The modern web is an increasingly complex beast. Each passing year brings with it new frameworks, technologies, and design trends - not to mention vulnerabilities. All of this adds to your testing workload. It also makes AppSec daunting to learn for beginners, who lack the benefit of ever having operated in simpler times. With Burp Suite Professional, our aim has always been to help you cut through that complexity - saving you time and making life easier. We're also educating the next generation of pentesters - with free learning in the Web Security Academy, and initiatives like our $99 Burp Suite Certified Practitioner qualification.

How Burp Suite Pro helps you to test the modern web

There are many ways Burp Suite Professional makes life easier for testers when dealing with modern web apps, but here are three major features we've introduced recently:

Testing HTTP/2

It's kind of impossible to talk about Burp Suite's feature set right now without mentioning HTTP/2 testing. HTTP/2's attack surface has barely been audited up until now - due to the complete lack of any suitable tooling - but we're changing all that. We've now added a number of convenient manual HTTP/2 testing features developed with PortSwigger Research. These include the ability to carry out HTTP/2 exclusive attacks we pioneered, which can't be represented using HTTP/1. And of course Burp Scanner now has the ability to carry out these attacks automatically. For more information, check out James Kettle's Black Hat USA 2021 presentation: "HTTP/2: The Sequel is Always Worse".

The rise of single-page applications (SPAs) has gone hand in hand with an increasing reliance on APIs and microservices - which in turn has created swathes of new attack surface. To put this in perspective, Okta recently cited Gartner in predicting that by 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise applications. And of course, since 2019, there's been an OWASP Top 10 just for API vulnerabilities. Burp Scanner has gained the ability to scan for API security vulnerabilities - automatically parsing OpenAPI v3 REST API definitions written in JSON. This can often reveal attack surface that a traditional scanner would miss. API scanning is a feature that will grow in power alongside Burp Scanner's JavaScript scanning functionality, as well as something that will greatly strengthen the scanner itself, as it is further developed.

The introduction of Burp Suite's embedded Chromium browser has been revolutionary for testing workflows - providing a foundation for many new features. Functionality built on the back of the embedded browser includes DOM Invader, authenticated scanning, and JavaScript scanning - and there'll be more to come. On top of this, the embedded browser provides Burp Suite users with a quick and easy out-of-the-box setup. Simply open the embedded browser and begin proxying traffic (including HTTPS) immediately. All of the necessary proxy listener settings are automatically adjusted, and there's no need to manually install a CA certificate.

New and upcoming features in Burp Suite Professional

The features above are only the tip of the iceberg. Version 2.0 brought Burp Suite Professional bang up to date back in 2018 - with a raft of new functionality - but we didn't stop there. A Burp Scanner crawl and audit provides great visibility, and is designed to complement your manual testing workflow. Check out some of the cool new stuff we've introduced, and some other features that will be dropping any day soon:

The crawler - Burp Suite 2.0's crawler was a game changer in testing the modern web when it replaced Burp 1.x's outdated Spider.

API scanning - (as above) Burp Scanner can now automatically parse many API definitions. This can be very helpful when testing microservice-based apps.
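As an added illustration of the API-definition parsing described above (example code written for this page, not PortSwigger's or Burp Scanner's own): a small Python parser that enumerates the operations declared in a constructed OpenAPI v3 JSON document and reports which of them a crawl never reached. The definition, its URLs and the function names are all assumptions.

```python
import json

# Constructed OpenAPI v3 definition (not from the page): the kind of document an
# API scanner parses to seed requests that a link-following crawler would never find.
OPENAPI_JSON = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {"operationId": "getUser"},
            "delete": {"operationId": "deleteUser",
                       "parameters": [{"name": "force", "in": "query",
                                       "schema": {"type": "boolean"}}]},
        },
        "/admin/export": {
            "post": {"operationId": "exportAll",
                     "requestBody": {"content": {"application/json": {
                         "schema": {"type": "object"}}}}},
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def enumerate_operations(spec_text):
    """Return one dict per operation: method, full URL, and its declared inputs."""
    spec = json.loads(spec_text)
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:   # skip "parameters", "summary", etc.
                continue
            params = shared + op.get("parameters", [])
            ops.append({
                "method": method.upper(),
                "url": base + path,
                "path_params": [p["name"] for p in params if p["in"] == "path"],
                "query_params": [p["name"] for p in params if p["in"] == "query"],
                "body_types": sorted(op.get("requestBody", {}).get("content", {})),
            })
    return ops


def uncovered_by_crawl(ops, crawled_urls):
    """Operations whose URL a crawl never visited: the surface a crawler alone misses."""
    return [o for o in ops if o["url"] not in crawled_urls]
```

Running `uncovered_by_crawl(enumerate_operations(OPENAPI_JSON), crawled)` against the set of URLs a crawl actually reached lists the declared endpoints that still need coverage.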