
The ability to export the secret key that the Collaborator uses for extensions and restore a previous Collaborator client session from it.
New utilities to generate random sequences and manipulate byte arrays.
Collaborator client improvements:
This release introduces various usability improvements for the Burp Collaborator client, including:
We have moved the client from the Burp menu to its own top-level tab.
You can now open multiple Collaborator client tabs, enabling you to track interactions from multiple payloads in separate tables.
Collaborator interactions are now persisted in the project file, meaning that any interactions in the table are retained if you close and reopen your project. You can also now save Collaborator interaction data directly to your project file.
You can now insert a Collaborator payload in the message editor by selecting Insert Collaborator payload from the context menu. This pastes in a new ID from the most recently-created Collaborator client tab.
The interaction table now displays interaction timings in milliseconds and the source IP of the interaction.
Automatic license key updates:
Renewed license keys now update automatically. If your existing license is expiring or has expired altogether, Burp Suite automatically checks your account for a renewed license key. If you have a renewed key associated with your account, then the system retrieves and activates that key.
Please note that you will need to allow network access to https://portswigger.net for this process to work.
Adaptive request throttling for Burp Scanner:
When Burp Scanner receives a 429 response due to sending too many requests in quick succession, it now incrementally adds a short delay between requests until it complies with the server's rate limit. This enables the scan to continue as normal, albeit with an increased duration.
If you prefer, you can disable this behavior using a custom scan configuration - just go to Request throttling configuration and deselect Adaptive request throttling.
Security patch:
We have fixed an HTML injection vulnerability that could be triggered by attackers with direct access to the proxy listener. Note that the proxy listener only accepts connections from localhost by default. This issue was privately reported via our bug bounty program.
Browser upgrade:
We have upgraded Burp's browser to Chromium 107.0.5304.62, which fixes a number of high-severity security issues.
Bug fixes:
We have also fixed some minor bugs, including:
Previously, you could still use the Collaborator client to generate payloads and poll manually even if the Collaborator was disabled in the project options. We have now amended this so that disabling the Collaborator disables all of the Collaborator client's functions.
We have fixed a bug whereby disabling the Collaborator did not stop the Collaborator client from polling for payloads that had already been created.
We have fixed a bug whereby the Learn More link on the Collaborator client tab was pointing to an invalid URL.
We have fixed a bug that prevented the crawler from handling links that are added to a page by JavaScript following a delay.
We have fixed a bug whereby Burp Scanner was failing to find CSRF vulnerabilities on sites that return a 302 response when CSRF is exploited.
We have fixed a bug whereby Repeater was not identifying streaming responses correctly, meaning that the affected responses would never complete.
We have fixed a UI issue whereby checkboxes and radio buttons were not displaying correctly on the Extensions tab when using the Light display theme.

New in Burp Suite 2022.9.4 Early Adopter (Oct 20, 2022)

New in Burp Suite 2022.9.2 Early Adopter (Oct 4, 2022)

New in Burp Suite 2022.8.5 (Sep 29, 2022)

New in Burp Suite 2022.9.1 Early Adopter (Sep 17, 2022)

New in Burp Suite 2022.9.0 Early Adopter (Sep 5, 2022)

New Extender API:
We have released an entirely new Extender API. The new API offers a more modern design than the existing version, making it easier to use and enabling us to add future features that we could not have supported with the old API.
The new API offers all of the same features as the existing version. For reference information, see the API Javadoc.
Collaborator client improvements:
This release introduces various usability improvements for the Burp Collaborator client, including:
We have moved the client from the Burp menu to its own top-level tab.
You can now open multiple Collaborator client tabs, enabling you to track interactions from multiple payloads in separate tables.
Collaborator interactions are now persisted in the project file, meaning that any interactions in the table are retained if you close and reopen your project. You can also now save Collaborator interaction data directly to your project file.
You can now insert a Collaborator payload in the message editor by selecting Insert Collaborator payload from the context menu. This pastes in a new ID from the most recently-opened Collaborator client tab.
The interaction table now displays interaction timings in milliseconds and the source IP of the interaction.
Automatic license key updates:
Renewed license keys now update automatically. If your existing license is expiring or has expired altogether, Burp Suite automatically checks your account for a renewed license key. If you have a renewed key associated with your account, then the system retrieves and activates that key.
Please note that you will need to allow network access to https://portswigger.net for this process to work.
Adaptive request throttling for Burp Scanner:
When Burp Scanner receives a 429 response due to sending too many requests in quick succession, it now incrementally adds a short delay between requests until it complies with the server's rate limit. This enables the scan to continue as normal, albeit with an increased duration.
If you prefer, you can disable this behavior using a custom scan configuration - just go to Request throttling configuration and deselect Adaptive request throttling.

New in Burp Suite 2022.8.4 (Sep 5, 2022)

New in Burp Suite 2022.8.3 (Sep 2, 2022)

New in Burp Suite 2022.8.2 (Aug 19, 2022)

New in Burp Suite 2022.8.1 (Aug 11, 2022)

This release provides new scan checks based on James Kettle's Browser-Powered Desync Attacks, first presented at Black Hat USA 2022. It also introduces the new capabilities for Burp Repeater that enable you test for these vulnerabilities manually.
New scan checks for client-side desync and CL.0 request smuggling
Burp Scanner now reports client-side desync vulnerabilities. We've also upgraded our existing HTTP request smuggling checks to detect CL.0 vulnerabilities.
For more details on both of these issues, check out James's whitepaper and the new Web Security Academy content.
Send a sequence of requests in Burp Repeater:
You can now send the requests from a group of Repeater tabs as an automated sequence. When viewing a tab that belongs to a group, there is now a drop-down menu next to the Send button that lets you choose how your request sequence is sent. You can either send all of the requests over a single connection or use a separate connection for each request.
Sending requests over a single connection enables you to test for client-side desync vulnerabilities. For more information about how to do this, as well as some deliberately vulnerable labs for you to practice on, check out the new content on the Web Security Academy.
Sending over a single connection is also useful for timing-based attacks that rely on being able to compare responses with very small differences in timings as it reduces the "jitter" that can occur when establishing TCP connections.
Sending requests over separate connections is primarily useful when testing for vulnerabilities that require a multi-step process.
Adjusted issue severity - External service interaction (DNS):
Burp Scanner uses OAST techniques to identify critical vulnerabilities via DNS pingbacks to Burp Collaborator. Both the DNS interaction itself and the identified vulnerability are reported as separate issues. In some cases, such as when testing for SSRF, we may induce the application to perform a DNS lookup without this leading to the discovery of any further vulnerability. To better reflect this latter scenario, we have adjusted the severity of the External service interaction (DNS) issue.
We previously classed this as a high-severity issue on the assumption that a corresponding HTTP request was probably sent by the server, but subsequently blocked by a firewall's egress filters. Although we can't detect this externally, it could still provide a vector for pivoting attacks against the internal network.
However, we've increasingly encountered cases where systems perform a DNS lookup with no intention of ever connecting to the remote host, meaning that no HTTP request ever existed. For example, this could be triggered simply by adding a URL as the key of a Java Map.
This behavior can still indicate a serious vulnerability, and is worthy of further investigation, but we have reduced the reported severity to reflect the typical impact.
Handling changes for Unknown Host errors:
Previously, Burp Scanner automatically terminated audits if it encountered Unknown Host errors, even if the scan scope also included separate, valid domains. Unknown host errors are now treated in the same way as other scanner errors, and the audit does not automatically terminate if one is encountered.
Browser upgrade:
We have upgraded Burp's browser to Chromium 104.0.5112.79.
Bug fixes:
This release also provides some minor bug fixes, including:
You can now use shift-click to select any tabs on the Create new group dialog. Previously, this functionality did not work with preselected tabs.
We have fixed an issue whereby tab groupings were being lost if you selected Save in-scope items only on projects with groups where some of the group's tabs were in-scope and some were not.
We have fixed a bug whereby under certain circumstances Burp Scanner was not detecting a multiple content type issue for responses with multiple Content-Type headers.
We have fixed a bug whereby scans were hanging during the crawl phase if they could not find any reachable destinations to scan.
Usage of this software is subject to the licence agreement.

New in Burp Suite 2022.8.0 Early Adopter (Jul 26, 2022)

This release introduces the ability to send all of the requests in a group of Repeater tabs sequentially with a single click. It also updates the Scanner's listed issue severity for External service interaction (DNS) issues and provides various minor bug fixes.
Send a sequence of requests in Burp Repeater:
You can now send the requests from a group of Repeater tabs as an automated sequence. When you select a tab that is in a group, the Send button now displays a drop-down menu from which you can choose how your requests are sent. You can either send all of the requests over one single connection or use a separate connection for each request.
Sending over a single connection is useful for timing-based attacks that rely on being able to compare responses with very small differences in timings, as it reduces the "jitter" that can occur when establishing TCP connections.
Sending over separate connections is primarily useful when testing for vulnerabilities that require a multi-step sequence to be performed.
Adjusted issue severity - External service interaction (DNS):
Burp Scanner uses OAST techniques to identify critical vulnerabilities via DNS pingbacks to Burp Collaborator. Both the DNS interaction itself and the identified vulnerability are reported as separate issues. In some cases, such as when testing for SSRF, we may induce the application to perform a DNS lookup without this leading to the discovery of any further vulnerability. To better reflect this latter scenario, we have adjusted the severity of the External service interaction (DNS) issue.
We previously classed this as a high-severity issue on the assumption that a corresponding HTTP request was probably sent by the server, but subsequently blocked by a firewall's egress filters. Although we can't detect this externally, it could still provide a vector for pivoting attacks against the internal network.
However, we've increasingly encountered cases where systems perform a DNS lookup with no intention of ever connecting to the remote host, meaning that no HTTP request ever existed. For example, this could be triggered simply by adding a URL as the key of a Java Map.
This behavior can still indicate a serious vulnerability, and is worthy of further investigation, but we have reduced the reported severity to reflect the typical impact.
Browser upgrade:
We have upgraded Burp's browser to Chromium 103.0.5060.134.
Bug fixes:
This release also provides some minor bug fixes, including:
You can now use shift-click to select any tabs on the Create new group dialog. Previously, this functionality did not work with preselected tabs.
We have fixed an issue whereby tab groupings were being lost if you selected Save in-scope items only on projects with groups where some of the group's tabs were in-scope and some were not.
We have fixed a bug whereby under certain circumstances Burp Scanner was not detecting a multiple content type issue for responses with multiple Content-Type headers.
We have fixed a bug whereby scans were hanging during the crawl phase if they could not find any reachable destinations to scan.

New in Burp Suite 2022.7.1 (Jul 26, 2022)

New in Burp Suite 2022.7.1 Early Adopter (Jul 24, 2022)

New in Burp Suite 2022.7.0 Early Adopter (Jul 7, 2022)

New in Burp Suite 2022.6.1 (Jul 1, 2022)

New in Burp Suite 2022.5 (May 29, 2022)

New in Burp Suite 2022.5 (May 27, 2022)

JWT scan checks:
JWT implementations often contain serious vulnerabilities, but these can be tricky to thoroughly audit. Burp Scanner can now detect 8 common JWT-based vulnerabilities - saving you time, and making it easier to secure sites that use JWTs.
Feedback on BApp performance impact:
On the Extender > BApp store tab, we now display an indication of how much load we estimate that each BApp places on your system.
BApp Store system impact ratings:
The estimated system impact is divided into the following categories:
Memory shows what impact the BApp is likely to have on Burp Suite's memory usage.
CPU shows an estimate of how much additional load the BApp places on your CPU.
Time shows the BApp's impact on the speed of Burp Suite. This includes the responsiveness of the interface and how long tools take to complete tasks.
Scanner shows the likely impact on how long scans take to complete.
Overall shows the highest impact rating across all of these categories.
If you think that Burp is performing slower than it should be, we recommend checking these estimates for any BApps that you have loaded and removing those that you're not actively using. This should help you to extend Burp's capabilities without impairing performance.
Using multiple extensions at the same time has a cumulative effect on performance. The bar at the top of the screen shows the cumulative impact of all of the BApps that are currently loaded.
Skip unauthenticated crawling during scans
You can now choose to skip unauthenticated crawling in cases where you have provided application logins for Burp Scanner to use. This helps to reduce the crawl time.
To enable this option, go to the Crawl Optimization settings in your scan configuration and select Crawl using my provided logins only. Note that if you do not provide any application logins, the crawler automatically reverts to performing an unauthenticated crawl instead.
Improved Repeater tab behavior:
We have made several minor tweaks to the appearance and behavior of tabs in Burp Repeater. These will pave the way for some additional features in the future.
When Repeater tabs overflow onto a new row, these now stay the same size rather than stretching to fill the entire row. This makes it easier to keep track of where tabs are.
From the context menu, you now have options for renaming tabs and deleting all tabs to the left or right of the current tab.
There is a new actions menu (3 dots) in the upper-right corner of the screen. At the moment, this provides a limited range of options, but we'll continue to add to this in the future.
Set headers in session handling options:
You can now use Burp Suite's session handling options to add headers and values to requests. When you create a session handling rule using the new Set a specific header value action, the header and value pair you provide are added to any requests that are within the rule's scope.
Browser upgrade:
We have upgraded Burp's browser to Chromium 102.0.5005.61
Changes to Java requirements:
Burp Suite now requires Java 11 or later to run. This change should not impact you unless you installed Burp Suite as a .jar file, as the installer includes a bundled private Java Runtime Environment so that you don't need to worry about installing or updating Java. However, any extensions written in a version of Java earlier than 11 may not run correctly from this release onward.
Other improvements:
We have added a range of common Google Analytics cookies to the list of ignored insertion points for scans.
We have improved the performance of Burp Scanner by tweaking the way we identify locations to audit after the crawl is completed.
In your scan configuration, you can now define separate timeout settings for the crawl and audit phases of a scan, overriding the global project setting.
Bug fixes:
We have resolved some performance issues that some users faced when using Intruder with large resource pools.

New in Burp Suite 2022.3.8 (May 20, 2022)

New in Burp Suite 2022.3.7 (May 11, 2022)

New in Burp Suite 2022.3.6 (May 1, 2022)

New in Burp Suite 2022.3.5 (Apr 19, 2022)

New in Burp Suite 2022.3.4 (Apr 13, 2022)

New in Burp Suite 2022.3.3 (Apr 8, 2022)

New in Burp Suite 2022.3.2 (Apr 4, 2022)

New in Burp Suite 2022.3.1 (Mar 29, 2022)

New in Burp Suite 2022.3 (Mar 22, 2022)

New in Burp Suite 2022.2.1 Early Adopter (Feb 23, 2022)

New in Burp Suite 2022.1.1 (Feb 9, 2022)

New in Burp Suite 2022.1 Early Adopter (Jan 27, 2022)

New in Burp Suite 2021.12.1 (Jan 12, 2022)

New in Burp Suite 2021.10.3 (Dec 2, 2021)

New in Burp Suite 2021.10.2 (Nov 19, 2021)

New in Burp Suite 2021.10.1 (Nov 11, 2021)

New in Burp Suite 2021.9.1 (Oct 26, 2021)

Manually test hidden HTTP/2 attack surface in Burp Repeater:
You can now send HTTP/2 requests from Burp Repeater even if the server doesn't explicitly advertise HTTP/2 support via ALPN. This allows you to manually explore additional "hidden" HTTP/2 attack surface.
To enable this behavior, first select the Allow HTTP/2 ALPN override option from the Repeater menu, then switch the protocol to HTTP/2 from the Inspector panel.
Burp Intruder improvements:
We have made the following improvements to Burp Intruder:
When configuring a list of payloads to send during your attack, you can now click the Deduplicate button to remove any duplicate entries. This helps to increase the efficiency of your attacks as you can avoid sending redundant, duplicate requests when combining multiple wordlists for example.
When using the Grep - Match or Grep - Payloads options, the results table now contains a column displaying the number of matches found in the response rather than just a checkbox.
In the resource pool configuration, there is now an option for setting the delay between requests to an incremental value. This enables you to study how the target application's behavior changes as requests become more spread out. You can use this to determine how long a session is kept alive between requests for example.
You can now select multiple rows and perform bulk operations on some of the tables in the Intruder configuration settings.
Improved scan check for server-side template injection:
We have added payloads to the server-side template injection (SSTI) scan check to detect vulnerabilities in the following Java-based template engines:
SpEl
JSF
Freemarker
Thymeleaf
Velocity
JSTL
We have also integrated additional out-of-band detection methods using Burp Collaborator.
Audit asynchronous traffic in Burp Scanner:
API calls that are triggered by the crawler interacting with elements on the page will now be sent for audit.
We have also improved the way the crawler interacts with forms on a page to better support modern single-page applications.
Improved handling of XML and JSON insertion points in Burp Scanner:
We have made the following changes to improve the handling of XML and JSON insertion points during scans:
Payloads injected into unquoted JSON contexts are now automatically wrapped with quotation marks to ensure that Burp Scanner always generates valid JSON documents.
Insertion points in standard XML attributes such as xml:lang and xmlns:* are now ignored by default. If you prefer, you can override this setting in your scan configuration under Audit options > Ignored insertion points.
When appending payloads to insertion points within XML CDATA sections, Burp Scanner now removes the CDATA block and correctly entity-encodes the payloads.
Recorded login improvements:
Burp Scanner can now handle iframes, multi-selects, scrolling elements, and SVG elements in recorded login sequences. We have also improved reliability of recorded logins by changing the way we locate and interact with elements on the page.
Other improvements:
On the Logger tab, we have added an option to the context menu for exporting the log as a CSV file.
On the Dashboard tab, you can now rename tasks to help you identify them more easily. You can now also search for tasks by their name or other details.
You can now set a default preference for whether tasks are resumed or paused when you launch Burp. To change the default setting, go to User options > Misc > Tasks.
Security fix:
We have updated Burp's embedded browser to Chromium version 95.0.4638.54, which fixes a number of high-severity bugs.
Bug Fixes:
This release also provides a number of bug fixes, most notably for a bug when highlighting or selecting text in Burp Repeater.

New in Burp Suite 2021.8.4 (Oct 2, 2021)

New in Burp Suite 2021.8.3 (Sep 15, 2021)

New in Burp Suite 2021.8.2 (Aug 24, 2021)

New in Burp Suite 2021.8.1 (Aug 12, 2021)

New in Burp Suite 2021.7.2 (Jul 22, 2021)

New in Burp Suite 2021.7.1 (Jul 13, 2021)

New in Burp Suite 2021.6.2 (Jun 19, 2021)

New in Burp Suite 2021.6.1 (Jun 11, 2021)

New in Burp Suite 2021.5.2 (Jun 2, 2021)

New in Burp Suite 2021.5.1 (May 13, 2021)

New in Burp Suite 2021.4.3 (May 4, 2021)

New in Burp Suite 2021.4.2 (Apr 22, 2021)

This release provides a native logging tool to Burp Suite, which allows for logging global and individual task traffic. It also strengthens support for HTTP/2, allows saving settings for Burp's embedded browser and message editor's search bar, and allows you to turn off Repeater's line ending normalization. The release provides some minor improvements, an update to Burp Suite's embedded browser, and fixes several bugs.
Logger:
Burp Suite now has a native logging tool called Logger, which is available from the main row of tool tabs. Some highlights of Logger are:
You can view traffic made by all Burp tools, analyze messages, and send them to other Burp tools.
You can configure separate capture and view filters to focus on the messages that you are interested in.
Logger is optimised for performance and limits the amount of memory that is used. The default limit is 50MB (or 100MB if you give Burp Suite at least 1GB of memory), but you can change this. Once the memory limit has been reached, Logger will keep a rolling log of entries.
You can turn off Logger if you prefer.
This release provides a native logging tool to Burp Suite, which allows for logging global and individual task traffic. It also strengthens support for HTTP/2, allows saving settings for Burp's embedded browser and message editor's search bar, and allows you to turn off Repeater's line ending normalization. The release provides some minor improvements, an update to Burp Suite's embedded browser, and fixes several bugs.
Logger
Burp Suite now has a native logging tool called Logger, which is available from the main row of tool tabs. Some highlights of Logger are:
You can view traffic made by all Burp tools, analyze messages, and send them to other Burp tools.
You can configure separate capture and view filters to focus on the messages that you are interested in.
Logger is optimised for performance and limits the amount of memory that is used. The default limit is 50MB (or 100MB if you give Burp Suite at least 1GB of memory), but you can change this. Once the memory limit has been reached, Logger will keep a rolling log of entries.
You can turn off Logger if you prefer.
Here is a short video showing Logger in action:
Task logger:
You can also view log traffic for individual tasks (such as scans). This allows you to analyze what's happening if one of your tasks shows unexpected behavior, or to monitor a task's progress.
To see the log for a task, click on the task's "View details" icon and then select the "Logger" tab. Logging for each task has its own memory limit, separate from the main Logger.
HTTP/2 support:
We have strengthened support for HTTP/2 within Burp Suite. HTTP/2 support is now turned on by default and is no longer considered experimental. Burp will interact with targets via HTTP/2 when a target supports it.
HTTP/2 support brings a significant performance improvement to the network layer, benefiting Scanner and Intruder speed. It also provides future compatibility with any site that no longer supports HTTP/1.1.
If you prefer not to use HTTP/2, you can disable its use under Project Options / HTTP.
Message editor search settings:
You can now configure the default settings of the message editor's search bar. Change the defaults by going to User options > Misc and selecting the check boxes under "Message search".
Normalized line endings in Repeater:
Repeater usually normalizes the line endings of requests. However, this behaviour may not always be useful, especially when you are testing request smuggling. You can now turn off normalizing line endings by going to the Repeater menu and unchecking "Normalize line endings".
Improved DNS records in Burp Collaborator:
We have added support for single custom CNAME and multiple custom TXT DNS records within Burp Collaborator, which can optionally contain specific TTL values.
Embedded browser settings:
When using Burp's embedded Chromium browser, your history and any changes you make to the browser settings are now saved even after you close Chromium. This means you no longer need to reconfigure your preferences each time you use the browser and can even keep any extensions that you install.
By default, your settings and history will be persisted. If you'd prefer to disable this behavior, go to User options > Misc and deselect the corresponding checkbox in the "Embedded browser" section.
Embedded browser update:
This release includes an update of Burp Suite's embedded browser to Chromium 90.0.4430.85, which fixes several security issues that Google have classified as high.
Minor improvements
This release provides several minor improvements, including:
We have improved the heuristics of the crawler to better fill out text fields in forms.
Custom menu items added by extensions are now shown in a sub-menu of the context menu, to avoid cluttering.
The hash algorithm list within Burp Decoder is now sorted alphanumerically.
The resource pool button is now disabled when configuring a live passive crawl, as this crawl does not make requests.
We have added "Clear all payload markers", for Intruder, to the list of actions that you can assign a hotkey to.
Bug fixes:
This release provides several bug fixes, including:
Filter dialogs now work correctly when you use the settings button to restore defaults or load a configuration.
The crawler now correctly clears session data held in local storage when it is no longer needed.
The crawler no longer produces an error when it encounters request bodies that contain JSON literals when it is crawling OpenAPI definitions.
Burp Suite now shuts down correctly on macOS.
The number of characters selected now shows in the message inspector when selecting non-editable messages.
The automatic backup progress dialog box no longer appears if Burp Suite is minimized.
Message inspector buttons now work correctly when you paste content into a "Decoded from" panel.
Burp Collaborator server now responds to CAA queries with a NOERROR rather than a SERVFAIL response code.
Burp Suite is not entirely compatible with Java 16. It will now warn you if you try to launch it with Java 16, and provide a workaround to enable you to use both together.
Requests to restore Proxy default settings no longer fail to restore Proxy filter configuration defaults.
When you load an existing project, the Proxy filter settings now are correctly honored.
You can now cancel Proxy filters.
The message inspector no longer sends spurious HTTP messages.

New in Burp Suite 2021.4.1 (Apr 12, 2021)

New in Burp Suite 2021.3.2 (Mar 18, 2021)

New in Burp Suite 2021.3.1 (Mar 16, 2021)

New in Burp Suite 2021.2.1 (Feb 16, 2021)

New in Burp Suite 2020.12.1 (Dec 17, 2020)

New in Burp Suite 2020.11.3 (Dec 1, 2020)

New in Burp Suite 2020.11.2 (Nov 27, 2020)

New in Burp Suite 2020.11.1 (Nov 19, 2020)

New in Burp Suite 2020.9.2 (Oct 2, 2020)

New in Burp Suite 2020.9.1 (Sep 5, 2020)

New in Burp Suite 2020.8.1 (Aug 20, 2020)

New in Burp Suite 2020.6 (Jul 9, 2020)

New in Burp Suite 2020.5.1 (Jun 19, 2020)

New in Burp Suite 2.1.02 (Jul 26, 2019)

New in Burp Suite 2.1.01 (Jul 17, 2019)

New in Burp Suite 2.1 (Jul 2, 2019)

New in Burp Suite 2.0.19 Beta (Mar 26, 2019)

New in Burp Suite 2.0.18 Beta (Mar 5, 2019)

New in Burp Suite 2.x Beta (Feb 21, 2019)

New in Burp Suite 1.7.37 (Aug 10, 2018)

New in Burp Suite 1.7.36 (Jul 30, 2018)

New in Burp Suite 1.7.35 (Jun 29, 2018)

New in Burp Suite 1.7.34 (Jun 14, 2018)

A number of bugs have been fixed:
A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
Some bugs in Burp's project repair function that caused some actually recoverable data to be lost.
A bug that prevented autocomplete popups from closing on some Linux window managers.
A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.
The following enhancements have been made:
Burp ClickBandit has been updated to support sandboxed iframes.
A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

New in Burp Suite 1.7.33 (Mar 28, 2018)

New in Burp Suite 1.7.32 (Feb 3, 2018)

This release adds a new automatic project file backup function. If you are using a disk-based project, this function automatically saves a backup copy of your project file periodically in the background. The options for the new function can be found at User options / Misc / Automatic Project Backup:
The new function is superior to the older function that saved a state file backup in several respects:
Project file backups are considerably faster. Project files of 1Gb in size are typically backed up in a few seconds.
You can optionally include in-scope items only, to reduce the size of the backup file.
Available disk space is checked before performing a backup. If insufficient space is available, the backup is skipped and an alert is shown.
A single backup file is saved alongside the main project file. On successful completion of a new backup, the previous backup file is deleted.
On attempting to open a corrupted project file, Burp checks if a backup is available, and if so offers to open that as an alternative to repairing the original.
By default, the backup file is deleted on clean shutdown of Burp. Since the main project file is saved incrementally in real time, and project file corruption is typically caused by abnormal termination of the OS, it is not normally necessary to retain backup files following a clean shutdown. You can choose to retain the backup file on shutdown in the automatic project backup options.
You can optionally disable the progress dialog that is shown when a backup is performed, so you can continue working without interruption.
Backups are enabled by default with no configuration required. If you don't want to use the feature, you can quickly turn it off using the option that is shown in the progress dialog.
Other enhancements include:
Installed BApps are now updated automatically on startup. We issue frequent updates to BApps and it is highly recommended to be using the latest versions. You can disable automatic BApp updates in Extender options.
A bug in the import project function, which omitted to import the Scanner issue activity log, has been fixed.
Requests made by extensions during custom scan checks are now correctly reflected in the scan queue request counts, and are correctly subjected to configured request throttling.

New in Burp Suite 1.7.31 (Jan 19, 2018)

New in Burp Suite 1.7.30 (Dec 12, 2017)

New in Burp Suite 1.7.29 (Nov 20, 2017)

New in Burp Suite 1.7.28 (Nov 16, 2017)

New in Burp Suite 1.7.27 (Sep 1, 2017)

This release adds various minor enhancements:
There is a new hotkey for adding an Intruder payload position marker. This is not mapped to any keystroke by default, but this can be done at User options / Misc / Hotkeys.
There is a new option on startup to disable extensions. This can help resolve situations where a misbehaving extension causes problems during startup.
Burp Collaborator server now responds to DNS lookups containing the subdomain "spoofed" with the IP address 127.0.0.1. This is to prevent the Collaborator being wrongly incriminated when a server being scanned is vulnerable to client IP spoofing, as happened here.
The option to strip the "Accept-Encoding" header in incoming requests to the Proxy has been modified so that it normalizes the header to a default value rather than stripping it altogether. The previous behavior caused problems with some WAFs configured to drop requests without this header.
The default max heap size requested by the platform installer has been reduced from 75% to 50% of total physical memory, in order to prevent OS performance issues on some platforms. This can be modified after installation by editing the vmoptions file in the installation directory.
MacOS App Nap has been disabled as this can cause Burp's automated activity (like scanning) to be suspended when the Burp window is in the background.
Additionally, a number of bugs have been fixed:
A bug that caused temporary data saved by Burp extensions and the sessions tracer to actually get stored in project files.
A bug that caused the Spider not to honor the "Maximum parameterized requests per URL" setting.
A bug that caused some lightweight popups to have full window decoration on some Linux desktop managers.
A bug that incorrectly handled loading of IP addresses from file into the scope configuration UI.
A bug that prevented upstream SNI from working when proxying traffic through Burp from an Android emulator.
A bug that caused report generation to fail altogether when it encountered an incomplete issue due to project file corruption.

New in Burp Suite 1.7.26 (Aug 3, 2017)

New in Burp Suite 1.7.24 (Jul 19, 2017)

New in Burp Suite 1.7.23 (May 23, 2017)

New in Burp Suite 1.7.22 (Apr 28, 2017)

New in Burp Suite 1.7.21 (Apr 9, 2017)

New in Burp Suite 1.7.20 (Apr 6, 2017)

This release considerably enhances the detection of blind injection vulnerabilities based on response diffing. Various Burp Scanner checks involve sending pairs of payloads (such as or 1=1 and or 1=2) and looking for a systematic difference in the resulting responses. Previously, Burp used a fuzzy diffing algorithm that analyzed the whole content of responses. This approach has various limitations that can lead to false negatives, such as:
Small variations that are insignificant in the context of the whole response content are liable not to trigger the fuzzy diffing threshold, despite being highly significant when their precise syntactic context is taken into account.
Situations where application responses vary due to non-deterministic or unrelated factors can lead to large variations that trigger the fuzzy diffing threshold for all payloads, thereby masking other variations that depend systematically on the supplied payload.
Burp now uses a more granular diffing logic that takes into account all of the response attributes that were previously exposed in the analyzeResponseVariations API and used in our backslash powered scanning research. Variations are separately analyzed for attributes such as tag names, HTTP status code, line count, HTML comments, and many others. This granularity avoids the limitations described above and dramatically improves the accuracy of blind scan checks in many cases.
Additionally, several of the payloads used in diff-based scan checks have been enhanced to ensure that observed differences are indeed the result of injecting into the intended technology, rather than other input-dependent logic. For example, some web application firewalls (lamely) filter input that matches or N=N and cause a different response than is observed for or N=M. Burp's payloads are now intelligent enough to avoid false positives in situations like this.
The scan checks whose logic has improved include: SQL injection, LDAP injection, XPath injection, file path manipulation, User-agent-dependent response, X-forwarded-for-dependent response, and Referer-dependent-response.
We welcome feedback about the real-world performance of the new scanning logic, particularly in relation to false negatives or positives for diff-based injection issues.
Burp Proxy's generated per-host SSL certificates now include the site's commonName in the subjectAlternativeName extension. Apparently fallback to the commonName was deprecated by RFC2818 (in 2000), and browsers have recently decided to implement this.
Burp Collaborator server now has a configurable logging function that can be used for diagnostic purposes. See the Collaborator configuration file documentation for more details.
Various other minor fixes and enhancements have been made.

New in Burp Suite 1.7.19 (Mar 1, 2017)

New in Burp Suite 1.7.18 (Feb 28, 2017)

New in Burp Suite 1.7.17 (Feb 2, 2017)

New in Burp Suite 1.7.16 (Jan 30, 2017)

New in Burp Suite 1.7.15 (Jan 30, 2017)

New in Burp Suite 1.7.14 (Jan 30, 2017)

This release fixes the following security issues that were identified through our bug bounty program. Note that all of these issues involve the Burp user actively testing a malicious website that has been designed specifically to attack Burp Suite.
If a user visits a malicious website in their browser, and in Burp selects a crafted request that was generated by that website, and uses either the "Request in browser" function or the "Generate CSRF Poc" and "Test in browser" function, then the malicious website can XSS an arbitrary website.
If a user scans a malicious website and another website within the same Burp project, and exports all of the scan results as a single HTML report, and views that report in a browser, then the malicious website can capture the scan results for the other site.
If a user scans a malicious website and another website within the same Burp project, then the malicious website might be able to capture the raw data of any Burp Collaborator interactions that were performed by the other website.
We are pleased that our bug bounty program has alerted us to these issues within Burp. As well as fixing known issues at source, we have taken a defense-in-depth approach to hardening Burp in response to them, including:
Some functions within Burp's in-browser interface that increased its attack surface have been removed altogether, including the Proxy history, the buttons to repeat requests and view responses, and support for the plug-n-hack Firefox extension.
Scan issue descriptions, including those generated by Burp extensions, are now subject to an HTML whitelist that allows only formatting tags and simple hyperlinks.
HTML scan reports now include a Content Security Policy directive that prevents execution of scripts in modern browsers.
Note: The security issues identified have all been fixed within Burp Suite. As a defense-in-depth measure, some hardening has also been performed of Burp Collaborator. It is recommended that users who have deployed a private Burp Collaborator server should update to the current version in a timely way.
Thanks are due to @_Abr1k0s_ for reporting the aforementioned issues.
A number of other enhancements were made, including:
A number of improvements to existing Scanner checks to improve accuracy.
When a request is sent to Repeater but never issued, the request is now stored in the Burp project file, so the initial unrequested item will reappear when the project is reopened.
The Proxy listener now accepts SSL negotiations from browsers that are hardened only to support selected protocols and ciphers.

New in Burp Suite 1.7.13 (Jan 30, 2017)

This release adds various enhancements and bugfixes.
Burp Infiltrator has been enhanced with a large number of new API sink definitions, for both the Java and .NET platforms. This dramatically increases the coverage of existing vulnerabilities, such as OS command injection and file path traversal.
You can export the updated Infiltrator installers from the "Burp" menu in Burp Suite Professional. If you have already installed an earlier version of Infiltrator in an application, you can just run the new installer to update the instrumentation with the new API sink definitions.
The BurpInfiltrator.dll .NET assembly is now signed, and all instrumented assemblies refer to it by its strong name. This change will address some issues that can arise with usage of signed assemblies.
The manual Burp Collaborator client has been enhanced to give full details of Infiltrator interactions. This can greatly assist manual testing and exploitation of vulnerabilities, for example by showing the full SQL query that is executed when some particular input is submitted. Also, the Collaborator client UI now shows the Collaborator payload in the table of interactions, and supports user comments and highlights.
The IBurpCollaboratorClientContext API now supports separate retrieval of regular Collaborator interactions and Infiltrator-driven interactions.
The following bugs have been fixed:
A bug in the "copy as curl command" function which could enable a malicious website to generate an HTTP request which, if the Burp user uses the "copy as curl command" function and executes the output in a shell context, will cause arbitrary commands to be executed. There is no exposure to users who do not use the "copy as curl command" function, but it is recommended that all users upgrade to the latest version. This issue was discovered through an internal security review, rather than a user report.
A bug in the Burp Collaborator health check which caused SMTP/S connections made by the health check not to honor the configured SOCKS proxy settings.
A bug which caused Proxy match/replace rules to display as type "regex" even if they are not.
A bug where use of a partial/incomplete configuration file at project startup caused any undefined configuration options to have blank values. Now, any undefined options are assigned their default values.
A bug which caused Burp to leave temporary files on disk if the user cancels out of the project startup wizard.
A bug which caused items in the active scan queue in the "waiting to cancel" state to display in that state indefinitely if the project is closed and reopened.

New in Burp Suite 1.7.12 (Jan 30, 2017)

New in Burp Suite 1.7.11 (Jan 30, 2017)

New in Burp Suite 1.7.10 (Jan 30, 2017)

This release adds some new APIs that extensions can use to easily implement powerful scan checks and other logic that involves response diffing.
Two new APIs have been added to IExtensionHelpers. The method:
IResponseVariations analyzeResponseVariations(byte[]... responses)
analyzes a collection of responses to identify variations in a range of attributes. The IResponseVariations object that is returned can be queried to determine the invariant or variant attributes, and the "value" of each attribute for each response:
List<String> getVariantAttributes();
List<String> getInvariantAttributes();
int getAttributeValue(String attributeName, int responseIndex);
The attributes that are currently supported are as follows:
anchor_labels
button_submit_labels
canonical_link
comments
content_length
content_type
css_classes
div_ids
etag_header
first_header_tag
header_tags
initial_body_content
input_image_labels
input_submit_labels
last_modified_header
limited_body_content
line_count
outbound_edge_count
outbound_edge_tag_names
page_title
set_cookie_names
status_code
tag_ids
tag_names
visible_text
visible_word_count
whole_body_content
word_count
Note that all values are represented as integer numbers, and the values of some attributes are intrinsically meaningful (e.g. word count) while the values of others are less so (e.g. checksum of HTML tag names).
The method:
IResponseKeywords analyzeResponseKeywords(List<String> keywords, byte[]... responses)
analyzes a collection of responses to identify the number of occurrences of the specified keywords. The IResponseKeywords object that is returned can be queried to determine the keywords whose counts vary or do not vary, and the number of occurrences of each keyword for each response:
List<String> getVariantKeywords();
List<String> getInvariantKeywords();
int getKeywordCount(String keyword, int responseIndex);
The new APIs allow your extensions to let Burp handle the messy work of analyzing responses to determine if they are the same or different, and you can easily create powerful scan checks with some simple logic:
Send novel payload.
Ask Burp whether the response changed in some interesting respect.
If so, report an issue.
On Friday, to coincide with our Backslash Powered Scanning talk at Black Hat EU, we will be releasing an extension to the BApp Store that demonstrates how the new APIs can be used to create powerful new scanning capabilities.

New in Burp Suite 1.7.09 (Jan 30, 2017)

New in Burp Suite 1.7.08 (Jan 30, 2017)

New in Burp Suite 1.7.07 (Jan 30, 2017)

New in Burp Suite 1.7.06 (Sep 9, 2016)

New in Burp Suite 1.7.05 (Aug 22, 2016)

New in Burp Suite 1.7.04 (Aug 22, 2016)

New in Burp Suite 1.7.03 Beta (Aug 22, 2016)

New in Burp Suite 1.7.02 Beta (Aug 22, 2016)

New in Burp Suite 1.7.01 Beta (Aug 22, 2016)

New in Burp Suite 1.7 Beta (Aug 22, 2016)

New in Burp Suite 1.6.39 (Aug 22, 2016)

This release improves the logic of some scan checks that depend upon the content type of responses.
Burp has previously reported content type incorrectly stated on any occasion where the stated content type of a response differs from the actual content (as determined by Burp). This has frequently led to a lot of noise because (a) Burp's own content type sniffing has not been perfect; and (b) many content type mismatches have no security implications. Hence, many users got accustomed to just ignoring this issue, despite the fact that, in some rare situations, it can lead to high-severity issues like cross-site scripting.
The cases where this issue matters occur when a response is intended to actually contain non-HTML content such as an image, but a browser may attempt to interpret the response as HTML based on the stated content type. This can lead to XSS if the content is dynamically generated, uploaded by a user, or otherwise contains user input.
In the real world, browsers' actual sniffing of responses depends on several factors, including:
The stated content type
The presence of the header X-content-type-options: nosniff
The file extension of the request URL
The browser type and version
The Burp research team have generated every possible permutation of these factors and identified all of the permutations that might lead to a browser attempting to interpret a response as HTML. This knowledge is now baked into Burp, so that Burp only reports the issue when a suitable combination of the above factors is observed. Further, the Burp advisory identifies precisely which browsers may be affected by an issue.
The other type of issue where the situation arises is cross-site scripting. In the past, Burp applied XSS checks to all responses that were either stated or appeared to contain HTML. The scan logic has now been tightened to be more accurate and informative in cases where exploitability of the issue depends upon browser sniffing:
Burp now uses its knowledge of actual browser behavior (based on the factors listed above) to determine whether any browser might attempt to interpret a response as HTML.
If content sniffing depends on the request URL having a different file extension, Burp will attempt to manipulate the extension so as to trigger this.
Any relevant details about specific browsers' behavior is included in the issue detail.
Seemingly unexploitable issues are still reported as informational, because a manual tester might nonetheless be able to find a way to exploit them.
Unrelatedly, the configuration of client SSL protocols and ciphers has been modified to include a master toggle specifying whether to use the default protocols and ciphers of the Java installation. This is the new default option, and can be overridden to allow configuration of specific protocols and ciphers. This change simplifies the configuration UI and makes it easier to share Burp configurations between different machines.

New in Burp Suite 1.6.38 (Aug 22, 2016)

New in Burp Suite 1.6.37 (Aug 22, 2016)

New in Burp Suite 1.6.36 (Aug 22, 2016)

New in Burp Suite 1.6.35 (Aug 22, 2016)

New in Burp Suite 1.6.34 (Aug 22, 2016)

New in Burp Suite 1.6.33 (Aug 22, 2016)

This release adds the ability to detect blind XSS, via Burp Collaborator.
Blind XSS is a special type of stored XSS in which the data retrieval point is not accessible by the attacker - for example, due to lack of privileges. This makes the vulnerability very difficult to test for using conventional techniques. In many cases, there is no hint whatsoever in the application's visible functionality that a vulnerability exists. Since security testers are in the habit of spraying target applications with alert(1) type payloads, countless admins have been hit by harmless alert boxes, indicating a juicy bug that the tester never finds out about. Due to the inherent difficulty in detecting blind XSS vulnerabilities, these bugs remain relatively prevalent, still waiting to be discovered. This new release of Burp empowers testers to easily find these critical vulnerabilities, with no special configuration or other tools required.
Previously, Burp Scanner has used purely in-band techniques to detect stored XSS. This involves first scanning the data entry point, later scanning the data retrieval point, identifying the connection between the two, and then supplying suitable payloads to the entry point to formulate a proof-of-concept attack. This approach can often be effective, but has some significant limitations:
It cannot detect blind XSS, because the data retrieval point is not accessible.
It requires that the entry and retrieval points are scanned in the correct order.
It is highly vulnerable to previously submitted data being overwritten by another user's actions in the time between scanning the entry and retrieval points.
Burp still uses conventional in-band techniques to detect stored XSS, but now also sends payloads.
This payload starts with a multi-context break-out sequence which, in all normal retrieval locations, will convert the HTML context to one where JavaScript can be executed. It then executes some script that triggers a connection to the Burp Collaborator server. This out-of-band interaction enables Burp to confirm when the payload has been successful. For more details on the breakdown of this payload, see our blog post on hunting asynchronous vulnerabilities.
The new approach to finding stored XSS has some significant benefits:
It can detect blind XSS, provided that another user, such as an administrator, eventually views a page containing the stored payload.
It only requires that the entry point be scanned by Burp. Other users' interaction with the application, or the Burp tester's own browser-based use of the application (if non-blind), is likely to lead to connections to the Collaborator server that enable Burp to report the issue.
Even where the stored data is short-lived, and has been overwritten by the time the Burp tester visits or scans the retrieval point, Burp may still detect the issue due to other users viewing the data.
As with other deferred Collaborator interactions, Burp can report stored XSS issues after the Burp user has finished testing, without any additional requests to the application.

New in Burp Suite 1.6.32 (Dec 10, 2015)

New in Burp Suite 1.6.25 (Sep 21, 2015)

New in Burp Suite 1.6.01 (Jun 11, 2014)

New in Burp Suite 1.6 (Apr 15, 2014)

New in Burp Suite 1.5 (Dec 21, 2012)

New in Burp Suite 1.5rc3 (Dec 21, 2012)

New in Burp Suite 1.5rc2 (Dec 21, 2012)

New in Burp Suite 1.5rc1 (Dec 21, 2012)

New in Burp Suite 1.4.12 (Dec 21, 2012)

New in Burp Suite 1.4.11 (Dec 21, 2012)

This release fixes a number of bugs and stability issues, mainly arising from the recent new user interface:
Various causes of UI deadlock when modifying the site map tree and active scan queue have been resolved.
A bug has been fixed when manually adding payloads to the Intruder preset list (and elsewhere), where hitting enter to add an item to the list caused the text field to become unstable.
A bug in Intruder, where exporting selected result rows from a reordered table caused the wrong rows to be saved, has been fixed.
A bug in the handling of built-in world lists in the Content Discovery function has been fixed.
A bug has been fixed in the ViewState renderer, where the root tree node, including the ViewState version and MAC status, was hidden.
A bug in Intruder, where modifying a live attack config and then repeating the attack caused the original config to be used, has been fixed.
A bug in tab renaming (Intruder and Repeater) which sometimes caused the cursor and modified text to disappear, has been fixed.
An accidental change made to the use of the Burp Extender API processHttpMessage(), where the tool name became capitalized, has been reversed.
An occasional bug in the active scan queue where restoring state caused some scan threads to become stalled has been fixed.
Column reordering is re-enabled in the Proxy history.
Burp Sequencer's behavior has been modified when handling samples whose character set size is not a round value of 2^N. Previously, these partial bits of entropy were rounded down to the nearest bit, resulting in some original data being lost, and the likely introduction of bias into the remaining data. In this situation, Burp now transforms the input data so that it uses a round 2^N-sized character set without losing any original data (partial bits are merged into the whole bits at the same character position). No solution to this problem is going to be perfect, but in most cases the new algorithm markedly improves Sequencer's accuracy.
A new feature has been added to optionally prevent Burp from saving configured passwords in persisted settings or state files. If this setting is used, then the user is prompted for the required passwords when Burp is launched, or the state file is restored

New in Burp Suite 1.4.01 (Nov 8, 2011)