PortSwigger has added some massive updates to this early adopter release. Out of the many features and bug fixes, I would emphasize three:
1. Burp Scanner can now detect 8 common JWT vulnerabilities (which includes 6 high severity issues)
Burp Scanner can now detect the following common JWT issues:
- JWT signature not verified
- JWT none algorithm supported
- JWT self-signed JWK header supported
- JWT weak HMAC secret
- JWT arbitrary jku header supported
- JWT arbitrary x5u header supported
- JWT private key disclosed
- JSON Web Key Set disclosed
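As an added example (my own code, not part of the Burp release or PortSwigger's scanner), here is a minimal HS256 verifier written from the defender's side that refuses the conditions behind several of the findings above: an unverified signature, the none algorithm, token-supplied jwk/jku/x5u key material, and a short HMAC secret. It uses only the standard library; `make_hs256`, `verdict` and the three constants are helpers assumed for this example.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}                   # explicit allow-list: "none" can never match
UNTRUSTED_HEADERS = {"jwk", "jku", "x5u"}  # key material must never come from the token itself
MIN_SECRET_BYTES = 32                      # HS256 secrets shorter than the hash output are weak

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256(payload: dict, secret: bytes, header: dict = None) -> str:
    """Mint a token; the header argument exists only so bad tokens can be built for testing."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    segs = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(segs)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_jwt(token: str, secret: bytes) -> dict:
    """Return the payload only if every check passes; raise ValueError otherwise."""
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("weak HMAC secret")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # The verifier, not the token, decides the algorithm; this rejects alg=none.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    # Self-signed jwk and arbitrary jku/x5u all mean "trust a key the sender chose".
    if UNTRUSTED_HEADERS.intersection(header):
        raise ValueError("key material supplied by token")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(parts[1]))

def verdict(token: str, secret: bytes) -> str:
    """'ok' when the token verifies, otherwise the reason it was rejected."""
    try:
        verify_jwt(token, secret)
        return "ok"
    except ValueError as exc:
        return str(exc)
```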
2. Burp Extender estimates the system impact of individual extensions and the overall impact of all enabled extensions.
“Burp Suite is slow” and “Burp uses a lot of CPU/RAM” are common complaints on social media. Such a statement says nothing about the system configuration, the number of Burp extensions enabled, and so on. With this amazing feature, one can get the answer to the question: “Is Burp slow because of the installed extensions?”
Next time someone says that Burp Suite is slow, tell them to check the overall estimated system impact to make sure the slowness is not caused by extensions. 😉