Burp Suite, the leading toolkit for web application security testing

PortSwigger Web Security Blog

Thursday, 22 January 2015

Burp Suite Support Center

We're pleased to announce the arrival of the new Burp Suite Support Center:

The Support Center is a single portal where you can:
  • Read helpful articles on using Burp
  • Search all content
  • Engage in community discussions
  • Send private emails to the Burp Suite support team
  • View all of your support interactions with us
  • Watch tutorial videos (coming soon)
We'll be steadily updating the articles on the Support Center in the months ahead to cover all aspects of using Burp. The community discussions area of the Support Center replaces the existing user forum.

Visit the Support Center >

Thursday, 1 January 2015

Burp Suite Pro price held for 2015

Yet another year has just gone by in which the price of Burp Suite Pro has held steady. Burp has cost $299 for over three years now.

In that time, we've released 47 updates, and added tons of new features. In the last year alone, we've made the following improvements to Burp:
  • The new BApp Store, for sharing community-authored Burp extensions.
  • Support for WebSockets messages.
  • Improved Spider link discovery and WIVET score.
  • Support for nested scan insertion points, enabling Burp to automatically scan complex data structures, such as JSON within XML within a URL parameter.
  • A brand new static code analysis engine, enabling Burp to reliably report DOM XSS and a dozen other new DOM-based issues.
  • Scanner checks for several new types of vulnerability, including:
    • Perl code injection
    • PHP code injection
    • Ruby code injection
    • Server-side JavaScript code injection
    • File path manipulation
    • Serialized object in HTTP message
    • Cross-site request forgery
  • Significant enhancements to existing scan checks, including XSS, SQL injection, OS command injection and file path traversal.
  • A new mechanism for anonymous reporting of Burp's performance, which has enabled us to resolve several edge case bugs and improve Burp's general stability.
  • Numerous other minor enhancements throughout Burp.
All updates are made available to licensed users without any additional charge.

Today, we pledge that we will not increase the USD price of Burp Suite Pro during 2015. Instead of hiking the price, we'll continue to add great new features. Work is already far advanced on some big new features that will further empower Burp users during the course of 2015.

Happy new year!

Thursday, 9 October 2014

Burp integrates with WebInspect

We're very pleased to announce that Burp is now integrated with the WebInspect vulnerability scanner, thanks to a new extension created by the WebInspect team. People who use both Burp and WebInspect can use this integration to share findings between the two products and make their testing workflows more efficient.

To use the integration, first install the WebInspect Connector extension from the BApp Store. Then, in the WebInspect tab, enter the API URL for your instance of WebInspect (for example: http://localhost:8083/webinspect), and click "Connect":


The UI will display the list of WebInspect scans:


To start working with a WebInspect scan, select it from the list and click "Attach to scan". A new tab will open showing the results of the scan:


You can send items from WebInspect to Burp by selecting one or more vulnerabilities in the WebInspect scan tab and using the context menu to perform the following actions:
  • Send to Spider
  • Send to Intruder
  • Send to Repeater
  • Create issue - this will add the vulnerability to Burp Scanner's results

Issues created in Burp's results are tagged with "[WebInspect]":


You can send items from Burp to WebInspect as follows:
  • Select one or multiple issues in the Burp Scanner results.
  • Use the context menu option "Send to WebInspect".
  • Select an open WebInspect scan.

This will create the issue in WebInspect, and will also create a crawling session based on the selected base request. Issues created in WebInspect's results are tagged with "[Burp]":


We hope that people who use both Burp and WebInspect will find the integration helpful. We plan to announce further integrations between Burp and other leading web security products in the coming months.

Wednesday, 1 October 2014

PortSwigger receives highest score in Manual Web Penetration Testing in Gartner’s Critical Capabilities for Application Security Testing report

In September 2014, Gartner released its Critical Capabilities for Application Security Testing report.

Gartner gave PortSwigger the highest score for the manual web penetration testing use case, one of the 7 use cases in its Critical Capabilities for Application Security Testing report. The report, which reviewed and ranked vendors according to various critical capabilities and use cases, gave PortSwigger’s product 4.43 out of a possible 5, the highest product score for the manual web penetration testing use case.

Dafydd Stuttard, founder of PortSwigger Web Security, said: “It is great that the Gartner report gave us the highest score for its manual web penetration testing use case. We set out to provide the best tool on the market for penetration testing, and we believe our score in this report demonstrates our achievements in this area. We will continue developing Burp Suite to ensure it offers our users cutting-edge capabilities at an affordable price point.”

He continues: “We have an ambitious roadmap for our product; users can expect to see our approach for excellence mirrored in many more product enhancements and features. Many of these will see Burp Suite develop the other critical capabilities Gartner has highlighted as key within this market.”

This latest report is designed to be used in conjunction with the Gartner Magic Quadrant for Application Security testing, published by Joseph Feiman & Neil MacDonald on 1 July 2014, which saw PortSwigger move into the ‘Challengers’ quadrant. Together these reports give readers in-depth insight into this important technology market.

For information about PortSwigger Web Security, or to buy or request a trial of Burp Suite, please visit portswigger.net.


PortSwigger Web Security is a global leader in the creation of software tools for security testing of web applications. For nearly a decade, we have worked at the cutting edge of the web security industry, and our suite of tools is well established as the de facto standard toolkit used by web security professionals.

Gartner disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Monday, 11 August 2014

PortSwigger moves into “Challengers” Quadrant in 2014 Gartner Magic Quadrant for Application Security Testing for its web security solution

In July 2014 Gartner released its annual Magic Quadrant for Application Security Testing.

The report, published by analysts Joseph Feiman and Neil MacDonald, evaluates organizations based on ‘completeness of vision’ and ‘ability to execute’. Gartner have positioned PortSwigger Web Security in the ‘challengers’ quadrant, and according to the report:

“Challengers in this magic quadrant are vendors that have executed consistently, typically by focusing on a single technology. In addition, they have demonstrated substantial competitive capabilities against the leaders in this particular focus area and also have demonstrated momentum in their customer base in overall size and growth.”

Dafydd Stuttard, founder of PortSwigger Web Security, said: “We are delighted that Gartner have recognized us as a challenger in this market. Burp Suite is a powerful web scanning tool, and is extremely competitively priced. It is one of the most widely adopted tools in the market, with users in over 90 countries and a majority of the Fortune 100 companies. Burp Suite provides its users with exceptional capabilities and value for money.”

In this new report, Feiman and MacDonald state that “Global-scale scandals around critical applications’ breaches have highlighted the need for effective detection of exploitable application security vulnerabilities. Application security testing is the solution for web, cloud and mobile applications”.

In the past year, PortSwigger Web Security has accelerated its investment in Burp Suite, and expanded its core team. We have a very ambitious roadmap for the product, driven by the continual changes in web security and our customers’ requirements. We have some major product enhancements planned through 2014 and 2015, which will continue to raise the bar in web security testing.

For information about PortSwigger Web Security, and to trial Burp Suite, please visit portswigger.net.


Monday, 28 July 2014

Burp gets new JavaScript analysis capabilities

The latest release of Burp includes a new engine for static analysis of JavaScript code. This enables Burp Scanner to report a range of new vulnerabilities, including:
  • DOM-based XSS
  • JavaScript injection
  • Client-side SQL injection
  • WebSocket hijacking
  • Local file path manipulation
  • DOM-based open redirection
  • Cookie manipulation
  • Ajax request header manipulation
  • DOM-based denial of service
  • Web message manipulation
  • HTML5 storage manipulation

In the initial release, the new functionality is officially experimental, and will be enhanced in future releases based on user feedback. The key areas for further enhancement are as follows:
  • Burp supports most core JavaScript language features, including local and global variables, function calls and return values, assignments, arrays, and relevant platform APIs. Two important language features are not supported: object dereferences and function pointer variables. Some vulnerabilities that are dependent on these language features are not currently reported.
  • Static code analysis is resource intensive. We have worked hard on the code analysis engine to minimize memory and CPU consumption, and its performance has been extensively tested against real-world code. However, there is more work yet to do in this area, and in the initial release it may be necessary to (a) increase the memory that is assigned to the Java process; (b) restrict static code analysis to key targets of interest; (c) configure a suitable maximum analysis time for complex items. See the static code analysis options for more details.
  • In a future release, we may provide a UI similar to the active scan queue, containing a view of pending and current code analysis tasks, and enabling the user to pause, resume or cancel individual tasks.
  • Burp's rules for identifying tainted sources and dangerous sinks, and for mapping these to vulnerability types, may need further refinement.
Despite the above opportunities for enhancement, the current functionality is sufficiently powerful that it would be wrong for us to sit on it any longer, and it's time for users to try it out in real-world situations. Feedback is actively welcomed about the new capabilities, to help drive the above and other improvements.

How does Burp's code analysis work? We don't simply match suspicious code based on patterns, which is too error-prone and only finds the simplest bugs. We don't execute the code, or fuzz the DOM in an instrumented browser, as this can lead to worse performance problems, many missed vulnerabilities, and poor code coverage due to missed execution branches. We don't employ any external dependencies as these can be brittle and a pain for users to set up.

Rather, Burp contains a home-grown language parser and dataflow analysis engine. We identify places in the code where data is read from potentially tainted sources within the DOM, and trace this data through possible execution paths in the code. If the data can reach a dangerous sink, then a potential vulnerability is reported. This is not, of course, a new approach to static code analysis, but there are many challenges in the details that we believe we have solved in novel and effective ways.
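The source-to-sink tracing described above, as an added illustration that is not Burp's engine or any PortSwigger code: a toy flow-sensitive taint analysis over a small straight-line JavaScript subset. The TAINT_SOURCES and SINK_PATTERNS lists and the SAMPLE snippet it analyzes are constructed for this example, and the analyzer deliberately shares the limitations the post lists (no object dereferences, no function pointers, and no branching control flow).

```javascript
// Added example (not Burp's engine): a toy source-to-sink dataflow analysis over
// a small straight-line JavaScript subset, mirroring the approach the post
// describes. Source and sink lists are constructed for illustration.
const TAINT_SOURCES = new Set([
  'location.hash', 'location.search', 'location.href',
  'document.URL', 'document.referrer', 'window.name',
]);

// Each sink pattern captures, in its last group, the expression that reaches
// the dangerous operation.
const SINK_PATTERNS = [
  { re: /^\w+\.innerHTML\s*=\s*(.+)$/,   kind: 'DOM-based XSS (innerHTML)' },
  { re: /^document\.write\((.+)\)$/,     kind: 'DOM-based XSS (document.write)' },
  { re: /^eval\((.+)\)$/,                kind: 'JavaScript injection (eval)' },
  { re: /^location\.href\s*=\s*(.+)$/,   kind: 'DOM-based open redirection' },
  { re: /^document\.cookie\s*=\s*(.+)$/, kind: 'Cookie manipulation' },
];

// Split `expr` on `sep` only at top level (outside quotes and brackets), so
// that "a" + f(b + c) yields two operands, not three. Escapes inside string
// literals are not handled; this is a teaching toy, not a parser.
function splitTopLevel(expr, sep) {
  const parts = [];
  let depth = 0, quote = null, cur = '';
  for (const ch of expr) {
    if (quote) { cur += ch; if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'" || ch === '`') quote = ch;
    else if (ch === '(' || ch === '[') depth++;
    else if (ch === ')' || ch === ']') depth--;
    if (ch === sep && depth === 0) { parts.push(cur); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur);
  return parts;
}

// Is a single operand tainted? Literals never are. Taint flows through call
// arguments (decodeURIComponent(x)) and through method calls on a tainted
// receiver (location.hash.substring(1)); otherwise the reference is looked up.
function operandTainted(op, tainted) {
  op = op.trim();
  if (op === '' || /^['"`\d]/.test(op)) return false;
  let m = op.match(/^\w+\((.*)\)$/);
  if (m) return splitTopLevel(m[1], ',').some(a => exprTainted(a, tainted));
  m = op.match(/^([\w.]+)\.\w+\((.*)\)$/);
  if (m) return operandTainted(m[1], tainted) ||
           splitTopLevel(m[2], ',').some(a => exprTainted(a, tainted));
  if (TAINT_SOURCES.has(op)) return true;
  return tainted.has(op) || tainted.has(op.split(/[.[]/)[0]);
}

// An expression built with `+` is tainted if any operand is.
function exprTainted(expr, tainted) {
  return splitTopLevel(expr, '+').some(op => operandTainted(op, tainted));
}

// Walk the statements in order (one per line), maintaining the set of tainted
// variables, and report every sink whose input expression carries taint.
function analyze(code) {
  const tainted = new Set();
  const findings = [];
  code.trim().split('\n').forEach((raw, i) => {
    const stmt = raw.trim().replace(/;$/, '');
    if (stmt === '' || stmt.startsWith('//')) return;
    for (const { re, kind } of SINK_PATTERNS) {
      const m = stmt.match(re);
      if (m) {
        if (exprTainted(m[m.length - 1], tainted)) findings.push({ line: i + 1, kind, stmt });
        return;
      }
    }
    const asg = stmt.match(/^(?:(?:var|let|const)\s+)?(\w+)\s*=\s*(.+)$/);
    if (asg) {
      // A reassignment from a clean value kills the taint (flow-sensitive).
      if (exprTainted(asg[2], tainted)) tainted.add(asg[1]); else tainted.delete(asg[1]);
    }
  });
  return findings;
}

// Constructed sample page script: two real flows (lines 5 and 10) and two
// decoys (a literal written to the DOM, and a source overwritten before use).
const SAMPLE = `
var q = location.hash.substring(1);
var name = decodeURIComponent(q);
var safe = "Hello, " + "world";
var el = document.getElementById('greeting');
el.innerHTML = "Hello, " + name;
document.write(safe);
var url = location.search;
url = "/home";
location.href = url;
eval(window.name);
`;

for (const f of analyze(SAMPLE)) console.log(`line ${f.line}: ${f.kind}  <-  ${f.stmt}`);
```

The interesting design point is the last branch of analyze: because the statement list is walked in program order, the assignment `url = "/home"` removes `url` from the tainted set before the redirect sink is reached, which is what makes the analysis flow-sensitive rather than a grep for sources and sinks appearing in the same file. Adding `if`/`else` branches, loops, or assignments through object properties would require a proper control-flow graph and an alias model, which is exactly the territory the post flags as unfinished.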

Have fun!

Thursday, 29 May 2014

PortSwigger is sponsoring BSides Manchester

PortSwigger Web Security is proud to be a gold sponsor of BSides Manchester. This free security conference is right on our doorstep in the North West of England, so we're very happy to be supporting it.

As the team behind Burp Suite grows, we're always on the look out for great people with a strong web security background. If you're at the event, come and find us and we can talk about how you could help us make Burp even better.

We also have a number of conference tickets to give away to Burp users. If you haven't managed to obtain a ticket to the event, and you (or your employer) are a licensed user of Burp Suite Pro, please email us at office@portswigger.net to claim your ticket - first come first served!
