PortSwigger Burp Suite Professional Reviews

It's an individual tool that security professionals use for their manual pen-testing. We use it for capturing the traffic, intercepting the traffic between the browser and the application. We try to manipulate the applications, the traffic so that whatever input that is accepted by the application is sanitized and validated. We try to analyze the application for input validation. All inputs are handled correctly.

Another use case is having a scanner module built-in where you can browse the entire application. The scanner can continuously scan the application for vulnerabilities based on OWASP Top 10 standards. Likewise, you can come to know what vulnerabilities are in the application. Later, you can go through the vulnerabilities one by one and triage them.  

There are many different modules in Burp Suite. We have a comparator module where you can compare the request and response. You have the Repeater module where you can repeat the sequences. They can be used for other test use cases such as doing disciplinary attacks or brute force attacks on the applications. 

Basically, there are a wide variety of use cases and applications.

Request handling capacity, it do not handle huge chuck of requests as it freezes.

And obviously as all tool does Burp also gives some false positive results, vetting has to be done thoroughly.

The most valuable feature of Burp Suite is probably how we can intercept the request and response. We can manipulate a request and send it back to the server. Intercepting is one of the best features for sure. 

The scanner is excellent. The scanner is one of the good features. If you compare it to more expensive tools like WebInspect or IBM AppScan, you'll realize that, at a very low cost, Burp Suite can provide good results.

The is a good amount of documentation available online. The solution is stable.

The initial setup isn't too complex.

The solution offers some great extensions through a BApp store. Users can implement extensions and upload them to the BApp store.

The solution has a great user interface.

Its strong user community is always helpful when it comes to any problem regarding the tool.

Although it provides great writeup for the identified vulnerabilities but reporting needs to improve with various reporting templates based on standards like OWASP, SANS Top 25, etc. The tools needs to expand its scope for mobile application security testing, where native mobile apps can be tested and can provide interface to integrate with mobile device platform or mobile simulator's. Burp suite has great ability to integrate with Jenkins, Jira, Teamcity into CI/CD pipeline and should provide better ways of integration with other such similar platforms.

I've been using the solution for more than eight years now - right from their open-source free version through to their professional version.

The stability is quite good. We have no complaints. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

Obviously, Burp Suite is a DAST tool and good asset for pentester's. However, we need to see how best it can be utilized for automation so that DAST can be automated. Dynamic application testing can be automated and can integrate Burp into CI/CD pipeline using Jenkins. That said, we need to make it use it in a more efficient way. There should be some methods or some guidance from Burp on how best we can use it for automation.

We've never interacted with tech support. That's mostly due to the fact that there is already a lot of material that is available online. With all of the details readily available, we don't need to interact with tech support.

The initial setup isn't too difficult. It's JAR based. I would say it's an analog file. It just requires minimum requirements like Java and a license. After that, you are good to go.

Burp Suite provides different licenses. They have open-source free-to-use licenses, which can be used by anyone. Then, they have a standalone license that, as a security professional, you can use. They have their Enterprise version as well. I use the professional version.

Initially, when we were using Burp Suite, I hardly remember the version we started at. 

The actual costs vary from country to country, however, I would say it's cheaper if you compare it to other DAST solutions and tools.

Compared to other web applications assessment tools Burp suite is a solid tool for web based penetration testing for a reasonable price.

We are just customers and end-users.

I'd advise other organizations that this solution is a pretty good tool for manual penetration testing. It has good features like the Scanner and Sequencer, Repeater, and there are extensions. Burp extensions are available where they can customize Burp behavior using their own or third-party code. Those features will be really useful for Burp users. It's also obviously a very cost-effective option.

I would rate the solution at a nine out of ten.

Our use cases are to identify the vulnerabilities of OAST and the other applications we are using. 

The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned.

Additionally, it has good reporting and dashboards and also integrates well with other task management applications that we're using.

One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that.

One more thing they can improve is that despite having a good architecture, it needs a lot of specification. So when you start a project, because it requires a high configuration, the instructor costs more than the project. So it's not cost efficient if it's a big project.

We have different versions of PortSwigger Burp Suite. For the past few years we have been using a professional edition, which is a desktop application. Now we are moving to the Cloud so we explored the enterprise edition. Although we haven't implemented it yet we're already using it. Now we have a better idea how their scanners and spiders actually work.

We've had a license for the professional version for the past two years.

In terms of scalability, I think they can increase the number of regions. And more importantly, it doesn't restrict based on the domains you are scanning. So even if tomorrow you suggest some working space, you can still scan the domains for the regions that you have. If you want to increase the number that you scan, you can buy some more. So scalability is not a big problem, but I think if you are scanning from your side, you have to get the license for some of those activities. That's domain based licensing.

Right now we have two or three people using it.

PortSwigger Burp's technical support is all right. The issues are resolved very quickly so we don't have to wait for long. They also provide you with documentation. Just by going through the documentation we can solve many of our problems.

The initial setup was straightforward. We can install it on a Linux machine. It was fast to set up.

PortSwigger Burp costs around $7,000 and around $2,309 for licensing.

On a scale of one to ten I would rate PortSwigger Burp a seven.

For it to be a 10 it would need to implement the above mentioned different formats for reporting and the interactive security testing.

The primary use case is generally for security compliance on web applications. We provide services to our customers with Burp both on-prem and on cloud. I'm a solutions consultant and we are customers of PortSwigger Burp. 

Their flagship feature would be the active scanner, which carries out an automated look up of any web vulnerabilities reflecting over to one of the main compliance standards, like OWASP. This provides an accurate security audit for their web applications.

One downside of the solution would be their false positive checks. As with most automated security tools, there is still a high false positive issue. Hopefully they will be able to improve on that in the future. It would also be helpful if the solution had the capability of handling larger reports. Another area of improvement would be to have a customizable dashboard. It's currently restricted now to their own interface. If you want to utilize the other features available in their API documentation, then you have to write some code yourself. It would be great if their interface could be somewhat customizable.

I've been using this solution for two years. 

The stability of the solution is generally fine.

The solution is easily scalable, depending on licensing of course. For example, on the cloud set up, you can easily scale the agents and such. But in terms of bandwidth, maybe when it comes to their reporting feature, there are some limitations with the detail that can be downloaded from the report. I've found that the system can crash if you try to download a report with many details.

In my opinion the initial setup is pretty straightforward. The workflow is easy to understand and they have a lot of documentation on how to perform many of the key tasks.

I believe the price is good where it's at right now. They have a very competitive price point although recently they've been incrementally increasing in price. It's still competitive. 

I would definitely recommend PortSwigger as a primary tool for auditing any open vulnerabilities of anything related to web applications. 

I would rate this product an eight out of 10. 

I am a penetration tester at my company and PortSwigger Burp is one of the products that I use in this capacity. It is a manual testing penetration tool.

There are a lot of good features and the most valuable one varies depending on what test you are performing. They are also consistently improving and releasing new features.

Two of the most valuable features are the Extender Tab and Repeater.

With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp. It's not limited to their features because we can always add or do some customization of the features.

Even if you don't know how to code, there are hundreds of third-party plugins that are available to extend the features of the product. Some of them are open-source and there are some that are provided by Burp.

The user interface is good, having been changed within the past two years.

There is not much automation in the tool.

I have been using Burp Suite for between four and five years.

This is a very stable product. The tool is 15 years old and very mature.

Scalability is not an issue because it is not centrally connected. Rather, it is a per-license, user-based tool. We have more than 20 users in the company.

The documentation is very good, so I have never needed to contact technical support.

The initial setup is very straightforward and simple.

No staff is required for maintenance.

At $400 or $500 per license paid annually, it is a very cheap tool.

In comparing features, there is no real competition for this solution. There are a couple of open-source products, but there is no real competitor for the Burp Suite.

This is a standard tool in this industry and anybody who is doing application security testing should be aware of it. My advice for anybody who is considering it is that it is very easy to install and configure, and there is lots of documentation available.

I would rate this solution a nine out of ten.

There are three versions and we are using all three - community, professional and enterprise. We use the community and professional versions on premises and the enterprise version is on cloud. I'm an IT Manager. 

Burp has several good features; it's cheaper than other solutions and you can scan any number of applications and it updates its database. With the professional version, it creates a lot of applications which you can incorporate with your scanning and enable deep diving in the specific section. 

We've faced lots of challenges, including slowing down of the tool, and a lot of error messages, sometimes because of the interface. If we're running a huge number of scans regularly, I think that also slows down the tool so I'm not sure if it is good for lots of scans. I hope they will work on the amount of scans they can handle. There have been improvements in the interface and the reporting structure, but they need to do more. They have a long way to go. For now, if we use the interface directly, we need to use an integration with our web application. We're after value for money. 

I've been using this solution for about 18 months. 

Stability depends upon the amount of scans you are running. Sometimes there are problems with the stability and it could be improved. 

Scalability depends upon which of the Burp versions you're using. If you're using Pro it's not scalable because it's dedicated to one person. But when it comes to Enterprise, yes it is scalable, it's easy. 

Support depends on how much you're paying. We get good support from them which we need because there are lots of issues occurring frequently. The pro version has less problems but it only takes one scan at a time, so it's good but restricting. The technical support is trying to solve the issues of stability we are having right now.

I would recommend this solution depending on the requirements of the company. 

I would rate this solution a seven out of 10. 

Clients come to me for an assessment of their web applications to see the risks that they are facing with their applications. They want to ensure that their application is free of being manipulated and also secure, so they reach out to us to do vulnerability assessment and application penetration testing. We make use of PortSwigger's BurpSuite tool carry this out. We look at it more from an application standpoint, what common vulnerabilities there are like the top 10 OWASP vulnerabilities like Injection(OS/SQL/CMD), broken authentication, session management, cross site request forgery, unvalidated redirects/forwards, etc. Those are the primary uses we make use for this tool.

We're an independent IT organization that specializes in vulnerability assessment and penetration testing, and we focus here on application security. This tool really helps me unearth security issues and vulnerabilities that are on the applications shared by my clients. Unearthing these issues really helps me build confidence and relationships with clients on two counts. First part is that, they want a reliable and robust tool with which we are able to unearth security issues in there. The second part of it is, I give them more confidence in their application securedness before they make a decision on going live.

I can't name customers, but I've been working with a US university education platform providing client for the last three years. Earlier we tried different tools but in the last couple of years, we stuck to the Burp Suite tool and year after year, we've been periodically doing the application security for them. The confidence has really leveraged the relationship to build the pipeline of business that I have. At the same time, the confidence that the customer in their platform going live has remained intact. That really helps me build accountability and it helps me put forward my organization as a strong security testing organization space.

I like the way the tool has been designed. Once I capture the proxy, I'm able to transfer across, all the requested information that is there. I can send across the request to the 'Repeater' feature. I put in malicious payloads and then see how the application responds to it.

More than that, the Repeater and Intruder are really awesome features on BurpSuite. For example, if I'm going to test for a SQL injection, I have certain payloads that are trying to break into the application. I make use of these predefined payloads which come as part of the tool are really useful for us to use and see how the application behaves. With the help of the BurpSuite tool, we are very well ahead to see if the application is going to break at any point in time.

So the Repeater and the Intruder, are great features that are there. More than that I think the entire community support is really fabulous. As well as of the number of plug-ins that people have written for the tool. Those have been standouts. Community support is really strong. We see a lot of plug-ins that are made available that work along with the tool.

In the earlier versions what we saw was that the REST API was something that needed to be improved upon but I think that has come in the new edition when I was reading through the release offset available. 

There is a certain amount of lead time for the tickets to get resolved. The biggest improvement that I would like to see from PortSwigger is what many people see as a need in their security testing that coudl be priortized and developed as a feature which can be useful. For example, if they're able to take these kinds of requests, group them, prioritize and show this is how the correct code path is going to be in the future, this is what we're going to focus around in building in the next six months or so. That could be something that will be really valuable for testers to have.

I've been using the solution for about three years.

Burp Suite is quite robust. The good part is that it also comes with an automatic back-up feature in it which automatically saves all the request-responses, alerts, attacks in the systems periodically.In the event of your laptop crashing/going down on power, you still have last saved application state which has saved the recording. Once you power up again, you can launch Burp Suite and go back the last point of save of the complete recording /requests/tests in the system.

With the open edition, it's not a problem to install on any number of machines. When it comes to the professional edition, you need a license and you have to pick a license type. I have to use it against a particular machine on which I would run. From there I would run my scans. Let's say I don't find my laptop or my computer fast enough, and I decide to move my license across to a higher processor, higher memory laptop or computer, I can easily move the license across to the new machine.

As long as I am on that particular license use, I have one license that I'm able to move across to one instance at any given point of time. That is quite stable. I think even more than that, for a top-priced edition you can take multiple contract licenses. Something like a license server where you might have five licenses. You might have 10 installations and you can have different people working on various routes use the tool. Only those five licenses will be needed. In that instance, scalability is definitely a great point for most uses.

Currently, if you look at the users that are linked to roles that we have, one is the security test engineer and one is the security test analyst. At any given point in time, only one person uses the tool for engagement in the professional edition. We have about two to three people working with us on these projects.

I found technical support to be quite responsive. I usually get an email response within three or four hours which is very good. There's plenty of documentation that has relatively good pointers as to the documentation's impact. Also, documentation is a good part of the knowledge base. They have started something that's very awesome by implementing that. They point us to areas in our tickets that have answers within the available knowledge base documentation, which is shared as part of the whole response. It's definitely a good thing.

I've used different tools like Acunetix. 

The first tool that we started with was Acunetix. Acunetix as quite expensive, first and foremost. It's more suitable for web application scanning and penetration. PortSwigger's has a larger play beyond applications, it supports REST API and all that stuff, that kind of support is great with PortSwigger.

The kind of mechanism that's there is you can just capture the flow if the application. They usually have what is called as a flow sequence in proxy history with which all the user actions are captured. That's all that is done by the tool completely. Once that information is there, much you can control exploit requests with the tool. Whatever the tool shows, I have the opportunity to throttle and change payloads and see how the application behaves.

We used the online web scanners with Acunetix. We found it a little difficult and that was one reason why. In fact, when we got the contract with the client and we evaluated multiple tools, that's why we chose PortSwigger's BurpSuite.

The initial setup was straightforward. It's not complex at all. Today it comes along with a job size which makes it much more affordable and easy. I don't think the installation is ever a challenge here. 

In some setups, all I do is this: if I'm setting it up for Windows, I cannot get my path through which I want to set this up. A few clicks and I'll be able to get the entire tool set up. I would say it requires some amount of knowledge to do testing. So also we are able to set up the tool against an application. Let's say there is an application that comes through for testing. Until I get to know the way I have to configure the target URLs and capture the entire traffic flow. That is easy. Now there are jar files also being made available for easier instantiation of the tool.

It is not a challenge in setting up the tool at all because there's plenty of videos and documentation available around in both the PortSwigger website as well as in open forums like YouTube and all that. It's quite easy to set it up. Personally, I haven't had trouble. We haven't had any major challenges in terms of setting up the tool. Not just purely from an installation standpoint, but also from a perspective of beginning to capture traffic across the different applications that we serve. 

The installation takes about less than four to five minutes. It doesn't take more than that.

In terms of security implementation strategy, when we take control of any tests that we do, we set the proxies in place based on the settings that are there on the tool and then set up the same proxy across on a browser for which we will capture the traffic. Once we do that, our implementation strategy is to capture the entire traffic in terms of specifying a target URL, the application or the website and the test. We do a proper login and ensure that all the data captures are there. Then we see that all the requested sponsors are getting logged in properly inside the tool and we are able to capture that. So once we do that, we try to simulate all user flows that would be there on the tool. 

Based on the different tools that are there, we capture the flow and enter a fake login and then we do a scan. The scan helps to unlock issues that are there. That kind of test is to identify all the actions that we do. We particularly do what is called an active scan which is like after you use the browser, make all the user clicks, events, and all that, the tool is able to capture it in the background. It does an active scan, and it gives what are potential issues that are there. So once we are done with that, we look at all the issues that are there, and then we make it run through a boot scan based on the requests that we have captured. Typically this takes a final good amount of time which depends on the amount of traffic that you have captured through the tool.

The one good thing that I would like to highlight is that irrespective of how much traffic is captured from my application flow, the tool is quite robust. I have seen other tools that sometimes the application, or rather the tool, becomes non-responsive. I haven't seen those kinds of issues here.

Then, once we are done with the scan, we pick and choose what are the issues that are there. We look for what are the trouble spots, and what issues are being highlighted. Then we check each of those specific requests, sending them over to another team member, and try them with different payloads, putting them across in the intruder and unearthing issues. So that helps me really test the application using PortSwigger comprehensively, and, more importantly, at the end of the test, it makes it quite easy for me to generate a report which is quite nice and simple which I can forward across to the client. That is essentially the way I go about in my implementation of security testing.

We did the implementation in-house.

In terms of ROI, I'd say it helps with client engagement. The tools in relation to ROI allow me to win back-to-back contracts for application security testing with the customers. I would even say I'd be able to break in on a first engagement itself. 

Licensing costs are about $450/year for one use. For larger organizations, they would be able to test against multiple applications simultaneously while others might have multiple versions of applications which needs to be tested which is why there is an enterprise edition. We might have more than five to six people in the organizations doing security testing. You can give full-base access to them and control who uses your licenses.

It depends on the stream of projects, business pipeline that I get, but security is not something that done all throughout the year. We get it in cycles. We pace it in such a way that from our different customers that we work with, we actually have one project running throughout the year. I might do a project for Client X during the month of let's say January to February. Then for another client, I might have something lined up for April to May. So with a single license, I am able to maximize the usage very well.

The tool comes in three type. First, there is the  Open Community Edition, which is meant for people who use it to learn the tool or use it to secure their system. This edition does not have scanning features enabled to source scan the against application URLs or websites. From the standpoint of learning about security tests or assessing the security of application without scanning, the community edition really helps.

Then you also have a Professional edition which is more meant for doing comprehensive vulnerability assessment and penetration application which is very important. Especially for independent teams like ours who make use of tools based on tech, etc. The good part about the professional edition is that it comes with a term license which is cost-effective. You pay for an annual charge and use it for a year's time and then you can extend it on an as-needed basis.

Apart from these, we also have an Enterprise Edition which has features like scan schedulers unlimited scalability to test across multiple websites in parallel, supporting multiple user access with role based access control and easy integration with CI tools.

The very best way this tool can be used through is to understand the application, identify the various roles that are there in the application. Then capture the user flows, with Port Swigger's BurpSuite, and understand what the requests are making use of the different features in BurpSuite. 

Post this the teams look at and analyze all the requests being sent. Observe the requests, use various roles with the tool using a repeater and intruder, analyze what's breaking through in the application. As you can quickly analyze with the intruder out here how the application's really behaving, how the payload is being sent across the tool. Then you get a quick sense of what's available which could be checked through for false positives and then arrive at the final output along with it.

This is how I would like to handle the implementation of the solution.

I would rate this solution 10 out of 10.

My main use cases for security testing with PortSwigger Burp Suite Professional are mobile application penetration testing and web application penetration testing in the IT industry.

I find all the features of PortSwigger Burp Suite Professional most useful, particularly the AI enhancement for results and follow-up for retests.

This feature helps me follow up on my results and perform retests step-by-step. The automation in AI verifies the findings, ensuring they are correct, and performs step-by-step testing.

The Intruder tool enhances testing efficiency through intercepting information and analyzing it. It helps to analyze web applications and intercept the traffic.

The only potential improvement would be adding Postman integration specifically for APIs.

I have been working with the tool for five years.

I haven't experienced any issues with stability; it is a stable solution.

They have an option for enterprise for scalability, but I currently use just a single license.

My environment is medium-sized, and I am the only user of this tool.

Before working with PortSwigger Burp Suite Professional, I evaluated other tools for testing such as OWASP ZAP.

PortSwigger Burp Suite Professional offers benefits because it's not open source, providing extra features such as AI enhancements that are not available on OWASP ZAP. OWASP ZAP is completely free.

The setup process for PortSwigger Burp Suite Professional is quite easy. I would rate the setup a nine on a scale from one to ten, where ten means easy.

Deployment takes approximately two minutes.

The cost of PortSwigger Burp Suite Professional is reasonable at approximately $500 per year per user.

As a user and customer, I can say that PortSwigger Burp Suite Professional is a good tool that performs its intended functions effectively. It operates as an interceptor and analysis tool, completing its tasks reliably.

On a scale from one to ten, I rate PortSwigger Burp Suite Professional a nine.

The solution is used for penetration testing of any kind of application. We use it for security testing workflow daily.

PortSwigger Burp Suite Professional is a very good tool. The solution helped us discover vulnerabilities in our applications. Vulnerability elimination is the most important feature.

The intercept feature is valuable. It helps us intercept the traffic and make manual changes. We can find vulnerabilities that are not detected by other products. Burp Intruder is applicable only when there are no blockers on the websites. Burp Repeater impacts the testing outcomes. We use it if we have multiple visits for a specific request. Everything is well-defined.

The tool is very expensive.

I have been using the solution for five years. I am using the 2023 version.

The tool is highly stable. I rate the stability a ten out of ten.

The tool is highly scalable. I rate the scalability a nine out of ten. We have four to five customers. We work with medium-sized businesses.

The setup can be done easily. I rate the ease of setup a ten out of ten. It is a stress-free process. The deployment takes two to three days. The deployment process is very simple. We just do the installation setup and install the key.

I rate the pricing a ten out of ten. There are no additional costs associated with the product.

Burp Intruder does not work if there are multiple requests for a single API. I will recommend the tool to others. Overall, I rate the solution a ten out of ten.