Burp Suite Changelog

What's new in Burp Suite 2024.3.1.3

Apr 26, 2024

This release introduces custom Bambda columns, global Collaborator settings, and streamlined headers. We've also made other improvements and bug fixes.
Custom table columns with Bambdas:
We have introduced a feature that enables you to add custom columns to the HTTP history, WebSockets history, and Logger tables using Bambdas. With these custom columns, you can display additional details about the items in your tables for a more tailored analysis based on your specific focus.
Please note that this feature is available in Burp Suite Professional only.
Burp Collaborator server settings override:
We've added the Burp Collaborator server as user settings. This means that instead of configuring the Collaborator server for each project individually, you can now set it once and have it apply across all Burp installations on your machine. If you need to customize the Collaborator server for a specific project, you can still do so by turning on the Override options for this project only toggle.
Hide uninteresting headers in Pretty tab:
The Pretty tab of the message editor now has an option to hide headers such as Sec-Ch-Ua, Accept-Language, and Upgrade-Insecure-Requests, helping to declutter the view and focus on more relevant information.
Other improvements:
We've upgraded the Bambda Java version to 21.
Scanner's crawl paths view now includes the Rendered DOM, offering a clearer insight into the final page structure after dynamic changes.
You can now identify endpoints that Burp won't scan due to unsupported features in your API specification, helping to clarify the scope of API scans and reduce confusion about missing endpoints.
Bug fixes:
Fixed an issue where changes to Burp Collaborator project settings weren't retained in the project file.
Fixed an issue where hiding uninteresting headers caused display issues when highlighting message text.
Fixed an issue preventing tabs created by extensions from appearing in Burp Suite search results.
Fixed an issue causing Target > Site map to not always update to show the correct request/response.
Fixed an issue with slow load times in the Crawl paths view, resulting in significantly reduced wait times.
Fixed a performance issue in Burp Scanner, enabling more efficient processing of large responses.
Browser upgrade:
We've upgraded Burp's built-in browser to 124.0.6367.60 for Linux & Windows and 124.0.6367.61 for MacOS.

New in Burp Suite 2024.2.1.5 (Apr 16, 2024)

New in Burp Suite 2024.2.1.4 (Apr 12, 2024)

New in Burp Suite 2024.2.1.3 (Apr 2, 2024)

This release introduces specific API scanning functionality, and incorporates Bambdas into the Logger capture filter. We've also improved the functionality of DOM Invader and the Burp Suite Navigation Recorder, and made a number of other improvements and bug fixes.
API scanning:
We've introduced specific API scanning functionality. You can now upload an OpenAPI definition (v3.0.x) to seed an API scan. In particular, you can upload an API definition from a local file. This enables you to start an API scan without having to host your definition on a web server. You can also view and configure the API endpoints that will be scanned for more visibility and control over the scan. In the future, we plan to add even more functionality, including endpoint authentication handling. Watch this space!
To start an API scan, click New scan > API scan on the Dashboard. To learn more about how to run an API scan, see Scanning APIs.
Advanced filtering of Logger capture filter with Bambdas
We're introducing Bambdas into more areas of Burp Suite. These Java-based code snippets enable you to customize Burp directly from the UI.
This release introduces Bambdas into the Logger capture filter. This enables you to customize Logger to capture exactly what you need, helping you to focus your analysis by filtering out unnecessary traffic.
To learn more about Bambdas in Burp, see Bambdas.
New scan checks: CSP vulnerabilities:
We’ve added new passive scan checks that identify Content Security Policy (CSP) vulnerabilities. Burp Scanner can now identify issues like unsafe script permissions, clickjacking, form hijacking, and incorrect CSP syntax.
Improvements to Burp Suite Navigation Recorder:
We've fixed a number of minor bugs in the Burp Suite Navigation Recorder:
We've removed the instrumentation of shadow DOM elements that were causing errors for some websites.
We've fixed a bug whereby non-Incognito windows were being recorded when in Incognito mode.
We've introduced a more reliable URL retrieval method to fix a bug whereby the reported URL was sometimes incorrect.
We've fixed a bug whereby XPath generation was sometimes incorrectly generated, resulting in a replay failure in Burp.
Improvements to DOM Invader:
We've made some improvements to DOM Invader:
We've added support for instrumentation of custom sinks. This may enable you to find vulnerabilities in client side JavaScript that don't map to a JavaScript sink.
We've fixed a bug that impacted POC generation.
Other improvements:
We've also made the following improvements:
To give you more control over memory optimization, we’ve added a setting that enables you to set a maximum memory allowance for Burp's Java Virtual Machine.
We've enhanced the table sorting functionality, restoring your ability to sort by up to three columns. This update gives you more control over how you organize table data.
We've introduced a feature to Collaborator that displays the number of unread interactions on the tab label, enabling you to easily monitor interaction counts at a glance.
We've removed the Password field with autocomplete enabled scan check, addressing the issue's redundancy due to modern browsers' behavior.
To facilitate easier copying of Bambdas between filters, we've introduced non-modal filter dialogs. This enables you to open multiple filter dialogs simultaneously and keep them open while using Burp Suite.
Bug fixes:
We've fixed a number of minor bugs in Burp Scanner, including:
We've improved the recorded login functionality for complex websites.
We've fixed a bug where Burp Scanner wouldn't start a new scan if a task was paused and deleted during the audit phase.
We've optimized the Source code disclosure scan check to prevent excessive memory allocation.
We've fixed a bug where Burp Scanner's browser request handling was failing under high request concurrency.
We have fixed an issue where some browser-related errors were causing scan failures.
We've fixed an issue in the Target > Site map to ensure it accurately displays request/response pairs.
We've fixed a bug that prevented Burp Scanner from running some scan checks on API endpoints.
Browser upgrade:
We've upgraded Burp's built-in browser to 123.0.6312.58 for Linux & Windows and 123.0.6312.59 for MacOS. For more information, see the Chromium release notes.

New in Burp Suite 2024.1.1.6 (Mar 13, 2024)

New in Burp Suite 2024.1.1.5 (Mar 7, 2024)

New in Burp Suite 2024.1.1.4 (Mar 1, 2024)

This release introduces the new Insertion points panel in Burp Scanner, enhancing visibility into the attack surface coverage. Major usability improvements come to Intruder and Proxy data tables, with customizable layouts. Native ARM64 builds for Windows are now available for better performance on ARM64 devices. Other notable improvements include easier access to the search feature, custom keyboard shortcuts for macOS, reintroduced Scope sub-tab in the Target tab, updated dashboard notifications, and enhanced GraphQL tab functionalities. The update also includes a performance improvement and fixes several bugs.
Insertion points panel:
We've introduced an Insertion points panel in Burp Scanner's Audit items tab. This new panel lists all the insertion points for a request, which can help you understand how much attack surface the scanner is covering.
The panel organizes the insertion points into a tree view, and categorizes them into three main types: Detected (those identified from the base request), Moved (those identified after existing parameters within the request were moved), and Added (those identified after new parameters were added to the request). It also identifies nested insertion points (encoded insertion points that reveal additional insertion points when decoded), and displays these hierarchically. The panel also displays the status of each insertion point, such as Pending, Audited, or Skipped, to reflect the action taken by the scanner based on the scan configuration and the behavior of the insertion point.
Improved usability of tables in Burp Suite
We've continued our rollout of major usability improvements to include Intruder and Proxy data tables. In addition to sorting and filtering, you can now:
Change the order of columns.
Hide columns.
Burp remembers the changes you make to the layouts of your tables, and will apply your preferences when you create a new project, or open an existing project, on your machine.
Native Windows ARM64 builds:
We're introducing native ARM64 builds for Windows, optimized for better performance on ARM64 devices. You can download the new builds directly from our website, and if you are using the x64 version on ARM machines with auto-updates turned on, you will automatically upgrade to the ARM64 version in future updates.
Performance improvements:
We're working on a number of performance improvements for Burp Suite Professional. In this release, we've reduced the number of browsers that Burp Scanner creates during the audit phase, which lowers demand on system resources while maintaining scan speed.
Other improvements:
In Burp Suite Professional, we have added a new search icon to the tab bar to help make the search feature easier to access. This change does not affect Burp Suite Community Edition.
We've reintroduced the Target > Scope tab to help make it easier to access. It's also still accessible via the settings menu.
We've updated the dashboard to ensure any applied filters now influence which notifications appear in the bottom dock tabs. This means irrelevant notifications will no longer be shown.
We've adjusted the sensitivity of the event log so that messages that always occur at startup, like the 'proxy is running' notification, are now logged at debug level.
We've enhanced the 'Update ready to install' notification to include a short description of new features, with a link to detailed release notes.
We've added syntax highlighting and automatic indentation for queries in the GraphQL tab, making it easier to read, write, and edit queries.
We've added a Start response timer column to the HTTP history table. This enables you to monitor how long it takes for responses to start.
Bug fixes:
We've fixed several bugs, including:
The drag sensitivity on tabs was too high, leading to accidental detachment of tabs into separate windows.
RequestOptions in the Montoya API was not working as expected.
Adding items to the scope using the Montoya API was not working as expected.
WOFF2 content types were being incorrectly identified, resulting in erroneous 'Content Type Incorrectly Stated' vulnerabilities.
Notes and highlights were sometimes being lost when closing a project file.
Browser upgrade:
We've upgraded Burp's built-in browser to 121.0.6167.160 for Mac and Linux and 121.0.6167.160/161 for Windows. For more information, see the Chromium release notes.

New in Burp Suite 2023.12.1.5 (Feb 14, 2024)

New in Burp Suite 2023.12.1.4 (Feb 9, 2024)

New in Burp Suite 2023.12.1.3 (Jan 26, 2024)

This release introduces Bambdas into Proxy > WebSockets history filter and Logger > View filter, as well as the ability to duplicate Repeater tabs multiple times. We have also enhanced the layout of Burp's Dashboard, added a Connection ID column to Logger, and improved the usability of data tables across Burp.
Advanced filtering in more tools with Bambdas:
We're introducing Bambdas into more areas of Burp Suite. These Java-based code snippets enable you to customize Burp directly from the UI.
This release introduces Bambdas into two new areas of Burp:
Proxy > WebSockets history filter.
Logger > View filter.
We've also created a Bambdas GitHub repository, where you can browse submissions from community members or contribute your own Bambdas.
Keep an eye out for more Bambdas appearing across Burp in future releases!
Improved Dashboard:
We've completely redesigned the Dashboard to make better use of on-screen space. You're now able to see detailed information about your scans and other tasks, without having to open additional popup windows.
To make room for all this information, we've moved the event log and the list of issues to a collapsible panel, which you access from the dock at the bottom of the screen.
Improved usability of tables in Burp:
We've started rolling out major usability improvements to data tables in Burp. For most tables in Burp, in addition to sorting and filtering, you can now:
Change the order of columns.
Hide columns.
Burp remembers the changes you make to the layouts of your tables, and will apply your preferences when you create a new project, or open an existing project, on your machine.
Ability to duplicate Repeater tabs multiple times:
We've added functionality that enables you to create multiple copies of a grouped Repeater tab in one go. This can be helpful if you're testing for race condition vulnerabilities as it makes the process of creating identical requests much more efficient.
Connection ID column added to Logger:
We’ve added a Connection ID column to Logger, which enables you to see which requests used the same connection. This makes it easier to detect if a website’s behavior changes, based on previous requests sent down the same connection.
Other improvements:
We've also made the following improvements:
We've added a Format BChecks action to the right-click menu, which can automatically adjust whitespace and indentation when writing BChecks.
Scanner now manages memory usage much more efficiently during the audit phase of browser-powered scans.
Scanner is now able to submit requests that match the Content-Type of non-standard JSON endpoints, for example, application/json-patch+json or application/*+json.
Scanner can now send arrays as query string parameters when scanning an OpenAPI schema. This enables it to find more endpoints.
Scanner is now better able to identify - and disregard - duplicate items in different areas of your application during scans. This helps to reduce the time it takes for scans to complete.
To reduce notification noise when launching Burp, the log message indicating that the Proxy is running is now recorded as a debug log item.
Bug fixes:
We've fixed a bug that prevented Notes from saving when clicking Save item or Save entire history in Repeater.

New in Burp Suite 2023.11.1.5 (Jan 17, 2024)

New in Burp Suite 2023.11.1.4 (Jan 10, 2024)

New in Burp Suite 2023.11.1.3 (Dec 11, 2023)

This release introduces new features for manual testing of GraphQL APIs, BChecks syntax highlighting, and broken access control scan checks.
Manual GraphQL testing tools:
This release introduces new tools that make it simpler and more efficient to work with GraphQL APIs in Burp Suite.
Viewing and editing GraphQL requests:
When Burp detects a GraphQL request from your target, it adds a GraphQL tab to the message editor for the request. This tab separates the GraphQL query from the rest of the request, and formats it in a way that makes it easy to view and edit the query structure and its associated variables.
Generating introspection queries:
We've added functionality that makes it possible to generate and send an introspection query in just a few short clicks. Additionally, you can save the results of your introspection query to the site map, giving you a clear overview of the attack surface and potential vulnerabilities in GraphQL APIs.
BChecks syntax highlighting:
We've added syntax highlighting to the BChecks editor. The editor now automatically colors your keywords, literals, functions, and variables, making it easier to read and edit BCheck definitions.
New scan check: Broken access control:
We've added an experimental new scan check for broken access control vulnerabilities.
While we refine it to reduce the number of false positives it generates, we've disabled this check when using Normal audit accuracy. To try it out, from your audit configuration, go to Audit optimization > Audit accuracy and select Minimize false negatives. We welcome any feedback.
If you want to learn more about broken access control vulnerabilities, check out the Access control topic on the Web Security Academy.
Other updates
We have made a number of additional improvements, including:
The option to add notes and highlights to your Bambdas.
Burp Scanner now automatically generates logical examples for path parameters when scanning open API specifications, meaning fewer pages are missed during the audit.
Bug fixes:
We've fixed some bugs, including:
An issue with request kettling in Repeater.
Vulnerability classifications not appearing on extension-generated reports.
Browser upgrade:
We've upgraded Burp's built-in browser to 120.0.6099.62 (Linux and Mac), 120.0.6099.62/.63 (Windows).

New in Burp Suite 2023.10.3.7 (Dec 5, 2023)

New in Burp Suite 2023.10.3.6 (Nov 21, 2023)

New in Burp Suite 2023.10.3.5 (Nov 17, 2023)

New in Burp Suite 2023.10.3.4 (Nov 10, 2023)

This release introduces Bambdas into the HTTP history filter, offering a new way to customize Burp Suite directly from the UI, using small snippets of Java code. We've also enabled a way to export BChecks, the rollout of notes in other areas of Burp, TLS passthrough for out-of-scope items, and the ability to include subdomains in your target scope.
In Burp Scanner, we have made improvements to the Task details dialog to make it easier to find information about scan results and live tasks.
Advanced HTTP history filtering using Bambdas:
Bambdas are a new way to customize Burp Suite directly from the UI, using small snippets of Java code. This release introduces Bambdas into the Proxy > HTTP history tab, enabling you to write custom filters for your HTTP history. These highly customizable filters can help you cut out white noise in your HTTP history, helping you to focus on only the exact items you're interested in seeing.
To try Bambdas for yourself, go to the Proxy > HTTP history tab filter, switch to Bambda mode, and write a custom filter using your own code.
Keep an eye out for Bambdas appearing in more Burp tools over the next few months.
Exporting BChecks:
You can now export BChecks, making it easier to share them between different instances of Burp. Just select the BChecks you want, then click Export.
Check out our BChecks GitHub repository for BChecks from PortSwigger and from the Burp Suite community.
Increased support for notes throughout Burp:
We're rolling out the notes feature into more areas of Burp. This feature enables you to record key information on tabs, making it easier to return to at a later time. Notes are copied when items are sent between different tabs. Use the Notes panel in the tab sidebar to add a note.
This update also introduces functionality that copies your notes when you send items between different tools in Burp.
This release introduces notes into:
Target > Site map
Proxy > Intercept
Proxy > HTTP history
Proxy > WebSockets history
TLS passthrough for out-of-scope items:
You can now apply TLS passthrough for out-of-scope items when you set the target scope, which can greatly improve performance. This behavior is automatically enabled when you accept the option to Stop logging out-of-scope items.
Include subdomains in target scope:
You can now include subdomains of hosts you've included or excluded from your target scope. Enable this feature by selecting the Include subdomains checkbox in Target > Scope settings.
Improved Task details dialog:
We've made some improvements to the Task details dialog to make it easier to find information about scan results and live tasks:
We've replaced the Details tab with a new Summary tab. The Summary tab contains all the information that the Details tab did, but also features a list of the most serious vulnerabilities found, more detailed information on task progress, and a task log to give you real-time information on the task's actions.
We've added a new Issues tab listing all of the issues found during a scan. As part of this change, we've renamed the Issue activity tab (which also details changes from previous scans, such as an issue being deleted or more evidence being found) to the Audit log tab.
You can now view further details on an item in the Event log by selecting it. Previously, you had to double-click an item to display the Event detail dialog.
BChecks grammar enhancements:
We have added some new features to the BChecks grammar, including:
A removing query_string action that removes an entire query string from a request.
A new variable that returns Burp's User-Agent header.
A new pre-defined variable called insertion_point_base_value that contains the base value of the current insertion point.
A new per-path BCheck template that you can base your checks on.
BChecks can now return more than one issue. As a result of this, the issues reported by BChecks can now have individual names.
As a result of these changes, we have updated the grammar version to v2-beta. Please use this value in the metadata.language property when writing a check that uses these new features.
Other improvements:
When a scan finishes, Burp Scanner now polls the Collaborator server for new interactions every minute for the first 10 minutes. After this, it reverts to the default interval of once every 10 minutes. This means you no longer have to wait as long for Burp Scanner to report out-of-band interactions that are triggered almost instantly.
Browser upgrade:
We have upgraded Burp's built-in browser to 119.0.6045.123 for Mac and Linux and 119.0.6045.123/.124 for Windows. For more information, see the Chromium release notes.

New in Burp Suite 2023.10.2.5 (Nov 7, 2023)

New in Burp Suite 2023.10.2.4 (Oct 27, 2023)

New in Burp Suite 2023.10.2.3 (Oct 20, 2023)

New in Burp Suite 2023.10.2.2 (Oct 16, 2023)

This release introduces new functionality for BChecks, including the ability to test your checks from within the editor and create definitions from a blank template. We have also added a notes feature to Repeater tabs.
For Burp Scanner, we have added new issue filters to the Issue Activity Dashboard panel and improved the quality of the text displayed on the Crawl paths tab.
Test BChecks in the editor:
You can now test your BChecks from within the editor, enabling you to quickly confirm whether a check is working as expected without having to run a scan manually.
BCheck tests use pre-selected requests and responses as test cases. When you run a test, Burp Scanner runs the BCheck on the selected HTTP messages and reports the results.
For more information about the new BCheck test features, see Testing BChecks.
Make notes on Repeater tabs:
You can now add notes to Repeater tabs. This feature enables you to record key information about a tab, making it easier to return to at a later time. If you subsequently send the item to Organizer, the new Organizer entry contains the existing note content.
To record a Repeater note, select the Notes panel in the tab sidebar and enter the required text.
Blank BCheck template:
You can now start from a blank template when creating BChecks, rather than copying and modifying one of the default checks. We have added the new template to the BCheck templates list, which is displayed when creating a new BCheck.
Scanner improvements:
We have made the following improvements to the Scanner:
The crawler can now access any available alt text for its target items. This has enabled us to improve the quality of the information displayed on the Crawl paths tab.
We have added three new filter buttons to the Issue Activity Dashboard panel:
BCheck generated filters the list to display only issues that were identified via a BCheck.
Extensions filters the list to display only issues that were identified via an extension-generated scan check.
Scan checks filters the list to display only issues that were found by a regular Burp scan check (i.e. not by a BCheck or extension).
Brotli and Deflate decoding support for the Montoya API:
The Montoya API's decode method now supports Brotli and Deflate encodings.
Decoder improvements:
When you pass a base64 string without padding to Decoder, it now decodes the string as if it were padded. This brings Decoder's behavior in line with that of the Inspector. Previously, Decoder required the appropriate padding to be added before the string was passed.
Bug fixes:
We have fixed the following bugs:
Previously, the Send to Repeater context menu option was not sending WebSocket tabs to Repeater in certain circumstances. This function now works as expected.
We have fixed an issue with the BCheck validator whereby variables incorrectly defined outside of the define block were not causing the check to fail validation.
We have fixed some performance issues when viewing and searching large responses in the request/response viewer.
Browser upgrade:
We have upgraded Burp's built-in browser to 118.0.5993.70 for Mac and Linux and 118.0.5993.70/.71 for Windows. This update contains security fixes.

New in Burp Suite 2023.10.1.2 (Sep 30, 2023)

New in Burp Suite 2023.10.1.1 (Sep 14, 2023)

This release introduces the ability to unpack Brotli-compressed messages in the Proxy and Repeater tools, and adds Organizer functionality to the Montoya API.
In Burp Scanner, we have introduced some new features to help keep you better informed of the progress of your scans, and reduced the overall load time of pages.
We've also made some minor improvements and fixed a few bugs.
Brotli-compression now supported:
We've added Brotli to our list of supported compression types. This means you can now unpack Brotli-compressed messages in the Proxy and Repeater tools.
Montoya API changes:
We have made the following changes to the Montoya API:
You can now send requests and responses to Burp Organizer via the Montoya API.
The Montoya API's decode method now supports Brotli and Deflate encodings.
You can now send requests and responses to Burp Organizer via the Montoya API.
Scanner improvements:
We've made a number of improvements to Burp Scanner, including:
Overall load time breakdown:
On the Crawl paths tab, we've added a hover-over that shows a breakdown of the overall load time of a page to show initial load time, time waiting for background requests, and time waiting for page to stabilize.
Scan progress indicators:
We've added some new features to help keep you better informed of the progress of your scans:
The current crawl depth and the number of pending actions have been added to the First crawl path to location panel of the Crawl paths tab.
Pending URLs (links that the crawler has found but not yet sent a request to) have been added to the Tree view panel of the Site map tab.
Other Scanner improvements:
We've made a number of additional improvements to the Scanner, including:
Reducing the time it takes to wait for a page to stabilize, which has decreased the overall load time of pages.
Improving the functionality of recorded login sequences.
Bug fixes:
We've fixed some minor bugs, including:
A bug that caused some extensions to return an incorrect indexOf() value when using the Montoya or Wiener APIs.
A bug that caused hidden tabs to remain hidden when requests or responses were sent to them.
A bug in Burp's search that said there were 0 highlights in the request and response panels, even when results had been found.
Browser upgrade:
We have upgraded Burp's built-in browser to Chromium 117.0.5938.62 for Mac / Linux and 117.0.5938.63 for Windows. This update contains several security fixes, including one for a critical vulnerability.

New in Burp Suite 2023.9.4 (Sep 1, 2023)

New in Burp Suite 2023.9.3 (Aug 25, 2023)

New in Burp Suite 2023.9.2 (Aug 18, 2023)

New in Burp Suite 2023.9.1 (Aug 11, 2023)

This release introduces new Repeater functionality based on the techniques discussed in James Kettle's talk "Smashing the State Machine: The True Potential of Web Race Conditions", first presented at Black Hat USA 2023. Repeater's new single-packet attack feature nullifies network jitter, enabling you to send multiple requests in parallel. These requests are synchronized to arrive within a very small time window, making it much simpler to test for race conditions.
We have also introduced various other improvements for Burp Suite Professional and Burp Scanner, including the ability to reuse HTTP/1 connections in Intruder, a new project-level Crawl paths tab in the Target tool, and support for GraphQL introspection during scans.
Repeater send group in parallel:
We have added a Send group (parallel) option to Repeater's Group send options menu. When you select this option for a tab group, Repeater sends the requests from all of the group's tabs at once.
Repeater synchronizes parallel requests to ensure that they all arrive in full at the same time. It uses different synchronization techniques depending on the HTTP version used:
When sending over HTTP/2, Repeater sends the group using a single packet attack. This is where multiple requests are sent via a single TCP packet.
When sending over HTTP/1, Repeater uses last-byte synchronization. This is where multiple requests are sent over concurrent connections, but the last byte of each request in the group is withheld. After a short delay, these last bytes are sent down each connection simultaneously.
Sending synchronized requests in parallel makes it much easier to test for race conditions. For more information about how to do this, as well as some deliberately vulnerable labs for you to practice on, check out the Race conditions topic on the Web Security Academy.
For more information on sending Repeater groups in parallel, see Sending grouped HTTP requests.
Montoya API changes:
As part of these new Repeater features, we have added two sendRequests methods to the Http interface. These methods enable you to build extensions that can send HTTP requests in parallel and retrieve their responses. You can also explicitly specify the HTTP mode that the requests should use, if required.
Reuse HTTP/1 connections in Intruder to speed up attacks
You can now control whether Intruder reuses connections to issue multiple HTTP/1 requests. This can greatly increase the speed of your attacks when using HTTP/1, as Burp does not need to open a new connection for each request and close it after receiving a response. Find this in Intruder > Settings > HTTP/1 connection reuse. For more information, see HTTP/1 connection reuse.
Safely open third-party project files:
We've introduced a new startup setting that enables you to trust or untrust projects. If you deselect Trust this project, Burp can now remove potentially harmful settings that could be configured within project files.
This is especially useful if you are opening project files that came from unknown or untrusted sources. Find this setting on the startup wizard, or in Settings > Suite > Startup behavior > Unrecognized project files. For more information, see Startup behavior.
Specify intermediate CA certificates for hardware tokens and smart cards:
You can now set intermediate certificates when you add a new PKCS#11 certificate for hardware token and smart cards. This enables you to test target applications that don't directly trust your intermediate CA. For more information, see Client TLS certificates.
Set custom SNI values in Repeater:
You can now set custom SNI values in Repeater. This enables you to reproduce external service interaction issues detected by Scanner using Collaborator payloads within the SNI. For more information, see HTTP Repeater tab.
Project-level scan crawl paths:
All scans in a project can now share crawl path information. This improves scan efficiency, enabling Burp Scanner to build on the paths it has already discovered as new scans are run.
As a result of this, we have added a new Crawl paths tab to the Target tool. This tab displays path information in the same way as the existing scan results Crawl path tab, but is populated by all scans rather than one individual scan. Any new scans that you run can draw on and add to the information displayed in this tab.
Isolated scans:
As part of the global crawl path work, we have added a Run isolated scan option to the scan launcher. Results from isolated scans do not appear in the Target > Site map or Target > Crawl paths tabs. This feature is useful if you want to test settings without impacting "live" scan results, for example.
You can view site map and crawl path information for isolated scans from the Tasks > View details > Target tab. The information displayed on this tab applies to the selected scan task only.
GraphQL introspection:
Burp Scanner can now run introspection queries on GraphQL endpoints to gain information on available queries and mutations. If the introspection query is successful, Burp Scanner sends further requests to each query and mutation discovered in an attempt to discover as much attack surface as possible. To enable GraphQL introspection, select the new Perform GraphQL introspection setting in the Miscellaneous section of the scan configuration.
If it does not find any GraphQL endpoints in the crawl, Burp Scanner can also now attempt to guess GraphQL endpoints using a list of common endpoint suffixes. To enable GraphQL endpoint guessing, select the new Test common GraphQL endpoints setting in the Miscellaneous section of the scan configuration.
Automatic scan throttling:
We have added a new Automatic throttling setting to the Resource pool section of the scan launcher. You can now configure which HTTP response codes should cause Burp Scanner to introduce a short delay between requests. Previously, Burp Scanner could only throttle requests when the server responded with a HTTP 429 code.
Other Burp Scanner improvements:
We have improved crawl optimization to reduce the chance of interesting content being missed. Specifically, Burp Scanner now treats clickables that are using the same event listener with different visible text as separate entities, and visits them all.
Bug fixes:
We've fixed a number of minor bugs, including:
We've fixed an issue that was causing the Proxy response panel to freeze when inspecting a 200 response after inspecting a 302/400 response.
We've improved the reliability of the Send to Organizer function.
We've fixed an issue where requests / responses generated by Intruder in some older versions of Burp could not be seen in newer versions.
We have fixed a bug whereby the crawler was not always waiting for slow asynchronous queries that cause a DOM mutation to return. This was resulting in slow page loads and missing elements in certain circumstances.
We have fixed a bug whereby Burp Organizer items weren't retained when Burp was upgraded to the latest version.

New in Burp Suite 2023.7.3 (Aug 4, 2023)

New in Burp Suite 2023.7.1 (Jul 26, 2023)

Customizing Burp's layout:
You can now customize the layout of Burp's top-level tabs. This enables you to tweak Burp's user interface to better suit your preferences. For example, you can now:
Change the order of tabs.
Detach tabs. This enables you to open a tab, or groups of tabs, in a new window. You can open and arrange windows to suit your work style.
Hide tabs. This enables you to limit the number of tabs that you can view, to focus on particular tools and extensions that you use more frequently.
Burp remembers these preferences, so you won’t need to reorder your tabs every time you start Burp.
For more information on how you can customize Burp's layout, see our reference documentation.
Scanner improvements:
We've made some improvements to Burp Scanner, including:
We have added a Status column to the Crawl Paths > Outlinks tab, giving more information on the actions that Burp Scanner took to discover each location in the crawl.
You can now replay recorded login sequences that contain shadow DOM elements.
Other improvements:
We have some additional improvements, including:
We've added a setting that switches off the confirmation dialog that appears when you close Burp Suite. Find this in Settings > Suite > Burp's closing behavior.
We've configured Burp Intruder to populate number fields by default when you select a Numbers payload type.
We've standardized Burp Intruder's payload placeholders, making it simpler for you to configure payloads.
Bug fixes:
We have fixed a number of minor bugs, including:
Content in extension-generated editor tabs now updates correctly.
Burp’s browser no longer erroneously sends HTTPS requests for HTTP URLs.
Burp Scanner no longer erroneously reports a Content Type Incorrectly Stated issue when scanning font files, or content types that Burp does not recognize.
Live passive audits now run any passive BChecks that have been marked as enabled.
Browser upgrade:
We have upgraded Burp's built-in browser to Chromium 115.0.5790.102 for Windows, Linux and Mac.

New in Burp Suite 2023.6.2 (Jun 29, 2023)

Custom scan checks:
This release introduces BChecks, which are scan checks that you can create and import. Burp Scanner runs these checks in addition to its built-in scanning routine. This enables you to fine-tune your scans and make your testing workflow as efficient as possible.
You can use our custom definition language to easily create BChecks. Burp includes a range of templates to get you started. To test your BChecks, you can use the built-in scan configuration Audit checks - BChecks only. If you use this configuration, Burp Scanner only uses BChecks when scanning.
We have also created a BChecks GitHub repository. This includes example BChecks from PortSwigger, as well as BChecks developed by the Burp Suite community. We look forward to accepting pull requests and celebrating your awesome work!
In the future, we're planning to improve the BCheck language and testing experience. We'd love your feedback. Contact our support team at [email protected].
For more information on how to create and manage your BChecks, see Adding custom scan checks and BCheck definitions.
Live crawl paths view improvements
We have made a number of improvements to Burp Scanner's live crawl paths view:
You can now view details of all the possible navigation actions that the crawler was able to take from a given location on the crawl path. This enables you to better understand the structure of your site. To view these details, go to the Crawl paths > Outlinks tab of the scan task details window.
You can now view a screenshot of Burp's browser at any crawl location. Go to the Crawl paths tab of the scan task details window and click Show screenshot.
The shortest crawl path tree is now retained when you reopen a project file.
GraphQL scan checks:
We have introduced a number of GraphQL scan checks. The new scan checks enable you to:
Identify if introspection queries are enabled.
Find out if GraphQL suggestions are enabled.
Test for CSRF vulnerabilities in all discovered GraphQL endpoints.
Montoya API:
We have updated the Montoya API, to enable you to create extensions with additional functionality. You can now:
Convert ByteArray data to different integer bases. This means you no longer need to use additional libraries to complete this task.
Log exceptions to the error output. This means that you don't need to format and convert exceptions manually.
Other improvements:
We have made a number of additional improvements, including:
You can now quickly switch to the Organizer tab using the hotkey Ctrl + Shift + O.
In the Issue activity table on the Dashboard, you can now filter issues by your target scope.
We have changed the way we launch Burp's browser. It now works with accounts for sites that fingerprint the presence of the DevTools listener, such as Google accounts.
Bug fixes:
We fixed a number of minor bugs:
If you change the highlight in the Organizer table, it no longer deselects the current row.
For Burp Suite Community Edition, filters are now correctly applied to Intruder attack results.
Burp Collaborator DNS interactions are now correctly reported by BCheck scan checks.
Browser upgrade:
We have upgraded Burp's built-in browser to 114.0.5735.198 for Mac and Linux and 114.0.5735.198/199 for Windows. This update contains multiple security fixes.

New in Burp Suite 2023.5.4 (Jun 19, 2023)

New in Burp Suite 2023.5.3 (Jun 7, 2023)

New in Burp Suite 2023.5.2 (Jun 2, 2023)

This release introduces the new Burp Organizer tool, a live crawl paths view, upgrades for the Montoya API, and a number of minor improvements.
Burp Organizer:
This release introduces Burp Organizer, which enables you to store copies of HTTP messages that you want to come back to later. Use Organizer to better manage your penetration testing workflow. For example, you can:
Store messages that you want to investigate later.
Save messages that you've already identified as interesting.
Save messages that you want to add to a report later.
Live crawl paths view:
We have added a new Crawl paths tab to the Task details dialog. This tab gives you real-time updates on crawls, displaying all the locations found in the target site and the actions taken by Burp Scanner to reach each of those locations.
For audit scans, the Crawl paths tab also shows details of any issues discovered in each location.
Please note that the Crawl paths tab is still under active development, and the contents of the tab are not currently saved to Burp Suite project files. As such, if you close and re-open the project the tab does not display any information for previously-run scans.
To learn more about the crawl paths view, see our documentation.
Recorded login improvements:
We have made the following minor changes to the Burp Suite Navigation Recorder browser extension:
When the login sequence that you're recording uses a type of platform authentication that is not supported by the extension, such as an NTLM-based mechanism, we now warn you of this during the recording.
When recording a login sequence, you no longer need to use the browser's incognito mode. However, we strongly recommend using incognito mode whenever possible to avoid issues with stateful behavior. We implemented this change to support users who would otherwise be unable to use the extension at all due to restrictions imposed by their organization.
Montoya API:
We have updated the Montoya API, to enable you to create extensions with additional functionality. You can now:
Access font information for the message editor and display.
Access the insertion points that are automatically detected by Burp Intruder.
Update and add headers or parameters. Burp adds the header or parameter if it isn't already present in a request.
Create Collaborator payloads so that any resulting interactions appear in the Collaborator tab.
Retrieve the details of any Collaborator interactions from issues identified by Burp Scanner in an audit.
We have fixed a bug so that extension settings from earlier versions of Burp now carry over to the Montoya API versions of Burp.
Minor improvements:
We have added a number of minor improvements, including:
You can now choose to apply enabled match and replace rules to in-scope items only.
You can now generate a project file that includes high, medium, low, and informational issues, but doesn't include false positives.
Burp Scanner now audits requests issued by iframes.
You can now use wildcard domains when you set a simple scope for Burp Scanner under Detailed scope configuration in the New scan dialog. This enables you to quickly and easily add all subdomains of a target domain to scope. For more information, see Setting the scan scope - Wildcards.
The Click all clickable elements setting has been moved into the Miscellaneous section in the crawler scan configuration options. It has also been enabled by default. You should see an increase in scanning coverage for single-page applications that use non-traditional navigational elements.
Bug fixes:
We have fixed an issue with DOM Invader that prevented it from working properly with newer versions of Chromium.
Previously, the crawler could erroneously consolidate separate locations into one under certain circumstances. The fix for this issue may result in you seeing an increase in locations discovered by the crawler.
We have fixed a bug that sometimes prevented applications from reaching a logged-in state when crawling sites with input elements that are not enclosed within a tag.
When checking for SQL and XPath vulnerabilities, issues are now correctly linked to the first response in a redirection chain that includes the error string. Previously, issues continued to be reported for each response with the error string.
Browser upgrade:
We have upgraded Burp's built-in browser to 114.0.5735.91 for Windows and 114.0.5735.90 for Mac and Linux.

New in Burp Suite 2023.4.5 (May 26, 2023)

New in Burp Suite 2023.4.4 (May 19, 2023)

New in Burp Suite 2023.4.3 (May 15, 2023)

This release introduces improvements to Burp Intruder and Burp Scanner, ARM64 support for Linux, and a number of minor improvements and bug fixes.
Improvements to Burp Scanner:
We have made a number of improvements to Burp Scanner:
You can now scan YAML API definitions.
You can now scan floating input fields, which enables Burp Scanner to better handle single-page applications (SPAs).
We have reduced the amount of noise in the event log that recorded logins produce when pop-ups close.
Improvements to Burp Intruder:
We have made a number of improvements to Burp Intruder:
Payload positions are no longer predefined when you send a request to Intruder. This means that you no longer need to clear payload positions before you start to configure your attack. You can still set the automatic payload positions if required - click Auto § in the Intruder > Positions tab.
You can now preset a payload position before you send a request to Intruder, to streamline your workflow. To do this, highlight the part of the request that you want to set as a payload position, then send the request to Intruder.
We have added the ability to control whether Intruder uses HTTP/1 or HTTP/2 for a specific attack.
ARM64 on Linux:
We have introduced support for ARM64 on Linux. Note that Burp's browser will only work with the installer build, not the plain JAR file.
Montoya API:
We have continued to update the Montoya API, which enables you to create extensions with additional functionality:
You can now pause and resume the task execution engine.
You can now load and export user settings in JSON. This gives you more control over Burp’s configuration.
You can now add custom tabs to WebSocket message editors.
Display scaling:
We have added a Scaling setting to the Settings dialog. This enables you to view Burp correctly when you use a high resolution display with custom scaling.
Bugs
We have fixed a number of minor bugs:
When you add further items to a finished task, it is now correctly relabelled as Running.
When you reopen a project file that contains completed scan tasks, they now remain completed with no further scanning actions taken.
We have fixed a bug whereby you received an error message when you loaded an extension to a temporary file with a path that contains spaces.
We have fixed a bug whereby extension popups displayed incorrectly when Burp was set to automatically recognize character sets.
We have fixed a bug in Burp Scanner that caused issues when crawling some API definitions.
We have fixed a bug that was preventing Burp Intruder tasks from loading properly in some cases.
We have fixed a bug that sometimes prevented applications from reaching a logged-in state when crawling sites with input elements that are not enclosed within a tag.
We found a bug in our Copy as curl command function which could result in unexpected behavior when pasted into a Windows shell. As a result, we have changed the label for this command to Copy as curl command (bash).
Chromium upgrade:
We have upgraded Burp's built-in browser to 113.0.5672.92/.93 for Windows and 113.0.5672.92 for Mac and Linux.
Note:
We have also updated Burp so that all feedback is now attributable to a Burp license. We will use this information to continue to improve your Burp experience and provide you with more targeted support. No sensitive information is transmitted in your feedback, and you can still choose to opt out of feedback at any time.

New in Burp Suite 2023.3.5 (Apr 21, 2023)

New in Burp Suite 2023.3.4 (Apr 19, 2023)

New in Burp Suite 2023.3.2 (Apr 9, 2023)

New in Burp Suite 2023.2.4 (Mar 24, 2023)

New in Burp Suite 2023.2.3 (Mar 10, 2023)

New in Burp Suite 2023.1.3 (Mar 2, 2023)

New in Burp Suite 2023.1.2 (Feb 9, 2023)

Settings restructure:
We have moved more settings into Burp’s Settings dialog. In particular, we have added:
All settings related to the following Burp tools into the Tools section:
Proxy.
Repeater.
Sequencer.
Intruder - User settings only. Intruder attack configuration settings remain in the Intruder attack tab.
A new page for extensions.
A new page for the configuration library.
Target scope settings into the Scope section.
Resource pools and task auto-start settings into the Tasks section.
As part of this restructuring, we have also:
Added the Repeater Default tab group setting. This enables you to configure the tab group that requests are added to by default when sent to Repeater.
Updated the viewing panel for the Hotkeys settings. This enables you to edit hotkeys from this panel directly.
Moved Inspector settings into the Message editor page.
Montoya API persistence:
We have upgraded the Montoya API to version 1.0.0, which enables Burp extensions to store and manage data in project files. Any BApps that you develop with version 1.0.0 will be compatible with future versions of Burp, as all future changes to the API will be backwards compatible.
You can now use the Montoya API to:
Store extension settings and data in the current Burp project. The API can store data both to project files that were created on startup and to temporary projects that you subsequently save to a project file. Each extension can only access its own data.
Select whether or not extension data is saved when you save a copy of the current project.
Import extension data from another project file.
The Montoya API offers support for the following data types:
Primitives.
Strings.
Booleans.
Requests.
Responses.
Byte arrays.
Lists.
Hierarchies.
Note that this functionality is not available in Burp's old Wiener API. You can only write extensions that support data storage and retrieval using the Montoya API from version 1.0.0 onwards.
Macro updates:
You can now define a prefix and suffix for a custom macro parameter. This can be useful, for example, to support Authorization headers, which require a static prefix followed by a dynamic value.
In addition, you can now set headers using macro parameters. When a parameter matches a request header, then Burp replaces the header value with the macro parameter value. This enables you to test APIs without configuring a Burp Extension.
Improvements to Burp Scanner:
This release includes several minor improvements to authenticated crawling with popup-based login mechanisms:
We have added a wait after the final event in a recorded sequence. This means that the sequence now captures links that are added by the final page after a delay.
When you login after receiving a temporary failure status code, Burp now authenticates subsequent requests for the same resource.
When you change the Await navigation timeout in a crawler configuration, it now automatically updates in the recorded login sequence replayer. It is also stored in the crawler tuning.
Bug fixes:
We have fixed a bug whereby Burp Repeater tabs were not functioning correctly when a request was sent to portswigger.net and the path was then changed to an absolute URL.
We have also released a couple of bug fixes related to the Montoya API:
Previously, the Javadoc incorrectly stated that the passiveAudit() method of the ScanCheck interface returns null if no issues are identified. The method in fact returns an empty AuditResult object if no issues are identified. We have updated the Javadoc.
We have fixed a bug whereby the copyToTempFile method in HttpRequestResponseImpl was causing null pointer exceptions.
Browser update:
This release upgrades Burp's browser to Chromium 110.0.5481.77/.78.

New in Burp Suite 2022.12.7 (Jan 26, 2023)

New in Burp Suite 2022.12.6 (Jan 12, 2023)

New in Burp Suite 2022.12.5 (Dec 21, 2022)

New in Burp Suite 2022.12.4 (Dec 15, 2022)

This release introduces support for popup windows when recording logins and a new live crawl view for Burp Scanner. We have also added several new features to DOM Invader, including the ability to detect DOM clobbering vulnerabilities, and various minor improvements and bug fixes for Burp Suite. It also upgrades Burp's browser to a later version of Chromium.
Authenticated crawling of applications with popup-based login mechanisms:
Burp Scanner can now replay recorded login sequences that open new windows or tabs. This enables you to run authenticated scans on websites with login mechanisms that require you to interact with popups, such as Google and Amazon's SSO services.
Live crawl view for Burp Scanner:
We have added a new Live crawl view tab to the Scan details dialog. This tab enables you to watch Burp Scanner render web pages in real time, helping you to diagnose unusual crawl activity or simply get a better understanding of Burp Scanner's behaviors when scanning a particular target.
Major improvements to Burp Scanner:
This release significantly improves Burp Scanner's resilience and provides increased support for a wider range of applications, especially SPAs.
Most importantly, we've fundamentally changed the way Burp Scanner navigates using its built-in browser. As a result, you may now be able to successfully scan a number of sites that were previously incompatible with automated vulnerability scans. In particular, you should see much better results on sites that rely heavily on navigation initiated by client-side JavaScript.
We've also dramatically improved our browser process management, resulting in much lower memory usage during scans.
DOM Invader enhancements:
This release adds a number of new features to DOM Invader, as well as some usability improvements.
Detect DOM clobbering vulnerabilities - DOM Invader can now scan for DOM clobbering vulnerabilities as you browse. This feature is disabled by default as it can potentially interfere with your other testing activities. You can enable it from the DOM Invader settings menu.
Detect injectable service workers - DOM Invader now attempts to inject the canary into service workers during registration and flags any controllable properties. You can then manually investigate whether the service worker uses these properties in an unsafe way.
Improved URL injection - We've removed the Inject URL button, which injected a test string into every URL parameter at once. In most cases, this wasn't very useful as it just prevented the site from working properly. Instead, you can now click Inject URL params to inject the canary into each URL parameter separately in individual windows. This is far more practical and yields significantly better results.
Restrict the parameters used for auto-injection - When using the Inject into all sources option, you can now define a custom list of parameters that DOM Invader uses to inject the canary. This makes this feature more useful as injecting all parameters at once typically just prevents the site from working at all.
We have also divided the main settings menu into collapsible categories to make it easier to use.
Rolling licenses:
We have added support for rolling licenses in Burp Suite. If your Burp license key has expired but you have a new, valid license associated with your account, then Burp Suite automatically applies your new license key the next time it starts up.
Change to Java requirements:
Burp Suite now requires Java 17 or later to run. This change should not impact you unless you launch Burp Suite from the command line, as the installer includes a bundled private Java Runtime Environment so that you don't need to worry about installing or updating Java.
Minor improvements:
This release includes several minor improvements, including:
The Collaborator client now shows the source port in the interaction details panel. This can help you to gauge how vulnerable a particular server is to certain attacks.
In Repeater, you can now drag and drop a tab into a collapsed group. The dragged tab is added to the end of the group.
We have changed the way in which Intruder attack results are stored in order to minimize the impact on project file size.
Bug fixes:
We have fixed the following bugs:
Previously, Burp was stripping out manually-modified Connection headers when using NTLM authentication. This has now been fixed.
We have fixed a request time discrepancy between Intruder and Logger, in which Intruder was incorrectly reporting that requests were sent to the server a few seconds before the request was actually sent.
We have fixed a bug whereby reports were not saving correctly on Windows machines. Burp was displaying a "Failed to open file" error at the point the report was saved.
We have fixed a bug whereby Burp's browser was unable to register service workers, causing issues with recorded login sequences and manual testing.
We have fixed a bug whereby if you attempted to cancel while loading a user configuration file, then Burp was displaying a "Configuration File" error.
Browser upgrade:
This release upgrades Burp's browser to Chromium 108.0.5359.124/.125.

New in Burp Suite 2022.11.4 (Dec 5, 2022)

New in Burp Suite 2022.11.3 (Dec 2, 2022)

New in Burp Suite 2022.11.2 (Nov 29, 2022)

In this release, we have significantly improved the usability of Burp's user and project options. We have also added new functionality to DOM Invader and the Montoya API.
User and project options refactor:
We have moved all of the options in the User options and Project options tabs to a new Settings dialog, accessible from a button on the main toolbar or by a configurable hotkey.
This new dialog improves the layout and navigation of Burp's options in several ways:
You can now access all user and project settings in one window.
You can now use search and filter commands to find the settings you need.
Following extensive UX research, we have rearranged the available settings into a more logical structure.
Each setting in the dialog has a marker indicating whether it is a user-level or project-level setting. For settings that can apply at either level, there is an Override options for this project only toggle that enables you to select the level at which the setting should apply.
DOM Invader: Detect cross-origin data leaks via web messages:
DOM Invader can now detect when the current page sends a web message containing data from the URL to a different target origin. In this case, an attacker can potentially steal sensitive data, such as OAuth tokens, by embedding the affected page in an iframe, along with an event listener that extracts the data.
Testing for these vulnerabilities manually is a laborious task, but DOM Invader can automate most of this process for you. Just enable the Detect cross-domain leaks option from DOM Invader's web message settings.
DOM Invader: Remove Permissions-Policy header:
You can now configure DOM Invader to strip the Permissions-Policy header from responses.
Some websites set directives via the Permissions-Policy header that block features that are essential to DOM Invader's functionality, such as synchronous XHR. In this case, DOM Invader informs you via the console and prompts you to enable the Remove permissions policy header option from the settings menu.
Proxy WebSocket listener support for Montoya API:
You can now use the Montoya API to intercept and modify proxied WebSocket messages.
Minor improvements:
This release includes several minor improvements to Burp Suite's tools, including:
You can now scan a selected insertion point only, without the need to run a full scan.
You can now load or unload multiple extensions at once via a new context menu option on the Extensions table.
We have added a search text field to the Edit hotkeys dialog, enabling you to filter the table of hotkeys.
Browser upgrade:
We have upgraded Burp's browser to Chromium 107.0.5304.110, which fixes a number of high-severity security issues.
Bug fix:
We have fixed a bug whereby requests were sometimes not rendering correctly in the message editor.

New in Burp Suite 2022.9.6 (Nov 10, 2022)

New in Burp Suite 2022.9.5 (Oct 28, 2022)

This release introduces the Montoya API, an all-new replacement for the Extender API. It also includes improvements to the Burp Collaborator client and adaptive request throttling for Burp Scanner.
Montoya API:
We have released the Montoya API, an all-new API that enables you to develop extensions for Burp Suite. The new API offers a more modern design than the existing Extender API, making it easier to use and enabling us to add future features that we could not have supported with the old API.
This change will not affect any current BApps, and the existing Extender API will continue to work as normal for the immediate future. However, we strongly recommend that you write any new extensions using the new Montoya API, as we will eventually end support for the Extender API.
The Montoya API offers all of the same features as the existing version. It also includes several new features, such as:
New methods to create, modify, and delete request / response headers.
The ability for an extension to query which edition of Burp (that is, Professional, Community Edition, or Enterprise Edition) it is currently running in.
The ability to generate Collaborator payloads from your own custom data.
The ability to export the secret key that the Collaborator uses for extensions and restore a previous Collaborator client session from it.
New utilities to generate random sequences and manipulate byte arrays.
Collaborator client improvements:
This release introduces various usability improvements for the Burp Collaborator client, including:
We have moved the client from the Burp menu to its own top-level tab.
You can now open multiple Collaborator client tabs, enabling you to track interactions from multiple payloads in separate tables.
Collaborator interactions are now persisted in the project file, meaning that any interactions in the table are retained if you close and reopen your project. You can also now save Collaborator interaction data directly to your project file.
You can now insert a Collaborator payload in the message editor by selecting Insert Collaborator payload from the context menu. This pastes in a new ID from the most recently-created Collaborator client tab.
The interaction table now displays interaction timings in milliseconds and the source IP of the interaction.
Automatic license key updates:
Renewed license keys now update automatically. If your existing license is expiring or has expired altogether, Burp Suite automatically checks your account for a renewed license key. If you have a renewed key associated with your account, then the system retrieves and activates that key.
Please note that you will need to allow network access to https://portswigger.net for this process to work.
Adaptive request throttling for Burp Scanner:
When Burp Scanner receives a 429 response due to sending too many requests in quick succession, it now incrementally adds a short delay between requests until it complies with the server's rate limit. This enables the scan to continue as normal, albeit with an increased duration.
If you prefer, you can disable this behavior using a custom scan configuration - just go to Request throttling configuration and deselect Adaptive request throttling.
Security patch:
We have fixed an HTML injection vulnerability that could be triggered by attackers with direct access to the proxy listener. Note that the proxy listener only accepts connections from localhost by default. This issue was privately reported via our bug bounty program.
Browser upgrade:
We have upgraded Burp's browser to Chromium 107.0.5304.62, which fixes a number of high-severity security issues.
Bug fixes:
We have also fixed some minor bugs, including:
Previously, you could still use the Collaborator client to generate payloads and poll manually even if the Collaborator was disabled in the project options. We have now amended this so that disabling the Collaborator disables all of the Collaborator client's functions.
We have fixed a bug whereby disabling the Collaborator did not stop the Collaborator client from polling for payloads that had already been created.
We have fixed a bug whereby the Learn More link on the Collaborator client tab was pointing to an invalid URL.
We have fixed a bug that prevented the crawler from handling links that are added to a page by JavaScript following a delay.
We have fixed a bug whereby Burp Scanner was failing to find CSRF vulnerabilities on sites that return a 302 response when CSRF is exploited.
We have fixed a bug whereby Repeater was not identifying streaming responses correctly, meaning that the affected responses would never complete.
We have fixed a UI issue whereby checkboxes and radio buttons were not displaying correctly on the Extensions tab when using the Light display theme.

New in Burp Suite 2022.8.5 (Sep 29, 2022)

New in Burp Suite 2022.8.4 (Sep 5, 2022)

This release introduces an all-new Extender API. It also includes improvements to the Burp Collaborator client and active request throttling for Burp Scanner.
New Extender API:
We have released an entirely new Extender API. The new API offers a more modern design than the existing version, making it easier to use and enabling us to add future features that we could not have supported with the old API.
The new API offers all of the same features as the existing version. For reference information, see the API Javadoc.
Collaborator client improvements:
This release introduces various usability improvements for the Burp Collaborator client, including:
We have moved the client from the Burp menu to its own top-level tab.
You can now open multiple Collaborator client tabs, enabling you to track interactions from multiple payloads in separate tables.
Collaborator interactions are now persisted in the project file, meaning that any interactions in the table are retained if you close and reopen your project. You can also now save Collaborator interaction data directly to your project file.
You can now insert a Collaborator payload in the message editor by selecting Insert Collaborator payload from the context menu. This pastes in a new ID from the most recently-opened Collaborator client tab.
The interaction table now displays interaction timings in milliseconds and the source IP of the interaction.
Automatic license key updates:
Renewed license keys now update automatically. If your existing license is expiring or has expired altogether, Burp Suite automatically checks your account for a renewed license key. If you have a renewed key associated with your account, then the system retrieves and activates that key.
Please note that you will need to allow network access to https://portswigger.net for this process to work.
Adaptive request throttling for Burp Scanner:
When Burp Scanner receives a 429 response due to sending too many requests in quick succession, it now incrementally adds a short delay between requests until it complies with the server's rate limit. This enables the scan to continue as normal, albeit with an increased duration.
If you prefer, you can disable this behavior using a custom scan configuration - just go to Request throttling configuration and deselect Adaptive request throttling.

New in Burp Suite 2022.8.3 (Sep 2, 2022)

New in Burp Suite 2022.8.2 (Aug 23, 2022)

New in Burp Suite 2022.8.1 (Aug 11, 2022)

This release provides new scan checks based on James Kettle's Browser-Powered Desync Attacks, first presented at Black Hat USA 2022. It also introduces the new capabilities for Burp Repeater that enable you test for these vulnerabilities manually.
New scan checks for client-side desync and CL.0 request smuggling:
Burp Scanner now reports client-side desync vulnerabilities. We've also upgraded our existing HTTP request smuggling checks to detect CL.0 vulnerabilities.
For more details on both of these issues, check out James's whitepaper and the new Web Security Academy content.
Send a sequence of requests in Burp Repeater:
You can now send the requests from a group of Repeater tabs as an automated sequence. When viewing a tab that belongs to a group, there is now a drop-down menu next to the Send button that lets you choose how your request sequence is sent. You can either send all of the requests over a single connection or use a separate connection for each request.
Sending requests over a single connection enables you to test for client-side desync vulnerabilities. For more information about how to do this, as well as some deliberately vulnerable labs for you to practice on, check out the new content on the Web Security Academy.
Sending over a single connection is also useful for timing-based attacks that rely on being able to compare responses with very small differences in timings as it reduces the "jitter" that can occur when establishing TCP connections.
Sending requests over separate connections is primarily useful when testing for vulnerabilities that require a multi-step process.
Adjusted issue severity - External service interaction (DNS):
Burp Scanner uses OAST techniques to identify critical vulnerabilities via DNS pingbacks to Burp Collaborator. Both the DNS interaction itself and the identified vulnerability are reported as separate issues. In some cases, such as when testing for SSRF, we may induce the application to perform a DNS lookup without this leading to the discovery of any further vulnerability. To better reflect this latter scenario, we have adjusted the severity of the External service interaction (DNS) issue.
We previously classed this as a high-severity issue on the assumption that a corresponding HTTP request was probably sent by the server, but subsequently blocked by a firewall's egress filters. Although we can't detect this externally, it could still provide a vector for pivoting attacks against the internal network.
However, we've increasingly encountered cases where systems perform a DNS lookup with no intention of ever connecting to the remote host, meaning that no HTTP request ever existed. For example, this could be triggered simply by adding a URL as the key of a Java Map.
This behavior can still indicate a serious vulnerability, and is worthy of further investigation, but we have reduced the reported severity to reflect the typical impact.
Handling changes for Unknown Host errors:
Previously, Burp Scanner automatically terminated audits if it encountered Unknown Host errors, even if the scan scope also included separate, valid domains. Unknown host errors are now treated in the same way as other scanner errors, and the audit does not automatically terminate if one is encountered.
Browser upgrade:
We have upgraded Burp's browser to Chromium 104.0.5112.79.
Bug fixes:
This release also provides some minor bug fixes, including:
You can now use shift-click to select any tabs on the Create new group dialog. Previously, this functionality did not work with preselected tabs.
We have fixed an issue whereby tab groupings were being lost if you selected Save in-scope items only on projects with groups where some of the group's tabs were in-scope and some were not.
We have fixed a bug whereby under certain circumstances Burp Scanner was not detecting a multiple content type issue for responses with multiple Content-Type headers.
We have fixed a bug whereby scans were hanging during the crawl phase if they could not find any reachable destinations to scan.

New in Burp Suite 2022.7.1 (Jul 22, 2022)

New in Burp Suite 2022.5.2 (Jun 23, 2022)

New in Burp Suite 2022.5.1 (Jun 20, 2022)

This release adds a number of enhancements to Burp Scanner, including several new JWT-based scan checks and an option to skip unauthenticated crawling when you've provided application logins. The BApp Store now also provides in-app feedback on how much load BApps are placing on your system.
JWT scan checks:
JWT implementations often contain serious vulnerabilities, but these can be tricky to thoroughly audit. Burp Scanner can now detect 8 common JWT-based vulnerabilities - saving you time, and making it easier to secure sites that use JWTs.
For more details, please see the individual issue definitions in Burp on the Target > Issue definitions tab.
Feedback on BApp performance impact:
On the Extender > BApp store tab, we now display an indication of how much load we estimate that each BApp places on your system.
The estimated system impact is divided into the following categories:
Memory shows what impact the BApp is likely to have on Burp Suite's memory usage.
CPU shows an estimate of how much additional load the BApp places on your CPU.
Time shows the BApp's impact on the speed of Burp Suite. This includes the responsiveness of the interface and how long tools take to complete tasks.
Scanner shows the likely impact on how long scans take to complete.
Overall shows the highest impact rating across all of these categories.
If you think that Burp is performing slower than it should be, we recommend checking these estimates for any BApps that you have loaded and removing those that you're not actively using. This should help you to extend Burp's capabilities without impairing performance.
Using multiple extensions at the same time has a cumulative effect on performance. The bar at the top of the screen shows the cumulative impact of all of the BApps that are currently loaded.
Skip unauthenticated crawling during scans:
You can now choose to skip unauthenticated crawling in cases where you have provided application logins for Burp Scanner to use. This helps to reduce the crawl time.
To enable this option, go to the Crawl Optimization settings in your scan configuration and select Crawl using my provided logins only. Note that if you do not provide any application logins, the crawler automatically reverts to performing an unauthenticated crawl instead.
Set headers in session handling options:
You can now use Burp Suite's session handling options to add headers and values to requests. When you create a session handling rule using the new Set a specific header value action, the header and value pair you provide are added to any requests that are within the rule's scope.
Verify upstream TLS:
Burp Suite has always used fully verified TLS to connect to known services, such as portswigger.net and the public Burp Collaborator server. However, when communicating with arbitrary websites, it does not verify upstream TLS certificates and supports weak ciphers by default. This maximizes compatibility at the expense of protection against active man-in-the-middle (MITM) attacks.
If you're concerned about the possibility of an active MITM attack on your communication with the site that you're testing, you can now configure Burp to verify upstream TLS certificates. To do this, go to Project settings > TLS and select the Verify upstream TLS checkbox.
In this scenario, we recommend also selecting the Use default protocols and ciphers of your Java installation option to prevent Burp from using weak ciphers.
Please note that additional hardening is planned for this feature in the future.
Improved Repeater tab behavior:
We have made several minor tweaks to the appearance and behavior of tabs in Burp Repeater. These will pave the way for some additional features in the future.
When Repeater tabs overflow onto a new row, these now stay the same size rather than stretching to fill the entire row. This makes it easier to keep track of where tabs are.
From the context menu, you now have options for renaming tabs and deleting all tabs to the left or right of the current tab.
There is a new actions menu (3 dots) in the upper-right corner of the screen. At the moment, this provides a limited range of options, but we'll continue to add to this in the future.
Browser upgrade:
We have upgraded Burp's browser to Chromium 102.0.5005.61
Other improvements:
We have added a range of common Google Analytics cookies to the list of ignored insertion points for scans.
We have improved the performance of Burp Scanner by tweaking the way we identify locations to audit after the crawl is completed.
In your scan configuration, you can now define separate timeout settings for the crawl and audit phases of a scan, overriding the global project setting.
Changes to Java requirements:
Burp Suite now requires Java 11 or later to run. This change should not impact you unless you installed Burp Suite as a .jar file, as the installer includes a bundled private Java Runtime Environment so that you don't need to worry about installing or updating Java. However, any extensions written in a version of Java earlier than 11 may not run correctly from this release onward.
Bug fixes:
We have resolved some performance issues that some users faced when using Intruder with large resource pools.
We have fixed an issue whereby Intruder's Copy attack config menu item was sometimes unresponsive.
We have fixed an issue with scan configurations whereby the Crawl using my provided logins only setting was not displaying correctly on the edit configuration menu. This setting was showing as unselected even for configurations where it had been selected during the initial setup process.
We have fixed an issue whereby the live passive crawl task was not automatically processing responses pushed from Repeater.

New in Burp Suite 2022.3.9 (May 27, 2022)

New in Burp Suite 2022.3.8 (May 20, 2022)

New in Burp Suite 2022.3.7 (May 11, 2022)

New in Burp Suite 2022.3.6 (Apr 29, 2022)

Customizable message editor tabs:
In addition to the existing Pretty, Raw, Hex, and Render tabs, you can now add the following tabs to the message editor:
Headers
Query params
Body params
Cookies
Attributes
Some of these tabs were available in older versions of Burp Suite, but have now been reintroduced and enhanced with the same powerful features for working with HTTP messages as the Inspector. This is a great alternative if you want to take advantage of the Inspector's functionality, but don't have room on your screen for the side panel.
To control which tabs are displayed, and in which order, click the settings icon in the upper-right corner of the message editor (above the Inspector panel), then select Message editor.
New domain name for the public Burp Collaborator server:
We've added a new domain name for the public Burp Collaborator server. Unless you have configured Burp to use a private Collaborator server, Burp Scanner and the Burp Collaborator client will now use oastify.com for their Collaborator payloads instead of burpcollaborator.net. This will help to reduce false negatives, enabling you to identify out-of-band vulnerabilities that were previously hidden due to widespread blocking of the old domain name.
The old domain name will remain active, so you'll still be able to see interactions with any of your existing burpcollaborator.net payloads.
Please note that if you're running Burp within a closed network and previously had to allow connections to burpcollaborator.net on port 443 in order to poll for interactions, you may need to do the same for oastify.com.
Detect DOM-based vulnerabilities that rely on API calls:
Burp Scanner's dynamic JavaScript analysis can now fetch data from out-of-scope API endpoints if required to load the page correctly. This enables it to detect DOM-based vulnerabilities where malicious input is only passed to a sink if an API call is made.
Note that although Burp Scanner fetches external resources and data when required, it will not perform any additional crawl or audit of out-of-scope URLs.
Rows of tabs no longer switch places when selected
In previous versions of Burp, when you had multiple rows of tabs, the selected row would automatically shift to the bottom. This could make it difficult to keep track of the order of tabs, which was particularly inconvenient in Burp Repeater.
We've now disabled this behavior, so tabs no longer move when selected.
Browser upgrade:
This release upgrades Burp's browser to Chromium 101.0.4951.41.
Bug fixes:
Burp Scanner no longer has issues when redirects are triggered by onload event handlers in the HTML tag.
We have fixed a bug that prevented you from reading or editing long lines of JSON in some of the message editor panels.
We have fixed a syntax error on the splash screen that appears when launching Burp.
When manually following redirections, you no longer get stuck in an infinite redirect loop.
The cursor in the message editor no longer jumps to the beginning of the request after you send it.
We have resolved an issue where the Proxy's HTTP history tab was not displaying responses on MacOS.
We have fixed a bug that was causing performance issues when testing recorded login sequences.

New in Burp Suite 2022.2.5 (Apr 20, 2022)

New in Burp Suite 2022.2.4 (Mar 17, 2022)

New in Burp Suite 2022.2.3 (Mar 14, 2022)

Ultra-fast crawling of static content:
Burp Scanner's Fastest crawl strategy is now optimized for crawling static sites as quickly as possible. We have achieved this by disabling features that are irrelevant for static content, such as automated session handling and state recovery.
To give you a rough idea of the savings, these changes reduce the time taken to crawl our static documentation site from around 45 minutes to well under 10 minutes.
For the long-time Burp users out there, this strategy is effectively an improved version of the Spider tool from Burp Suite 1.7, emulated using the new crawling engine.
Improved scanning of single-page applications:
This release greatly enhances Burp Scanner's ability to handle single-page applications (SPAs) built on frameworks like React.
The crawler can now recognize when a website uses URL fragments for client-side routing and adjust its behavior accordingly. This enables it to successfully scan content that is reached without sending additional requests to the server.
The crawler can now identify API calls triggered when the browser renders components on the page and send them for audit if necessary.
Security fix:
Several months ago, we fixed an HTML injection vulnerability that could result in Burp Suite sending requests that did not respect its upstream proxy configuration. This could leak NetNTLM hashes on Windows systems that failed to block outbound SMB. This issue was caused by Swing GUI components that were insecurely configured to render HTML.
This release provides additional mitigation that prevents BApps from introducing this vulnerability even if they contain Swing components that allow HTML rendering.
This issue was reported via our bug bounty program.
Browser upgrade:
We have upgraded Burp's browser to Chromium 99.0.4844.51.
Bug fixes:
We have also fixed several minor bugs. Most notably, we have:
Resolved an issue that caused some Windows users to see a "No JVM found on your system" error when restarting Burp after an update.
Fixed an issue that meant recorded login sequences were sometimes cut short when testing them.

New in Burp Suite 2022.1.1 (Feb 9, 2022)

New in Burp Suite 2021.12.1 (Jan 25, 2022)

This release enables you to configure Intruder attacks against multiple hosts and adds several new options for customizing the Inspector. These include docking the panel to the left or right of the screen and toggling line wrapping within each widget. As of this release, there is also a dedicated installer for Mac machines with the M1 chip.
Multi-host Intruder attacks:
You can now add payload positions to the target host field in Burp Intruder, enabling you to target multiple hosts from a single attack. This is useful in situations where you want to test for issues across many web applications simultaneously.
As part of this change, the settings previously included in Intruder's Target tab have been incorporated into its Positions tab.
New Inspector panel options:
We have added a toolbar at the top of the Inspector panel. This contains buttons that let you:
Toggle whether the Inspector is docked to the left or right of the screen.
Collapse all widgets.
Expand all widgets that contain data.
You can also toggle line wrapping by clicking the icon in the upper-right corner of each table.
Support for Mac M1(Arm64) chips:
Burp Suite now supports the latest Apple Mac models equipped with M1 (Arm64) processors. We now provide a dedicated installer for these machines.
If you're not sure which installer you need, please refer to the documentation for details.
Proxy Intercept is now off by default (new installations only):
Due to overwhelming customer demand, Burp Proxy's Intercept feature is now off by default on new installations of Burp Suite. This removes the common problem of users forgetting to disable it before attempting to use the browser.
Please note that if you have upgraded an existing installation, you are not affected by this change. However, you can adjust this setting manually under User options > Misc > Proxy Interception.
Embedded browser upgrade:
We have upgraded Burp's browser to Chromium 97.0.4692.71.
Bug fixes:
We have also fixed a number of minor bugs. Most notably, we have fixed a bug that prevented Burp from completing the TLS handshake with servers whose certificate chain was longer than 10 but less than 30.

New in Burp Suite 2021.10.3 (Dec 3, 2021)

New in Burp Suite 2021.10.2 (Dec 3, 2021)

New in Burp Suite 2021.10 (Nov 21, 2021)

New in Burp Suite 2021.9.1 (Oct 27, 2021)

Manually test hidden HTTP/2 attack surface in Burp Repeater:
You can now send HTTP/2 requests from Burp Repeater even if the server doesn't explicitly advertise HTTP/2 support via ALPN. This allows you to manually explore additional "hidden" HTTP/2 attack surface.
To enable this behavior, first select the Allow HTTP/2 ALPN override option from the Repeater menu, then switch the protocol to HTTP/2 from the Inspector panel.
Burp Intruder improvements:
We have made the following improvements to Burp Intruder:
When configuring a list of payloads to send during your attack, you can now click the Deduplicate button to remove any duplicate entries. This helps to increase the efficiency of your attacks as you can avoid sending redundant, duplicate requests when combining multiple wordlists for example.
When using the Grep - Match or Grep - Payloads options, the results table now contains a column displaying the number of matches found in the response rather than just a checkbox.
In the resource pool configuration, there is now an option for setting the delay between requests to an incremental value. This enables you to study how the target application's behavior changes as requests become more spread out. You can use this to determine how long a session is kept alive between requests for example.
You can now select multiple rows and perform bulk operations on some of the tables in the Intruder configuration settings.
Improved scan check for server-side template injection:
We have added payloads to the server-side template injection (SSTI) scan check to detect vulnerabilities in the following Java-based template engines:
SpEl
JSF
Freemarker
Thymeleaf
Velocity
JSTL
We have also integrated additional out-of-band detection methods using Burp Collaborator.
Audit asynchronous traffic in Burp Scanner:
API calls that are triggered by the crawler interacting with elements on the page will now be sent for audit.
We have also improved the way the crawler interacts with forms on a page to better support modern single-page applications.
Improved handling of XML and JSON insertion points in Burp Scanner:
We have made the following changes to improve the handling of XML and JSON :insertion points during scans:
Payloads injected into unquoted JSON contexts are now automatically wrapped with quotation marks to ensure that Burp Scanner always generates valid JSON documents.
Insertion points in standard XML attributes such as xml:lang and xmlns:* are now ignored by default. If you prefer, you can override this setting in your scan configuration under Audit options > Ignored insertion points.
When appending payloads to insertion points within XML CDATA sections, Burp Scanner now removes the CDATA block and correctly entity-encodes the payloads.
Recorded login improvements:
Burp Scanner can now handle iframes, multi-selects, scrolling elements, and SVG elements in recorded login sequences. We have also improved reliability of recorded logins by changing the way we locate and interact with elements on the page.
Other improvements:
On the Logger tab, we have added an option to the context menu for exporting the log as a CSV file.
On the Dashboard tab, you can now rename tasks to help you identify them more easily. You can now also search for tasks by their name or other details.
You can now set a default preference for whether tasks are resumed or paused when you launch Burp. To change the default setting, go to User options > Misc > Tasks.
Security fix:
We have updated Burp's embedded browser to Chromium version 95.0.4638.54, which fixes a number of high-severity bugs.
Bug Fixes:
This release also provides a number of bug fixes, most notably for a bug when highlighting or selecting text in Burp Repeater.

New in Burp Suite 2021.8.4 (Oct 3, 2021)

New in Burp Suite 2021.8.3 (Sep 15, 2021)

New in Burp Suite 2021.8.2 (Aug 26, 2021)

New in Burp Suite 2021.8.1 (Aug 13, 2021)

New in Burp Suite 2021.8 (Aug 13, 2021)

This release provides a range of powerful new enhancements to Burp's HTTP/2 support. This enables you to identify and exploit a number of HTTP/2-exclusive vulnerabilities, including those presented by James Kettle at Black Hat USA 2021. It also implements a security fix for the embedded browser and some minor bug fixes for recorded login sequences.
Control the protocol for individual requests:
In Burp Repeater and Proxy Intercept, you can now choose whether to send each request using HTTP/1 or HTTP/2. When you switch protocols, Burp will automatically perform the necessary transformations behind the scenes to generate an equivalent request suitable for the new protocol. For example, the HTTP/1 request line is mapped to HTTP/2's :method and :path pseudo-headers.
This enables you to easily upgrade and downgrade requests to experiment with protocol-specific vulnerabilities.
Test for HTTP/2-exclusive vulnerabilities:
We are excited to announce that Burp Suite Professional and Community Edition now provide native support for viewing and manipulating HTTP/2 requests.
In addition to the HTTP/1-style representation of the request that you can see in the message editor, the Inspector now lets you work with HTTP/2 headers and pseudo-headers in a way that more closely resembles what will be sent to the server. As this view doesn't rely on HTTP/1 syntax, you're able to construct attacks using a number of HTTP/2-exclusive vectors that are impossible to reproduce in HTTP/1. This gives you the opportunity to explore a whole new attack surface that has barely been audited due to the complete lack of any suitable tooling until now.
For some real-world examples of what's possible, check out the whitepaper for James Kettle's latest research, HTTP/2: The Sequel Is Always Worse, which he recently presented at Black Hat USA 2021.
Burp's message editor still lets you work with an HTTP/1-style representation of the request and converts this to an equivalent HTTP/2 request under the hood. This is great for performing general testing where the protocol you're using isn't important.
For more information about these features, the configuration options, and a breakdown of some HTTP/2 fundamentals, please refer to the accompanying documentation
New HTTP/2 scan checks:
In addition to the new manual HTTP/2 tooling, this release adds some HTTP/2-specific improvements to Burp Scanner:
Two new HTTP/2-exclusive methods of obfuscating the transfer-encoding header for HTTP request smuggling.
A new detection method for HTTP/2 request tunnelling.
A new scan check for "hidden" HTTP/2 support. Scanner can now detect when a server supports HTTP/2 but doesn't advertise this in the ALPN during the TLS handshake.
We've also improved the issue details for HTTP request smuggling to flag when server-side countermeasures have limited the impact to request tunnelling.
These enhancements are also based on James's research.
Embedded browser security fix:
We have updated Burp Suite's embedded browser to fix a clickjacking-based remote code execution bug in Burp Suite, as reported to our bug bounty program by @mattaustin and @DanAmodio. We have updated to Chromium 92.0.4515.131, which fixes several bugs that Google has classified as high
Bug fixes:
This release fixes several bugs that should improve the reliability of recorded login playback.

New in Burp Suite 2021.6.2 (Jun 18, 2021)

New in Burp Suite 2021.5.3 (Jun 14, 2021)

New in Burp Suite 2021.5.2 (Jun 2, 2021)

New in Burp Suite 2021.5.1 (May 14, 2021)

New in Burp Suite 2021.5 (Apr 29, 2021)

New in Burp Suite 2021.4.2 (Apr 22, 2021)

This release provides a native logging tool to Burp Suite, which allows for logging global and individual task traffic. It also strengthens support for HTTP/2, allows saving settings for Burp's embedded browser and message editor's search bar, and allows you to turn off Repeater's line ending normalization. The release provides some minor improvements, an update to Burp Suite's embedded browser, and fixes several bugs.
Logger:
Burp Suite now has a native logging tool called Logger, which is available from the main row of tool tabs. Some highlights of Logger are:
You can view traffic made by all Burp tools, analyze messages, and send them to other Burp tools.
You can configure separate capture and view filters to focus on the messages that you are interested in.
Logger is optimised for performance and limits the amount of memory that is used. The default limit is 50MB (or 100MB if you give Burp Suite at least 1GB of memory), but you can change this. Once the memory limit has been reached, Logger will keep a rolling log of entries.
You can turn off Logger if you prefer.
Task logger:
You can also view log traffic for individual tasks (such as scans). This allows you to analyze what's happening if one of your tasks shows unexpected behavior, or to monitor a task's progress.
To see the log for a task, click on the task's "View details" icon and then select the "Logger" tab. Logging for each task has its own memory limit, separate from the main Logger.
HTTP/2 support:
We have strengthened support for HTTP/2 within Burp Suite. HTTP/2 support is now turned on by default and is no longer considered experimental. Burp will interact with targets via HTTP/2 when a target supports it.
HTTP/2 support brings a significant performance improvement to the network layer, benefiting Scanner and Intruder speed. It also provides future compatibility with any site that no longer supports HTTP/1.1.
If you prefer not to use HTTP/2, you can disable its use under Project Options / HTTP.
Message editor search settings:
You can now configure the default settings of the message editor's search bar. Change the defaults by going to User options > Misc and selecting the check boxes under "Message search".
Normalized line endings in Repeater:
Repeater usually normalizes the line endings of requests. However, this behaviour may not always be useful, especially when you are testing request smuggling. You can now turn off normalizing line endings by going to the Repeater menu and unchecking "Normalize line endings".
Improved DNS records in Burp Collaborator:
We have added support for single custom CNAME and multiple custom TXT DNS records within Burp Collaborator, which can optionally contain specific TTL values.
Embedded browser settings:
When using Burp's embedded Chromium browser, your history and any changes you make to the browser settings are now saved even after you close Chromium. This means you no longer need to reconfigure your preferences each time you use the browser and can even keep any extensions that you install.
By default, your settings and history will be persisted. If you'd prefer to disable this behavior, go to User options > Misc and deselect the corresponding checkbox in the "Embedded browser" section.
Embedded browser update:
This release includes an update of Burp Suite's embedded browser to Chromium 90.0.4430.85, which fixes several security issues that Google have classified as high.
Minor improvements:
This release provides several minor improvements, including:
We have improved the heuristics of the crawler to better fill out text fields in forms.
Custom menu items added by extensions are now shown in a sub-menu of the context menu, to avoid cluttering.
The hash algorithm list within Burp Decoder is now sorted alphanumerically.
The resource pool button is now disabled when configuring a live passive crawl, as this crawl does not make requests.
We have added "Clear all payload markers", for Intruder, to the list of actions that you can assign a hotkey to.
Bug fixes:
This release provides several bug fixes, including:
Filter dialogs now work correctly when you use the settings button to restore defaults or load a configuration.
The crawler now correctly clears session data held in local storage when it is no longer needed.
The crawler no longer produces an error when it encounters request bodies that contain JSON literals when it is crawling OpenAPI definitions.
Burp Suite now shuts down correctly on macOS.
The number of characters selected now shows in the message inspector when selecting non-editable messages.
The automatic backup progress dialog box no longer appears if Burp Suite is minimized.
Message inspector buttons now work correctly when you paste content into a "Decoded from" panel.
Burp Collaborator server now responds to CAA queries with a NOERROR rather than a SERVFAIL response code.
Burp Suite is not entirely compatible with Java 16. It will now warn you if you try to launch it with Java 16, and provide a workaround to enable you to use both together.
Requests to restore Proxy default settings no longer fail to restore Proxy filter configuration defaults.
When you load an existing project, the Proxy filter settings now are correctly honored.
You can now cancel Proxy filters.
The message inspector no longer sends spurious HTTP messages.

New in Burp Suite 2021.4.1 (Apr 13, 2021)

New in Burp Suite 2021.4 (Apr 13, 2021)

New in Burp Suite 2021.3.2 (Mar 18, 2021)

New in Burp Suite 2021.3.1 (Mar 17, 2021)

New in Burp Suite 2021.2.1 (Feb 17, 2021)

New in Burp Suite 2021.2 (Feb 17, 2021)

New vulnerability definition: vulnerable JavaScript dependencies:
Burp Scanner will now detect when a target application imports a JavaScript dependency that has a known vulnerability, such as when a library is dangerously out of date or has other issues.
Non-printing characters improvement:
When viewing non-printing characters in the text editor, characters with a hexadecimal code point below 20 are displayed as "lozenges" with their hex code. Now, characters with a code point from 7F to FF are also displayed in the same way.
Per-host controls for platform authentication:
Platform authentication (under "User options" and the "Connections" tab) can now be turned on or off on a per-host basis.
Message inspector improvements:
There have been significant performance improvements in the message inspector. Also, users can now resize the message inspector horizontally and select multiple entries at once.
Embedded browser improvements:
HTTP requests initiated by the embedded Chromium browser itself, rather than the user, are no longer sent. Also, Burp's embedded browser has been upgraded to Chromium 88.0.4324.150.
Bug fixes and minor improvements:
This release also provides the following bug fixes and minor improvements:
The HTTP history message filter no longer incorrectly opens a new window when in fullscreen mode on macOS.
Streaming responses now show correctly in Burp Repeater.
Regex-based session validation no longer fails after opening an existing project file.
Activating a .burp file now opens Burp and loads the file rather than starting the Burp start-up wizard.
The "Delete bytes" context menu option has been restored to Burp Decoder.
The message editor now correctly highlights text in double quotation marks.
The colour of the "Intercept is off" button now matches nearby buttons.
Marks in check boxes are now displaying correctly in Burp extensions.
Deselecting "URL-encode these characters" is now respected for Payload Processing rules and multiple payload sets when using Cluster bomb attacks in Burp Intruder.
Burp Suite now makes use of the maximum size of messages that can be sent to Chromium DevTools, which is 100MB. This means that larger page resources can be loaded.
Burp Suite's MIME-type analysis now matches Chromium's behavior. Where multiple Content-Type headers are present in a response, Burp chooses the last one. Where there are Content-Type headers and a tag, Burp chooses the Content-Type headers. This change affects MIME-type filters in the Proxy and Target tabs, and the Render tab in the response viewer.
The icon for vulnerabilities with a severity of False Positive has changed from blue to green.

New in Burp Suite 2020.12.1 (Dec 20, 2020)

New in Burp Suite 2020.12 (Dec 20, 2020)

New in Burp Suite 2020.11.3 (Dec 2, 2020)

New in Burp Suite 2020.11.2 (Nov 28, 2020)

New in Burp Suite 2020.11.1 (Nov 21, 2020)

New in Burp Suite 1.7.36 (Jul 30, 2018)

New in Burp Suite 1.7.35 (Jun 29, 2018)

New in Burp Suite 1.7.34 (Jun 14, 2018)

A number of bugs have been fixed:
A bug that prevented Burp from validating the common name of the Collaborator server certificate when polling over HTTPS. The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)
A bug that could cause HTTP Basic authentication credentials to leak to another domain when following redirections. The impact of this bug is that if a user configures HTTP Basic authentication for domain A, performs a scan of domain A, domain A redirects to domain B, and the user has included domain B within their target scope, then the credentials would be leaked. The same leakage could occur when working manually if a user manually follows a redirection to a malicious domain using Burp Repeater.
A bug that could allow an active MITM attacker to spoof textual content within the BApp Store tab and updates dialogs. Note that code signing prevents a MITM attacker from manipulating the actual installation of BApps or updates.
Some bugs in Burp's project repair function that caused some actually recoverable data to be lost.
A bug that prevented autocomplete popups from closing on some Linux window managers.
A bug that prevented temporary projects from being saved as a disk-based project more than once within the same Burp session.
A bug that prevented MacOS app nap from being disabled, with the result that automatic activity is slowed when Burp runs in the background.
A bug that prevented the Proxy from correctly handing requests that use a literal IPv6 address in the domain name of the requested URL.
The following enhancements have been made:
Burp ClickBandit has been updated to support sandboxed iframes.
A fix has been applied following a change in JRuby 9.2.0.0 that prevented Burp extensions written in Ruby from running.

New in Burp Suite 1.7.33 (Mar 29, 2018)

New in Burp Suite 1.7.32 (Feb 2, 2018)

This release adds a new automatic project file backup function. If you are using a disk-based project, this function automatically saves a backup copy of your project file periodically in the background. The options for the new function can be found at User options / Misc / Automatic Project Backup.
The new function is superior to the older function that saved a state file backup in several respects:
Project file backups are considerably faster. Project files of 1Gb in size are typically backed up in a few seconds.
You can optionally include in-scope items only, to reduce the size of the backup file.
Available disk space is checked before performing a backup. If insufficient space is available, the backup is skipped and an alert is shown.
A single backup file is saved alongside the main project file. On successful completion of a new backup, the previous backup file is deleted.
On attempting to open a corrupted project file, Burp checks if a backup is available, and if so offers to open that as an alternative to repairing the original.
By default, the backup file is deleted on clean shutdown of Burp. Since the main project file is saved incrementally in real time, and project file corruption is typically caused by abnormal termination of the OS, it is not normally necessary to retain backup files following a clean shutdown. You can choose to retain the backup file on shutdown in the automatic project backup options.
You can optionally disable the progress dialog that is shown when a backup is performed, so you can continue working without interruption.
Backups are enabled by default with no configuration required. If you don't want to use the feature, you can quickly turn it off using the option that is shown in the progress dialog.
Other enhancements include:
Installed BApps are now updated automatically on startup. We issue frequent updates to BApps and it is highly recommended to be using the latest versions. You can disable automatic BApp updates in Extender options.
A bug in the import project function, which omitted to import the Scanner issue activity log, has been fixed.
Requests made by extensions during custom scan checks are now correctly reflected in the scan queue request counts, and are correctly subjected to configured request throttling.

New in Burp Suite 1.7.30 (Dec 13, 2017)

New in Burp Suite 1.7.29 (Nov 20, 2017)

New in Burp Suite 1.7.28 (Nov 15, 2017)

This release introduces simplified scope control.
Burp's existing scope mode employs complex rules allowing you to specify each component of the URL individually (protocol, host, port, and path). You can specify each component using simple expressions, wildcards, and regular expressions. These rules are sometimes complex to create and interpret, and are computationally expensive to apply.
The new scope mode uses simple URL prefixes to define what is in and out of scope. Wildcard expressions are not supported. However, you can omit the URL protocol to match both HTTP and HTTPS.
The new simplified scope control is flexible enough for most purposes, and is enabled by default. You can still enable advanced scope control if you require the power of the old-style scope rules.
State files no longer support saving and reloading of project options. Only project state (site map, Proxy history, etc.) is now included. You can save and reload project options via project configuration files. State files in general are deprecated, and Burp project files should be used instead.
Burp's colors and graphics have been updated in line with our website. Additionally, the free edition of Burp has been renamed to Burp Suite Community Edition. We are planning some brand new editions of Burp in the future, and the new name will sit better alongside those. It will, of course, remain free of charge.
A number of bugfixes and enhancements have been made:
A false positive for external service interaction, from certain Collaborator payloads placed into the URL request line when using an upstream proxy, has been fixed.
Burp now includes the SNI extension in SSL negotiations even when the hostname doesn't contain a dot.
Burp Clickbandit has been updated to fix some issues on Chrome and Edge.
The BApp Store tab now shows the popularity, date of last update, and link to source code on Github, for each BApp.
A bug in the sessions rules UI, where session rules' references to macros were not reflected after reloading settings, has been fixed.
A bug in the filter UI, where a entering a long search string caused the text field to outgrow the window, has been fixed.

New in Burp Suite 1.7.27 (Sep 1, 2017)

Adds various minor enhancements:
There is a new hotkey for adding an Intruder payload position marker. This is not mapped to any keystroke by default, but this can be done at User options / Misc / Hotkeys.
There is a new option on startup to disable extensions. This can help resolve situations where a misbehaving extension causes problems during startup.
Burp Collaborator server now responds to DNS lookups containing the subdomain "spoofed" with the IP address 127.0.0.1. This is to prevent the Collaborator being wrongly incriminated when a server being scanned is vulnerable to client IP spoofing, as happened here.
The option to strip the "Accept-Encoding" header in incoming requests to the Proxy has been modified so that it normalizes the header to a default value rather than stripping it altogether. The previous behavior caused problems with some WAFs configured to drop requests without this header.
The default max heap size requested by the platform installer has been reduced from 75% to 50% of total physical memory, in order to prevent OS performance issues on some platforms. This can be modified after installation by editing the vmoptions file in the installation directory.
MacOS App Nap has been disabled as this can cause Burp's automated activity (like scanning) to be suspended when the Burp window is in the background.
Additionally, a number of bugs have been fixed:
A bug that caused temporary data saved by Burp extensions and the sessions tracer to actually get stored in project files.
A bug that caused the Spider not to honor the "Maximum parameterized requests per URL" setting.
A bug that caused some lightweight popups to have full window decoration on some Linux desktop managers.
A bug that incorrectly handled loading of IP addresses from file into the scope configuration UI.
A bug that prevented upstream SNI from working when proxying traffic through Burp from an Android emulator.
A bug that caused report generation to fail altogether when it encountered an incomplete issue due to project file corruption.

New in Burp Suite 1.7.26 (Aug 4, 2017)

New in Burp Suite 1.7.25 (Aug 4, 2017)

New in Burp Suite 1.7.24 (Jul 19, 2017)

New in Burp Suite 1.7.23 (May 23, 2017)

New in Burp Suite 1.7.22 (Apr 29, 2017)

New in Burp Suite 1.7.21 (Apr 8, 2017)

New in Burp Suite 1.7.20 (Apr 7, 2017)

This release considerably enhances the detection of blind injection vulnerabilities based on response diffing. Various Burp Scanner checks involve sending pairs of payloads (such as or 1=1 and or 1=2) and looking for a systematic difference in the resulting responses. Previously, Burp used a fuzzy diffing algorithm that analyzed the whole content of responses. This approach has various limitations that can lead to false negatives, such as:
Small variations that are insignificant in the context of the whole response content are liable not to trigger the fuzzy diffing threshold, despite being highly significant when their precise syntactic context is taken into account.
Situations where application responses vary due to non-deterministic or unrelated factors can lead to large variations that trigger the fuzzy diffing threshold for all payloads, thereby masking other variations that depend systematically on the supplied payload.
Burp now uses a more granular diffing logic that takes into account all of the response attributes that were previously exposed in the analyzeResponseVariations API and used in our backslash powered scanning research. Variations are separately analyzed for attributes such as tag names, HTTP status code, line count, HTML comments, and many others. This granularity avoids the limitations described above and dramatically improves the accuracy of blind scan checks in many cases.
Additionally, several of the payloads used in diff-based scan checks have been enhanced to ensure that observed differences are indeed the result of injecting into the intended technology, rather than other input-dependent logic. For example, some web application firewalls (lamely) filter input that matches or N=N and cause a different response than is observed for or N=M. Burp's payloads are now intelligent enough to avoid false positives in situations like this.
The scan checks whose logic has improved include: SQL injection, LDAP injection, XPath injection, file path manipulation, User-agent-dependent response, X-forwarded-for-dependent response, and Referer-dependent-response.
We welcome feedback about the real-world performance of the new scanning logic, particularly in relation to false negatives or positives for diff-based injection issues.
Burp Proxy's generated per-host SSL certificates now include the site's commonName in the subjectAlternativeName extension. Apparently fallback to the commonName was deprecated by RFC2818 (in 2000), and browsers have recently decided to implement this.
Burp Collaborator server now has a configurable logging function that can be used for diagnostic purposes. See the Collaborator configuration file documentation for more details.
Various other minor fixes and enhancements have been made.

New in Burp Suite 1.7.19 (Mar 2, 2017)

New in Burp Suite 1.7.18 (Mar 1, 2017)

New in Burp Suite 1.7.17 (Feb 1, 2017)

New in Burp Suite 1.7.16 (Jan 17, 2017)

New in Burp Suite 1.7.15 (Dec 22, 2016)

New in Burp Suite 1.7.13 (Nov 30, 2016)

This release adds various enhancements and bugfixes.
Burp Infiltrator has been enhanced with a large number of new API sink definitions, for both the Java and .NET platforms. This dramatically increases the coverage of existing vulnerabilities, such as OS command injection and file path traversal.
You can export the updated Infiltrator installers from the "Burp" menu in Burp Suite Professional. If you have already installed an earlier version of Infiltrator in an application, you can just run the new installer to update the instrumentation with the new API sink definitions.
The BurpInfiltrator.dll .NET assembly is now signed, and all instrumented assemblies refer to it by its strong name. This change will address some issues that can arise with usage of signed assemblies.
The manual Burp Collaborator client has been enhanced to give full details of Infiltrator interactions. This can greatly assist manual testing and exploitation of vulnerabilities, for example by showing the full SQL query that is executed when some particular input is submitted. Also, the Collaborator client UI now shows the Collaborator payload in the table of interactions, and supports user comments and highlights
The IBurpCollaboratorClientContext API now supports separate retrieval of regular Collaborator interactions and Infiltrator-driven interactions.
The following bugs have been fixed:
A bug in the "copy as curl command" function which could enable a malicious website to generate an HTTP request which, if the Burp user uses the "copy as curl command" function and executes the output in a shell context, will cause arbitrary commands to be executed. There is no exposure to users who do not use the "copy as curl command" function, but it is recommended that all users upgrade to the latest version. This issue was discovered through an internal security review, rather than a user report.
A bug in the Burp Collaborator health check which caused SMTP/S connections made by the health check not to honor the configured SOCKS proxy settings.
A bug which caused Proxy match/replace rules to display as type "regex" even if they are not.
A bug where use of a partial/incomplete configuration file at project startup caused any undefined configuration options to have blank values. Now, any undefined options are assigned their default values.
A bug which caused Burp to leave temporary files on disk if the user cancels out of the project startup wizard.
A bug which caused items in the active scan queue in the "waiting to cancel" state to display in that state indefinitely if the project is closed and reopened.

New in Burp Suite 1.7.10 (Nov 3, 2016)

Adds some new APIs that extensions can use to easily implement powerful scan checks and other logic that involves response diffing.
Two new APIs have been added to IExtensionHelpers. The method:
IResponseVariations analyzeResponseVariations(byte[]... responses)
analyzes a collection of responses to identify variations in a range of attributes. The IResponseVariations object that is returned can be queried to determine the invariant or variant attributes, and the "value" of each attribute for each response:
List getVariantAttributes();
List getInvariantAttributes();
int getAttributeValue(String attributeName, int responseIndex);
The attributes that are currently supported are as follows:
anchor_labels
button_submit_labels
canonical_link
comments
content_length
content_type
css_classes
div_ids
etag_header
first_header_tag
header_tags
initial_body_content
input_image_labels
input_submit_labels
last_modified_header
limited_body_content
line_count
outbound_edge_count
outbound_edge_tag_names
page_title
set_cookie_names
status_code
tag_ids
tag_names
visible_text
visible_word_count
whole_body_content
word_count
Note that all values are represented as integer numbers, and the values of some attributes are intrinsically meaningful (e.g. word count) while the values of others are less so (e.g. checksum of HTML tag names).
The method:
IResponseKeywords analyzeResponseKeywords(List keywords, byte[]... responses)
analyzes a collection of responses to identify the number of occurrences of the specified keywords. The IResponseKeywords object that is returned can be queried to determine the keywords whose counts vary or do not vary, and the number of occurrences of each keyword for each response:
List getVariantKeywords();
List getInvariantKeywords();
int getKeywordCount(String keyword, int responseIndex);
The new APIs allow your extensions to let Burp handle the messy work of analyzing responses to determine if they are the same or different, and you can easily create powerful scan checks with some simple logic:
Send novel payload.
Ask Burp whether the response changed in some interesting respect.
If so, report an issue.

New in Burp Suite 1.7.06 (Sep 9, 2016)

New in Burp Suite 1.7.05 (Aug 23, 2016)

New in Burp Suite 1.7.04 (Aug 23, 2016)

New in Burp Suite 1.7.03 (May 12, 2016)

New in Burp Suite 1.7.02 Beta (May 12, 2016)

New in Burp Suite 1.7.01 Beta (Apr 18, 2016)

New in Burp Suite 1.7 Beta (Apr 13, 2016)

New in Burp Suite 1.6.20 (Jun 23, 2015)

New in Burp Suite 1.6.19 (Jun 19, 2015)

New in Burp Suite 1.6.18 (May 7, 2015)

New in Burp Suite 1.6.17 (Apr 25, 2015)

This release contains a number of minor enhancements and bugfixes:
The Proxy now uses SHA256 to generate its CA and per-host certificates if this algorithm is available, otherwise it fails over to using SHA1. Updating to a SHA256-based CA certificate removes SSL warnings in some browsers.
There is a new button at Proxy / Options / Proxy Listeners to force Burp to regenerate its CA certificate. You will need to restart Burp for the change to take effect, and then install the new certificate in your browser. You can use this function to help switch to using a SHA256-based CA certificate.
A bug in the "Paste from file" function which caused Burp to sometimes retain a lock on the selected file has been fixed.
A bug in the Intruder "extract grep" function, which sometimes caused extracted HTML content to be rendered as HTML in the results table, has been fixed.
The Proxy now by default strips any Proxy-* headers received in client requests. Browsers sometimes send request headers containing information intended for the proxy server that is being used. Some attacks exist whereby a malicious web site may attempt to induce a browser to include sensitive data within these headers. There is a new option at Proxy / Options / Misc allowing you to configure Burp to leave these headers unmodified if desired.
A bug in the Collaborator server configuration settings, in which Burp would wrongly add the prefix "polling." to the configured location of a private polling server, has been fixed. The documentation on deploying a private Collaborator server has been updated to clarify the use of the "polling" subdomain in some Collaborator server configurations.
A bug which caused the use of the request throttle option in Sequencer live capture to delay the initial rendering of the live capture UI has been fixed.
A bug in the issue selection step of the Scanner reporting wizard, which caused all extension-generated issues to be shown using the name of the first extension-generated issue, has been fixed. Extension-generated issues are now always labelled as "Extension-generated" in this panel.
A bug in the following of cross-domain redirections, which caused Burp to include cookies from the original request in the redirected request, has been fixed. In some situations, the bug presents a security risk because sensitive data in cookies could be leaked to a different and potentially untrusted domain. As always, users are encouraged to update to the latest Burp release to resolve this issue.
The Spider now ignores Burp Collaborator URLs when attempting to extract links from within response text. Some applications contain functionality to store and retrieve textual inputs. When these applications are scanned using Burp, they are prone to store some or all of the payloads that Burp sends during scanning, and return these in later responses. It is preferable for Burp not to add any returned Collaborator URLs to the site map when spidering.

New in Burp Suite 1.6.16 (Apr 18, 2015)

New in Burp Suite 1.6.15 (Apr 16, 2015)

New in Burp Suite 1.6.14 (Apr 2, 2015)

New in Burp Suite 1.6.13 (Apr 1, 2015)

This release contains various bugfixes and minor enhancements:
The previous release introduced some bugs into the Target site map, causing scope-based view filters to be sometimes misapplied, and orphaned tree nodes to occasionally appear. These have now been fixed. In recent months, we have been extensively reworking the site map to support a number of planned new features, and we apologize that these bugs slipped through into the public release. We welcome further feedback about any site map problems and will aim to resolve these quickly.
Some Scanner issues that are reported on a per-host basis (for example, Flash cross-domain policy) were previously reported on the root host node of the Scanner results tree. These are now correctly reported at the node for a specific URL where applicable (e.g. /crossdomain.xml).
Relatedly, where a Scanner issue is created at a URL file node that does not exist in the Target site map, the corresponding item is added to the site map, including the actual request and response for that item. This change is useful in its own right, because the site map now contains more content that Burp has obtained from the target. It also paves the way for a planned enhancement to the site map, in which it will become a unified dashboard of both discovered content and Scanner issues. In the meantime, one behavioral quirk which arises is that if you restore a state file and select only to import Scanner issues, some new content corresponding to these issues may also be added to the site map. We believe that this interim behavioral change is relatively harmless, and will become fully desired behavior once the transition to the new site map is completed.
Some users have reported problems with certain extensions that cause a deadlock in the Burp UI when they are reloaded on startup. Burp now tries to detect this situation, and on the subsequent startup will skip the automatic reload of extensions. (Note that a further, existing, workaround for this problem is to add "usedefaults" to the Burp command line, to prevent reloading of any saved settings.)
When Burp fails to delete its temporary files on shutdown, because the OS does not release locks on those files, Burp now remembers the affected items and automatically deletes them on the subsequent startup, without the need to prompt the user. The old prompt will still be shown if unexpected temporary files are detected on startup.
A bug which prevented column resizing in the Intruder results table has been fixed.
A bug which made certain configured options cause problems when saving state files has been fixed.
A bug where multiple Proxy history views shared the same underlying view filter, preventing the use of different filters on each view, has been fixed.

New in Burp Suite 1.6.12 (Mar 13, 2015)

New in Burp Suite 1.6.11 (Feb 18, 2015)

New in Burp Suite 1.6.10 (Feb 6, 2015)

New in Burp Suite 1.6.09 (Nov 28, 2014)

New in Burp Suite 1.6.08 (Nov 19, 2014)

This release contains various new features and enhancements:
The Scanner has been updated with the ability to detect cross-site request forgery (CSRF) vulnerabilities. We have held off reporting CSRF for a long time, because in our experience many scanners that attempt to automate this end up generating more heat than light. If a scanner generates too many false positives, then users lose faith in its output and start to ignore all of the issues it reports of that type. Because of this, we've worked hard to make our CSRF detection actually provide value to Burp users. We have deliberately erred on the side of reducing the number of false positives. The CSRF issues that Burp does report should all be worthy of manual investigation to determine whether the affected application functionality should be protected against CSRF attacks. We welcome real-world feedback about the performance of the new check, and we will aim to refine this further in future.
The Scanner logic for the detection of XSS and SQL injection vulnerabilities has been further enhanced.
Burp's use of temporary files has been updated to use a small number of large temporary files, rather than an individual file for each saved HTTP request and response. This change should resolve problems that some users have experienced with the operating system running out of open file handles, or even running out of file nodes within the temporary directory.
In the previous release, the Extender tool was modified so that its own configuration was not modified when an extension initiated a restore of a Burp state file. In this release, the same change has been made for the case where an extension initiates an update to Burp's configuration.
The maximum number of threads that can be configured for the Spider tool, and for an Intruder attack, has been increased to 999.
A hotkeyable action has been added to start the current Intruder attack. By default, no hotkey is assigned to this action, but one can be configured at Options / Misc / Hotkeys / Edit hotkeys.

New in Burp Suite 1.6.07 (Nov 4, 2014)

New in Burp Suite 1.6.05 (Aug 20, 2014)

New in Burp Suite 1.6.04 (Aug 14, 2014)

New in Burp Suite 1.6.03 (Aug 14, 2014)

New in Burp Suite 1.6.02 (Aug 14, 2014)

New in Burp Suite 1.6.01 (Aug 14, 2014)

New in Burp Suite 1.6.0 (Apr 17, 2014)

New in Burp Suite 1.5.21 (Feb 1, 2014)

New in Burp Suite 1.5.20 (Dec 2, 2013)

New in Burp Suite 1.5.19 (Nov 27, 2013)

New in Burp Suite 1.5.17 (Oct 29, 2013)

Bugfixes:
There is a new "copy as curl command" function on context menus. This function constructs a curl command that generates the selected request, and copies the command to the clipboard.
The Extender tool has a new option to specify a folder from which Burp will load library JAR files for use by Java extensions.
The IBurpExtenderCallbacks interface has several new methods:
Methods to list and remove extension-provided resources such as event listeners, resource factories, etc.
Methods to print a line of output to the extension's stdout or stderr streams.
The numbers payload generator in Intruder has been enhanced to cope with numbers of arbitrary size and precision, and is no longer subject to the constraints of Java's native integer or floating point arithmetic. It is possible configure and launch attacks that will result in arbitrarily many payloads. If the number of payloads exceeds 2^31 then Burp will report the number as "unknown" but the attack will still proceed in the expected way (even though actually completing the attack is not feasible).
There is a new hotkeyable action to forward the request currently showing in the Proxy intercept view and force interception of the response. This action is not assigned a hotkey by default.
The save and restore state functions can now include the configuration options for the Extender tool.
The extensibility API to retrieve the contents of the site map now auto-generates GET requests for items in the site map that have not yet been requested.
A bug in the session handling action to update the value of a named parameter, where multiple parameters with the same name were not updated, has been fixed.
A bug in Intruder that caused some valid custom iterator configurations to fail has been fixed.
A bug in the invocation of extension-provided custom Scanner checks, where an exception thrown by an extension could cause Burp's scanning thread to die, has been fixed.
A bug in the CSRF PoC generator where pure GET requests are not properly handled has been fixed. (Of course, a pure GET request is itself deliverable cross-domain using only its own URL, but Burp now gives the option of delivering the request via a form submission if required.)