This release adds broad coverage for modern authentication and API discovery:
- Scan content protected by WebAuthn authentication, including biometrics and passkeys.
- Scan content protected by TOTP.
- Find APIs in your AWS environments, using our new Amazon API Gateway integration.
- Create custom integrations to discover APIs in your own environments.
Scan web apps protected by passkeys, biometrics, or hardware keys
You can now scan applications that rely on passkeys and other modern multi-factor authentication built on WebAuthn. This includes logins such as fingerprint or facial recognition, device PINs like Windows Hello, and hardware security keys like YubiKey.
This means the scanner can successfully navigate these login flows and scan authenticated areas of your application that were previously hard to reach.
When you record a passkey login, the scanner handles the full WebAuthn authentication process for you. It simulates the required steps during scanning, so there's no need for a physical biometric sensor or security key. This makes it much easier to include these applications in your automated scans. For more information, see WebAuthn passkeys in recorded logins.
NOTE: Support is limited to applications that implement the WebAuthn standard. Non-WebAuthn authentication methods or flows tied to specific hardware models may not be supported.
Scan web apps that use TOTP multi-factor authentication
Burp Suite DAST now supports TOTP multi-factor authentication in recorded login sequences. When you paste a login script that includes a TOTP entry, Burp Suite DAST automatically detects it and prompts you to configure TOTP.
You can configure TOTP by uploading an image of the QR code that your target app shows during MFA setup. Alternatively, you can configure it manually. Once configured, Burp Scanner automatically generates valid passcodes during scans.
You need to configure the status checker to use TOTP MFA. For more information, see Configuring TOTP MFA.
Automatically discover and scan APIs
You can now connect Burp Suite DAST to Amazon API Gateway to automatically find APIs running in your AWS environment. Once connected, discovered APIs appear in API finder, ready for you to onboard and start scanning straight away.
This makes it much easier to uncover APIs you might otherwise miss, especially in large or fast-moving environments. You can create multiple AWS connections and set a schedule to check for new or updated APIs, helping you maintain visibility as your infrastructure evolves. For more information, see Integrating with AWS.
We'll continue to expand this area, with support for more API integrations coming soon.
Create custom integrations for discovering APIs
If your organization doesn't manage APIs through one of our supported platforms, you can use our GraphQL API to write scripts to pull API definitions from any source. You can then push them directly into API finder, ready to triage and scan. For more information, see Coding custom integrations.
Other improvements
We've improved the UI for setting the scope of your sites, making it clearer and easier to use. Start URLs and scope settings are now laid out in a way that better reflects how they relate to each other.
Bug fixes
We fixed the following bugs:
- We fixed an issue where stacking certain scan configurations could enable more scan checks than intended.
- For Kubernetes deployments, we fixed an issue where users received repeated EULA acceptance requests.
Browser upgrade
We've upgraded Burp's browser to Chromium 145.0.7680.165 for Windows & macOS and 145.0.7680.164 for Linux. For more information, see the Chromium release notes.