Product roadmap

Testing workflow

New feature

A brand new tool to help you organize your testing workflow, and keep track of pending actions.

Seed scan from API definition

New feature

Include an API definition as part of the Burp Scanner launch process. Burp Scanner will use this API definition to seed its scan - enhancing its ability to scan APIs and microservices.

User interface - customization

New feature

Alter and customize the layout of your Burp workspace. Tailor Burp Suite's top level tools to the particularities of your workflow.

Collaborator payloads in Intruder attacks

Feature enhancement

Generate and include Burp Collaborator payloads as part of a Burp Intruder attack. Any interactions detected by Burp Collaborator will then be included in the results for your Burp Intruder attack.

Declarative scan checks

New feature

Add scan checks to Burp Scanner using a simplified language we've created specifically for this purpose. This will enable you to create custom scan checks more easily (without writing a BApp extension).

ARM64 support

New feature

Burp Suite Professional and Burp Suite Community Edition will support machines running Linux on an ARM64-based processor.

Additional API functionality

Feature enhancement

We will continue to develop Burp's new Montoya API, adding improved support for WebSockets, as well as functionality around project files - enabling extensions to save data.

Improved Burp Scanner interface

Feature enhancement

Improved visualization of scan activity. Better understand the coverage that your scan configuration has achieved, and how any discovered issues fit into the target's nav structure.

GraphQL scan checks

New feature

Burp Scanner will check for a number of security vulnerabilities relating to APIs that use the GraphQL language.

Access control scan checks

New feature

Burp Scanner will check for a number of security vulnerabilities relating to access control.

React form handling

Feature enhancement

Scan single page applications (SPAs) built using React more easily. Specifically, this will improve Burp Scanner's handling of input elements that do not have an enclosing form tag.

Improved coverage of JavaScript frameworks

Feature enhancement

Fine-tuning of Burp Scanner, to optimize its performance when scanning single page applications (SPAs) built using Angular, Vue.js, and other frameworks.

Collaborator client

Done

Collaborator client now has its own top-level tab, uses a tabbed interface, and saves its interactions in project files, among other improvements.

JWT scan checks

Done

Burp Scanner now checks for a number of security vulnerabilities relating to JSON Web Tokens (JWT).

New API

Done

Burp's Montoya API is a completely new extensibility framework, which will lead to much richer capabilities in the future.

Audit of asynchronous traffic

Done

Burp Scanner now automatically audits in-scope API requests that are issued from client-side JavaScript using XHR and Fetch.

Enhanced Burp Intruder

Done

More options for brute forcing and fuzzing. New payload types and placement options, richer results analysis, and incremental saving.

DOM testing tools

Done

Add-ons to Burp Suite Professional's embedded browser have enhanced manual testing for DOM-based vulnerabilities.

Integrated SCA capabilities

Done

Perform software composition analysis (SCA) of client-visible code. Report JavaScript libraries in use that contain known vulnerabilities.

API scanning

Done

Enumerate API endpoints to scan APIs in target applications. API scanning utilizes OpenAPI (Swagger) definitions.

Automatic updates

Done

Update without lifting a finger. Burp Suite Professional can now update itself automatically - without user intervention.

New web cache poisoning scan checks

Done

Find cutting-edge vulnerabilities with Burp Scanner. Scan checks based on James Kettle's latest web cache poisoning research.

Browser-powered scanning by default

Done

Best-in-class coverage and scanning performance for challenging targets like AJAX-heavy single page app, with browser-driven (Chromium) scanning. Enabled by default.

Read all release notes

Revamped browser powered scanning

Done

We have fundamentally changed the way that Burp Scanner navigates using its built-in browser. This improves scanning of applications that make heavy use of client-side JavaScript for navigation, and lays a strong foundation for further development of the scanner.

User and project options

Done

User and project options are now accessed via a single Settings dialog. We have also added a search function.

Performance improvements

Done

Improved memory and processing efficiency for various Burp features. Users also now get feedback on any resource-hungry BApps.

Message inspector improvements

Done

Various improvements to the usability of the HTTP message inspector, based on user feedback.

HTTP/2-specific vulnerability reporting

Done

Burp Scanner can now report new classes of HTTP/2-specific vulnerabilities.

Server-side template injection

Done

Burp Scanner can now detect injection into a wider range of templating engines, and will employ OAST techniques to detect blind SSTI.

Improved SPA scanning

Done

Burp Scanner now handles navigational actions that cause DOM updates without a synchronous request to the server, allowing better handling of single-page applications.

Native HTTP logging

Done

Based on the user popularity of certain BApps (Logger++ and Flow), Burp Suite Professional has gained native, resource-efficient logging functionality.

HTTP/2 support

Done

Use HTTP/2 for both inbound and outbound communication over TLS (beta feature). Also gives control of TLS protocols within Burp Proxy.

Inspector view

Done

Manipulate browser traffic more easily. Improved access to headers, parameters, and more - plus automatic encoding and decoding.

Render pages within Burp tools

Done

See exactly what you're looking at - without changing tab. Tools like Burp Repeater and Burp Intruder now allow you to render responses.

Improved scan speed

Done

Further optimized performance in default settings - to enable faster scans without compromising coverage.

Support for popups in recorded login sequences

Done

Addition of support for popup page elements when using Burp Scanner's recorded login (authenticated scanning) feature.

Improved user experience

Done

A number of changes to Burp Suite Professional's UI, based on user feedback - including grouped tabs, and four new preset modes for Burp Scanner.

HTTP/2-based enhancements

Done

The HTTP message inspector has gained new capabilities, enabling manual exploitation of HTTP/2-specific vulnerabilities using Burp Repeater. The Burp Extender API has also been enhanced to enable HTTP/2-specific attacks.

Payloads within data formats

Done

We have improved the placement and encoding of scan payloads within JSON and XML data structures.

Improved navigational coverage

Done

Burp Scanner now detects and interacts with more DOM elements that can cause JavaScript-triggered navigation, in addition to conventional links and forms.

Early adopters releases

Done

All Burp Suite Professional users now gain access to an optional early adopters' release track - giving early access to new and experimental features.

Recorded login sequences

Done

Better scrutinize login-related functionality by recording complex login sequences in a browser. Ideal for JavaScript-heavy logins, or single sign-on.

Embedded browser for manual testing

Done

Proxy HTTPS traffic with no configuration necessary. Burp Suite's embedded Chromium browser can now take care of everything.

Browser-powered scanning enhancements

Done

Significant improvements to Burp Scanner - enabling enhanced performance and coverage of modern navigational patterns.

Pretty printing in the HTTP message editor

Done

Make code easier to work with. Burp Suite will prettify JSON, XML, HTML, CSS, and JavaScript within the HTTP message editor.