Burp Suite 2.0 beta is now available to Professional users.
This is a major upgrade, with a host of new features, including:
- A new crawler, able to automatically handle sessions, detect changes in application state, crawl with multiple logins, and deal with volatile content.
- A new scanning engine, featuring automatic session handling, multiple scan phases, improved detection of stored input, consolidation of site-wide passive issues, efficient treatment of frequently occurring insertion points, and graceful handling of application errors.
- A new dynamic JavaScript analyzer, with dramatically improved detection of DOM-based vulnerabilities.
- A new dashboard for monitoring and controlling automated activities.
- A new scan launcher, and the ability to carry out multiple parallel scans.
- New live scanning capabilities.
- Improved management of system resources, through a central task execution engine.
- A new configuration library for storing useful settings.
- A new REST API for integration with other tools.
- A new response renderer that functions as well as any modern browser.
Use with caution
Significant parts of Burp’s existing codebase have been completely rewritten or heavily modified, and there is a mass of new code. This is very much a beta release, and we expect Burp Suite 2.* to remain officially in beta for an extended period while problems are identified and ironed out.
You should use Burp 2.0 if you want to try out its cutting-edge features and are happy to accept:
- There are bugs.
- It might miss some vulnerabilities that Burp 1.* can find.
- You might lose your work.
- It might perform poorly.
- We will be releasing annoyingly frequent bugfix updates.
If you prefer the stability and integrity of a mature, battle-hardened product with an already awesome feature set, then please continue using Burp 1.* until we are officially out of beta.
Product roadmap
Releasing major new software always involves a balance between waiting until it is perfect (if ever) and getting cool new features into the hands of users. We firmly believe that what we have built already is too good to withhold from users for any longer. But there are some important things left to do, which we will be addressing over the coming months:
- The crawler still doesn’t handle JavaScript navigation properly. We plan to improve this to the point where Burp navigates just as well as a real browser.
- The crawler doesn’t parallelize its work as much as it could, and doesn’t make full use of the configured maximum concurrent request limit. Addressing this will improve the speed of crawling in most cases.
- The new crawler is missing some capabilities of the old Spider relating to discovery of content outside of normal browsing (robots.txt, links in HTML comments, etc.).
- The site map still represents crawl results based only on URLs, and for GET requests contains one entry per unique URL. We plan to provide a visualization of the navigational graph that is generated by the crawl, and also support overloaded URLs within the site map itself.
- The navigational graph that is generated by the crawl is only currently used during an audit that follows on directly, within a crawl-and-audit scan. We plan to make this data available for other purposes, including ad hoc auditing of selected items and manual testing tools such as Burp Repeater.
- We know that people want improved tools for manual WebSockets testing. These are in the pipeline.
While it is still in beta, Burp 2.* will be available to licensed Professional users only. Following the beta phase, we will release a major update to Community Edition users.