PortSwigger Burp Suite Professional Overview

PortSwigger Burp Suite Professional is the #1 ranked solution in top Fuzz Testing Tools, the #3 ranked solution in AST tools, and the #6 ranked solution in application security tools. PeerSpot users give PortSwigger Burp Suite Professional an average rating of 8 out of 10. PortSwigger Burp Suite Professional is most commonly compared to OWASP Zap: PortSwigger Burp Suite Professional vs OWASP Zap. The top industry researching this solution is computer software companies, accounting for 29% of all views.
What is PortSwigger Burp Suite Professional?

Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.

PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.

PortSwigger Burp Suite Professional was previously known as Burp.

PortSwigger Burp Suite Professional Buyer's Guide

Download the PortSwigger Burp Suite Professional Buyer's Guide including reviews and more. Updated: January 2022

PortSwigger Burp Suite Professional Customers

Google, Amazon, NASA, FedEx, P&G, Salesforce

Archived PortSwigger Burp Suite Professional Reviews (more than two years old)

AVP - Software Quality Assurance at a tech services company with 201-500 employees
Real User
Very secure with excellent suite testing models and an easy initial setup

What is our primary use case?

Currently, we're trying to import the solution to implement it to other applications for our website. So far, it's been fantastic.

What is most valuable?

The suite testing models are very good. It's very secure.

What needs improvement?

The solution isn't too stable. The fundamentals of it make it difficult to use. Sometimes it takes me to other applications that are being run.

The scalability capabilities of the solution could be improved.

For how long have I used the solution?

I've been using the solution for three years.

What do I think about the stability of the solution?

The stability is okay, but we are finding issues.

What do I think about the scalability of the solution?

The solution doesn't offer very good scalability.

How are customer service and technical support?

We haven't had to contact technical support.

Which solution did I use previously and why did I switch?

We didn't previously use a different solution.

How was the initial setup?

The initial setup is straightforward. Deployment doesn't take more than two to three hours.

What about the implementation team?

We handled the implementation ourselves.

What other advice do I have?

We use the on-premises deployment model.

I'd rate the solution nine out of ten. I haven't compared it with other vendors, but it is a best-seller currently.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Vijayanathan Naganathan
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Real User
Great design, excellent features like Intruder, Repeater, Decoder with plenty of plug-ins from community forums.
Pros and Cons
  • "Once I capture the proxy, I'm able to transfer across. All the requested information is there. I can send across the request to what we call a repeater, where I get to ready the payload that I send to the application. Put in malicious content and then see if it's responding to it."
  • "The biggest improvement that I would like to see from PortSwigger that today many people see as an issue in their testing. There might be a feature which might be desired."

What is our primary use case?

Clients come to me for an assessment of their web applications to see the risks that they are facing with their applications. They want to ensure that their application is free of being manipulated and also secure, so they reach out to us to do vulnerability assessment and application penetration testing. We make use of PortSwigger's BurpSuite tool to carry this out. We look at it more from an application standpoint, at what common vulnerabilities there are, like the OWASP Top 10 vulnerabilities: Injection (OS/SQL/CMD), broken authentication, session management, cross-site request forgery, unvalidated redirects/forwards, etc. Those are the primary uses we have for this tool.

How has it helped my organization?

We're an independent IT organization that specializes in vulnerability assessment and penetration testing, and we focus here on application security. This tool really helps me unearth security issues and vulnerabilities that are in the applications shared by my clients. Unearthing these issues really helps me build confidence and relationships with clients on two counts. The first part is that they want a reliable and robust tool with which we are able to unearth security issues. The second part of it is that I give them more confidence in their application's security before they make a decision on going live.

I can't name customers, but I've been working with a US university education platform providing client for the last three years. Earlier we tried different tools but in the last couple of years, we stuck to the Burp Suite tool and year after year, we've been periodically doing the application security for them. The confidence has really leveraged the relationship to build the pipeline of business that I have. At the same time, the confidence that the customer in their platform going live has remained intact. That really helps me build accountability and it helps me put forward my organization as a strong security testing organization space.

What is most valuable?

I like the way the tool has been designed. Once I capture the proxy, I'm able to transfer across all the request information that is there. I can send across the request to the 'Repeater' feature. I put in malicious payloads and then see how the application responds to them.

More than that, the Repeater and Intruder are really awesome features in BurpSuite. For example, if I'm going to test for a SQL injection, I have certain payloads that are trying to break into the application. These predefined payloads, which come as part of the tool, are really useful for us to use and see how the application behaves. With the help of the BurpSuite tool, we are very well ahead in seeing if the application is going to break at any point in time.

So the Repeater and the Intruder are great features that are there. More than that, I think the entire community support is really fabulous, as well as the number of plug-ins that people have written for the tool. Those have been standouts. Community support is really strong. We see a lot of plug-ins that are made available that work along with the tool.

What needs improvement?

In the earlier versions what we saw was that the REST API was something that needed to be improved upon but I think that has come in the new edition when I was reading through the release offset available. 

There is a certain amount of lead time for the tickets to get resolved. The biggest improvement that I would like to see from PortSwigger is that what many people see as a need in their security testing could be prioritized and developed as a feature which can be useful. For example, if they're able to take these kinds of requests, group them, prioritize and show this is how the correct code path is going to be in the future, this is what we're going to focus around in building in the next six months or so. That could be something that will be really valuable for testers to have.

For how long have I used the solution?

I've been using the solution for about three years.

What do I think about the stability of the solution?

Burp Suite is quite robust. The good part is that it also comes with an automatic back-up feature which automatically saves all the request-responses, alerts and attacks in the system periodically. In the event of your laptop crashing or going down on power, you still have the last saved application state which has saved the recording. Once you power up again, you can launch Burp Suite and go back to the last point of save of the complete recording/requests/tests in the system.

What do I think about the scalability of the solution?

With the open edition, it's not a problem to install on any number of machines. When it comes to the professional edition, you need a license and you have to pick a license type. I have to use it against a particular machine on which I would run. From there I would run my scans. Let's say I don't find my laptop or my computer fast enough, and I decide to move my license across to a higher processor, higher memory laptop or computer, I can easily move the license across to the new machine.

As long as I am on that particular license use, I have one license that I'm able to move across to one instance at any given point of time. That is quite stable. I think even more than that, for a top-priced edition you can take multiple contract licenses. Something like a license server where you might have five licenses. You might have 10 installations and you can have different people working on various routes use the tool. Only those five licenses will be needed. In that instance, scalability is definitely a great point for most uses.

Currently, if you look at the users that are linked to roles that we have, one is the security test engineer and one is the security test analyst. At any given point in time, only one person uses the tool for engagement in the professional edition. We have about two to three people working with us on these projects.

How are customer service and technical support?

I found technical support to be quite responsive. I usually get an email response within three or four hours which is very good. There's plenty of documentation that has relatively good pointers as to the documentation's impact. Also, documentation is a good part of the knowledge base. They have started something that's very awesome by implementing that. They point us to areas in our tickets that have answers within the available knowledge base documentation, which is shared as part of the whole response. It's definitely a good thing.

Which solution did I use previously and why did I switch?

I've used different tools like Acunetix. 

The first tool that we started with was Acunetix. Acunetix was quite expensive, first and foremost. It's more suitable for web application scanning and penetration. PortSwigger has a larger play beyond applications; it supports REST APIs and all that stuff, and that kind of support is great with PortSwigger.

The kind of mechanism that's there is that you can just capture the flow of the application. They usually have what is called a flow sequence in proxy history with which all the user actions are captured. That's all done by the tool completely. Once that information is there, you can control exploit requests with the tool. Whatever the tool shows, I have the opportunity to throttle and change payloads and see how the application behaves.

We used the online web scanners with Acunetix. We found it a little difficult and that was one reason why. In fact, when we got the contract with the client and we evaluated multiple tools, that's why we chose PortSwigger's BurpSuite.

How was the initial setup?

The initial setup was straightforward. It's not complex at all. Today it comes along with a job size which makes it much more affordable and easy. I don't think the installation is ever a challenge here. 

In some setups, all I do is this: if I'm setting it up for Windows, I cannot get my path through which I want to set this up. A few clicks and I'll be able to get the entire tool set up. I would say it requires some amount of knowledge to do testing. So also we are able to set up the tool against an application. Let's say there is an application that comes through for testing. Until I get to know the way I have to configure the target URLs and capture the entire traffic flow. That is easy. Now there are jar files also being made available for easier instantiation of the tool.

It is not a challenge in setting up the tool at all because there's plenty of videos and documentation available around in both the PortSwigger website as well as in open forums like YouTube and all that. It's quite easy to set it up. Personally, I haven't had trouble. We haven't had any major challenges in terms of setting up the tool. Not just purely from an installation standpoint, but also from a perspective of beginning to capture traffic across the different applications that we serve. 

The installation takes less than four to five minutes. It doesn't take more than that.

In terms of security implementation strategy, when we take control of any tests that we do, we set the proxies in place based on the settings that are there in the tool and then set up the same proxy on a browser for which we will capture the traffic. Once we do that, our implementation strategy is to capture the entire traffic in terms of specifying a target URL, the application or the website, and the test. We do a proper login and ensure that all the data captures are there. Then we see that all the requests and responses are getting logged properly inside the tool and we are able to capture that. So once we do that, we try to simulate all user flows that would be there in the tool.

Based on the different tools that are there, we capture the flow and enter a fake login and then we do a scan. The scan helps to unlock issues that are there. That kind of test is to identify all the actions that we do. We particularly do what is called an active scan, which is like after you use the browser, make all the user clicks, events, and all that, the tool is able to capture it in the background. It does an active scan, and it gives what potential issues are there. So once we are done with that, we look at all the issues that are there, and then we make it run through a boot scan based on the requests that we have captured. Typically this takes a good amount of time, which depends on the amount of traffic that you have captured through the tool.

The one good thing that I would like to highlight is that irrespective of how much traffic is captured from my application flow, the tool is quite robust. I have seen other tools that sometimes the application, or rather the tool, becomes non-responsive. I haven't seen those kinds of issues here.

Then, once we are done with the scan, we pick and choose what are the issues that are there. We look for what are the trouble spots, and what issues are being highlighted. Then we check each of those specific requests, sending them over to another team member, and try them with different payloads, putting them across in the intruder and unearthing issues. So that helps me really test the application using PortSwigger comprehensively, and, more importantly, at the end of the test, it makes it quite easy for me to generate a report which is quite nice and simple which I can forward across to the client. That is essentially the way I go about in my implementation of security testing.

What about the implementation team?

We did the implementation in-house.

What was our ROI?

In terms of ROI, I'd say it helps with client engagement. The tools in relation to ROI allow me to win back-to-back contracts for application security testing with the customers. I would even say I'd be able to break in on a first engagement itself. 

What's my experience with pricing, setup cost, and licensing?

Licensing costs are about $450/year for one user. Larger organizations would be able to test against multiple applications simultaneously, while others might have multiple versions of applications which need to be tested, which is why there is an enterprise edition. We might have more than five to six people in the organization doing security testing. You can give full-base access to them and control who uses your licenses.

It depends on the stream of projects and business pipeline that I get, but security is not something that is done all throughout the year. We get it in cycles. We pace it in such a way that, from the different customers that we work with, we actually have one project running throughout the year. I might do a project for Client X during the months of, let's say, January to February. Then for another client, I might have something lined up for April to May. So with a single license, I am able to maximize the usage very well.

What other advice do I have?

The tool comes in three types. First, there is the Open Community Edition, which is meant for people who use it to learn the tool or use it to secure their system. This edition does not have scanning features enabled to scan against application URLs or websites. From the standpoint of learning about security tests or assessing the security of an application without scanning, the community edition really helps.

Then you also have a Professional edition which is more meant for doing comprehensive vulnerability assessment and penetration testing of applications, which is very important. Especially for independent teams like ours who make use of tools based on tech, etc. The good part about the professional edition is that it comes with a term license which is cost-effective. You pay an annual charge and use it for a year's time, and then you can extend it on an as-needed basis.

Apart from these, we also have an Enterprise Edition which has features like scan schedulers, unlimited scalability to test across multiple websites in parallel, support for multiple user access with role-based access control, and easy integration with CI tools.

The very best way this tool can be used is to understand the application and identify the various roles that are there in the application. Then capture the user flows with PortSwigger's BurpSuite, and understand what the requests are, making use of the different features in BurpSuite.

Post this the teams look at and analyze all the requests being sent. Observe the requests, use various roles with the tool using a repeater and intruder, analyze what's breaking through in the application. As you can quickly analyze with the intruder out here how the application's really behaving, how the payload is being sent across the tool. Then you get a quick sense of what's available which could be checked through for false positives and then arrive at the final output along with it.

This is how I would like to handle the implementation of the solution.

I would rate this solution 10 out of 10.

Which deployment model are you using for this solution?

On-premises

Disclosure: I am a real user, and this review is based on my own experience and opinions.
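The capture, Repeater/Intruder and triage workflow this reviewer describes, as an added example that is not part of the review or of PortSwigger's code: a minimal sniper-style fuzz driven from a raw request copied out of proxy history, with Burp's section-sign payload markers, run against a constructed, deliberately vulnerable search endpoint (an sqlite query assembled by string concatenation) so that it runs offline. The request template, payload list, error-string pattern, length threshold and the mock server are all assumptions made for the demo.

```python
"""Intruder-style sniper fuzz of a captured request against a local, deliberately
vulnerable endpoint. Added example; not PortSwigger's code. The template, payloads,
thresholds and the mock server are constructed for the demo."""
import http.client
import re
import sqlite3
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlparse

# Raw request as copied from Proxy history; the payload position is wrapped in
# Burp's section-sign markers and {host} is filled in at run time.
TEMPLATE = (
    "GET /search?q=§test§ HTTP/1.1\r\n"
    "Host: {host}\r\n"
    "User-Agent: added-example\r\n"
    "\r\n"
)
# First payload is the baseline; the rest probe a quoted string context for SQL injection.
PAYLOADS = ["test", "'", "' OR '1'='1", "' AND '1'='2", "apple"]
# Strings that show the back-end handed our input to a database parser (assumed list).
SQL_ERROR_RE = re.compile(r"database error|syntax error|unrecognized token|incomplete input", re.I)

class VulnerableSearch(BaseHTTPRequestHandler):
    """Constructed target: builds the SQL by string concatenation (the bug under test)."""
    db = None  # shared sqlite connection, set by start_server()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        q = parse_qs(urlparse(self.path).query).get("q", [""])[0]
        try:
            rows = self.db.execute(f"SELECT name FROM items WHERE name = '{q}'").fetchall()
            status, body = 200, ("\n".join(r[0] for r in rows) or "no results")
        except sqlite3.Error as exc:  # leaks the parser error, as many real apps do
            status, body = 500, f"Database error: {exc}"
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def start_server():
    """Seed an in-memory table and serve the vulnerable handler on a free localhost port."""
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.execute("CREATE TABLE items (name TEXT)")
    db.executemany("INSERT INTO items VALUES (?)", [("apple",), ("banana",), ("cherry",)])
    VulnerableSearch.db = db
    server = HTTPServer(("127.0.0.1", 0), VulnerableSearch)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def expand_template(template, payload):
    """Drop the payload into the §...§ position, URL-encoded as Intruder does by default."""
    return re.sub(r"§.*?§", lambda _m: quote(payload, safe=""), template, count=1)

def send_raw(raw, host, port):
    """Replay a raw HTTP/1.1 request text and return (status, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = dict(line.split(": ", 1) for line in header_lines if line)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body or None, headers=headers)
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, text

def classify(baseline, status, body, length_delta):
    """Crude triage signal: error strings first, then status, then response length."""
    if SQL_ERROR_RE.search(body):
        return "sql-error"
    if status != baseline[0]:
        return "status-change"
    if abs(len(body) - len(baseline[1])) > length_delta:
        return "length-change"
    return "baseline-like"

def fuzz(host, port, template, payloads, length_delta=4):
    """Sniper mode: one position, one payload per request; yields (payload, status, length, verdict)."""
    results, baseline = [], None
    for payload in payloads:
        raw = expand_template(template.format(host=f"{host}:{port}"), payload)
        status, body = send_raw(raw, host, port)
        baseline = baseline or (status, body)
        results.append((payload, status, len(body), classify(baseline, status, body, length_delta)))
    return results

def run_demo():
    """Start the mock target, fuzz it, and shut it down; returns the result rows."""
    server = start_server()
    host, port = server.server_address
    try:
        return fuzz(host, port, TEMPLATE, PAYLOADS)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for payload, status, length, verdict in run_demo():
        print(f"{verdict:14} {status} {length:4}  {payload!r}")
```

Running it shows the three signals a tester triages by hand in Intruder's results table: the lone quote produces a database error, the tautology returns every row (length change), and the plain word "apple" is also flagged on length because it is a valid hit, which is exactly the kind of result that needs a human to separate from a real injection finding.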
Real User
Proactively assess our in-house software for vulnerabilities in advance of public release
Pros and Cons
  • "BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding."
  • "The Auto Scanning features should be updated more frequently and should include the latest attack vectors."

What is our primary use case?

We use this solution for the security assessment of web applications before their release to the internet. The security assessment team uses this product to identify vulnerabilities and vulnerable code that developers may introduce. We host all of the beta applications in our internal web servers and then the security team starts assessments when the development freezes.

How has it helped my organization?

In the early years, we did not check our web applications for security vulnerabilities before releasing them to customers. Since we began this practice for every application, our clients are really happy and value our work.

BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding. 

What is most valuable?

The auto scanning feature provides really good details about issues that it finds.

Crawling web applications using Burp Spider, Target Site Map, automating customized attack with Burp Intruder, and manipulating parameters with Burp Repeater are the most useful and used features.

What needs improvement?

The Auto Scanning features should be updated more frequently and should include the latest attack vectors.

It would be really helpful if the issue details contained example recommendations on how to fix the issues identified, or perhaps point to external recommendations for reference. 

For how long have I used the solution?

I have been using this solution for more than five years.

What do I think about the stability of the solution?

I have never had issues running this application, so I would say it is stable.

What do I think about the scalability of the solution?

Scalability is very simple and easy.

How are customer service and technical support?

We have not needed to contact technical support, although there is a very big community of users.

Which solution did I use previously and why did I switch?

Prior to this solution, we used various open-source or free applications. We wanted to streamline and improve productivity by standardizing the products that we use.

How was the initial setup?

The initial setup of this solution is very straightforward and easy.

What about the implementation team?

We performed the deployment in-house. There were no complicated steps.

What was our ROI?

Our ROI is above two hundred percent.

What's my experience with pricing, setup cost, and licensing?

There is no setup cost and the cost of licensing is affordable.

Which other solutions did I evaluate?

We tested all of the free apps and could not find a stable all-in-one solution other than BurpSuite.

What other advice do I have?

All application development organizations should purchase BurpSuite and train their developers on how to use this solution to identify security flaws. This will help to ensure that the applications released to the public internet will have better protection from malicious attackers.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees
Real User
A low cost security solution that identifies issues quickly but could offer better integration
Pros and Cons
  • "The Spider is the most useful feature. It helps to analyze the entire web application, and it finds all the paths and offers an automated identification of security issues."
  • "The number of false positives need to be reduced on the solution."

What is our primary use case?

The primary use case is security for the development lifecycle. We use the application for security testing.

How has it helped my organization?

The solution helps to identify security issues quickly.

What is most valuable?

The Spider is the most useful feature. It helps to analyze the entire web application, and it finds all the paths and offers an automated identification of security issues.

What needs improvement?

The number of false positives needs to be reduced on the solution.

I'm not sure whether some features need to be added because the product has a specific toolset, and if I do need some additional features, currently I get them in different security products. The solution, however, could better integrate with various other tools.

For how long have I used the solution?

I've been using the solution for three years.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

The solution is not designed to be scalable. You have an individual license, and I use it individually.

How are customer service and technical support?

I have not needed to use the solution's technical support.

Which solution did I use previously and why did I switch?

Before Burp I was manually proxying the data myself. I have experience making my own tools for security assessment. Burp is pretty convenient, and it's one of the most popular tools, which is why I began using it.

I also use Wireshark, which is pretty effective too.

How was the initial setup?

The initial setup was straightforward.

What about the implementation team?

We implemented the solution ourselves.

What's my experience with pricing, setup cost, and licensing?

Licensing is paid on a yearly basis. The yearly cost is about $300.

What other advice do I have?

For application security testing, I would suggest Burp. It's probably the leader in this area. It's just like analog tools such as OWASP ZAP, which is open-source. OWASP ZAP is still not as effective as Burp is.

The solution helps to find different security issues, and it helps identify many, many security issues quickly, and that's what makes it such a useful tool.

I would rate the solution seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Andrei Sandulescu
IT Auditor & Compliance Officer at Intellimind
Real User
Proactively finds and solves issues before our external auditors do
Pros and Cons
  • "Some of the extensions, available using Burp Extender, are also very good and we have found issues by using them."
  • "I would like to see a more optimized solution, as it currently uses a lot of CPU power and memory."

What is our primary use case?

Our primary use for this solution is to perform vulnerability scanning before we deploy software in production.

How has it helped my organization?

This solution has done a lot to improve our organization. It allows us to be proactive and solve issues before our external auditors find them. 

What is most valuable?

The most valuable feature of this solution is the scanning functionality. Some of the extensions, available using Burp Extender, are also very good and we have found issues by using them.

Burp Intruder is another very good feature in this solution.

What needs improvement?

I would like to see a more optimized solution, as it currently uses a lot of CPU power and memory. Sometimes, the application is blocking.

The reporting also needs improvement. Specifically, if there is an issue that exists on many pages, then I do not want to see the same thing repeated many times throughout the report. Rather, it should be pointed out as a global error, and only shown the one time. 

In the next version, I would like an option to scan the environment where the application is installed. I would also like a better cryptographic study, with more controls.

For how long have I used the solution?

Between two and three years.

What do I think about the stability of the solution?

This solution is very stable.

What do I think about the scalability of the solution?

I would say that this is a very scalable solution.

We do plan to increase our usage, but not beyond the Professional version. It is not our intention to move to the Enterprise version right now.

How are customer service and technical support?

I would rate their technical support a five out of five.

How was the initial setup?

The initial setup and deployment are straightforward and take very little time.

Only one person from the IT department is required for deployment and maintenance.

What about the implementation team?

We handled the implementation internally.

What's my experience with pricing, setup cost, and licensing?

Our licensing cost is approximately $400 USD per year. There are no costs in addition to the standard licensing fees.

Which other solutions did I evaluate?

We did evaluate other options before choosing this solution.

What other advice do I have?

I would recommend this product to others. It is very straightforward and it is oriented to the application, which is why we chose it. I would also recommend reviewing and using the extensions that are available.

I would rate this solution a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
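The reporting complaint above (one issue repeated once per page instead of once per host) is something a tester can post-process today. As an added example, not part of the review and not PortSwigger's code, the script below collapses a Burp-style XML issue export into one record per (issue name, host) with the affected paths listed. SAMPLE_REPORT is constructed for the demo and only loosely follows the element names of Burp's XML export (issue, name, host, path, severity, confidence); the severity ranking is an assumption.

```python
"""Collapse repeated per-page findings in a Burp-style XML issue export into one entry
per (issue name, host). Added example; not PortSwigger's code. SAMPLE_REPORT is
constructed and only loosely follows the layout of Burp's XML export."""
import xml.etree.ElementTree as ET  # prefer defusedxml for reports from untrusted sources
from collections import defaultdict

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Information": 0}  # assumed ordering

SAMPLE_REPORT = """<?xml version="1.0"?>
<issues>
  <issue><name>Cross-site scripting (reflected)</name><host>https://app.example</host>
    <path>/search</path><severity>High</severity><confidence>Certain</confidence></issue>
  <issue><name>Strict transport security not enforced</name><host>https://app.example</host>
    <path>/</path><severity>Low</severity><confidence>Certain</confidence></issue>
  <issue><name>Strict transport security not enforced</name><host>https://app.example</host>
    <path>/login</path><severity>Low</severity><confidence>Certain</confidence></issue>
  <issue><name>Strict transport security not enforced</name><host>https://app.example</host>
    <path>/search</path><severity>Low</severity><confidence>Certain</confidence></issue>
</issues>
"""

def group_issues(xml_text):
    """Return one record per (name, host), highest severity first, with de-duplicated paths."""
    groups = defaultdict(lambda: {"severity": "Information", "paths": set()})
    for issue in ET.fromstring(xml_text).iter("issue"):
        key = (issue.findtext("name", ""), issue.findtext("host", ""))
        entry = groups[key]
        sev = issue.findtext("severity", "Information")
        if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK.get(entry["severity"], 0):
            entry["severity"] = sev  # keep the worst severity seen for the group
        entry["paths"].add(issue.findtext("path", ""))
    summary = [
        {"name": n, "host": h, "severity": e["severity"],
         "count": len(e["paths"]), "paths": sorted(e["paths"])}
        for (n, h), e in groups.items()
    ]
    summary.sort(key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["name"]))
    return summary

def to_text(summary):
    """One line per group: severity, name, host, and either the single path or a path count."""
    lines = []
    for r in summary:
        where = r["paths"][0] if r["count"] == 1 else f"{r['count']} paths: {', '.join(r['paths'])}"
        lines.append(f"[{r['severity']}] {r['name']} on {r['host']} ({where})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_text(group_issues(SAMPLE_REPORT)))
```

The grouping key deliberately ignores the path, so a site-wide header or transport issue shows up once with a count, while a reflected XSS on a single endpoint keeps its path; a real export would be loaded from the file Burp writes rather than from the embedded sample.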
ITCS user
Security Specialist at Alfa-A IT
Real User
Built-in manual tools help with finding bugs and vulnerabilities

What is our primary use case?

I use this primarily for intercepting mobile HTTP and HTTPS requests with SSL pinning bypass. It's a better tool for manual tasks.

How has it helped my organization?

This solution has helped a lot in finding bugs and vulnerabilities, and the scanner is good enough for simple web apps.

What is most valuable?

The best feature that I've found is the built-in manual tools.

What needs improvement?

The scanner and crawler need to be improved.

For how long have I used the solution?

More than three years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user787785
Senior Security Engineer at an insurance company with 10,001+ employees
Real User
More accurate than other solutions we are using but can sometimes be slow to perform
Pros and Cons
  • "This tool is more accurate than the other solutions that we use, and reports fewer false positives."
  • "There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual."

What is our primary use case?

Our primary use case for this solution is to perform application security testing.

How has it helped my organization?

I don't have specific metrics but I can say that using this tool adds value.

What is most valuable?

There are several features that I like about this solution. The most valuable feature is that it has support for add-ons where we can add extra little scripts to the tool to perform more automated testing.

I like using the Repeater feature to perform proxy testing, and the Repeaters have dashboards now. The add-ons are compatible with the dashboards, as well. 

What needs improvement?

There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual. This would help us to better understand the product, and we would not need to buy a separate book.

In the next release, I want to see it more interactive and have more multitasking with some faster features. Sometimes scanning takes a long time, so they need to add more tricks to reduce the time spent in security testing.

For how long have I used the solution?

More than one year.

What do I think about the stability of the solution?

Stability-wise it is good.

What do I think about the scalability of the solution?

It is possible to work on multiple projects at the same time. I have tried five or six, and it is working fine. I would agree that the scalability is very good, and we have not found a limit yet.

We have approximately thirty users for this solution and they are the testers. As our team grows, we'll need to buy more licenses.

How are customer service and technical support?

We have used technical support three times, and each time received an email within twenty-four hours. They first try to understand the problem, and then after this, they provide step by step instructions for what to do. It's pretty easy.

Which solution did I use previously and why did I switch?

We have always used Burp Suite because it is a well-known tool.

How was the initial setup?

This solution is very easy to install and understand.

For a single user, it will take thirty to forty-five minutes. For our organization, it took between eight and nine hours.

What about the implementation team?

We handled the implementation and deployment ourselves.

What was our ROI?

We have seen ROI with this product.

What's my experience with pricing, setup cost, and licensing?

The cost is approximately $500 for a single license, and there are no additional costs beyond the standard licensing fees.

Which other solutions did I evaluate?

We considered using OWASP Zed Attack Proxy, which is open source. We decided to use this alongside the current solution, and also with IBM Security AppScan.

This tool is more accurate than the other solutions that we use and reports fewer false positives.

What other advice do I have?

They are steadily improving things and adding features to this product. It was only three months ago when they added the dashboard support. Before that, they only had passive and active scanning to perform the testing part. It now has a complete website of scanning features which were previously not there.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Analyst at a tech services company with 201-500 employees
MSP
Very Well Suited for Personal Use
Pros and Cons
  • "The product is very good just the way it is; It has everything already well established and functions great. I can't see any way for this current version to be improved."
  • "The Initial setup is a bit complex."

What is our primary use case?

My primary use case for this solution is designed around my own personal use. Burp Suite is a graphical tool for testing Web application security. The tool is written in Java.

How has it helped my organization?

I use Burp Suite on my laptop in my room for my personal research study. Since I don't use it for corporate work or company research purposes I can't comment on how it has improved my organization. 

What is most valuable?

In my opinion, all of the features seem to be of equal value really. I'm currently using the latest version.

What needs improvement?

The product is very good just the way it is; It has everything already well established and functions great. I can't see any way for this current version to be improved.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

My impressions of the stability of the solution are quite good.

What do I think about the scalability of the solution?

My impressions of the scalability of the solution are good.

Which solution did I use previously and why did I switch?

At work, I use an open source SAP solution. It's a free tool. It's a fully automated tool and it's fully furnished. Currently, I'm the only user and it's my job to analyze this product.

How was the initial setup?

The initial setup was somewhat complex, to be honest.

What's my experience with pricing, setup cost, and licensing?

My only advice for anyone looking for a personal use case for testing Web application security is this is a good option.

Which other solutions did I evaluate?

Before choosing this tool, no, I didn't evaluate any other options. I know what I wanted and I'm very happy with it.

What other advice do I have?

It's actually a very good product. It's pretty automated and it's easy to work with. No additional features need to be added because it's already an extraordinary tool. So there's no need for additional improvement.

Great product. I rate this product a 9 out of 10 for its total package of value-added features.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Senior Information Security Analyst at a tech services company with 10,001+ employees
Real User
Thanks to the availability in executable JAR format -- this makes it a highly portable solution
Pros and Cons
  • "I personally love its capability to automatically and accurately detect vulnerabilities. So, I would say it is the Burp scanner that is THE most powerful, valuable, and an awesome feature."
  • "The one feature that I would like to see in Burp is active scanning of REST based web services. A lot of organizations are providing APIs to access their services to support different business models like SaaS. Scanning these APIs is still a challenge for many security product companies."

What is our primary use case?

Primarily, I use it for scanning the applications and as a proxy to capture and manipulate the application traffic. That is the most useful set of features I have seen in this tool.

How has it helped my organization?

The customer is almost all the time results-oriented and they want them real quick.

Burp gives my organization a great authentic source of information on the security posture of web infrastructure.

PortSwigger launched a feature called Burp Extender, which enables organizations to use their own third-party code and integrate with Burp to use its capabilities and create their own customized results. This way, organizations do not need to worry about changing the reporting format and all. They will just get better results.

What is most valuable?

Burp is the best web application penetration testing tool that I have ever used.

Although all the features of Burp are very useful, I personally love its capability to automatically and accurately detect vulnerabilities. So, I would say it is the Burp scanner that is THE most powerful, valuable, and an awesome feature.

Another, very interesting and quite extensible feature is Intruder. The way you can customize your payloads to suit your penetration testing needs is simply outstanding.

The best thing is that all features are available just out-of-the-box and at a very nominal price.

What needs improvement?

The one feature that I would like to see in Burp is active scanning of REST based web services. A lot of organizations are providing APIs to access their services to support different business models like SaaS. Scanning these APIs is still a challenge for many security product companies. Even Burp does not have a direct and easy way of scanning REST based web services.

There is a capability to scan SOAP based web services provided there is a WSDL available. So, to conclude active web services scanning is something that I would like to see as an improvement in Burp.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

No. Quite stable. The executable JAR file is better since there is no installation required.

What do I think about the scalability of the solution?

I have only used it as a single user. But many of my colleagues use it and I have never heard of any such issues.

How are customer service and technical support?

Apologies. Never tried.

Which solution did I use previously and why did I switch?

I have used a lot of tools for web application scanning and penetration testing -- like Qualys WAS, Nikto, OWASP ZAP proxy, Paros Proxy, DirBuster, Burp, etc.

The reason for switching to Burp is the capabilities of this tool. The scanner is very powerful and the way it integrates with third-party code is really cool. Other tools simply do not have these capabilities.

How was the initial setup?

Quite straightforward. Thanks to the availability in executable JAR format -- this makes it a highly portable solution.

What about the implementation team?

I implemented it in-house. There is no installation as such, since the solution is an executable JAR file. Users just need to double-click it and start using it.

What's my experience with pricing, setup cost, and licensing?

This is a value for money product.

Which other solutions did I evaluate?

I am a consistent user of web application scanners and penetration testing solutions.

I have used Qualys WAS, OWASP ZAP, sqlmap, Paros Proxy, and Nikto. But nothing stands close to Burp, because this tool has everything in one single portable powerful package.

What other advice do I have?

If you are looking for a single web application penetration testing solution at low cost, definitely give it a try. You can request a trial of the pro version from PortSwigger if you would like to see the scanner capability in action.

They will, of course, require organizational contacts. Almost all the other features are available in the free version, also.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Penetration Testing Advisor at a tech services company with 1,001-5,000 employees
Real User
The real power of the product lies in the modules that aid in manual testing.

What is most valuable?

  • Intruder - allows inserting predefined or custom payloads at chosen locations inside requests and analyzing results using custom filters;
  • Repeater - allows reissuing requests to manually verify reported issues, changing parameters or issuing a specific sequence of requests to test for logic flaws;
  • Extender - allows installing additional modules from the BApp store, created by the community in Java, Python or Ruby;

How has it helped my organization?

It provides unique features that help me quickly identify and exploit security vulnerabilities in web applications.

What needs improvement?

Some extra features are not available in the core product (WSDL parsing, SOAP calls, Error checks, Authorization bypass), but additional modules created by the community can be easily installed from the BApp store through Extender, or you can write your own in Java, Python or Ruby.

For how long have I used the solution?

I have been using it for two years.

What do I think about the stability of the solution?

Spidering large websites can use a lot of memory and might result in a crash on systems with lower RAM.

What do I think about the scalability of the solution?

It's better to add only one website per project for the same reason as above.

How are customer service and technical support?

I didn't use technical support.

Which solution did I use previously and why did I switch?

I used many solutions but I found the best value, features and documentation in Burp.

How was the initial setup?

Starting Burp only involves running a .jar file. The latest version also comes with an executable installer. Setting up a project can be more complex, involving configuring the proxy, scope and different spidering/scanning options.

What's my experience with pricing, setup cost, and licensing?

I believe it has one of the lowest prices for commercial products (~$350 per user per year).

Which other solutions did I evaluate?

Before choosing this product, I evaluated free products - Arachni, OWASP ZAP, w3af, Vega - and commercial products - Acunetix, Qualys Web Application Scanner.

What other advice do I have?

If you expect a product in which you input your website and click a scan button, Burp is not for you. Burp Suite Pro can perform an automatic scan, but the real power of the product lies in the modules that aid in manual testing. A few weeks are usually needed to read the documentation and ramp-up on all the features, for someone without previous experience.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
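Two of the reviews above point at the same integration hook: the reviewer before this one describes Burp Extender letting organizations plug in their own code, and this one notes that missing checks can be written in Java, Python or Ruby. The following is an added example, not code from any reviewer or from PortSwigger, of a minimal passive extension written against Burp's legacy Extender API (the `burp.*` interfaces). It assumes the standard `IBurpExtender` / `IHttpListener` contract and logs in-scope HTTPS responses that lack a Strict-Transport-Security header; the extension name and log wording are constructed.

```java
package burp;

import java.net.URL;
import java.util.List;

// Added example, not from the reviews or from PortSwigger. Burp loads the
// class named burp.BurpExtender from the JAR and calls
// registerExtenderCallbacks once; everything else hangs off the callbacks.
public class BurpExtender implements IBurpExtender, IHttpListener {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("HSTS header check (example)");
        // Receive every request/response that flows through Burp's tools.
        callbacks.registerHttpListener(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        // Only inspect responses, and only those captured by the Proxy tool.
        if (messageIsRequest || toolFlag != IBurpExtenderCallbacks.TOOL_PROXY) {
            return;
        }
        if (messageInfo.getResponse() == null) {
            return;
        }
        URL url = helpers.analyzeRequest(messageInfo).getUrl();
        // Respect the project scope, and judge HTTPS origins only, since
        // browsers ignore HSTS delivered over plain HTTP.
        boolean https = "https".equalsIgnoreCase(messageInfo.getHttpService().getProtocol());
        if (!callbacks.isInScope(url) || !https) {
            return;
        }
        IResponseInfo response = helpers.analyzeResponse(messageInfo.getResponse());
        if (!hasHeader(response.getHeaders(), "Strict-Transport-Security")) {
            callbacks.printOutput("Missing HSTS header: " + url
                    + " (status " + response.getStatusCode() + ")");
        }
    }

    // Burp hands back headers as "Name: value" lines, with the status line
    // first; header names are case-insensitive, so compare lower-cased.
    static boolean hasHeader(List<String> headers, String name) {
        String prefix = name.toLowerCase() + ":";
        for (String header : headers) {
            if (header.toLowerCase().startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
}
```

Compile it against the `burp` interface sources that PortSwigger ships with the Extender API, package it as a JAR, and load it from the Extender tab; findings appear in the extension's Output pane rather than in the scanner's issue list, which keeps the example short.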
it_user492585
Information Systems Security Officer at a financial services firm with 1,001-5,000 employees
Real User
It helps with capturing and modifying HTTP packets and variables, and observing the application’s response.

What is most valuable?

  • HTTP proxy for packet capture
  • Repeater
  • Intruder
  • Spider
  • Decoder
  • Comparer

How has it helped my organization?

Burp Suite is a versatile tool for manual web application penetration testing; mainly used by skilled ethical hackers to test the security of web-based applications. It helps with capturing and modifying HTTP packets and variables, and observing the application’s response. It allows fuzzing the variable in an intuitive way, repeating the same method, crawling a web application, and similar functionalities.

What needs improvement?

The professional edition of Burp Suite provides some automated pen-testing scripts to detect application vulnerabilities, like SQL injection, XSS, etc. However, this component is not extremely useful. The results need to be double-checked manually, and false positives are very common, i.e., the tool detects a vulnerability from the HTTP response when a vulnerability does not actually exist.

For how long have I used the solution?

I have been using it for five years.

What do I think about the stability of the solution?

It is a tool used mostly for manual tasks, and it is stable enough for that purpose.

What do I think about the scalability of the solution?

If you attempt to map a large website using the Spider component, it can take a long time, and the tool may crash.

How are customer service and technical support?

I have not used technical support, but online documentation and Help have always been sufficient.

Which solution did I use previously and why did I switch?

I have used Charles Proxy, CAT, and Fiddler as well, but found Burp easier to use.

For automated scanning, there are stronger alternatives to Burp, such as Acunetix, IBM AppScan, Nexpose, Qualys, etc.

How was the initial setup?

There is no setup needed. It is a Java app that does not need to be installed.

What's my experience with pricing, setup cost, and licensing?

The free version is one of the best proxy tools for manual testing. For automated testing, it provides the best value for money in the market.

Which other solutions did I evaluate?

I evaluated Charles Proxy, Fiddler, and Context App Tool (CAT), which are great HTTP proxies. I like CAT and Burp as the best free ones.

What other advice do I have?

To effectively use Burp, you will need someone with enough technical hands-on skills in ethical hacking and penetration testing.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user245421
Senior Security Consultant at a tech services company with 501-1,000 employees
Consultant
It is the best all round solution for manual application testing but there are some stability problems directly related to Java.

What is most valuable?

  • Proxy
  • Repeater
  • Intruder
  • Extender API (and plug-ins)
  • CSRF generator

How has it helped my organization?

This is by far the best application assessment tool I have used. It is more usable and has more features than most of the enterprise tools that cost 10-100 times as much.

For how long have I used the solution?

I've used it for five years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

There are some memory issues, where the application runs out of memory and crashes. This is directly related to Java. This was improved after switching to 64-bit Java, but it still creeps up once in a while.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

It's excellent.

Technical Support:

It's very good.

Which solution did I use previously and why did I switch?

I use many projects, but Burp is the best all round solution for manual application testing.

How was the initial setup?

It's very straightforward; you just have to double-click a JAR file.

What other advice do I have?

You get many features with the free product, but the real power is unlocked with the Pro version. The intruder is an amazing tool and makes the entire product worth purchasing, and the ability to perform automatic backups is well worth the small price of this product as well.

Disclosure: I am a real user, and this review is based on my own experience and opinions.