PortSwigger Burp Suite Professional Reviews

I used this solution while working with a bank, and while it wasn't much of a DevSecOps tool, it was a good tool for penetration testing.

It is a good manual penetration tool. It was easy to learn.

If your application uses multi-factor authentication, registration management cannot be automated. There are also some session management issues we have found if we want to integrate it into the pipeline. There were also some authentication-related issues we found at the time. These issues were more specific to the enterprise edition. I have worked on a paid version of the standalone solution, which is best for manual penetration testing.

I rate Burp Suite's stability a ten out of ten.

I rate Burp Suite's scalability a seven out of ten. We wanted to have more scalability in my last company, where we wanted the enterprise edition, but there were some challenges we faced. We couldn't find a solution to the problem statements for most of our business use cases back then. We then dropped the idea of using Burp Suite Enterprise and opted for a standard one for manual penetration testing.

There were ten users in my unit working with Burp Suite.

Support-wise, the solution was also very good. Across the globe, all the manual penetration testers use Burp Suite. If we had any questions, we received good support from GitLab and other forums.

Whenever we raised any query, such as if we wanted to file an invoice for reimbursement at the organization level, the support was good at the nontechnical and technical levels.

Positive

The initial setup is easy, not only in the office, since I'm working on my laptop now with the community edition. The configuration is pretty straightforward.

Burp Suite is affordable. Admins can purchase the tool, which is affordable enough that college students can purchase it if they want to learn it.

The solution is not a good candidate for a DevSecOps tool.

I recommend this solution for manual penetration testers. It is the best tool with the best support. PortSwigger has added plugins to efficiently catch bugs, for example, HTTP request smuggling. There are a lot of plugins, such as how to hide the JWT token. These plugins minimize the effort required by manual penetration testers so they can find bugs quickly with the help of these plugins. They have good support if anybody wants to learn how to use and install plugins. There is a lot of documentation available online.

I rate PortSwigger Burp Suite Professional an eight out of ten.

We use PortSwigger Burp Suite Professional for security. I'm a security tester and I need it for my daily activities, I require it.

PortSwigger Burp Suite Professional has improved the organization by providing the security standards of the applications across the organization.

We can test the weakness or loopholes in the application an attacker can use. We have an internal team that conducts the pen-testing from a hacker's point of view and try to close the issue before it is opened to the internet.

The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools.

PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try.

I have been using PortSwigger Burp Suite Professional for approximately two years.

The reliability of PortSwigger Burp Suite Professional is good. It doesn't hang very much, and it doesn't get stuck anywhere, it is reliable.

PortSwigger Burp Suite Professional is scalable. You can add in-scope items, and remove any items that are not on the scope.

We have approximately 30 people using the solution in my organization. We have managers, consultants, and senior consultants using it. If our testers increase the number of users will increase and then we will increase our usage of this solution.

I have not needed to use the support from PortSwigger Burp Suite Professional.

I was previously using OWASP Zap.

The initial setup of PortSwigger Burp Suite Professional was simple. It can be done in approximately three minutes.

I rate the initial setup of PortSwigger Burp Suite Professional a five out of five.

I did the implementation of PortSwigger Burp Suite Professional myself.

If there is a software update it is fairly simple to upgrade. There is a lot of reference material online. 

There are multiple versions available of PortSwigger Burp Suite, such as enterprise, commercial, professional, and beginners.

My company has paid for the license for the solution. The price of the solution could be less expensive.

This is one of the best solutions in the market. I would advise others to try this solution out.

I rate PortSwigger Burp Suite Professional a nine out of ten.

I am a penetration tester working for a private organization. I evaluate the security of applications companies develop. I check for security vulnerabilities in web applications, Android and iOS devices, and thick and thin clients using Burp Suite. I use it to prevent applications from being hacked by outsiders.

Burp Suite has been very useful in reducing the time needed for testing applications. Without using Burp Suite, testing could extend up to ten days or more. It provides a flexible way to evaluate vulnerabilities and mistakes developers make while developing applications.

Burp Suite is valuable since it provides automated scan facilities, including authenticated and unauthenticated scanning. It offers flexibility, macros, and features to reduce the effort required for authenticated sessions. It also makes it easy to find blind SQL injection and OOB attacks.

Integration is a big problem. Currently, it's more challenging to integrate Burp Suite into the CI/CD pipeline compared to SAP (which is open source with many plugins available). More technical knowledge is required for integration.

I have nearly more than five years of experience with Burp Suite.

I would rate stability an eight out of ten.

I am 100% confident in Burp Suite, so I would rate its scalability a ten out of ten.

Whenever we email, they respond back on time. The support is brilliant.

Positive

The setup is simple. You need Java JDK support of 11 or more and sufficient memory and space.

I would rate the pricing a six out of ten. It's not as flexible here as it might be in European or American markets.

SAP is a good alternative as a free version.

Burp Suite has started a certification called Burp Suite Certified Professional (BSCP) that I recommend to pursue as it provides good documentation.

I'd rate the solution nine out of ten.

We are an IT organization. We use the solution for the security testing of applications. It helps us identify vulnerabilities in the applications.

The product has a good learning hub. It is good for beginners who want to learn security testing. The scan reports are good. They cover most things. The reports give details about the issues and suggest solutions. It's really useful for web applications. I use Intruder for brute-force attacks.

The product has a new API feature. It provides the scan report for APIs similar to the scan report we receive when we use web URLs. The vendor must provide documentation on how to use the new API feature. I did not find any guide on how to use the feature.

I have used the solution for two years.

I rate the product’s stability seven out of ten.

The product has limitations for mobile app security testing. We are unable to perform mobile app testing for Android and iOS.

I faced some login issues and contacted the support team, but the team could not provide a solution. I found the solution in the documentation.

Neutral

The tool is easy to install. All the steps are given in the documentation. The installation takes less than 10 to 15 minutes.

PortSwigger Burp Suite Professional is expensive compared to other tools. There are open-source tools available in the market. The cost of one PortSwigger license is expensive.

I have recommended the paid version of the tool in my current organization. Integrations with other tools are moderately easy.

Overall, I rate the product a seven out of ten.

We use the solution for scanning and manual penetration testing. We have a verification and security assessment as a dynamic security assessment for manual application testing.

The solution helps to automate API security assessments. It incorporates features of both black hat and red team engagements. We streamline bug bounty hunts. It helps in API testing, where manual intervention was previously necessary for each payload. With the new deck feature, Burp Suite enables automation accessible in the external tab. This feature allows testers to select specific targets, such as login or registration pages, and apply different attack vectors. It enhances efficiency, saving time and resources, which is beneficial when dealing with larger-scale web applications or numerous APIs.

Manual assessment in the tool is great.

Scanning needs to be improved in enterprise and professional versions. The enterprise version has challenges related to scheduled scans. If a scan fails after two days without notification during offline periods, that time is lost. Sometimes, it took up to 24 hours to realize that certain tests had failed for various reasons. There's significant room for improvement in automating scans.

I have been using PortSwigger Burp Suite Professional for more than 10 years.

The product is a good tool for application assessment.

I rate the solution’s stability an eight-point five out of ten.

The automation features in Burp Suite For vulnerability assessment and penetration testing may not be as extensive as other tools like NetSparker. Other tools may offer more comprehensive capabilities, especially in areas such as source code. Features like capture and OTP testing might be more robustly supported in other tools. There may be limitations in automation with Burp Suite Professional. NetSparker could be more suitable for tasks like two-factor authentication testing.

Four to five are using this solution.

The professional version is not very scalable, whereas the enterprise version is scalable. I can run multiple scans.

Technical support is good.

Positive

We have used Netsparker and WebInspect. WebInspect is very difficult to operate.

The initial setup takes more than a week. The professional version is a plug-and-play.

There is a Java package that you can easily use without installing it.

The product is cheap compared to other products.

I rate the product’s pricing a seven out of ten, where one is expensive and ten is cheap.

We have an infrastructure and DevOps team of eight to ten people for solution maintenance.

Reporting is good and very light. The response is fine.

I recommend the solution for dynamic assessment.

Overall, I rate the solution a nine out of ten.

We use the solution for scanning. It also has a repeater function to replay a request. I'm using it for brute forcing and future scheduling.

We have a quick firewall before PortSwigger Burp Suite Professional to test for SQL injection. Suppose the firewall is blocking some special characters. In that case, we can use Intruder to quickly identify which special character is blocked and which characters are enabled by feeding Intruder with a list of all possible special characters. We can also use Intruder to clock the use of some tools like Secure Map. We can feed Intruder with a list of SQL injection or XSS payloads and test the vulnerability directly. The scanner is handy in identifying vulnerabilities. SSTI vulnerabilities are within Burp Suite. It is a time saver and useful tool for most cybersecurity consultants and penetration tests.

PortSwigger is a time-saver application. It has a webscanner feature. The regional agencies can help a lot in identifying potential vulnerabilities.

You can have many false positives in Burp Suite. It depends on the scale of the penetration testing. If you have experience, you can quickly determine the false positive.

PortSwigger Burp Suite Professional lacks an authentication feature for handling certain applications. For example, consider applications that utilize authentication, where tokens typically expire after one hour. Burp does not automatically handle reauthentication in such scenarios. While it does offer a feature to set rules for automatically renewing authentication, it's specific to particular applications. However, the process for applications with token-based authentication has become more complicated. When running a web scanner, authentication may fail due to expired tokens after one hour, rendering the scanner unable to authenticate with the application. 

I have been using PortSwigger Burp Suite Professional for 7 years.

All resources on PortSwigger are online, whether on their website or forums. Whenever we encountered any issue, we contacted their support directly via email. They are pretty quick to respond and provide good assistance.

Positive

We trust Burp Suite to identify vulnerabilities in the application with pretty good accuracy.

The solution is worth the money.

You can enhance web features with Burp Suite because it works well with many plugins. There is a large community around it that develops custom plugins. You can integrate these plugins into your app to quickly identify various vulnerabilities. There are both free and paid plugins available. We build apps exclusively with Burp Suite Professional. There are many tools available to assist with vulnerability management. You can download and export Burp Scanner output and load it into a vulnerability management tool. This allows developers to track vulnerabilities and manage the process of correcting them, providing status updates to management.

Overall, I rate the solution a ten out of ten.

The solution has improved the organisation as it helps with scanning and doing the reports for the developers. The solution also helps with communicating the everyday issues and delivering high security and web applications to the customers.

The intercepting feature is the most valuable.

Mitigating the issues and low confluence issues needs some improvement. Implementing demand with the ChatGPT under the web solution is an additional feature I would like to see in the next release.

The solution is used for scanning and doing reports for the developers.

It is a stable solution.

It is a scalable solution. Ten specialists are working with Burp Suite Professional currently. We plan to increase the usage in the future. I rate the scalability an eight out of ten.

The solution is implemented through a third-party team.

Positive

I have used Nessus, previously. Nessus helped with only OS and analysis but Burp Suite helps with application scanning, detecting vulnerabilities and expertisation.

The initial setup is easy. The deployment is done under a professional, and it takes one hour to be deployed. We have to add our information to get our code directly into the box and then we scan their applications. A single person is required for the deployment. I rate the initial setup a ten out of ten.

The solution is implemented through a third-party team.

The pricing of the solution is reasonable. We only need to pay for the annual subscription. I rate the pricing five out of ten.

All the security issues and the integration of the vulnerabilities will happen automatically and manually in the website. So the solution will be very helpful for the website. I rate the overall solution a nine out of ten.

We use the solution to do VAPT. 

I am impressed with the tool's detailed analysis for penetration testing. AppScan can give only visibility, but it can't do the PT part. But the PortSwigger Burp Application can do both, and it gives much more visibility on the PT rating.

I need the solution to be more user-friendly. The solution needs to be user-friendly.

I have been using the solution for three years.

It is a stable solution. I rate the stability an eight out of ten.

It is a scalable solution but needs to be more user-friendly. I rate the scalability an eight out of ten.

The initial setup was easy. The deployment takes around a week.

I rate the setup an eight out of ten.

I rate the pricing a four out of ten.

I rate the solution an eight out of ten overall.