DAST 2025.8

19 August 2025 at 08:53 UTC

This release enables you to validate API definitions that are accessed through a URL and adds functionality for Postman Collections. We also improved the performance and stability of the site tree, made some other improvements, and fixed some bugs.

Scan with confidence: validate and streamline your API testing

Increase your scan success rate and reduce site setup times with our latest improvements to API testing:

  • You can now validate API definitions provided via URL before starting a scan. This helps you catch issues early, like unreachable or malformed files, without wasting time waiting for scans to fail. It's especially helpful if you're working with fast-changing API specs or have seen a high failure rate in the past.
  • We've improved how Burp Suite DAST handles Postman Collections. When you upload a collection that includes authentication, the app now extracts credentials automatically and displays them in the Authentication tab.
  • You can now upload Postman environment files to merge into your collection. This removes the need to merge variables manually and speeds up your setup process.
  • You can save an API site before adding authentication, giving you more flexibility in how you prepare scans.

To learn more about using Burp Suite DAST to secure your API definitions, see Scanning APIs.

Make site tree changes faster, even at scale

We've improved the speed and stability of site tree actions like adding, moving, and deleting sites or folders. This is especially noticeable when you're working with many items or making multiple changes in a row.

More control and visibility when configuring scans

You can now sort the Issue types table when you create a custom scan configuration, so it's easier to find what you're looking for.

We also added other useful details across the UI:

  • The Details tab for sites now includes the site ID.
  • For folders, the Scan settings tab is now called Details and shows the folder ID and parent folder.
  • CI-driven scans now have a Details tab too, which includes the correlation ID.

Other improvements

  • You can now leave the Crawl limit fields blank when you create a custom scan configuration.
  • We've improved how we display multiple recorded logins when you run a pre-scan check.

Bug fixes

We fixed the following bugs:

  • Removing an authentication scheme from an API-based site could cause the scan to fail.
  • Creating or deleting multiple sites at once could corrupt the site tree.
  • Network delays could cause self-hosted scanning machines to disconnect, but show as connected in the UI. This caused the error message "Error Dispatching scan to <machine-name>" when a scan failed.
  • The filters now work correctly when you view the scans for a site.
  • We fixed an issue where CI/CD scans failed to parse dynamic token authentication configuration provided via the BURP_SITE_API_DEFINITION_AUTHENTICATIONS environment variable. Dynamic token authentication (such as OAuth2 or JWT tokens) can now be properly configured through environment variables in CI/CD pipelines.

Java update

We updated Java Runtime to 21.0.8, and Azul Zulu to 21.44.17.