PortSwigger Burp Suite Professional Reviews

We use the solution for security assessments. It's a special tool for penetration testers or security specialists.

PortSwigger Burp Suite Professional is a standard tool in the security industry. It's a stable solution that has many features. You can download different plugins if you don't have them in the standard edition. You can also write your own plugins if you know how to do it.

The solution’s pricing could be improved.

I have been using PortSwigger Burp Suite Professional for more than five years.

PortSwigger Burp Suite Professional is quite a stable solution, and I don't remember it crashing too much.

I rate the solution an eight or nine out of ten for stability.

PortSwigger Burp Suite Professional is not a cloud solution. Since you have to download it to every machine you use, it's not scalable at all. Around seven users use the solution in our organization.

We have previously used a free, open-source solution called OWASP ZAP. Since PortSwigger Burp Suite Professional is the standard in the industry, it's much better than OWASP ZAP.

The solution's initial setup is straightforward. You just have to download, install, and use it.

You have to download the solution from the internet. You can download the free version or the community edition. If you have a license, then you can download the professional version, install it, enter your license, and then use it. It takes around one minute to deploy the solution.

PortSwigger Burp Suite Professional is totally worth it.

We pay a yearly licensing fee for the solution, which is neither cheap nor expensive.

PortSwigger Burp Suite Professional is a great product for people who need security features.

Overall, I rate PortSwigger Burp Suite Professional ten out of ten.

The Repeater and the BApp extensions are particularly useful. Certain extensions, such as the Active Scan extensions and the Autoracer extension, are very good. 

The crawling functionality has improved, but I would say that in the past, the spider mechanism was more efficient than the current crawling method. 

Generally, I don't rely solely on the Burp Scanner, but I utilize BApp extensions to achieve better results than the standard scanner. Mostly, I always rely on external extensions, specifically those that provide better results.

I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version. 

The crawling techniques used in the current version are not as efficient as those used in earlier versions.

We have been using it for seven to eight years now. We have Burp Suite Professional and Burp Suite Enterprise Edition listed in our database.

We use the latest 2023 version. 

I would rate the stability an eight out of ten. If people know how to perfectly use it, it is a stable solution. For freshers, it is tough. 

I would rate the scalability a six out of ten. The primary reason is the high number of false positives compared to actual positives. 

Additionally, understanding the scan configuration can be challenging for newcomers. While experienced users can effectively scale their scanning techniques, those with limited experience may find it difficult to understand the process and identify the root causes of errors. 

Moreover, configuring proxy settings can be complex, leading to difficulties for some users. Overall, there are significant areas for improvement in terms of scalability, particularly in enhancing user understanding and reducing false positives. However, compared to other application security tools, Burp Suite still performs well.

There are around three end users using this solution in our company.

I haven't had the opportunity to interact with their technical team directly. However, the blogs are very informative and provide a wealth of solutions. In most cases, I've been able to resolve issues myself based on the information provided in their documentation. 

For the documentation or web security resources, I would rate it seven out of ten. Burp Suite effectively addresses user concerns and provides clear explanations. The technical blogs are also well-written and address concerns.

I have experience with Burp Suite Professional and Zap Framework. I've used them for a variety of application security testing tasks, including vulnerability scanning, penetration testing, and threat modeling.

I haven't had the need to explore other tools. I've been using Burp Suite since the beginning of my career, and it has consistently met my requirements. I've used other tools in lab settings, but Burp Suite remains my preference.

I would rate my experience with the initial setup of Burp Suite Professional an eight out of ten, with one being difficult and ten being easy.

The deployment was quite quick, only about ten minutes. It requires minimal staff. Anyone can install it on their own requiring administrator privileges. It can be installed on any system and with any version. 

However, the only caveat is that we need to obtain the license from the procurement team. So, it's easy to set up.

I would rate the pricing a one out of ten, with one being cheap and ten being expensive. The pricing is very reasonable and minimal.

First and foremost, I would suggest others thoroughly understand the fundamentals of Burp Suite and how to utilize its extensions effectively. 

Additionally, I would recommend learning about proxy settings and various authentication mechanisms. 

Lastly, I would emphasize the importance of carefully reviewing and configuring scan configurations to minimize false positives and ensure optimal scan performance.

Considering its capabilities and performance compared to other tools, I would give Burp Suite Professional an eight out of ten. 

I used this solution while working with a bank, and while it wasn't much of a DevSecOps tool, it was a good tool for penetration testing.

It is a good manual penetration tool. It was easy to learn.

If your application uses multi-factor authentication, registration management cannot be automated. There are also some session management issues we have found if we want to integrate it into the pipeline. There were also some authentication-related issues we found at the time. These issues were more specific to the enterprise edition. I have worked on a paid version of the standalone solution, which is best for manual penetration testing.

I rate Burp Suite's stability a ten out of ten.

I rate Burp Suite's scalability a seven out of ten. We wanted to have more scalability in my last company, where we wanted the enterprise edition, but there were some challenges we faced. We couldn't find a solution to the problem statements for most of our business use cases back then. We then dropped the idea of using Burp Suite Enterprise and opted for a standard one for manual penetration testing.

There were ten users in my unit working with Burp Suite.

Support-wise, the solution was also very good. Across the globe, all the manual penetration testers use Burp Suite. If we had any questions, we received good support from GitLab and other forums.

Whenever we raised any query, such as if we wanted to file an invoice for reimbursement at the organization level, the support was good at the nontechnical and technical levels.

Positive

The initial setup is easy, not only in the office, since I'm working on my laptop now with the community edition. The configuration is pretty straightforward.

Burp Suite is affordable. Admins can purchase the tool, which is affordable enough that college students can purchase it if they want to learn it.

The solution is not a good candidate for a DevSecOps tool.

I recommend this solution for manual penetration testers. It is the best tool with the best support. PortSwigger has added plugins to efficiently catch bugs, for example, HTTP request smuggling. There are a lot of plugins, such as how to hide the JWT token. These plugins minimize the effort required by manual penetration testers so they can find bugs quickly with the help of these plugins. They have good support if anybody wants to learn how to use and install plugins. There is a lot of documentation available online.

I rate PortSwigger Burp Suite Professional an eight out of ten.

We use it for application security testing purposes. We scan our solutions and then look for issues in them. Upon finding the issues, we send them to the development team who fixes them. However, we use Burp Suite only for a specific client, hence we only have one license and limited use.

The solution is quite helpful for session management and configuration. 

In the Professional version, we cannot link it with the CI/CD process. This feature is included in the enterprise version. Also, it doesn’t have a dashboard to preview the number of issues that were found. A dashboard showing previous issues and their status will be better. These all are enterprise features which are extremely expensive.

I have been using Burp Suite for two years.

It is a stable product. 

It is a scalable solution. We currently have only one to two people using Burp Suite for specific clients.

The customer support is good, however, I haven’t used other tools. It is difficult to compare it and other solutions might provide better support.

I personally don’t use a lot of tools except AWS for general clients.

Burp Suite is easy to set up and takes only five to ten minutes. The installation can be done by one person only. The maintenance isn’t very hard to do.

It is a cheap solution, but it may not be cheaper than other solutions.

I would advise others to also try other tools. As I have only used Burp Suite as an application security solution, I cannot comment on other tools. However, between JAP and Burp Suite, I would surely recommend Burp Suite. Overall, I would rate it an eight out of ten.

We are the resellers and not the customers. Usually, our customers use the solution's vulnerability scanner to check problems with their websites and web applications. While I cannot disclose specific customer names due to our NDA agreements, they normally use the solution to address issues with their web services.

The solution has a limited range of functions, which is good for small companies. This is because, in small companies, websites are less complex. They also have single services which makes the solution good enough for them. However, the most advantageous aspect of the solution is its affordable price.

The Iran market does not have after-sales support. PortSwigger Burp Suite Professional needs to provide after-sales support.

We have been working with the solution for about three years.

The tool is stable. We haven’t received any complaints so far.

I rate the scalability of the solution as six out of ten.

Nessus is a more expensive solution than Burp Suite, which offers a broader range of services, including network and website scanning features. You can’t compare them.

The initial setup was easy. One doesn't need much knowledge to operate it. The solution can be deployed within ten minutes. 

The pricing of the solution is cost-effective and is best suited for small and medium-sized businesses.

I recommend the solution for small and medium-sized businesses. It’s not suited for large enterprises. Everything depends on the cost. A customer with a high budget should go for solutions like Nessus. However, a more cost-effective solution like Burp Suite is recommended if they have a limited budget. My final recommendation is to use the solution that suits your needs. Overall, I rate the solution a five out of ten.

Positive

I am a penetration tester working for a private organization. I evaluate the security of applications companies develop. I check for security vulnerabilities in web applications, Android and iOS devices, and thick and thin clients using Burp Suite. I use it to prevent applications from being hacked by outsiders.

Burp Suite has been very useful in reducing the time needed for testing applications. Without using Burp Suite, testing could extend up to ten days or more. It provides a flexible way to evaluate vulnerabilities and mistakes developers make while developing applications.

Burp Suite is valuable since it provides automated scan facilities, including authenticated and unauthenticated scanning. It offers flexibility, macros, and features to reduce the effort required for authenticated sessions. It also makes it easy to find blind SQL injection and OOB attacks.

Integration is a big problem. Currently, it's more challenging to integrate Burp Suite into the CI/CD pipeline compared to SAP (which is open source with many plugins available). More technical knowledge is required for integration.

I have nearly more than five years of experience with Burp Suite.

I would rate stability an eight out of ten.

I am 100% confident in Burp Suite, so I would rate its scalability a ten out of ten.

Whenever we email, they respond back on time. The support is brilliant.

Positive

The setup is simple. You need Java JDK support of 11 or more and sufficient memory and space.

I would rate the pricing a six out of ten. It's not as flexible here as it might be in European or American markets.

SAP is a good alternative as a free version.

Burp Suite has started a certification called Burp Suite Certified Professional (BSCP) that I recommend to pursue as it provides good documentation.

I'd rate the solution nine out of ten.

We are an IT organization. We use the solution for the security testing of applications. It helps us identify vulnerabilities in the applications.

The product has a good learning hub. It is good for beginners who want to learn security testing. The scan reports are good. They cover most things. The reports give details about the issues and suggest solutions. It's really useful for web applications. I use Intruder for brute-force attacks.

The product has a new API feature. It provides the scan report for APIs similar to the scan report we receive when we use web URLs. The vendor must provide documentation on how to use the new API feature. I did not find any guide on how to use the feature.

I have used the solution for two years.

I rate the product’s stability seven out of ten.

The product has limitations for mobile app security testing. We are unable to perform mobile app testing for Android and iOS.

I faced some login issues and contacted the support team, but the team could not provide a solution. I found the solution in the documentation.

Neutral

The tool is easy to install. All the steps are given in the documentation. The installation takes less than 10 to 15 minutes.

PortSwigger Burp Suite Professional is expensive compared to other tools. There are open-source tools available in the market. The cost of one PortSwigger license is expensive.

I have recommended the paid version of the tool in my current organization. Integrations with other tools are moderately easy.

Overall, I rate the product a seven out of ten.