This release includes some major enhancements to the Scanner engine. Burp can now automatically report the following new types of issues:
- Perl code injection
- PHP code injection
- Ruby code injection
- Server-side JavaScript code injection
- File path manipulation
- Serialized object in HTTP message
- Client-side JSON injection (DOM-based)
- Client-side XPath injection (DOM-based)
- Document domain manipulation (DOM-based)
- Link manipulation (DOM-based)
- DOM data manipulation (DOM-based)
Additionally, the scanning logic for several existing checks has been enhanced to improve accuracy.
A number of bugs have also been fixed, including:
- A bug that caused the option "skip server side injection tests for these parameters" to not work in some situations.
- A bug that caused session handling rules to fail when using the sessions tracer, in some situations.
- A bug affecting the auto-generation of CA-signed per-host SSL certificates, in some situations.
- A bug that sometimes caused Burp to hang on startup when reloading certain extensions.