PortSwigger Burp Suite Professional Reviews

• HTTP proxy for packet capture
• Repeater
• Intruder
• Spider
• Decoder
• Comparer

Burp Suite is a versatile tool for manual web application penetration testing; mainly used by skilled ethical hackers to test security of web-based applications. It helps capturing and modifying HTTP packets and variables, and observing the application’s response. It allows fuzzing the variable in an intuitive way, repeating the same method, crawling a web application, and similar functionalities.

The professional edition of Burp Suite provides some automated pen-testing scripts to detect application vulnerabilities, like SQL injection, XSS, etc. However, this component is not extremely useful. The results need to be double-checked manually, and false positives are very common, i.e., the tool detects a vulnerability from the HTTP respond when a vulnerability does not actually exist.

I have been using it for five years.

It is a tool used mostly for manual tasks, it is stable enough for that purpose.

If you attempt to map a large website using the Spider component, it can take a long time, and the tool may crash.

I have not used technical support, but online documentation and Help have always been sufficient.

I have used Charles Proxy, CAT, and Fiddler as well, but found Burp easier to use.

For automated scanning, there are stronger alternatives to Burp, such as Acunetix, IBM AppScan, Nexpose, Qualys, etc.

There is no setup needed. It is a Java app that does not need to be installed.

The free version is one of the best proxy tools for manual testing. For automated testing, it provides the best value for money in the market.

I evaluated Charles Proxy, Fiddler, and Context App Tool (CAT), which are great HTTP proxies. I like CAT and Burp as the best free ones.

To effectively use Burp, you will need someone with enough technical hands on skills in ethical hacking and penetration testing.

I use the solution to intercept requests and scan applications.

The most valuable feature of PortSwigger Burp Suite Professional is the Burp Intruder tool.

The solution’s pricing could be improved.

I have been using PortSwigger Burp Suite Professional for around two to three years.

We have not faced any issues with the solution’s stability.

Over 500 people are using the solution in our organization.

The solution’s initial setup is easy.

PortSwigger Burp Suite Professional is an expensive solution.

I would recommend the solution to other users. Using PortSwigger Burp Suite Professional for the first time is not easy, but you can use it easily after using a demo version. The solution's Intruder tool has helped improve our security testing efficiency. The solution's Repeater tool has helped us with testing for web vulnerabilities.

Overall, I rate the solution a nine out of ten.

This is a solution for which I provide services to our customers and I also use it personally.

As part of our organization, we build internal applications. Before they are put into production, we run a suite of security tests to ensure that our applications are not vulnerable to any known issues. We use PortSwigger Burp for testing, as well as OSASP Zap. We do similar tests in multiple tools to make sure that we cover the entire set of use cases.

I have this solution deployed as one user on a single machine, which is used by a designated security tester.

The most valuable features are Burp Intruder and Burp Scanner.

The automatic scanning feature is helpful.

The interface for the automatic scan can be improved because it is easy for technical users, but the business users have trouble with it. There is documentation but the interface should be more user-friendly.

There should be a heads up display like the one available in OWASP Zap. I think that it would be a very good addition.

I have worked with PortSwigger Burp for about ten years.

This solution is stable and we have had no major problems.

We have had no issues with scalability, although we are using a standalone installation with only a single user. We may expand usage in the future.

We also have OWASP Zap and we continue to use these two tools.

Zap has a heads up display within its own browser, which is a very good feature. Zap is also completely free, whereas Burp has a free version but it also has licenses available.

For the most part, we use open-source solutions, which are free of charge.

The initial setup is simple and very straightforward. We were not setting up a server, so it took perhaps five minutes to get up to speed and begin using it.

There are different licenses available that include a free version.

We do have problems with some of the add-ons that we install from the marketplace. They may not be available or out of support, so when you want to install them, they are not there.

This is a very nice tool and anybody can use it, from beginner to expert level. There are some simple and straightforward settings with documentation that is very clear. If you follow the steps you can easily get up to speed within five minutes for a single user.

I would rate this solution an eight out of ten.

We use this solution for the security assessment of web applications before their release to the internet. The security assessment team uses this product to identify vulnerabilities and vulnerable code that developers may introduce. We host all of the beta applications in our internal web servers and then the security team starts assessments when the development freezes.

In the early years, we did not check our web applications for security vulnerabilities before releasing them to customers. Since we began this practice for every application, our clients are really happy and value our work.

BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding. 

The auto scanning feature provides really good details about issues that it finds.

Crawling web applications using Burp Spider, Target Site Map, automating customized attack with Burp Intruder, and manipulating parameters with Burp Repeater are the most useful and used features.

The Auto Scanning features should be updated more frequently and should include the latest attack vectors.

It would be really helpful if the issue details contained example recommendations on how to fix the issues identified, or perhaps point to external recommendations for reference. 

I have never had issues running this application, so I would say it is stable.

Scalability is very simple and easy.

We have not needed to contact technical support, although there is a very big community of users.

Prior to this solution, we used various open-source or free applications. We wanted to streamline and improve productivity by standardizing the products that we use.

The initial setup of this solution is very straightforward and easy.

We performed the deployment in-house. There were no complicated steps.

Our ROI is above two hundred percent.

There is no setup cost and the cost of licensing is affordable.

We tested all of the free apps and could not find a stable all-in-one solution other than BurpSuite.

All application development organizations should purchase BurpSuite and train their developers on how to use this solution to identify security flaws. This will help to ensure that the applications released to the public internet will have better protection from malicious attackers.

I'm a junior cybersecurity analyst, and I'm helping the seniors to do some testing. Meanwhile, I'm also getting trained with the tool. I mostly use it for vulnerable apps assessment and some auditing. Other analysts use it for penetration testing.

We are using the latest version. We downloaded it three days ago.

I find the attack model quite amazing, where I can write my scripts and load my scripts as well, which helps quite a bit. All the active scanning that it can do is also quite a lot helpful. It speeds up our vulnerability assessment and penetration testing. Right now, I am enjoying its in-browser, which also helps quite a bit. I'm always confused about setting up some proxy, but it really is the big solution we all want.

I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us. 

I have been using PortSwigger Burp for six months now.

I have found no issues so far with its stability. I can't complain anything about it.

I can't say much about that because we are going to transition to cloud management. I don't know for sure how it is going to scale up. We are still in the testing and planning stages. We currently have approximately five users, and our team is still growing.

I haven't yet used their technical support.

The initial setup is completely easy. It took a day to deploy.

It is expensive for us in Brazil because the currency exchange rate from a dollar to a Brazilian Real is quite steep.

It is a really big solution. There are so many modules. You got to have some training to do it properly and go through a lot of documentation.

I would rate PortSwigger Burp a nine out of ten. I haven't found anything to complain about, but there is always some room for improvement.

Primarily, I use it for scanning the applications and as a proxy to capture and manipulate the application traffic. That is the most useful set of features I have seen in this tool.

The customer is almost all the time results-oriented and they want them real quick.

Burp gives my organization a great authentic source of information on the security posture of web infrastructure.

PortSwigger launched a feature called Burp Extender, which enables organizations to use their own third-party code and integrate with Burp to use its capabilities and create their own customized results. This way, organizations do not need to worry about changing the reporting format and all. They will just get better results.

Burp is the best web application penetration testing tool that I have ever used.

Although all the features of Burp are very useful, I personally love its capability to automatically and accurately detect vulnerabilities. So, I would say it is the Burp scanner that is THE most powerful, valuable, and an awesome feature.

Another, very interesting and quite extensible feature is Intruder. The way you can customize your payloads to suit your penetration testing needs is simply outstanding.

The best thing is that all features are available just out-of-the-box and at a very nominal price.

The one feature that I would like to see in Burp is active scanning of REST based web services. A lot of organizations are providing APIs to access their services to support different business models like SaaS. Scanning these APIs is still a challenge for many security product companies. Even Burp does not have a direct and easy way of scanning REST based web services.

There is a capability to scan SOAP based web services provided there is a WSDL available. So, to conclude active web services scanning is something that I would like to see as an improvement in Burp.

No. Quite stable. The executable JAR file is quite better since there is no installation required.

I have only used it as a single user. But many of my colleagues use it and I have never heard of any such issues.

Apologies. Never Tried.

I have used a lot of tools for web application scanning and penetration testing -- like Qualys WAS, Nikto, OWASP ZAP proxy, Paros Proxy, DirBuster, Burp, etc.

The reason for switching to Burp is the capabilities of this tool. The scanner is very powerful and the way it integrates with third-party code is really cool. Other tools simply do not have these capabilities.

Quite straightforward. Thanks to the availability in executable JAR format -- this makes it a highly portable solution.

I have implemented as an inhouse one. There is no installation as such since the solution is an executable jar file. User just need to double click and start using it.

This is a value for money product.

I am a consistent user of web application scanners and penetration testing solutions.

I have used Qualys WAS, OWASP ZAP, sqlmap, Paros Proxy, and Nikto. But nothing stands close to Burp, because this tool has everything in one single portable powerful package.

If you are looking for a single web application penetration testing solution at low cost, definitely give it a try. You can request a trial of the pro version from PortSwigger if you would like to see the scanner capability in action.

They will, of course, require organizational contacts. Almost all the other features are available in the free version, also.

We use this solution when we develop any of our software applications and host it with the website for external clients. All of the applications go through the vulnerability scanner.

Burp Suite is very helpful. The extension that it provides with the community version for the skills mapping is excellent.

The interface for external clients needs improvement.

Currently, the scanning is only available in the full version of Burp, and not in the Community version.

I would like the scanning included for free also.

We have been using this solution for a year and a half.

It's a stable solution. We have not had any issues.

I have not contacted technical support. 

We have not experienced any issues where we couldn't resolve them using our internal team.

We have not required any technical support.

When we compare it to other programs that we have such as OWAP Zap, we found Burp to be more suitable.

The initial setup is straightforward.

It is very easy to automate. It requires some configuration that has you follow step by step instructions. 

It can take four to five hours to go live.

Anyone with minimal knowledge and training can use this tool.

We are using the community version, which is free.

We evaluated OWASP Zap, which was fully open-source.

We use the community version and found that Burp was easier and more useful.

The interface is better in PortSwigger Burp.

I would rate PortSwigger Burp an eight out of ten.

• Proxy
• Repeater
• Intruder
• Extender API (and plug-ins)
• CSRF generator

This is by far the best application assessment tool I have used. It is more usable and has more features than most of the enterprise tools that cost 10-100 times as much.

I've used it for five years.

No issues encountered.

There are some memory issues, where the application runs out of memory and crashes. This is directly related to Java. This was improved after switching to 64-bit Java, but it still creeps up once in a while.

No issues encountered.

It's excellent.

It's very good.

I use many projects, but Burp is the best all round solution for manual application testing.

It's very straightforward, you just have to double-click a Jar file.

You get many features with the free product, but the real power is unlocked with the Pro version. The intruder is an amazing tool and makes the entire product worth purchasing, and the ability to perform automatic backups is well worth the small price of this product as well.