This release enables you to define scan freeze windows and edit recorded login steps. We added support for scanning OpenAPI 3.1 and 3.2, OAuth 2.0 client credentials authentication, and reporting for OWASP Top 10:2025. We also made several other improvements.
Scan freeze windows let you control exactly when scans run
You can now pause scanning automatically during maintenance, busy periods, or critical activity. Use scan freeze windows to schedule times when scanning pauses. Scanning resumes automatically at the end of each window.
You can apply scan freeze windows to one or more sites, and set them to repeat indefinitely or until a chosen end date. You can still pause and resume scans manually if you need to respond to unexpected activity.
For more information, see Pausing and resuming scans.
Edit recorded login steps with greater control
Use our improved user interface to adjust individual steps in a recorded login sequence instead of re-recording the whole flow. This makes it easier and faster to keep authentication working when your application changes slightly. Insert new steps, update selectors as element IDs evolve, or remove unnecessary steps.
For advanced users, multiple selector types are supported (ID, Link href, Name, Aria label, Class name, Text content, Text nodes, and XPath), along with configurability for browser behavior and shadow DOM handling.
For more information, see Managing steps in a recorded login.
API scanning support for OpenAPI 3.1/3.2
Scan APIs using the latest OpenAPI specification versions. Support for OpenAPI 3.1 and 3.2 means you can import modern API definitions without downgrading or converting them to older formats. This keeps your security testing in sync with your API development workflow.
OAuth 2.0 client credentials authentication for API scanning
Scan APIs that use OAuth 2.0 client credentials authentication. Enter the token endpoint, client ID, and client secret, and the scanner automatically obtains and refreshes tokens throughout the scan.
This prevents scan failures caused by expired credentials, which is ideal for server-to-server APIs and microservices.
For more information, see Configuring API authentication.
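The following is an added example, not Burp's own code, showing what obtaining and refreshing a token involves under the client credentials grant (RFC 6749, section 4.4). That grant normally issues no refresh token, so refreshing means requesting a new access token before the old one expires. The class name, the injected `post` transport, and the fake endpoint are assumptions made so that the sketch runs offline.

```python
import base64
import time
from urllib.parse import quote_plus, urlencode


class ClientCredentialsTokens:
    """Caches an access token and re-requests it shortly before it expires."""

    def __init__(self, token_url, client_id, client_secret, post,
                 scope=None, clock=time.monotonic, skew=30, default_ttl=60):
        # RFC 6749 section 2.3.1: form-encode id and secret, then HTTP Basic.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        self._basic = base64.b64encode(pair.encode()).decode()
        self._token_url, self._post, self._scope = token_url, post, scope
        self._clock, self._skew, self._default_ttl = clock, skew, default_ttl
        self._token, self._expires_at = None, 0.0

    def _request(self):
        form = {"grant_type": "client_credentials"}
        if self._scope:
            form["scope"] = self._scope
        headers = {"Authorization": f"Basic {self._basic}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        reply = self._post(self._token_url, headers, urlencode(form))
        if "access_token" not in reply:
            # Error replies carry "error" (for example invalid_client), no token.
            raise RuntimeError(f"token request failed: {reply.get('error', 'unknown')}")
        if reply.get("token_type", "").lower() != "bearer":
            raise RuntimeError("unsupported token_type")
        # expires_in is optional; default_ttl is this sketch's assumed fallback.
        ttl = float(reply.get("expires_in", self._default_ttl))
        self._token = reply["access_token"]
        self._expires_at = self._clock() + ttl

    def bearer(self):
        """Return a token that stays valid for at least `skew` more seconds."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._request()
        return self._token

    def invalidate(self):
        """Call after the API answers 401 so the next bearer() re-requests."""
        self._token = None


def make_fake_endpoint(calls):
    """Constructed stand-in for a token endpoint; records each request."""
    def post(url, headers, body):
        calls.append((url, headers, body))
        return {"access_token": f"tok-{len(calls)}", "token_type": "Bearer", "expires_in": 300}
    return post
```

The `skew` margin keeps a request that starts just before expiry from reaching the API with a token that lapses in transit.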
Reporting for OWASP Top 10:2025
We've updated reporting to support the OWASP Top 10:2025 list. For more information, see Reports.
Other improvements
- IPv6 upstream proxy support lets you connect through IPv6 networks without special configuration.
- We now support custom certificates for integrating with Splunk.
- Administrators and Site maintainers now have permission to view credentials in recorded logins by default.
- We've upgraded Burp's browser to Chromium 143.0.7499.41 for Windows & Mac and 143.0.7499.40 for Linux. For more information, see the Chromium release notes.