Burp Suite, the leading toolkit for web application security testing

Burp Suite Professional - Release Notes

Friday, September 23, 2016


This release contains fixes for some bugs affecting a number of users, most notably:
  • A fix for a bug that caused excessive CPU consumption during active scanning in some situations.
  • A workaround for an OpenJDK bug that caused the JVM to crash when working with Burp project files on some Linux platforms.
MD5: 3f36c29637c99e9426718a74746b0aa9
SHA256: 8a337214b126e50f1d2b2055a35b7b80ea54601df70458d3b7e69af213e92c5e

MD5: 94f6e88ffc0c57a0f3ebd6bb7307236a
SHA256: 90a99549d93c15bc6ce2d33c5fd35adbbe403c3a1f8ca8eed2a32854ec60afb8

MD5: d1612f9172507f5d31e2271369529a5c
SHA256: e8473675ca256a0a2dcf13498481543f360881c1949db78648248d656ec6ca70

MD5: f210b5d81632ccf0aaaa566bf728c7e4
SHA256: 0cd3d4c4f3e469ba18a356521c982206b1785c0cf51405bd602ba1a0418698f8

MD5: e7569b00c2947ae71852f8483e85a785
SHA256: 080521f6c24a60eb0c67c583c59692eb0eec75ffe7d14f8885ac6afa62fa1ffa

Thursday, September 8, 2016


This release introduces a new scan check for second-order SQL injection vulnerabilities. In situations where Burp observes stored user input being returned in a response, Burp Scanner now performs its usual logic for detecting SQL injection, with payloads supplied at the input submission point, and evidence for a vulnerability detected at the input retrieval point.

The release also fixes a number of minor bugs.

MD5: b3296c14edbd8e118dd398259de15e5e
SHA256: e1412249fecdfb1fe3ac6d71920a2e243bec257f4961df5c37ab17f0f37ddaeb

MD5: 1191db44110714272fb474784b3d4dd0
SHA256: ce2da473fdb65f4704ad6597dcd6615ec84e7a4c3c81deaf4f2de360d362a9bd

MD5: 1385fa0625448329a8bde17d78b22f62
SHA256: 749e3d23d1d486c823d189da155d5637785de9ff6c5763f23fb54aa128e8a38f

MD5: 3cb9c69c9b589729ed46f75a7eca215d
SHA256: baa558f4754254ac2d7b9e94e6326929f8ac4553c60290d071a328a228573614

MD5: 05c1b4a8105d4e3d54d440ef89f0a8a3
SHA256: cba0a84144804fcc57ebb7a947c52aaee58452f14664e1c2c8ea8890f1ad1c12

MD5: 3f076d7508486ed8ca2045da47c482e1
SHA256: 4e92d57071c2402a471bff2684c056425dd32da2d97ed53682ac23d40f33c3a0

MD5: 71e8b517945a5a942b95b4fd01240505
SHA256: b1102ff98d7d4708e79028a0fa379e5e153b57645c2605c59eae28eabcd2fcc5

MD5: 738ee3c774c4ad9e3aefaaa4b4e6784c
SHA256: 185a86d6698c1da4224536a44c2ec2566226bc6c2399ab5b2ddb6f23539ed13f

MD5: b733aecf1678ca6352c6377e2a43a339
SHA256: 36f3c9e587f25bde066477c6a9e84fb3bc06fbae50e20c64de2a84af206377da

MD5: 4eea896f832ec4f0fcb93c4a0fe27040
SHA256: 873589bb08749b65ac9c4a47b11d00d94472fcf1dd08ff1756813e8a758a3b00

Monday, August 22, 2016


This release introduces native platform installers for Windows, Linux and OS X. These install Burp together with a private Java runtime environment, so you don't need to worry about installing or updating Java. The installation of Burp is fully integrated with standard OS features (start menu, dock, taskbar etc.), making it easier to launch Burp without use of the command line.

Pro edition users can obtain Burp platform installers in two ways:
  • Log in to your account and choose which installer to download.
  • Use the existing update feature to obtain the latest Burp JAR file, run that, and choose "Download other installers" from the Help menu.
Free edition installers can be obtained directly from the download page.
Note that although the platform installers have been extensively tested on various platforms, these are officially experimental and we welcome users' feedback about how they perform in real-world conditions. We will continue to distribute plain JAR files for people who prefer those.

There is also improved handling of updates. When an update is available, Burp lets you view full details of the release, and choose which installer type to download. When a release is flagged as beta, you can choose whether to download the beta release or the latest stable release.

A number of other enhancements have also been made:
  • The performance of the Proxy history view filter has been considerably improved, and changes to the filter are applied much faster on very large histories. 
  • Some instances where redundant data is saved to Burp project files have been fixed.
  • The options to select font size now permit selection of very large font sizes, as a workaround for lack of proper support for HiDPI screens on Java 8 and earlier.

MD5: 4f1b6f84c35c8b500cbf3085c382d797
SHA256: 88fa1d45493d3a835c97de1d63bcccc8bd94644eba64404044ba29390aae702e

MD5: 2a0a142e82b90813023707d611686f56
SHA256: 2ba86b92440c68dc9b9c9fc8af5de3e095cdfed3fc668f01064f8f475ad98740

MD5: d126dd11dc58fc1040bcf12f39966232
SHA256: c41894cce04a194fcb73ef0760bf9300fe283400a39b1f757d15827f68db94ad

MD5: 6d95586b8798a1e84692557ea87270ff
SHA256: 1430a8c481d1e7979719c9816a2f273529bef72bef46625d61ebfb30f8edb62e

MD5: 9066f94d41f4caf90756308be373ff7e
SHA256: 82c704200030ec941331baea1ec3948f0bfb4b1265410550df286a1102efaac0

MD5: 703f19226b8e53617d383b367f7fb437
SHA256: aa1d443288bc08112e556aad4959d1f81c3ee0d375d04efa2270fcf0fe03d514

MD5: c3aa1ef36ed80d34372f89be4b05ab03
SHA256: 3cf5c69130e95c2a3ea396d2c946b406d4448a1d9efe16be8b7d4adfcadf43d7

MD5: 471cc3470f2a80a7a02f345365c5603c
SHA256: ebcb7ad6732485569b36c145a4b99643056fc358c16ba1630a25f68b1e214c92

MD5: 3e29f6c7bc6a40fb456fce046097cc38
SHA256: dc023f8de24915fb52171d213f151499ea739a369d3646a469455dbe901c54a7

MD5: c1c4b842fa538f8c72c6171b669ddda2
SHA256: c0c303037432890921cfeed32cb428b1f7eb13ca8c7276eaeda5fb89e06b40df

Tuesday, July 26, 2016


This release introduces a new tool, called Burp Infiltrator.

Burp Infiltrator is a tool for instrumenting target web applications in order to facilitate testing using Burp Scanner. Burp Infiltrator modifies the target application so that Burp can detect cases where its input is passed to potentially unsafe APIs on the server side.

The initial release of Burp Infiltrator supports applications written in Java or other JVM-based languages such as Groovy. Java versions from 4 and upwards are supported. In future, Burp Infiltrator will support other platforms such as .NET.

For more details about how Burp Infiltrator works, how to use it, and some other important considerations, please refer to the Burp Infiltrator blog post and the Burp Infiltrator documentation.

Burp Infiltrator makes use of Burp Collaborator for its communications back to the instance of Burp Suite that is performing scans. To support this, some new capabilities have been added to Burp Collaborator. Users who have deployed a private Burp Collaborator server should upgrade to the new version.

Some minor bugs have been fixed, including:
  • A bug which caused the values of some project options to change when an existing Burp project is reopened.
  • A bug which prevented editing of macro requests when using a disk-based project.
  • A bug which prevented the hostname from being correctly parsed from some TLS client hello messages when Burp Proxy is running in invisible mode.
MD5: 85ab62c473e2be60d8da15ccc0c80cde
SHA256: 43fede912099ff0af99ac595ca45b56aef3af4a5743c5b5d3107ed170da74551

Thursday, May 12, 2016


This release adds some enhancements to, and fixes some minor issues with, the Burp projects feature:
  • If the operating system exits abnormally when Burp is running with a disk-based project then some in-memory data may not be saved to disk, resulting in a partially corrupted project file. On reopening a project, Burp now detects this condition, and offers to repair the project file. The repair process will preserve as much data as possible from the corrupted project file.
  • When a new project is created, at the second step of the startup wizard where a configuration file is selected, Burp now lets you specify to use the selected option by default in future. If you have created a configuration file that you prefer to use for new projects, using this feature avoids the need to manually select your configuration file every time.
  • In the startup wizard, the lists of recently used project and configuration files now automatically hide any items that no longer exist on disk.
  • Burp now prevents selection of the current project file in all file dialogs, to avoid accidental overwriting of project data.
  • A bug that could lead to bloating of project files with redundant data has been resolved.
Thanks are due to everyone who has provided feedback about the new projects feature since the 1.7beta release. Based on the enhancements made since that release, the projects feature is now officially out of beta, and this release may be regarded as stable. As with all Burp features, we welcome ongoing feedback about the projects feature as people continue to use it.

Burp Suite Professional:

MD5: f104167fd64b8212e0b1b4c65736aa91
SHA256: 2fa319e45a91c9ccc6e96dee3e362f62be9a6e1dff84827d99830d4703913ba4

Burp Suite Free Edition:

MD5: a6019d5cbea725c44342303084343ade
SHA256: f5c83a2cfa4bdf9010d7033f0e66cc76bfd732cccfcc279ef7b14078046161d1

Monday, April 25, 2016


This release improves the resilience of disk-based projects in situations where the operating system terminates abnormally.

Burp uses memory-mapped files for disk-based projects. The operating system has responsibility for synchronizing data held in memory with files on disk, and ensures eventual consistency even if an individual process crashes. However, if the operating system itself crashes, then some in-memory data may not be written to disk, leading to a partially corrupted project file. Burp now tries to reduce the impact of this event, by forcing the operating system to write to disk more frequently, and by reopening project files in a more fault-tolerant manner. We are continuing to investigate ways of avoiding data loss in the event of the operating system terminating abnormally, and expect to make further enhancements in future releases. For this reason only, we are continuing to describe the disk-based projects feature as being in beta.

MD5: 9ffbaf30d02f13dfca3f694a946147ba
SHA256: 48a2370ee0cac43d8aca3b97563c24b9b66fc65b9197a75282394900a5a8ad73

Monday, April 18, 2016


This release fixes a number of minor bugs:
  • A bug affecting the sending of some requests from Intruder to other tools when a disk-based project is being used.
  • A bug that could sometimes cause the SSL client certificates configuration UI to become corrupted when restoring settings that are not valid on the current machine.
  • A bug that could sometimes cause superfluous semicolons to be introduced into requests when manipulating cookie parameters via the API.
  • A bug that could very occasionally cause Burp Proxy's processing of HTTPS requests to stop working.
Although we are not aware of any significant bugs in version 1.7, this update is still officially a beta release, to allow more time for bugs to be identified.

Burp Suite Professional:

MD5: 2d75c238f00906dc415f8cb115399317
SHA256: 41fd0d33e0fce1d68c11100e6d1e73b85a97fd65a56c083b64411309ba39ac0f

Burp Suite Free Edition:

MD5: f645734ecd263ad713f024ca00fa0d15
SHA256: f5bb8e45b3a0873c64c443e9bf68f8ec90e682a544e335571398da039e81ebcb

Tuesday, April 12, 2016


This major release introduces several new features, including:
  • Burp projects
  • Burp configuration files
  • A new startup wizard
  • New APIs
  • New command line arguments
Full details about the new features can be found on the Burp projects blog post.

Note: This is a beta release and disk-based projects are an experimental feature. The release should be used with caution, as it may contain bugs that cause unexpected behavior including loss of data.

The release also fixes a bug in the Collaborator server that may cause loss of service if unexpected interaction data is received. Users who have deployed their own private Collaborator server should update to the latest version as soon as possible. The Collaborator server function in the new release may be regarded as stable and suitable for production use.

Burp Suite Professional:

MD5: 77b6daf566b4d5abdf5ff725edfbc946
SHA256: 4931f5d6351614a357a8ccb3edff5c9c4f9fe14cefb0966547187b2da93a0d45

Burp Suite Free Edition:

MD5: 9851e2c48ce91e6e9b47b789aec50245
SHA256: 6b02a74fa537504c8df4d7901cfe293a7ecb97aac91f06550498b7b73f382ea3

Thursday, March 3, 2016


This release improves the logic of some scan checks that depend upon the content type of responses.

Burp has previously reported content type incorrectly stated on any occasion where the stated content type of a response differs from the actual content (as determined by Burp). This has frequently led to a lot of noise because (a) Burp's own content type sniffing has not been perfect; and (b) many content type mismatches have no security implications. Hence, many users got accustomed to just ignoring this issue, despite the fact that, in some rare situations, it can lead to high-severity issues like cross-site scripting.

The cases where this issue matters occur when a response is intended to actually contain non-HTML content such as an image, but a browser may attempt to interpret the response as HTML based on the stated content type. This can lead to XSS if the content is dynamically generated, uploaded by a user, or otherwise contains user input.

In the real world, browsers' actual sniffing of responses depends on several factors, including:
  • The stated content type
  • The presence of the header X-content-type-options: nosniff
  • The file extension of the request URL
  • The browser type and version
The Burp research team have generated every possible permutation of these factors and identified all of the permutations that might lead to a browser attempting to interpret a response as HTML. This knowledge is now baked into Burp, so that Burp only reports the issue when a suitable combination of the above factors is observed. Further, the Burp advisory identifies precisely which browsers may be affected by an issue:

The other type of issue where the situation arises is cross-site scripting. In the past, Burp applied XSS checks to all responses that were either stated or appeared to contain HTML. The scan logic has now been tightened to be more accurate and informative in cases where exploitability of the issue depends upon browser sniffing:
  • Burp now uses its knowledge of actual browser behavior (based on the factors listed above) to determine whether any browser might attempt to interpret a response as HTML.
  • If content sniffing depends on the request URL having a different file extension, Burp will attempt to manipulate the extension so as to trigger this.
  • Any relevant details about specific browsers' behavior is included in the issue detail.
  • Seemingly unexploitable issues are still reported as informational, because a manual tester might nonetheless be able to find a way to exploit them.

Unrelatedly, the configuration of client SSL protocols and ciphers has been modified to include a master toggle specifying whether to use the default protocols and ciphers of the Java installation. This is the new default option, and can be overridden to allow configuration of specific protocols and ciphers. This change simplifies the configuration UI and makes it easier to share Burp configurations between different machines.

MD5: 8b4d1bad5f919d85fa09be7e35fba92f
SHA256: 2ff45ca7f1f3a01e675bfff7a2fa9804475102291085afa88dbdeca2b353a211

Wednesday, February 24, 2016


This release adds the capability to report reflected DOM-based and stored DOM-based vulnerabilities.

Burp already reports reflected XSS (where reflection of input allows direct execution of supplied JavaScript) and DOM-based XSS (where data is read from a controllable DOM location and processed in a way that allows execution of JavaScript). Burp now joins these steps together, to handle cases where:
  1. The server returns reflected or stored input in the value of a JavaScript string.
  2. That string is processed in a way that allows execution of JavaScript code from within the string.
The new capability applies to all of the DOM-based vulnerability types that Burp can report, such as JavaScript injection, WebSocket hijacking and open redirection.

MD5: cdba3138c9c0a92f1c2b19171db26e92
SHA256: 7bbd5500bb21a87fda1660f394d828d6c3bdcecc5df951a4f9e81a52dc28e62f

Support Center

Get help and join the community discussions at the Burp Suite Support Center.

Visit the Support Center ›

Copyright 2016 PortSwigger Ltd. All rights reserved.