Already have a license? Download your software
New feature
Burp Scanner will automatically audit in-scope API requests that are issued from client-side JavaScript using XHR and Fetch.
Feature enhancement
We will make various improvements to the usability of the HTTP message inspector, based on user feedback.
Feature enhancement
Based on feedback, we have a number of changes planned to improve your experience in Burp Suite Professional - including options to customize the UI and layout.
New feature
A completely new extensibility framework, supporting Burp extensions written in Java, JavaScript, or Python 3 - leading to much richer capabilities in the future.
Feature enhancement
Addition of support for popup page elements when using Burp Scanner's recorded login (authenticated scanning) feature.
Feature enhancement
Improved memory and processing efficiency for various Burp features. Users will also gain feedback on any resource-hungry BApps.
New feature
Burp Scanner will check for a number of security vulnerabilities relating to JSON Web Tokens (JWT).
Feature enhancement
Fine-tuning of Burp Scanner, to optimize its performance when scanning sites built using React or AngularJS.
Feature enhancement
Further optimized performance in default settings - to enable faster scans without compromising coverage.
Done
More options for brute forcing and fuzzing. New payload types and placement options, richer results analysis, and incremental saving.
Done
Add-ons to Burp Suite Professional's embedded browser have enhanced manual testing for DOM-based vulnerabilities.
Done
Perform software composition analysis (SCA) of client-visible code. Report JavaScript libraries in use that contain known vulnerabilities.
Done
Enumerate API endpoints to scan APIs in target applications. API scanning utilizes OpenAPI (Swagger) definitions.
Done
Update without lifting a finger. Burp Suite Professional can now update itself automatically - without user intervention.
Done
Find cutting-edge vulnerabilities with Burp Scanner. Scan checks based on James Kettle's latest web cache poisoning research.
Done
Best-in-class coverage and scanning performance for challenging targets like AJAX-heavy single page app, with browser-driven (Chromium) scanning. Enabled by default.
Read all release notesDone
Burp Scanner can now report new classes of HTTP/2-specific vulnerabilities.
Done
Burp Scanner can now detect injection into a wider range of templating engines, and will employ OAST techniques to detect blind SSTI.
Done
Burp Scanner now handles navigational actions that cause DOM updates without a synchronous request to the server, allowing better handling of single-page applications.
Based on the user popularity of certain BApps (Logger++ and Flow), Burp Suite Professional has gained native, resource-efficient logging functionality.
Done
Use HTTP/2 for both inbound and outbound communication over TLS (beta feature). Also gives control of TLS protocols within Burp Proxy.
Done
Manipulate browser traffic more easily. Improved access to headers, parameters, and more - plus automatic encoding and decoding.
Done
See exactly what you're looking at - without changing tab. Tools like Burp Repeater and Burp Intruder now allow you to render responses.
Done
Make code easier to work with. Burp Suite will prettify JSON, XML, HTML, CSS, and JavaScript within the HTTP message editor.
Done
The HTTP message inspector has gained new capabilities, enabling manual exploitation of HTTP/2-specific vulnerabilities using Burp Repeater. The Burp Extender API has also been enhanced to enable HTTP/2-specific attacks.
Done
We have improved the placement and encoding of scan payloads within JSON and XML data structures.
Done
Burp Scanner now detects and interacts with more DOM elements that can cause JavaScript-triggered navigation, in addition to conventional links and forms.
Done
All Burp Suite Professional users now gain access to an optional early adopters' release track - giving early access to new and experimental features.
Done
Better scrutinize login-related functionality by recording complex login sequences in a browser. Ideal for JavaScript-heavy logins, or single sign-on.
Done
Proxy HTTPS traffic with no configuration necessary. Burp Suite's embedded Chromium browser can now take care of everything.
Done
Significant improvements to Burp Scanner - enabling enhanced performance and coverage of modern navigational patterns.
See more customer stories![]()
The tool is self sufficient, with many features out of the box and allows for extensibility. No need for servers or databases. It's a well calibrated "gun". It lets us either validate findings from external security reports or penetration test our software while in development. Source: TechValidate survey of PortSwigger customers
Software Engineer
Large Enterprise Financial Services Company