πChangelog
π v3.0.0
π Major New Features
π Multi-Step Scanning
Profiles now support multiple steps, enabling complex attack chains and multi-stage vulnerability testing. Each step can define its own payloads, match rules, and detection logic. Includes cookie reuse across steps for authenticated workflows, per-step request/response viewing in scan results, and path discovery per step.
π§ Global Variables System
New user-managed variable system from the Variables tab. Define and customize variables like {REDIRECT_DOMAIN}, {BC}, {RANDOM}, {CURRENT_URL}, {CURRENT_HOST}, {CURRENT_PORT}, {CURRENT_COOKIES}, {CURRENT_USER_AGENT}, {CURRENT_REFERER}, and more. Custom variables are dynamically replaced in payloads, greps, and raw requests.
β±οΈ Time-Based Detection Engine
New time delay matching logic for detecting timing-based vulnerabilities (e.g., sleep-based SQL injection, blind command injection). Supports three comparison modes: "Between", "Greater than", and "Less than", with configurable thresholds. Fully integrated into multi-step scanning workflows.
π URL Filtering for All Scan Types
Filter URLs popup now appears before Active, Passive, and Smart scanning, giving full control over scope, domains, and file extensions before launching scans.
π― Stop-on-First-Match Optimization
When a payload matches for a given profile and insertion point, remaining payloads for that combination are automatically skipped. Uses AtomicBoolean.compareAndSet() for thread-safe deduplication, reducing redundant issues from 6+ to 1-2 per insertion point.
β‘ Per-Scan Scanner Settings
Thread pool size, concurrency, and requests per second are now configured per scan in the URL Filter popup. Each scan creates its own independent thread pool with the configured number of threads, allowing different scans to run with different performance settings simultaneously. Scanner settings have been removed from the global Options tab.
βΈοΈ Pause & Resume with PausableThreadPoolExecutor
True thread-safe pause/resume using a custom PausableThreadPoolExecutor that uses ReentrantLock and Condition for zero-loss state management. Threads block at safe synchronization points during pause and resume exactly where they left off. Paused time is tracked and excluded from scan duration and timeout calculations.
π·οΈ Tag-Based Passive Scan Launching
Passive scans can now be launched from the right-click context menu with tag-based filtering. The Passive Scan submenu organizes profiles by type (Request/Response) and tag, with profile counts displayed next to each tag. This enables focused passive scanning β run only security header checks, or only secret detection profiles, instead of running all passive profiles.
π Tags Column and Set New Tag for Passive Profiles
All three profile tables (Active, Passive Request, Passive Response) now share the same layout with a Tags column showing assigned tags. The right-click context menu on all tables includes Enable, Disable, and Set New Tag options. Selecting multiple profiles and using Set New Tag tags them all at once.
π₯οΈ New UI Features
πͺ Non-modal Dialogs β All profile, rule, and tag editors are now non-blocking. Edit profiles while interacting with Burp Suite.
π Profile & Rule Duplication β "Duplicate" button on all profile tabs and Rules with automatic naming.
π±οΈ Double-click to Edit β Double-click any profile or rule row to open the editor.
π΄ Payload & Grep Markers β Highlighted in red for better visibility.
π Improved Grep Table β Increased height for better readability.
π Consistent Profile Tables β All three profile tables (Active, Passive Request, Passive Response) now have identical columns (Enabled, Profile Name, Tags, Author's Twitter) and context menus.
β‘ Scanning Efficiency Improvements
βΈοΈ PausableThreadPoolExecutor β Thread pool that supports pause/resume without terminating threads, with precise paused-time tracking.
𧡠Per-scan thread pools β Each scan creates its own independent thread pool with configurable threads, concurrency, and RPS.
π Request rate limiting β Configurable requests per second per scan.
π½ Early filtering pipeline β URL extension, response code, and content-type checks before making HTTP requests.
π Duplicate avoidance β Tracks scanned combinations to prevent re-scanning.
π‘οΈ Redirect loop protection β Maximum 30 redirects per request chain.
β±οΈ Scan timeout detection β Configurable timeout (default 60 minutes) marks scans as Failed. Paused time excluded.
π₯ Queue-based task management for efficient scheduling and idle detection.
π’ Atomic scan ID generation for thread-safe concurrent scan management.
π« Passive scan exclusion list β Automatic filtering of static file extensions.
βοΈ Grep matching optimization β AND/OR logic with short-circuit evaluation.
π Max concurrent scans with graceful 30-minute shutdown timeout.
π·οΈ Tag System Improvements
π Tags column on all profile tables (Active, Passive Request, Passive Response)
βοΈ Set New Tag right-click menu on all three profile tables
ποΈ Tag-based passive scan submenu with profile counts per tag
π¨π© Separate Request/Response tag submenus for focused passive scanning
π€ Alphabetical tag sorting with "All" always at the top
β Duplicate "All" prevention β The "All" tag is no longer duplicated in submenus
π License & Configuration
πͺͺ LicenseSpring Integration β Professional license management.
πΎ Persistent Settings β All configuration persisted across Burp Suite sessions.
π Auto-load BurpBountyData β Automatic profile loading on first launch.
π Dashboard
π Dual-view Dashboard β Per-request log with host, method, path, status, response time, rule/profile name, severity, and confidence. Summary view aggregates by domain.
π‘ Scanner Log β Real-time scan progress with pause/resume/stop controls.
ποΈ Live Passive Scan toggle β Enable/disable automatic passive scanning from the Dashboard.
π¨ UI Polish
β‘ Streamlined Options tab (scanner settings moved to per-scan popup)
βΉοΈ Updated About page
π Improved multi-step configuration layout
Last updated