Burp Suite Free Edition v1.5 is now available to download.
This is a significant upgrade with a wealth of new features added since v1.4. The most notable of these are described below.
Burp's UI has been completely overhauled, to improve looks and usability:
You can now add comments and highlighting to items as they appear in the Proxy intercept window. This is useful when manually stepping through an application, allowing you to annotate interesting requests as they are made, and then return to these in the Proxy history for further investigation.
You can now bind Proxy listeners to specific IP addresses, in addition to the loopback interface and all interfaces.
Burp now implements sslstrip-style functionality, allowing you to use non-SSL-capable tools against HTTPS applications, or to perform active MITM attacks against users who begin browsing using HTTP:
There is a new ECB Block Shuffler payload type. This is designed for testing ECB-encrypted tokens and other data, to check their vulnerability to block shuffling attacks.
Burp Intruder now has improved extract grep functionality, which lets you define each extract grep location simply by selecting into the base response, or, during a live attack, by selecting into any result response that contains interesting content (such as an error message).
JSON is now fully supported, with automatic placement of payload positions and syntax colorizing in the message viewer.
The context menu now has a Paste URL as request item. This configures Repeater to make a GET request using the URL on the clipboard. The headers included within this request are taken from the request headers defined in the Spider options.
The context menu now has an Add to site map item, to facilitate manual content mapping.
Burp now supports streaming HTTP responses, and handles these in a way that lets you and the application continue working. Streaming responses are often used for functions like continuously updating price data in trading applications, where the server keeps the response stream open, pushing further data in real time as this becomes available. Because intercepting proxies use a store-and-forward model, they can break these applications - the proxy waits indefinitely for the streaming response to finish, and none of it is ever forwarded to the client. Burp now lets you specify which URLs return streaming responses. The Proxy tool will pass these responses straight through to the client as data is received. The Repeater tool will update the response panel in real time as data is received. Other Burp tools will ignore streaming responses and will close the connections.
There is a new option to drop all out-of-scope requests. Using this option prevents Burp from issuing any requests to out-of-scope URLs, even if they are requested via the Proxy, Repeater etc. You can use this option based on the defined suite-wide scope or on a custom scope.
Burp now handles Android SSL connections, implementing a workaround to accommodate the non-standard CONNECT requests issued by Android devices and the Android emulator.
Various features have been added to the session handling support:
Burp now includes full help documentation within the software itself:
You can open the main help window via the Help menu. Contextual help is also provided throughout Burp. Next to any function or option, you can click the "?" button to view relevant help in a pop-up. And if necessary, you can drill down from there into the main help itself.