Yesterday on August 23rd, Portswigger released a major update to the infamous web application vulnerability scanner Burp Suite. Before yesterday, the version was 1.7.37, but as of this newest release the company has moved to a major update and is now released Beta 2.0. The beta is currently only available for professional accounts, with a community edition being released at a later time. The company lists some of the new additions on their site, this is a direct copy from the official site:
- A new crawler, able to automatically handle sessions, detect changes in application state, crawl with multiple logins, and deal with volatile content.
- A new scanning engine, featuring automatic session handling, multiple scan phases, improved detection of stored input, consolidation of site-wide passive issues, efficient treatment of frequently occurring insertion points, and graceful handling of application errors.
- A new dynamic JavaScript analyzer, with dramatically improved detection of DOM-based vulnerabilities.
- A new dashboard for monitoring and controlling automated activities.
- A new scan launcher, and the ability to carry out multiple parallel scans.
- New live scanning capabilities.
- Improved management of system resources, through a central task execution engine.
- A new configuration library for storing useful settings.
- A new REST API for integration with other tools.
- A new response renderer that functions as well as any modern browser.
For testing I will be using the Juice Shop vulnerable machine that I have written about in previous blog posts.
As shown in the screenshot above the new dashboard has a very different approach to giving the engineer the needed information during the test. Along with a new look and feel Burp Suite's 2.0 release looks to improve performance and reliability of testing web applications.
One quick change if you can see clearly enough from the screenshot above is that there is no longer a scanner or a spider tab on the top row of the dashboard. Instead we are left with the two green buttons new scan and new live task. Of course you can always right click on an item in the target tab and choose to scan individual branches or hosts. The new scanning feature will pop up with a modal that will allow you to define your configurations.
Many of the features from previous builds of Burp Suite are still available, but might have been moved around. The screenshot below shows the new scanning and spider configuration page. As you can see you can be very granular in how you setup a scanning configuration. This is exciting as I can use multiple scanning configurations for different portions of the web application. Such as setting up a scanning configuration that will be predominantly used for auditing the JavaScript files from a web application.
However, during the process of playing around with the new scanning configurations I may or may not have found a bug in the beta software. I am not sure if there is something I am missing, but I cannot get the Burp Suite scanning configuration sections to change from not defined to defined. I did send a bug report to Portswigger, and hopefully they will address either my stupidity or the feature.
As you can see from the screenshot below though, that the scanner configuration page gives you a large amount of input on how to perform the auditing of the web application. The spider has the same amount of granularity as well.
Not exactly a new feature to Burp Suite, but the added tab in the scanning configuration modal helps make the login credentials more accessible. I feel this is a great UI choice for usability.
The screenshot below shows the crawler and the auditing of Juice shop live.
The screenshot below demonstrates the competition of a crawler and auditor. This is only an example of one scanner running at a time.
Fortunately, for web application testers everywhere Burp Suite now has support for running multiple scans in parallel. Like I had mentioned above this allows for the engineer to specify multiple scan settings and perform audits concurrently. The amount of time this will save is immense.
The issue activity infographic is very much the same, and just to make sure I wanted to see if Portswigger had made any significant updates to the reporting section. Unfortunately, the reports are still un-editable.
As I continue to dive into the new release I will be writing additional blog posts showing some of the new exciting features (or bugs) of the Burp Suite platform.
