This release introduces support for bulk uploading API definitions and makes it easier to troubleshoot recorded logins.
Bulk import API definitions to start scanning sooner
You can now upload multiple API definition files or provide URLs to hosted specs in one workflow, and create dozens of scan targets at once. The bulk import wizard validates each definition, detects authentication schemes, and applies shared configuration across the whole batch.
If a file can't be parsed or a URL can't be reached, you'll get detailed error messages so you can fix issues before you create sites. This reduces repetition and helps you to start scanning in minutes, even across large API estates.
For more information, see Bulk uploading APIs.
Identify failed recorded login steps in seconds
If recorded logins fail during pre-scan checks, you can now see exactly which step caused the failure. Failed steps are highlighted in the replay timeline, so you can quickly find where authentication broke.
You can also edit recorded login sequences directly from the pre-scan check modal, without navigating back to the recorded login card. If a step fails or needs tweaking, you can update it immediately and re-run the check in one click with "Save and run pre-scan check".
For more information, see Using recorded logins.
Smarter time-based SQL injection detection
Burp Scanner now filters out false positives caused by web application firewalls (WAFs) delaying suspicious payloads. This improves accuracy in detecting genuine time-based SQL injection in these scenarios.
Bug fixes
We fixed a bug where scans launched from the REST API ignored the protocol_option parameter.