The first broad area of new functionality in Burp v1.4 is various features to help test access controls. Fully automated tools generally do a terrible job of finding access control vulnerabilities, because they do not understand the meaning or context of the functionality that is being tested. For example, an application might contain two search functions – one that returns extracts from recent news articles, and another that returns sensitive details about registered users. These functions might be syntactically identical – what matters when evaluating them is the purpose of each function and the nature of the information involved. These factors are way beyond the wit of today’s automated tools.
They promised more blogging on the topic, I really am curious to see what next Burp features have been implemented !
