This release adds DOM Invader, a powerful new tool for testing DOM XSS. It also provides improvements to Burp Scanner's navigation of single page applications, a new learning resource, and some minor improvements.
DOM Invader works by injecting a canary (a string you can define) into DOM sources and then checking whether that canary reaches a sink. It can automatically inject canaries into URL parameters and form elements to speed up testing, so you don't have to craft and submit each probe by hand.
DOM Invader also lets you test for web message vulnerabilities by intercepting web messages (postMessage calls) and providing detailed information about each one. You can then manipulate a web message or spoof its origin, either manually or automatically.
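To make the canary technique concrete, here is an added example that is not DOM Invader's own code or any PortSwigger code: a small Node.js simulation in which the source is a URL query string and the sink is the string a page would assign to innerHTML. The canary value, the parameter names and the two page handlers are assumptions constructed for illustration. Beyond the plain "did the canary arrive" check, it records which special characters survived the journey unchanged, which is what tells you whether a reachable sink is actually exploitable.

```javascript
// Added example, not from PortSwigger or DOM Invader: a Node.js simulation of
// canary-based DOM XSS testing. No browser or DOM is needed; sinks are modelled as
// the string a page would assign to innerHTML.

const CANARY = "burpdomxss";   // assumed canary value; in practice you choose your own
const PROBE_SUFFIX = "<>\"'";   // characters that matter if they reach an HTML sink unencoded

// Append the canary probe to every parameter in a query string (the automatic
// "put canaries into URLs" step). URLSearchParams percent-encodes the probe, as a
// browser would when the value sits in location.search.
function injectCanary(search, canary = CANARY) {
  const params = new URLSearchParams(search);
  for (const [key, value] of [...params.entries()]) {
    params.set(key, value + canary + PROBE_SUFFIX);
  }
  return "?" + params.toString();
}

// Constructed vulnerable page logic: reads ?name= and writes it unencoded into innerHTML.
function vulnerablePage(search) {
  const name = new URLSearchParams(search).get("name") || "";
  return { sink: "innerHTML", value: "<div>Hello " + name + "</div>" };
}

// The same logic with HTML encoding applied before the write.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function hardenedPage(search) {
  const name = new URLSearchParams(search).get("name") || "";
  return { sink: "innerHTML", value: "<div>Hello " + htmlEncode(name) + "</div>" };
}

// Sink analysis: did the canary arrive, and which probe characters survived unchanged?
// Only the characters immediately after the canary are examined, so markup the page
// emits itself (for example the closing </div>) is not mistaken for a surviving probe.
function analyzeSink(sinkValue, canary = CANARY) {
  const idx = sinkValue.indexOf(canary);
  if (idx === -1) return { found: false, survived: [] };
  const start = idx + canary.length;
  const tail = sinkValue.slice(start, start + PROBE_SUFFIX.length);
  const survived = [...PROBE_SUFFIX].filter((c) => tail.includes(c));
  return { found: true, survived };
}

// Run a page's source-to-sink logic against a canary-injected URL and report the result.
function testPage(pageFn, search) {
  const { sink, value } = pageFn(injectCanary(search));
  return { sink, ...analyzeSink(value) };
}

console.log("vulnerable:", testPage(vulnerablePage, "?name=alice"));
console.log("hardened:  ", testPage(hardenedPage, "?name=alice"));
console.log("unused:    ", testPage(vulnerablePage, "?lang=en"));
```

The three runs show the three outcomes you care about: the canary reaches the sink with `<>"'` intact (exploitable), the canary reaches the sink but every special character has been encoded (reachable, but not exploitable through this sink), and the canary never reaches the sink at all because the parameter is not used.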
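The following is an added example, not DOM Invader's own code or any PortSwigger code, showing why spoofing a message's origin matters. It models three postMessage handlers in Node.js (no origin check, a prefix-only check, and an exact-match allow list), delivers the same constructed payload to each from a trusted origin and from a spoofed one, and reports whether the payload reached an HTML sink. The origins, payload and handler logic are assumptions made up for the example.

```javascript
// Added example, not from PortSwigger or DOM Invader: simulating window "message"
// handlers so the effect of a spoofed origin can be observed without a browser.

// A MessageEvent-like object: the shape a "message" event listener receives.
function makeEvent(data, origin) {
  return { data, origin };
}

// A stand-in for the element a handler writes into.
function makeSink() {
  return { innerHTML: "", textContent: "" };
}

// Handler 1: no origin check at all. Any window that can obtain a reference to
// this page can write markup into it.
function noOriginCheck(event, sink) {
  sink.innerHTML = event.data;
  return true;
}

// Handler 2: looks like an origin check but only tests the prefix, so an origin
// such as "https://trusted.example.attacker.example" passes.
function prefixOriginCheck(event, sink) {
  if (!event.origin.startsWith("https://trusted.example")) return false;
  sink.innerHTML = event.data;
  return true;
}

// Handler 3: exact-match allow list, and a text sink rather than an HTML sink.
const ALLOWED_ORIGINS = ["https://trusted.example"];  // assumed allow list
function strictOriginCheck(event, sink) {
  if (!ALLOWED_ORIGINS.includes(event.origin)) return false;
  sink.textContent = event.data;
  return true;
}

// Deliver one message with a chosen (possibly spoofed) origin and report whether the
// handler accepted it and whether the payload landed in an HTML sink unencoded.
function probe(handler, data, origin) {
  const sink = makeSink();
  const accepted = handler(makeEvent(data, origin), sink);
  return { accepted, reachedHtmlSink: sink.innerHTML.includes(data) };
}

const PAYLOAD = '<img src=x onerror="alert(document.domain)">';  // constructed payload
const TRUSTED = "https://trusted.example";
const SPOOFED = "https://trusted.example.attacker.example";      // constructed spoofed origin

// Run every handler against a message from the trusted origin and from the spoofed one.
function runAll() {
  const handlers = { noOriginCheck, prefixOriginCheck, strictOriginCheck };
  const results = {};
  for (const [name, handler] of Object.entries(handlers)) {
    results[name] = {};
    for (const origin of [TRUSTED, SPOOFED]) {
      results[name][origin] = probe(handler, PAYLOAD, origin);
    }
  }
  return results;
}

console.log(JSON.stringify(runAll(), null, 2));
```

In a real browser the sender cannot choose event.origin; it is set by the browser from the sending window's origin. The spoofed case therefore models an attacker who hosts the sending page on a domain they control that happens to satisfy a weak check. Replaying a captured message with a modified origin lets you find such handlers without owning a matching domain, which is the reason the origin-spoofing feature exists.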
Improved Burp Scanner navigation of SPAs
The improved SPA navigation also lays the foundation for auditing asynchronous traffic, which we will be adding soon (see the roadmap). That will let Burp Scanner target a larger attack surface in SPAs.
We've made it easier to quickly learn more about Burp Suite. The new Learn tab contains links to tutorials and other useful resources to help you on your Burp Suite journey. You'll find it on the main interface bar.
If you've already mastered Burp Suite, you can hide the new tab if you prefer.
This release contains the following small improvements:
- You can now set a project option to stop Burp Suite's embedded browser from using GPUs. This works around an issue in some environments where no GPU is available.
- You can now edit names and values in line with a single click in the Inspector's table view, without having to drill down. In the Inspector's drill-down view, non-printable characters are now displayed in the same way as in the message editor.