PortSwigger Burp Suite Professional Reviews

I used this solution while working with a bank, and while it wasn't much of a DevSecOps tool, it was a good tool for penetration testing.

It is a good manual penetration tool. It was easy to learn.

If your application uses multi-factor authentication, registration management cannot be automated. There are also some session management issues we have found if we want to integrate it into the pipeline. There were also some authentication-related issues we found at the time. These issues were more specific to the enterprise edition. I have worked on a paid version of the standalone solution, which is best for manual penetration testing.

I rate Burp Suite's stability a ten out of ten.

I rate Burp Suite's scalability a seven out of ten. We wanted to have more scalability in my last company, where we wanted the enterprise edition, but there were some challenges we faced. We couldn't find a solution to the problem statements for most of our business use cases back then. We then dropped the idea of using Burp Suite Enterprise and opted for a standard one for manual penetration testing.

There were ten users in my unit working with Burp Suite.

Support-wise, the solution was also very good. Across the globe, all the manual penetration testers use Burp Suite. If we had any questions, we received good support from GitLab and other forums.

Whenever we raised any query, such as if we wanted to file an invoice for reimbursement at the organization level, the support was good at the nontechnical and technical levels.

Positive

The initial setup is easy, not only in the office, since I'm working on my laptop now with the community edition. The configuration is pretty straightforward.

Burp Suite is affordable. Admins can purchase the tool, which is affordable enough that college students can purchase it if they want to learn it.

The solution is not a good candidate for a DevSecOps tool.

I recommend this solution for manual penetration testers. It is the best tool with the best support. PortSwigger has added plugins to efficiently catch bugs, for example, HTTP request smuggling. There are a lot of plugins, such as how to hide the JWT token. These plugins minimize the effort required by manual penetration testers so they can find bugs quickly with the help of these plugins. They have good support if anybody wants to learn how to use and install plugins. There is a lot of documentation available online.

I rate PortSwigger Burp Suite Professional an eight out of ten.

I am a penetration tester working for a private organization. I evaluate the security of applications companies develop. I check for security vulnerabilities in web applications, Android and iOS devices, and thick and thin clients using Burp Suite. I use it to prevent applications from being hacked by outsiders.

Burp Suite has been very useful in reducing the time needed for testing applications. Without using Burp Suite, testing could extend up to ten days or more. It provides a flexible way to evaluate vulnerabilities and mistakes developers make while developing applications.

Burp Suite is valuable since it provides automated scan facilities, including authenticated and unauthenticated scanning. It offers flexibility, macros, and features to reduce the effort required for authenticated sessions. It also makes it easy to find blind SQL injection and OOB attacks.

Integration is a big problem. Currently, it's more challenging to integrate Burp Suite into the CI/CD pipeline compared to SAP (which is open source with many plugins available). More technical knowledge is required for integration.

I have nearly more than five years of experience with Burp Suite.

I would rate stability an eight out of ten.

I am 100% confident in Burp Suite, so I would rate its scalability a ten out of ten.

Whenever we email, they respond back on time. The support is brilliant.

Positive

The setup is simple. You need Java JDK support of 11 or more and sufficient memory and space.

I would rate the pricing a six out of ten. It's not as flexible here as it might be in European or American markets.

SAP is a good alternative as a free version.

Burp Suite has started a certification called Burp Suite Certified Professional (BSCP) that I recommend to pursue as it provides good documentation.

I'd rate the solution nine out of ten.

We are an IT organization. We use the solution for the security testing of applications. It helps us identify vulnerabilities in the applications.

The product has a good learning hub. It is good for beginners who want to learn security testing. The scan reports are good. They cover most things. The reports give details about the issues and suggest solutions. It's really useful for web applications. I use Intruder for brute-force attacks.

The product has a new API feature. It provides the scan report for APIs similar to the scan report we receive when we use web URLs. The vendor must provide documentation on how to use the new API feature. I did not find any guide on how to use the feature.

I have used the solution for two years.

I rate the product’s stability seven out of ten.

The product has limitations for mobile app security testing. We are unable to perform mobile app testing for Android and iOS.

I faced some login issues and contacted the support team, but the team could not provide a solution. I found the solution in the documentation.

Neutral

The tool is easy to install. All the steps are given in the documentation. The installation takes less than 10 to 15 minutes.

PortSwigger Burp Suite Professional is expensive compared to other tools. There are open-source tools available in the market. The cost of one PortSwigger license is expensive.

I have recommended the paid version of the tool in my current organization. Integrations with other tools are moderately easy.

Overall, I rate the product a seven out of ten.

We use the solution for scanning and manual penetration testing. We have a verification and security assessment as a dynamic security assessment for manual application testing.

The solution helps to automate API security assessments. It incorporates features of both black hat and red team engagements. We streamline bug bounty hunts. It helps in API testing, where manual intervention was previously necessary for each payload. With the new deck feature, Burp Suite enables automation accessible in the external tab. This feature allows testers to select specific targets, such as login or registration pages, and apply different attack vectors. It enhances efficiency, saving time and resources, which is beneficial when dealing with larger-scale web applications or numerous APIs.

Manual assessment in the tool is great.

Scanning needs to be improved in enterprise and professional versions. The enterprise version has challenges related to scheduled scans. If a scan fails after two days without notification during offline periods, that time is lost. Sometimes, it took up to 24 hours to realize that certain tests had failed for various reasons. There's significant room for improvement in automating scans.

I have been using PortSwigger Burp Suite Professional for more than 10 years.

The product is a good tool for application assessment.

I rate the solution’s stability an eight-point five out of ten.

The automation features in Burp Suite For vulnerability assessment and penetration testing may not be as extensive as other tools like NetSparker. Other tools may offer more comprehensive capabilities, especially in areas such as source code. Features like capture and OTP testing might be more robustly supported in other tools. There may be limitations in automation with Burp Suite Professional. NetSparker could be more suitable for tasks like two-factor authentication testing.

Four to five are using this solution.

The professional version is not very scalable, whereas the enterprise version is scalable. I can run multiple scans.

Technical support is good.

Positive

We have used Netsparker and WebInspect. WebInspect is very difficult to operate.

The initial setup takes more than a week. The professional version is a plug-and-play.

There is a Java package that you can easily use without installing it.

The product is cheap compared to other products.

I rate the product’s pricing a seven out of ten, where one is expensive and ten is cheap.

We have an infrastructure and DevOps team of eight to ten people for solution maintenance.

Reporting is good and very light. The response is fine.

I recommend the solution for dynamic assessment.

Overall, I rate the solution a nine out of ten.

We use the solution for scanning. It also has a repeater function to replay a request. I'm using it for brute forcing and future scheduling.

We have a quick firewall before PortSwigger Burp Suite Professional to test for SQL injection. Suppose the firewall is blocking some special characters. In that case, we can use Intruder to quickly identify which special character is blocked and which characters are enabled by feeding Intruder with a list of all possible special characters. We can also use Intruder to clock the use of some tools like Secure Map. We can feed Intruder with a list of SQL injection or XSS payloads and test the vulnerability directly. The scanner is handy in identifying vulnerabilities. SSTI vulnerabilities are within Burp Suite. It is a time saver and useful tool for most cybersecurity consultants and penetration tests.

PortSwigger is a time-saver application. It has a webscanner feature. The regional agencies can help a lot in identifying potential vulnerabilities.

You can have many false positives in Burp Suite. It depends on the scale of the penetration testing. If you have experience, you can quickly determine the false positive.

PortSwigger Burp Suite Professional lacks an authentication feature for handling certain applications. For example, consider applications that utilize authentication, where tokens typically expire after one hour. Burp does not automatically handle reauthentication in such scenarios. While it does offer a feature to set rules for automatically renewing authentication, it's specific to particular applications. However, the process for applications with token-based authentication has become more complicated. When running a web scanner, authentication may fail due to expired tokens after one hour, rendering the scanner unable to authenticate with the application. 

I have been using PortSwigger Burp Suite Professional for 7 years.

All resources on PortSwigger are online, whether on their website or forums. Whenever we encountered any issue, we contacted their support directly via email. They are pretty quick to respond and provide good assistance.

Positive

We trust Burp Suite to identify vulnerabilities in the application with pretty good accuracy.

The solution is worth the money.

You can enhance web features with Burp Suite because it works well with many plugins. There is a large community around it that develops custom plugins. You can integrate these plugins into your app to quickly identify various vulnerabilities. There are both free and paid plugins available. We build apps exclusively with Burp Suite Professional. There are many tools available to assist with vulnerability management. You can download and export Burp Scanner output and load it into a vulnerability management tool. This allows developers to track vulnerabilities and manage the process of correcting them, providing status updates to management.

Overall, I rate the solution a ten out of ten.

We use the solution to do VAPT. 

I am impressed with the tool's detailed analysis for penetration testing. AppScan can give only visibility, but it can't do the PT part. But the PortSwigger Burp Application can do both, and it gives much more visibility on the PT rating.

I need the solution to be more user-friendly. The solution needs to be user-friendly.

I have been using the solution for three years.

It is a stable solution. I rate the stability an eight out of ten.

It is a scalable solution but needs to be more user-friendly. I rate the scalability an eight out of ten.

The initial setup was easy. The deployment takes around a week.

I rate the setup an eight out of ten.

I rate the pricing a four out of ten.

I rate the solution an eight out of ten overall.

We are using the solution for web application testing. From Burp Suite, we can test the application security. We have a team of system auditors, and our auditors use Burp Suite.

We are working with the community version, and it provides all the features we need.

It's good testing software. 

For application security, Burp Suite is one of the best solutions. It has all the proxy and all the features so that we can test all the application's vulnerabilities. 

They have an extension feature, so at intervals, they provide extensions that provide some helpful updates. They continuously update the product, and they continuously provide extensions. Through the extensions, we get new features at regular intervals.

The pricing is fine. 

We can customize and configure as needed.

We found the product to be quite stable. 

It's already great. There isn't anything needed for improvement. 

The initial setup is a bit complex. 

I've used the solution for three years. 

The solution is very stable and reliable. There are no bugs or glitches. It doesn't crash or freeze. 

The solution can scale. It's per system. If you are using it on 100 systems, you must install it on all 100 systems. It's not like you install a central product, and you scale. It's not the client-server architecture; you must install it on every system if you want to test.

We have two or three users on the solution.

We've never escalated any issues to technical support. I've never directly dealt with them.

This is among the best in comparison to all other tools. If we compare it to Zap, et cetera, Burp Suite is the best among those. There's also Nikto and lots of tools available. We prefer to work with Burp as Burp Suite is like a framework. It has lots of tools in-built. Therefore, we can do multiple tasks on a single platform from a single framework. It's like a one-stop shop.

The solution is a little bit complex. It's not exactly straightforward. 

The deployment itself was a pretty easy process. It was quick.

We do not find it difficult to maintain the solution.

We handled the initial setup ourselves in-house. 

We use the community version. It's free.

Pricing is not very high. It was around $200.

They have some licenses, and features and they have some different categories. I need to go through the sites, however, I know they have different versions.

We are using Burp Suite. We are not selling Burp Suite.

At this time, we're using the most up-to-date version of the product.

I'd recommend the solution to others. I would rate it ten out of ten.

We use PortSwigger to find simple bugs via authorization and authentication testing. It's about preventing attacks. Burp Suite enables you to drill down and check all test cases, irrespective of the application on which it's built. We are customers of PortSwigger and I'm a consultant.

Port Swigger enables automation of different tasks such as authorization testing. New extensions come in every day which can be used in Burp Suite while testing. 

In general, there's not much to complain about but the stability of the tool is not good enough. I know that the RAM utilization is something they're working on but using a scan currently takes up too much memory. Resource utilization is an issue because when you're application testing, there are multiple threats and multiple application requests that are going in the backend.

I've been using this solution for four years. 

The stability could be improved. 

The scalability is quite good because PortSwigger can be used by multiple users through Jenkins and other things. 

The technical support is quite good. 

Positive

The initial setup is not that difficult because there's good documentation on the PortSwigger website. Our employees each installed on their own machine, it's an executable file. 

Return on investment is good because it's a globally known product. All our  customers know Burp Suite. There's a return on investment because it's a major tool necessary for performing any manual or automation testing.

The licensing cost depends on the number of users. One person can use the tool on a single laptop that can be shared between multiple users under a single license. We have around 15 users. We pay an annual license fee that includes technical support, it's not that expensive. They also provide a free community version. 

I recommend this solution and rate it seven out of 10 because it offers multiple features.