Chief Info Sec Engineer at Sri Lanka CERT
Real User
An easy to install solution for vulnerability assessment
Pros and Cons
  • "We use the solution for vulnerability assessment in respect of the application and the sites."
  • "We wish that the Spider feature would appear in the same shape that it does in previous versions."

What is our primary use case?

We are using the latest version and are in the process of upgrading it. 

What is most valuable?

We use the solution for vulnerability assessment in respect of the application and the sites. We use the Intruder part, which is essentially the Proxy part, to check whether any brute-force attacks can be undertaken. 

What needs improvement?

We wish that the Spider feature would appear in the same shape that it does in previous versions. 

I believe we have developmental tools such as Accuratix. It would be nice if the report that was accepted upon scanning would highlight all the weaknesses from the perspective of my application. 

For how long have I used the solution?

We have been using PortSwigger Burp Suite Professional for the last three years.

Buyer's Guide
PortSwigger Burp Suite Professional
April 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
769,334 professionals have used our research since 2012.

What do I think about the stability of the solution?

We have had no issues with the stability. 

What do I think about the scalability of the solution?

As we only have a couple of licenses, we have not encountered any issues concerning the scalability. 

How are customer service and support?

The technical support is all right. 

That said, we have requested support on a couple of occasions, specifically one concerning training relating to the new features and add-ons coming onto the application, and this is still outstanding. 

How was the initial setup?

The initial setup is not very complex. Rather, it is easy and straightforward. 

What's my experience with pricing, setup cost, and licensing?

For a country such as Sri Lanka, the pricing is not reasonable. 

What other advice do I have?

There are around 10 people using the solution in our organization.

I don't have any advice off the cuff. When it comes to the web crawling features, it does not need to be in the same shape as before, but it would be nice if it allowed us to index associated things in the manner that we did so in the past. 

I rate PortSwigger Burp Suite Professional as a nine out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Penetration Tester at a tech services company with 1,001-5,000 employees
Real User
Good interface, feature-rich, and consistently being updated
Pros and Cons
  • "With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp."
  • "There is not much automation in the tool."

What is our primary use case?

I am a penetration tester at my company and PortSwigger Burp is one of the products that I use in this capacity. It is a manual penetration testing tool.

What is most valuable?

There are a lot of good features and the most valuable one varies depending on what test you are performing. They are also consistently improving and releasing new features.

Two of the most valuable features are the Extender Tab and Repeater.

With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp. It's not limited to their features because we can always add or do some customization of the features.

Even if you don't know how to code, there are hundreds of third-party plugins that are available to extend the features of the product. Some of them are open-source and there are some that are provided by Burp.

The user interface is good, having been changed within the past two years.

What needs improvement?

There is not much automation in the tool.

For how long have I used the solution?

I have been using Burp Suite for between four and five years.

What do I think about the stability of the solution?

This is a very stable product. The tool is 15 years old and very mature.

What do I think about the scalability of the solution?

Scalability is not an issue because it is not centrally connected. Rather, it is a per-license, user-based tool. We have more than 20 users in the company.

How are customer service and technical support?

The documentation is very good, so I have never needed to contact technical support.

How was the initial setup?

The initial setup is very straightforward and simple.

What about the implementation team?

No staff is required for maintenance.

What's my experience with pricing, setup cost, and licensing?

At $400 or $500 per license paid annually, it is a very cheap tool.

Which other solutions did I evaluate?

In comparing features, there is no real competition for this solution. There are a couple of open-source products, but there is no real competitor for the Burp Suite.

What other advice do I have?

This is a standard tool in this industry and anybody who is doing application security testing should be aware of it. My advice for anybody who is considering it is that it is very easy to install and configure, and there is lots of documentation available.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Manager at a manufacturing company with 10,001+ employees
Real User
Scans any number of apps, database updates automatically; issues with high volume of scanning
Pros and Cons
  • "You can scan any number of applications and it updates its database."
  • "If we're running a huge number of scans regularly, it slows down the tool."

What is our primary use case?

There are three versions and we are using all three: Community, Professional and Enterprise. We use the Community and Professional versions on premises and the Enterprise version is on cloud. I'm an IT Manager. 

What is most valuable?

Burp has several good features; it's cheaper than other solutions and you can scan any number of applications and it updates its database. With the professional version, it creates a lot of applications which you can incorporate with your scanning and enable deep diving in the specific section. 

What needs improvement?

We've faced lots of challenges, including slowing down of the tool, and a lot of error messages, sometimes because of the interface. If we're running a huge number of scans regularly, I think that also slows down the tool so I'm not sure if it is good for lots of scans. I hope they will work on the amount of scans they can handle. There have been improvements in the interface and the reporting structure, but they need to do more. They have a long way to go. For now, if we use the interface directly, we need to use an integration with our web application. We're after value for money. 

For how long have I used the solution?

I've been using this solution for about 18 months. 

What do I think about the stability of the solution?

Stability depends upon the amount of scans you are running. Sometimes there are problems with the stability and it could be improved. 

What do I think about the scalability of the solution?

Scalability depends upon which of the Burp versions you're using. If you're using Pro, it's not scalable because it's dedicated to one person. But when it comes to Enterprise, yes, it is scalable; it's easy. 

How are customer service and technical support?

Support depends on how much you're paying. We get good support from them which we need because there are lots of issues occurring frequently. The pro version has less problems but it only takes one scan at a time, so it's good but restricting. The technical support is trying to solve the issues of stability we are having right now.

What other advice do I have?

I would recommend this solution depending on the requirements of the company. 

I would rate this solution a seven out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Manager at a manufacturing company with 10,001+ employees
Real User
A very user-friendly solution with good technical support, but it needs more advanced reporting.
Pros and Cons
  • "The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately."
  • "The biggest drawback is reporting. It's not so good. I can download them, but they're not so informative."

What is our primary use case?

We use the solution for scanning our in-house external facing website.

How has it helped my organization?

It provides users direct access to scan their websites and find vulnerabilities at a good price. Burp is one of the most extensively used tools in our organization for other security-based investigations. We are trying to mitigate risk using the vulnerabilities identified by Burp.

What is most valuable?

The solution is very user-friendly.

The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately. 

What needs improvement?

The biggest drawback is reporting. It's not so good. I can download reports, but they're not so informative. 

For example, they are providing very good information about vulnerabilities, but when you are scanning the whole pathway, we want to see information like percentages, how much is finishing, and how much it is not, etc. If the scan fails, they should tell us when or how it stopped, if it failed, why it has failed, and how to avoid something like this from happening again. They need something more in-depth and more technical. 

I would like to have some more features, which I can play around with. It's not so flexible.

For how long have I used the solution?

I've been using the solution for more than 1 year.

What do I think about the stability of the solution?

The solution sometimes has stability problems when they have fixed or released some new package. Instability has happened to us two or three times. It was difficult because we had to implement this disaster recovery plan at that point in time. It wasn't a disaster, but the whole system does stop because of that.

What do I think about the scalability of the solution?

It is easily scalable when it comes to the Enterprise version, but the Enterprise version itself is not as effective as Pro.

How are customer service and technical support?

The technical support team is very good. They are quick at responding and they help us to resolve issues within the organization.

In the past, we had issues around connectivity while we were doing some scanning. The scanning kept getting killed somehow. The quality of the job was poor. The scan was not completed successfully, so we needed technical support to assist. It was hard to identify what the issue was and how to fix it, but they did.

How was the initial setup?

The installation is not difficult. We only needed one person to handle the implementation. Setting up the agents may be tricky, but if a person is knowledgeable, it shouldn't be an issue.

What about the implementation team?

An in-house one.

Which other solutions did I evaluate?

When we had an issue with scanning, we did look into exploring other options like OWASP ZAP, Acunetix, etc. We stayed with Burp because we had it set up in our system, and then they had our scanning issue fixed.

What other advice do I have?

We use the on-premises deployment model.

I would rate the solution seven out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Founder and Director at a financial services firm with 1-10 employees
Real User
Great reporting with good crawling capability and offers a simple setup
Pros and Cons
  • "The solution has a pretty simple setup."
  • "The pricing of the solution is quite high."

What is our primary use case?

We primarily use the solution for security testing - specifically for web-application security. 

What is most valuable?

The crawling capability is excellent.

The product has very good reporting capabilities. They give you multiple reporting options.

The solution has a variety of different extensions that you can use.

The solution has a pretty simple setup.

What needs improvement?

The pricing of the solution is quite high. It would be ideal for the customers if they could lower the costs involved in their subscription.

We have new tools in R language programming platforms that are coming up. The solution needs to ensure it's compatible with that language.

For how long have I used the solution?

I've been using the solution for about two years at this point.

What do I think about the stability of the solution?

We use this solution every day. I don't have any issues with the solution. There aren't bugs or glitches. It doesn't crash or freeze. It's reliable.

What do I think about the scalability of the solution?

I'm a consultant. I tend to use the tool for my clients. I only have one license on my computer. I don't need to scale the product.

The solution is scalable, however. There's a different version for that aspect. You have Community, Professional, and Enterprise editions. Each has different capabilities.

How are customer service and technical support?

The solution offers good support services. There's also the product team that can assist. Overall, I've been happy with the level of service I've received.

Which solution did I use previously and why did I switch?

I've worked with other solutions, such as Acunetix. As a consultant, I always have two to three tools for running and validating for testing. There is no plus or minus to each tool, really. The process itself would be more like using multiple tools to find out whether it appears in all the tools or not.

How was the initial setup?

The initial setup is not overly complex. It's easy and straightforward. A company shouldn't have any issues with the implementation process.

The deployment takes a maximum of an hour, actually. If you have to configure some prerequisites, it is one hour tops. There are advanced setups, however, how advanced the implementation depends on the client environment. If a company has an advanced setup, it could take some time. 

Ultimately, the solution is installed directly onto my laptop.

The maintenance process is pretty minimal. The yearly subscription keeps everything updated. They will notify you if there is an upgrade that needs to be addressed.

What's my experience with pricing, setup cost, and licensing?

The pricing of the solution is quite high. Costs are based on their subscription model. The pricing affects whether a client will engage with me and the solution or not. It could be a deal-breaker. Budgets are often tight.

What other advice do I have?

The solution has an annual subscription model, and therefore you'll have to keep updating the new version. It's part of the package. They release a new version and that is covered under your subscription.

I'm a consultant. I buy tools from multiple vendors. I provide development assessment services for my clients.

This is one more product in the suite of tools or applications, which are used for testing. Anyone at any sized company could use this solution.

I'd recommend this solution. It's one more tool to have in your bag.

I would rate the solution at a ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Consultant
PeerSpot user
Security consultant at a manufacturing company with 10,001+ employees
Real User
The active scanner provides a very accurate security audit
Pros and Cons
  • "The active scanner, which does an automated search of any web vulnerabilities."
  • "As with most automated security tools, too many false positives."

What is our primary use case?

The primary use case is generally for security compliance on web applications. We provide services to our customers with Burp both on-prem and in the cloud. I'm a solutions consultant and we are customers of PortSwigger Burp. 

What is most valuable?

Their flagship feature would be the active scanner, which carries out an automated lookup of any web vulnerabilities, mapping over to one of the main compliance standards, like OWASP. This provides an accurate security audit for their web applications.

What needs improvement?

One downside of the solution would be their false positive checks. As with most automated security tools, there is still a high false positive issue. Hopefully they will be able to improve on that in the future. It would also be helpful if the solution had the capability of handling larger reports. Another area of improvement would be to have a customizable dashboard. It's currently restricted now to their own interface. If you want to utilize the other features available in their API documentation, then you have to write some code yourself. It would be great if their interface could be somewhat customizable.

For how long have I used the solution?

I've been using this solution for two years. 

What do I think about the stability of the solution?

The stability of the solution is generally fine.

What do I think about the scalability of the solution?

The solution is easily scalable, depending on licensing of course. For example, on the cloud set up, you can easily scale the agents and such. But in terms of bandwidth, maybe when it comes to their reporting feature, there are some limitations with the detail that can be downloaded from the report. I've found that the system can crash if you try to download a report with many details.

How was the initial setup?

In my opinion the initial setup is pretty straightforward. The workflow is easy to understand and they have a lot of documentation on how to perform many of the key tasks.

What's my experience with pricing, setup cost, and licensing?

I believe the price is good where it's at right now. They have a very competitive price point although recently they've been incrementally increasing in price. It's still competitive. 

What other advice do I have?

I would definitely recommend PortSwigger as a primary tool for auditing any open vulnerabilities of anything related to web applications. 

I would rate this product an eight out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Director at a consultancy with 10,001+ employees
Real User
Offers good application security features and is reasonably priced
Pros and Cons
  • "The most valuable feature is the application security. It also has a reasonable price."
  • "The Burp Collaborator needs improvement. There also needs to be improved integration."

What is most valuable?

The most valuable feature is the application security. It also has a reasonable price. 

It has an end product and a repeater. Other solutions don't offer options like these. 

What needs improvement?

The Burp Collaborator needs improvement. There also needs to be improved integration. 

For how long have I used the solution?

I have been using PortSwigger Burp for the past six years. 

What do I think about the stability of the solution?

It's not so stable. Some of the security aspects aren't so stable. 

What do I think about the scalability of the solution?

Burp is scalable. 

We have around 150 users using Burp at my company. We use it daily.  

How are customer service and technical support?

I haven't needed to contact their technical support. 

How was the initial setup?

The initial setup is simple. It only takes two to three minutes. 

What about the implementation team?

We are consultants so we do the implementation ourselves. 

It only requires one person for the implementation and maintenance. 

What's my experience with pricing, setup cost, and licensing?

It costs 39,000 including taxes per year. 

What other advice do I have?

I would recommend this solution to somebody considering Burp. 

I would rate it an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Penetration Testing Advisor at a tech services company with 1,001-5,000 employees
Consultant
The real power of the product lies in the modules that aid in manual testing.

What is most valuable?

  • Intruder - allows inserting predefined or custom payloads at chosen locations inside requests and analyzing results using custom filters.
  • Repeater - allows reissuing requests to manually verify reported issues, changing parameters or issuing a specific sequence of requests to test for logic flaws.
  • Extender - allows installing additional modules from the BApp store, created by the community in Java, Python or Ruby.

How has it helped my organization?

It provides unique features that help me quickly identify and exploit security vulnerabilities in web applications.

What needs improvement?

Some extra features are not available in the core product (WSDL parsing, SOAP calls, Error checks, Authorization bypass), but additional modules created by the community can be easily installed from the BApp store through Extender, or you can write your own in Java, Python or Ruby.

For how long have I used the solution?

I have been using it for two years.

What do I think about the stability of the solution?

Spidering large websites can use a lot of memory and might result in a crash on systems with lower RAM.

What do I think about the scalability of the solution?

It's better to add only one website per project for the same reason as above.

How are customer service and technical support?

I didn't use technical support.

Which solution did I use previously and why did I switch?

I used many solutions but I found the best value, features and documentation in Burp.

How was the initial setup?

Starting Burp only involves running a .jar file. The latest version also comes with an executable installer. Setting up a project can be more complex, involving configuring the proxy, scope and different spidering/scanning options.

What's my experience with pricing, setup cost, and licensing?

I believe it has one of the lowest prices for commercial products (~$350 per user per year).

Which other solutions did I evaluate?

Before choosing this product, I evaluated free products - Arachni, OWASP ZAP, w3af, Vega - and commercial products - Acunetix, Qualys Web Application Scanner.

What other advice do I have?

If you expect a product in which you input your website and click a scan button, Burp is not for you. Burp Suite Pro can perform an automatic scan, but the real power of the product lies in the modules that aid in manual testing. A few weeks are usually needed to read the documentation and ramp-up on all the features, for someone without previous experience.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
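Two of the reviews above describe the same Intruder workflow: marking payload positions in a captured request, firing payload lists at them, and filtering the result table to spot the response that differs (the first reviewer uses it to check whether a login can be brute-forced; the last reviewer lists Intruder's payload positions and custom filters). The following is an added, stand-alone Python model of that workflow, not PortSwigger's code and not from either reviewer. It uses Intruder's own §...§ position syntax on a constructed request template and sends the built requests to a constructed in-process login endpoint (valid credentials admin/hunter2, optional lockout counter), so it runs offline; the endpoint, template and payload lists are all assumptions made for the example.

```python
"""Intruder-style payload insertion and result filtering, modelled offline.
Added example; not PortSwigger code. Target endpoint and data are constructed."""
import itertools
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

# Constructed request template (assumption, not a real engagement). The §...§
# markers are Burp Intruder's payload-position syntax; the text between the
# markers is that position's base value.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=§admin§&password=§letmein§"
)

POSITION = re.compile(r"§([^§]*)§")


@dataclass
class Result:
    payloads: Tuple[str, ...]
    status: int
    length: int  # response body length: a cheap "this one differs" signal
    body: str


def positions(template: str) -> List[str]:
    """Base values of the marked positions, in order of appearance."""
    return POSITION.findall(template)


def build_request(template: str, values: Sequence[str]) -> str:
    """Substitute one value per marked position, left to right."""
    it = iter(values)
    return POSITION.sub(lambda _m: next(it), template)


def sniper(template: str, payloads: Sequence[str]) -> Iterable[Tuple[str, ...]]:
    """Sniper mode: each position in turn receives every payload while the
    other positions keep their base value."""
    base = positions(template)
    for i in range(len(base)):
        for p in payloads:
            vals = list(base)
            vals[i] = p
            yield tuple(vals)


def cluster_bomb(payload_sets: Sequence[Sequence[str]]) -> Iterable[Tuple[str, ...]]:
    """Cluster bomb mode: one payload set per position, every combination."""
    return itertools.product(*payload_sets)


def run_attack(template: str, combos: Iterable[Sequence[str]],
               send: Callable[[str], Tuple[int, str]]) -> List[Result]:
    """Send every built request through `send` and record status and length."""
    out = []
    for vals in combos:
        status, body = send(build_request(template, vals))
        out.append(Result(tuple(vals), status, len(body), body))
    return out


def filter_results(results: List[Result],
                   predicate: Callable[[Result], bool]) -> List[Result]:
    """Custom filter over the attack table, e.g. by status code or body grep."""
    return [r for r in results if predicate(r)]


def make_target(lockout_after: Optional[int] = None) -> Callable[[str], Tuple[int, str]]:
    """Constructed in-process login endpoint standing in for the real site.
    Only admin/hunter2 is valid. With lockout_after set, the endpoint answers
    429 once that many failures have been seen (a crude global counter)."""
    failures = 0
    valid = {"admin": "hunter2"}

    def send(raw: str) -> Tuple[int, str]:
        nonlocal failures
        if lockout_after is not None and failures >= lockout_after:
            return 429, "Too many attempts"
        body = raw.split("\r\n\r\n", 1)[1]
        params = dict(kv.split("=", 1) for kv in body.split("&"))
        if valid.get(params.get("username")) == params.get("password"):
            return 302, "Location: /dashboard"
        failures += 1
        return 200, "Invalid username or password"

    return send


def brute_force_possible(results: List[Result]) -> bool:
    """The check the first reviewer describes: did guessing log in without the
    target ever rate limiting? A 302 with no 429 in the table means yes."""
    statuses = {r.status for r in results}
    return 302 in statuses and 429 not in statuses


if __name__ == "__main__":
    combos = cluster_bomb([["admin", "root"], ["letmein", "hunter2", "password"]])
    results = run_attack(TEMPLATE, combos, make_target())
    for r in filter_results(results, lambda r: r.status == 302):
        print("valid credentials:", r.payloads)
    print("brute force possible:", brute_force_possible(results))
```

Against a real target you would swap `make_target()` for a function that sends the built request over the proxied connection; the position parsing, attack modes and the status/length filter are the parts that carry over. The lockout variant (`make_target(lockout_after=1)`) is what a hardened login looks like in the result table: the attack never reaches a 302 because the table fills with 429s after the first failure.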
Buyer's Guide
Download our free PortSwigger Burp Suite Professional Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024