Burp Suite 2.0 Beta Review

A lot of changes have been made with PortSwigger’s recent release of Burp Suite 2.0! You can see a complete list of all the new goodies by reading the release notes. In this article I’m going to cover just a few key highlights that I think are important. Keep in mind I just upgraded this morning and my experience, analysis and opinion is based on only a couple of hours playing around.

The New Dashboard

Obviously the first thing you’ll likely notice about the interface is a completely new dashboard that you’re welcomed with when you startup a fresh Burp Suite project. Kudos to PortSwigger for making the new dashboard both cosmetically appealing and functionally an improvement over the previous dashboard which was essentially just the Target tab.

The dashboard has three major sections: Tasks, Event log and Issue activity. These components are not only detachable but highly configurable with handy settings buttons intuitively placed in the upper right corner of each pane. I’m definitely in favor of these change and hope it permeates into deeper areas of the application.

The New Crawler

Not long after starting to test an app you’ll notice right away the spider tab has been removed entirely. It has been completely replaced with a brand new crawler which you can read about here. I don’t have much to say about the new crawler in regards to it being better or more accurate then the old spider but I thought the configuration wizard that pops up when you launch a new scan was intuitive and therefore hard to mess up. One thing I did notice was the inability to save a set of credentials to the library for later use. I suppose this is probably a feature to protect insecure storing of credentials. None the less, I found myself disappointed that I had to enter a username/password each time I wanted to launch a credentialed crawl task.

No More Scan Tab

Its hard to miss the bright green buttons at the top of the dashboard which control starting a new vulnerability scan and enabling live scanning of proxy traffic. These buttons simply launch a menu/wizard driven experience to completely replace the scan tab and all of its options. This feels a lot more like Nessus or Acunetix or any other more commercially used automated scan engines. Again I feel this is a positive change as it enhances the intuitive feel of the application and overall user experience.

Also their appeared to be some noticeable improvements in the granularity of scan profile configuration. Maybe these options existed in previous releases and I simply hadn’t made use of them but I thought it was a cool feature. One of the first things I did was simply create a scan profile to exclude all “Informational” checks. This speeds the scan and also greatly reduces the amount of “noise” you find in the results.

In Conclusion

Once you get over the initial shock and awe of the new dashboard view the rest of Burp is still just Burp. That’s a good thing btw! I suspect some people (particularly those who are change averse) will take offense to the new UI and the removal of familiar tabs but I imagine after they spend some time playing around like I had they’ll come to terms with it. I’m excited to see what new features and enhancements come out of this version in future releases.

P.S. earlier this week PortSwigger announced they are building a REST API for Burp Suite. I was most excited to download 2.0 because I assumed it would be included in this version and I desperately want to play with it. Unfortunately I was let down and as far as I can tell the release date for the REST API is still TBD. If anyone has any information on when to expect it please let me know!

EDIT: 8/30/2018 This is completely false! The REST API was there the whole time. Thanks to several people who pointed this out to me!!

Thanks for reading, hack responsibly.