Matt Atkinson | 30 September 2021 at 13:39 UTC
The modern web is an increasingly complex beast. Each passing year brings with it new frameworks, technologies, and design trends – not to mention vulnerabilities. All of this adds to your testing workload. It also makes AppSec daunting to learn for beginners, who lack the benefit of ever having operated in simpler times.
With Burp Suite Professional, our aim has always been to help you cut through that complexity – saving you time and making life easier. We’re also educating the next generation of pentesters – with free learning in the Web Security Academy, and initiatives like our $99 Burp Suite Certified Practitioner qualification.
How Burp Suite Pro helps you to test the modern web
There are many ways Burp Suite Professional makes life easier for testers when dealing with modern web apps, but here are three major features we’ve introduced recently:
Testing HTTP/2
It’s kind of impossible to talk about Burp Suite’s feature set right now without mentioning HTTP/2 testing. HTTP/2’s attack surface has barely been audited up until now – due to the complete lack of any suitable tooling – but we’re changing all that.
We’ve now added a number of convenient manual HTTP/2 testing features developed with PortSwigger Research. These include the ability to carry out the HTTP/2-exclusive attacks we pioneered, which can’t be represented using HTTP/1. And of course Burp Scanner can now carry out these attacks automatically. For more information, check out James Kettle’s Black Hat USA 2021 presentation: “HTTP/2: The Sequel is Always Worse”.
Scanning API endpoints
The rise of single-page applications (SPAs) has gone hand in hand with an increasing reliance on APIs and microservices – which in turn has created swathes of new attack surface. To put this in perspective, Okta recently cited Gartner in predicting that by 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise applications. And of course, since 2019, there’s been an OWASP Top 10 just for API vulnerabilities.
Burp Scanner has gained the ability to scan for API security vulnerabilities – automatically parsing OpenAPI v3 REST API definitions written in JSON. This can often reveal attack surface that a traditional scanner would miss. API scanning will grow in power alongside Burp Scanner’s JavaScript scanning functionality, and will greatly strengthen the scanner itself as it is further developed.
Cutting through complexity
The introduction of Burp Suite’s embedded Chromium browser has been revolutionary for testing workflows – providing a foundation for many new features. Functionality built on the back of the embedded browser includes DOM Invader, authenticated scanning, and JavaScript scanning – and there’ll be more to come.
On top of this, the embedded browser provides Burp Suite users with a quick and easy out-of-the-box setup. Simply open the embedded browser and begin proxying traffic (including HTTPS) immediately. All of the necessary proxy listener settings are automatically adjusted, and there’s no need to manually install a CA certificate.
New and upcoming features in Burp Suite Professional
The features above are only the tip of the iceberg. Version 2.0 brought Burp Suite Professional bang up to date back in 2018 – with a raft of new functionality – but we didn’t stop there. Check out some of the cool new stuff we’ve introduced, and some other features that will be dropping any day soon:
A Burp Scanner crawl and audit provides great visibility, and is designed to complement your manual testing workflow.
Burp Scanner does more
Download the latest version of Burp Suite Professional to access all of these features and more.
DOM Invader uses Burp Suite’s embedded Chromium browser to make testing for DOM XSS much easier.
Manual features help you test faster
- Embedded browser – embedding Chromium within Burp has enabled many of the features in this post. It also makes life much easier for beginners – because no configuration is necessary before proxying traffic through the embedded browser.
- HTTP/2 functionality – (as above) we’ve added a wealth of functionality to help you test for HTTP/2 vulnerabilities – including the ability to easily “kettle” requests.
- DOM Invader – (as above) designed in close collaboration with PortSwigger Research, DOM Invader uses Burp’s embedded browser to make DOM XSS much easier to find.
- Logger – by popular demand, desktop editions of Burp Suite now include native logging functionality – giving you a record of all Burp-generated HTTP traffic.
- WebSocket messages – intercept and edit WebSocket messages – including the ability to reconfigure the negotiation requests used to create WebSockets.
- Save Intruder attacks in project files – you can now save attacks made using Burp Intruder to your project files. This is very convenient when working on a large project.
- Message Inspector – the Inspector gives the message editor access to many Burp Suite functions, without switching tabs. It includes useful features like auto-decoding.
Upcoming features
- Further SPA scanning capability – by automatically auditing in-scope API requests made using XHR or Fetch, Burp Scanner will exploit more SPA attack surface.
- New SSTI scan checks – use Burp Scanner to detect server-side template injection (SSTI) in a wider range of templating engines, and check for blind SSTI, using OAST.
- More manual testing functionality for HTTP/2 – including additional support within Burp Repeater, Extender, and the Inspector. Test HTTP/2 more efficiently.
- Burp Scanner speed enhancements – fine-tuning of Burp Scanner’s default settings, to enable faster scanning without compromising coverage.
- Payloads within data formats – placement and encoding of Burp Scanner payloads within JSON and XML will be improved when making API calls – enhancing reliability.
- Inspector improvements – based on discussion with Burp Suite users, the message inspector will be developed to give further efficiency gains in manual testing.
- Message editor improvements – again, based on feedback drawn from Burp Suite’s user community, we will be looking to fine-tune the usability of the message editor.
- Logger improvements – including the ability to export logs as CSV files for use externally.
Please see the Burp Suite Professional roadmap for more details of upcoming features.
The Burp Suite Pro user interface has had an overhaul – and now includes features like Dark Mode.
It doesn’t stop there
Of course, the most important feature of Burp Suite is the one we can’t automate – it’s you – the person driving it. We want to help our users develop – which is why we’ve introduced features like the new embedded “Learn” tab, revamped our user interface to be more intuitive, and created a range of Burp Suite Pro video tutorials. There’s also a new guide on getting started with Burp Suite, for users who are completely new to the software.
Finally, if you’ve not already, then it’s well worth taking a look at the Web Security Academy. There you’ll find free learning materials and almost 200 free labs – encompassing everything from classic bugs, to the very latest vulnerabilities. And did we mention that you can now get Burp Suite certified for just $99?