Burp Suite Professional: feature roundup

Matt Atkinson | 30 September 2021 at 13:39 UTC

Burp Suite Professional feature roundup - testing faster

The modern web is an increasingly complex beast. Each passing year brings with it new frameworks, technologies, and design trends - not to mention vulnerabilities. All of this adds to your testing workload. It also makes AppSec daunting to learn for beginners, who lack the benefit of ever having operated in simpler times.

With Burp Suite Professional, our aim has always been to help you cut through that complexity - saving you time and making life easier. We're also educating the next generation of pentesters - with free learning in the Web Security Academy, and initiatives like our $99 Burp Suite Certified Practitioner qualification.

How Burp Suite Pro helps you to test the modern web

There are many ways Burp Suite Professional makes life easier for testers when dealing with modern web apps, but here are three major features we've introduced recently:

Testing HTTP/2

It's kind of impossible to talk about Burp Suite's feature set right now without mentioning HTTP/2 testing. HTTP/2's attack surface has barely been audited up until now - due to the complete lack of any suitable tooling - but we're changing all that.

We've now added a number of convenient manual HTTP/2 testing features developed with PortSwigger Research. These include the ability to carry out HTTP/2 exclusive attacks we pioneered, which can't be represented using HTTP/1. And of course Burp Scanner now has the ability to carry out these attacks automatically. For more information, check out James Kettle's Black Hat USA 2021 presentation: "HTTP/2: The Sequel is Always Worse".

Scanning API endpoints

The rise of single-page applications (SPAs) has gone hand in hand with an increasing reliance on APIs and microservices - which in turn has created swathes of new attack surface. To put this in perspective, Okta recently cited Gartner in predicting that by 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise applications. And of course, since 2019, there's been an OWASP Top 10 just for API vulnerabilities.

Burp Scanner has gained the ability to scan for API security vulnerabilities - automatically parsing OpenAPI v3 REST API definitions written in JSON. This can often reveal attack surface that a traditional scanner would miss. API scanning will grow in power alongside Burp Scanner's JavaScript scanning functionality, and will greatly strengthen the scanner itself as it is further developed.
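To make concrete what "parsing an OpenAPI v3 definition to reveal attack surface" involves, here is an added example (not PortSwigger's code, and not how Burp Scanner is implemented internally). It walks an OpenAPI 3.x JSON document and inventories every operation, merging path-level and operation-level parameters the way the specification requires, listing request-body content types, and flagging operations that declare no authentication. The `SAMPLE_SPEC` document and the `api.example.test` host are constructed for illustration.

```python
"""Inventory the attack surface described by an OpenAPI v3 JSON definition.

Added example, not part of the original page or of Burp Suite. The sample
specification below is constructed; a real assessment would load the
definition from a file or from the target's documentation endpoint.
"""
import json
from typing import Dict, List

# Operation keys defined by OpenAPI 3.x for a path item.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample definition: one path with a shared path-level parameter,
# one operation that declares security, and one JSON-bodied POST with no auth.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Example API (constructed)", "version": "1.0"},
    "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {
        "/users/{id}": {
            "parameters": [
                {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}
            ],
            "get": {
                "parameters": [{"name": "expand", "in": "query", "schema": {"type": "string"}}]
            },
            "delete": {"security": [{"apiKey": []}]},
        },
        "/orders": {
            "post": {
                "requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}},
                "parameters": [{"name": "X-Trace", "in": "header", "schema": {"type": "string"}}],
            }
        },
    },
})


def enumerate_operations(spec_json: str) -> List[Dict]:
    """Return one record per (method, path) operation found in the definition."""
    spec = json.loads(spec_json)
    if not str(spec.get("openapi", "")).startswith("3."):
        raise ValueError("not an OpenAPI 3.x document")

    base_urls = [s["url"].rstrip("/") for s in spec.get("servers", [])] or [""]
    operations = []
    for path, item in spec.get("paths", {}).items():
        # Path-level parameters apply to every operation under the path; an
        # operation-level parameter with the same (name, in) pair overrides it.
        merged = {(p["name"], p["in"]): p for p in item.get("parameters", [])}
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            params = dict(merged)
            params.update({(p["name"], p["in"]): p for p in op.get("parameters", [])})
            by_location: Dict[str, List[str]] = {}
            for name, location in params:
                by_location.setdefault(location, []).append(name)

            # Operation-level `security` overrides the document-level default;
            # an absent or empty list means no authentication is declared.
            security = op.get("security", spec.get("security"))
            operations.append({
                "method": method.upper(),
                "path": path,
                "urls": [base + path for base in base_urls],
                "params": by_location,
                "body_types": sorted(op.get("requestBody", {}).get("content", {})),
                "no_declared_auth": not security,
            })
    return operations


def format_inventory(operations: List[Dict]) -> List[str]:
    """Render the inventory as one line per operation, for a quick scan-scope review."""
    lines = []
    for op in operations:
        params = ", ".join(f"{loc}:{'/'.join(names)}" for loc, names in sorted(op["params"].items()))
        flags = " [no auth declared]" if op["no_declared_auth"] else ""
        body = f" body={'/'.join(op['body_types'])}" if op["body_types"] else ""
        lines.append(f"{op['method']} {op['path']} params={{{params}}}{body}{flags}")
    return lines


if __name__ == "__main__":
    for line in format_inventory(enumerate_operations(SAMPLE_SPEC)):
        print(line)
```

The "no auth declared" flag is the kind of signal worth triaging first when reviewing an API definition: it does not prove an endpoint is unauthenticated, only that the contract does not say otherwise, so it should be confirmed against the live service.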

Cutting through complexity

The introduction of Burp Suite's embedded Chromium browser has been revolutionary for testing workflows - providing a foundation for many new features. Functionality built on the back of the embedded browser includes DOM Invader, authenticated scanning, and JavaScript scanning - and there'll be more to come.

On top of this, the embedded browser provides Burp Suite users with a quick and easy out-of-the-box setup. Simply open the embedded browser and begin proxying traffic (including HTTPS) immediately. All of the necessary proxy listener settings are automatically adjusted, and there's no need to manually install a CA certificate.

New and upcoming features in Burp Suite Professional

The features above are only the tip of the iceberg. Version 2.0 brought Burp Suite Professional bang up to date back in 2018 - with a raft of new functionality - but we didn't stop there. Check out some of the cool new stuff we've introduced, and some other features that will be dropping any day now:

The Burp Suite Pro site map

A Burp Scanner crawl and audit provides great visibility, and is designed to complement your manual testing workflow.

Burp Scanner does more

Download the latest version of Burp Suite Professional to access all of these features and more.

DOM Invader in Burp Suite Pro's embedded browser

DOM Invader uses Burp Suite's embedded Chromium browser to make testing for DOM XSS much easier.

Manual features help you test faster

Upcoming features

Please see the Burp Suite Professional roadmap for more details of upcoming features.

The Burp Suite Pro Dashboard - in Dark Mode

The Burp Suite Pro user interface has had an overhaul - and now includes features like Dark Mode.

It doesn't stop there

Of course, the most important feature of Burp Suite is the one we can't automate - it's you - the person driving it. We want to help our users develop - which is why we've introduced features like the new embedded "Learn" tab, revamped our user interface to be more intuitive, and created a range of Burp Suite Pro video tutorials. There's also a new guide on getting started with Burp Suite, for users who are completely new to the software.

Finally, if you've not already, then it's well worth taking a look at the Web Security Academy. There you'll find free learning materials and almost 200 free labs - encompassing everything from classic bugs, to the very latest vulnerabilities. And did we mention that you can now get Burp Suite certified for just $99?