PortSwigger Burp Suite Professional Reviews

Primarily, I use it for scanning the applications and as a proxy to capture and manipulate the application traffic. That is the most useful set of features I have seen in this tool.

The customer is almost all the time results-oriented and they want them real quick.

Burp gives my organization a great authentic source of information on the security posture of web infrastructure.

PortSwigger launched a feature called Burp Extender, which enables organizations to use their own third-party code and integrate with Burp to use its capabilities and create their own customized results. This way, organizations do not need to worry about changing the reporting format and all. They will just get better results.

Burp is the best web application penetration testing tool that I have ever used.

Although all the features of Burp are very useful, I personally love its capability to automatically and accurately detect vulnerabilities. So, I would say it is the Burp scanner that is THE most powerful, valuable, and an awesome feature.

Another, very interesting and quite extensible feature is Intruder. The way you can customize your payloads to suit your penetration testing needs is simply outstanding.

The best thing is that all features are available just out-of-the-box and at a very nominal price.

The one feature that I would like to see in Burp is active scanning of REST based web services. A lot of organizations are providing APIs to access their services to support different business models like SaaS. Scanning these APIs is still a challenge for many security product companies. Even Burp does not have a direct and easy way of scanning REST based web services.

There is a capability to scan SOAP based web services provided there is a WSDL available. So, to conclude active web services scanning is something that I would like to see as an improvement in Burp.

No. Quite stable. The executable JAR file is quite better since there is no installation required.

I have only used it as a single user. But many of my colleagues use it and I have never heard of any such issues.

Apologies. Never Tried.

I have used a lot of tools for web application scanning and penetration testing -- like Qualys WAS, Nikto, OWASP ZAP proxy, Paros Proxy, DirBuster, Burp, etc.

The reason for switching to Burp is the capabilities of this tool. The scanner is very powerful and the way it integrates with third-party code is really cool. Other tools simply do not have these capabilities.

Quite straightforward. Thanks to the availability in executable JAR format -- this makes it a highly portable solution.

I have implemented as an inhouse one. There is no installation as such since the solution is an executable jar file. User just need to double click and start using it.

This is a value for money product.

I am a consistent user of web application scanners and penetration testing solutions.

I have used Qualys WAS, OWASP ZAP, sqlmap, Paros Proxy, and Nikto. But nothing stands close to Burp, because this tool has everything in one single portable powerful package.

If you are looking for a single web application penetration testing solution at low cost, definitely give it a try. You can request a trial of the pro version from PortSwigger if you would like to see the scanner capability in action.

They will, of course, require organizational contacts. Almost all the other features are available in the free version, also.

• Intruder - allows inserting predefined or custom payloads at chosen locations inside requests and analyzing results using custom filters;
• Repeater - allows reissuing requests to manually verify reported issues, changing parameters or issuing a specific sequence of requests to test for logic flaws;
• Extender - allows installing additional modules from the BApp store, created by the community in Java, Python or Ruby;

It provides unique features that help me quickly identify and exploit security vulnerabilities in web applications.

Some extra features are not available in the core product (WSDL parsing, SOAP calls, Error checks, Authorization bypass), but additional modules created by the community can be easily installed from the BApp store through Extender, or you can write your own in Java, Python or Ruby.

I have been using it for two years.

Spidering large websites can use a lot of memory and might result in a crash on systems with lower RAM.

It's better to add only one website per project for the same reason as above.

I didn't use technical support.

I used many solutions but I found the best value, features and documentation in Burp.

Starting Burp only involves running a .jar file. The latest version also comes with a executable installer. Setting up a project can be more complex, involving configuring the proxy, scope and different spidering/scanning options.

I believe it has one of the lowest prices for commercial products ($~350 per user per year).

Before choosing this product, I evaluated free products - Arachni, OWASP ZAP, w3af, Vega - and commercial products - Acunetix, Qualys Web Application Scanner.

If you expect a product in which you input your website and click a scan button, Burp is not for you. Burp Suite Pro can perform an automatic scan, but the real power of the product lies in the modules that aid in manual testing. A few weeks are usually needed to read the documentation and ramp-up on all the features, for someone without previous experience.

• HTTP proxy for packet capture
• Repeater
• Intruder
• Spider
• Decoder
• Comparer

Burp Suite is a versatile tool for manual web application penetration testing; mainly used by skilled ethical hackers to test security of web-based applications. It helps capturing and modifying HTTP packets and variables, and observing the application’s response. It allows fuzzing the variable in an intuitive way, repeating the same method, crawling a web application, and similar functionalities.

The professional edition of Burp Suite provides some automated pen-testing scripts to detect application vulnerabilities, like SQL injection, XSS, etc. However, this component is not extremely useful. The results need to be double-checked manually, and false positives are very common, i.e., the tool detects a vulnerability from the HTTP respond when a vulnerability does not actually exist.

I have been using it for five years.

It is a tool used mostly for manual tasks, it is stable enough for that purpose.

If you attempt to map a large website using the Spider component, it can take a long time, and the tool may crash.

I have not used technical support, but online documentation and Help have always been sufficient.

I have used Charles Proxy, CAT, and Fiddler as well, but found Burp easier to use.

For automated scanning, there are stronger alternatives to Burp, such as Acunetix, IBM AppScan, Nexpose, Qualys, etc.

There is no setup needed. It is a Java app that does not need to be installed.

The free version is one of the best proxy tools for manual testing. For automated testing, it provides the best value for money in the market.

I evaluated Charles Proxy, Fiddler, and Context App Tool (CAT), which are great HTTP proxies. I like CAT and Burp as the best free ones.

To effectively use Burp, you will need someone with enough technical hands on skills in ethical hacking and penetration testing.

• Proxy
• Repeater
• Intruder
• Extender API (and plug-ins)
• CSRF generator

This is by far the best application assessment tool I have used. It is more usable and has more features than most of the enterprise tools that cost 10-100 times as much.

I've used it for five years.

No issues encountered.

There are some memory issues, where the application runs out of memory and crashes. This is directly related to Java. This was improved after switching to 64-bit Java, but it still creeps up once in a while.

No issues encountered.

It's excellent.

It's very good.

I use many projects, but Burp is the best all round solution for manual application testing.

It's very straightforward, you just have to double-click a Jar file.

You get many features with the free product, but the real power is unlocked with the Pro version. The intruder is an amazing tool and makes the entire product worth purchasing, and the ability to perform automatic backups is well worth the small price of this product as well.

Mainly, the solution is a proxy. It also contains different tools, including intruder tools for customized automated attacks and tools for repeating requests, or decoding, et cetera. Many tools are there that can perform different tasks for different use cases. Apart from that, we have the BApp Store which contains a lot of tools as well. This Burb Suite is an application where we have all the tools. 

It is mainly used for pen testing.

Features such as the Intruder, Repeater, and Proxy have helped our organization a lot.

The Intruder, Repeater, and Proxy features have been great.

The initial setup is simple.

It is an easily scalable product.

The solution is very stable. 

In some cases, we got a few file postings while doing it by the automatic scan. If that could be better, that would be ideal. The scanner could just be updated a bit more. 

We'd like to have more integration potential across all versions of the product. The enterprise version seems to have better integration services than others. 

I've been working with the solution for six years. 

The solution is quite stable. There are no bugs or glitches and it doesn't crash or freeze. It is reliable. 

The solution scales well. It's not an issue.

I have also had some queries and I have used their support services. It was like all solutions out there. They are quite good in general.

Positive

I have used many other tools. This is one of the best tools that I'm using. I found this one much better. 

We have found the initial setup to be very simple and straightforward. It's not overly complex or difficult. 

For any configuration for deployment in our project, we assign two people. We have a small team of two aligned with our project. They will handle everything related to implementation. The setup doesn't take longer than one day.

In terms of maintenance, for the customers, what we are doing is we have an internal cyber security team, in which there are people doing the pen test. There are people who are doing the vulnerability assessment for the WASP scan, SaaS. For each, we have a separate team, and based on that, most of the deployments are done by these pen testers only. We do not provide maintenance for customers, however, we do provide reporting and technical support.

Before Burb Suite, we had our own technical team there for everything, including deployment. We have a separate network team and they will manage everything - including installation. It is very simple. You can download that directly. It's all very easy to do in-house.

I don't deal with any aspect of the licensing at this time. I can't speak to the exact pricing. 

I'm just a customer and an end-user.

We're using the latest version of the solution. We usually give an auto-update functionality. All the updates came automatically. We are updating it automatically.

We actually have an .EXE file in our system. We have the professional version. We've downloaded and given out the access key. It's on-premises, not the cloud. 

Overall, I've been very happy with the solution. I'd rate it nine out of ten.

We use the product primarily for application security. It helps us conduct scans and perform manual testing.

The platform's most valuable feature is the scanner. It also includes highly beneficial tools like the repeater and decoder. One useful function is the ability to send requests to the repeater without making actual requests through the browser, allowing me to modify requests easily. Additionally, the availability of various extensions, such as SQLite, adds to its value.

One area for improvement is the integrated browser, Chromium. Single Sign-On (SSO) methods like Microsoft authentication login sometimes fail and show errors. As a workaround, I have to use a different browser, such as Firefox, to log in and make Burp work.

I suggest adding a static code analysis feature to Burp. A plugin developers could install in their Integrated Development Environments (IDEs), like Visual Studio, would be incredibly useful. It would allow developers to perform code scanning as they write code.

I have been working with PortSwigger Burp Suite Professional for almost ten years.

I rate the product stability an eight out of ten. 

There are approximately 10 to 15 users in my department or company using Burp. I rate the scalability an eight out of ten. 

The technical support team resolved my issue, though it was not immediate. Since this experience was years ago, I haven't raised any support tickets recently.

Positive

One free tool that I consider a good competitor to Burp is OWASP ZAP.

While ZAP has the advantage of being open-source and cost-free, I would choose Burp for penetration testing. Burp is the best for this purpose, although ZAP is adequate for basic tasks, especially in companies where Burp Suite Professional is unavailable.

The initial setup is simple. We use the desktop version, with the application installed on our local machines.

The platform's pricing is reasonable. It is not very high, especially compared to other tools like Acunetix or Fortify, which are quite expensive.

I recommend the solution to others and rate it a nine out of ten. 

I use the solution to intercept requests and scan applications.

The most valuable feature of PortSwigger Burp Suite Professional is the Burp Intruder tool.

The solution’s pricing could be improved.

I have been using PortSwigger Burp Suite Professional for around two to three years.

We have not faced any issues with the solution’s stability.

Over 500 people are using the solution in our organization.

The solution’s initial setup is easy.

PortSwigger Burp Suite Professional is an expensive solution.

I would recommend the solution to other users. Using PortSwigger Burp Suite Professional for the first time is not easy, but you can use it easily after using a demo version. The solution's Intruder tool has helped improve our security testing efficiency. The solution's Repeater tool has helped us with testing for web vulnerabilities.

Overall, I rate the solution a nine out of ten.