Enterprise Edition 2021.3

08 March 2021 at 16:24 UTC

This release includes several enhancements that help you to better integrate Burp Suite Enterprise Edition with other web applications. It also adds support for some additional database versions, along with a significant number of minor improvements and bug fixes.

CORS whitelisting for enhanced integration with other web applications

If you want to integrate Burp Suite Enterprise Edition with a third-party web application, or one that you've developed yourself, it probably needs access to your sites and scan data. This release adds a new option that lets you whitelist trusted origins for cross-origin resource sharing (CORS) via the GraphQL API.

Once you've whitelisted the origin on which your other application is running, its client-side JavaScript will have access to the full functionality exposed by the GraphQL API. This allows you to develop more powerful integrated applications that can fetch the relevant data, create and edit sites, and launch new scans directly from the browser using AJAX.

By default, all cross-origin requests initiated by JavaScript in the browser will be blocked unless you have explicitly whitelisted their origin. To do this, go to the network settings page and add trusted origins to the "Allowed Origins for GraphQL API" list.
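The default-deny behaviour described above, sketched as an added example of an exact-match origin allowlist check (this is not PortSwigger's code or Burp Suite Enterprise Edition's implementation). The function names `buildAllowlist` and `corsHeadersFor` and the example.com origins are assumptions made for illustration.

```javascript
// Illustrative only: a default-deny, exact-match CORS origin allowlist.
// Not Burp Suite Enterprise Edition's implementation; names are hypothetical.

// Normalise configured entries to serialized origins (scheme://host[:port]).
function buildAllowlist(entries) {
  const allowed = new Set();
  for (const entry of entries) {
    let url;
    try {
      url = new URL(entry);
    } catch {
      continue; // ignore entries that are not valid URLs
    }
    // Only http(s) origins can be allowlisted; opaque origins serialize to "null".
    if (url.protocol === "https:" || url.protocol === "http:") {
      allowed.add(url.origin);
    }
  }
  return allowed;
}

// Return the CORS response headers for a request, or {} to leave it blocked.
function corsHeadersFor(originHeader, allowed) {
  if (typeof originHeader !== "string") return {};
  let normalised;
  try {
    normalised = new URL(originHeader).origin;
  } catch {
    return {}; // covers the literal "null" origin and malformed values
  }
  // Browsers send the serialized origin, so anything else is rejected outright.
  if (normalised !== originHeader || !allowed.has(originHeader)) return {};
  // Echo the single matching origin, never "*", and tell caches the response varies.
  return { "Access-Control-Allow-Origin": originHeader, "Vary": "Origin" };
}

// Constructed sample configuration and probe origins.
const allowed = buildAllowlist([
  "https://dashboard.example.com",
  "https://tools.example.com:8443/",
]);
for (const origin of [
  "https://dashboard.example.com",             // listed
  "https://tools.example.com:8443",            // listed, non-default port
  "http://dashboard.example.com",              // wrong scheme
  "https://dashboard.example.com.example.net", // look-alike suffix
  "null",                                      // opaque origin
]) {
  const decision = Object.keys(corsHeadersFor(origin, allowed)).length ? "allow" : "block";
  console.log(`${decision}  ${origin}`);
}
```

Scheme, host and port all have to match a listed entry, so a look-alike hostname or a plain-HTTP copy of a trusted origin stays blocked.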

Improvements to the GraphQL API

  • You can now include an optional schedule_item_id parameter in a scans query. This makes it much easier to locate the Scan that was generated by a ScheduleItem you've just created.
  • You can use the new site query to fetch an individual Site by its ID. This means you no longer have to fetch the whole SiteTree in order to query a specific known Site.
  • You can now send gzip-encoded data to the API.

Additional database support

Burp Suite Enterprise Edition now supports the following additional database versions:

  • PostgreSQL 11, 12, and 13
  • MariaDB 10.4 and 10.5

For a full list of databases that you can use with Burp Suite Enterprise Edition, please check the system requirements.

Other improvements

  • If you upload an invalid recorded login script, you are now informed of this when you try to save so that you can fix the issue right away. Previously, you would only know that your script was invalid once a scan started and subsequently failed to log in.
  • You can no longer add end-of-scan report recipients to a site unless an admin user has configured a connection to an email server. This helps prevent situations where you mistakenly believe that colleagues are receiving scan reports even though no emails are actually being sent.
  • Burp Scanner's embedded Chromium browser is now stored in the data directory that you select in the installation wizard. Previously, this would be unpacked in your home directory, which was causing issues for some customers.
  • On the "Site" > "Details" page, if you click on the ? icon to view the scan configuration, the configuration ID is now displayed in the URL in your browser's address bar for easier access.
  • When you cancel a scan with errors, the error message is now displayed in the "Cancel scan" confirmation dialog.

Bug fixes

  • The link for the REST API is now generated using the correct domain name for your web server. Previously, the default IP address would still be used to generate the API link even if you had manually set a different "Web server URL" in the network settings.
  • A problem with our site-tree caching has been fixed. This should dramatically improve performance when using our APIs.
  • The database transfer tool no longer assumes that the agent user for the database is called burp_agent. You can now use the tool even if you assigned a different username when setting up your database.
  • A problem with the network settings page has been fixed. A bug in the previous release meant that you were unable to save changes to other settings while the "Use TLS" option was enabled.
  • Adding client TLS certificates to a scan configuration now works as expected. A bug in the previous release meant that you would sometimes encounter a "value required" error when trying to upload a new certificate.
  • We have also fixed several minor UI-related bugs that were introduced by some of our recent changes.

Cloud deployment links

We no longer provide AWS CloudFormation or Azure Resource Manager templates. We're releasing an improved, much simpler deployment method soon and recommend waiting for this instead.