PortSwigger Burp Suite Professional Reviews

It's an individual tool that security professionals use for their manual pen-testing. We use it for capturing the traffic, intercepting the traffic between the browser and the application. We try to manipulate the applications, the traffic so that whatever input that is accepted by the application is sanitized and validated. We try to analyze the application for input validation. All inputs are handled correctly.

Another use case is having a scanner module built-in where you can browse the entire application. The scanner can continuously scan the application for vulnerabilities based on OWASP Top 10 standards. Likewise, you can come to know what vulnerabilities are in the application. Later, you can go through the vulnerabilities one by one and triage them.  

There are many different modules in Burp Suite. We have a comparator module where you can compare the request and response. You have the Repeater module where you can repeat the sequences. They can be used for other test use cases such as doing disciplinary attacks or brute force attacks on the applications. 

Basically, there are a wide variety of use cases and applications.

Request handling capacity, it do not handle huge chuck of requests as it freezes.

And obviously as all tool does Burp also gives some false positive results, vetting has to be done thoroughly.

The most valuable feature of Burp Suite is probably how we can intercept the request and response. We can manipulate a request and send it back to the server. Intercepting is one of the best features for sure. 

The scanner is excellent. The scanner is one of the good features. If you compare it to more expensive tools like WebInspect or IBM AppScan, you'll realize that, at a very low cost, Burp Suite can provide good results.

The is a good amount of documentation available online. The solution is stable.

The initial setup isn't too complex.

The solution offers some great extensions through a BApp store. Users can implement extensions and upload them to the BApp store.

The solution has a great user interface.

Its strong user community is always helpful when it comes to any problem regarding the tool.

Although it provides great writeup for the identified vulnerabilities but reporting needs to improve with various reporting templates based on standards like OWASP, SANS Top 25, etc. The tools needs to expand its scope for mobile application security testing, where native mobile apps can be tested and can provide interface to integrate with mobile device platform or mobile simulator's. Burp suite has great ability to integrate with Jenkins, Jira, Teamcity into CI/CD pipeline and should provide better ways of integration with other such similar platforms.

I've been using the solution for more than eight years now - right from their open-source free version through to their professional version.

The stability is quite good. We have no complaints. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

Obviously, Burp Suite is a DAST tool and good asset for pentester's. However, we need to see how best it can be utilized for automation so that DAST can be automated. Dynamic application testing can be automated and can integrate Burp into CI/CD pipeline using Jenkins. That said, we need to make it use it in a more efficient way. There should be some methods or some guidance from Burp on how best we can use it for automation.

We've never interacted with tech support. That's mostly due to the fact that there is already a lot of material that is available online. With all of the details readily available, we don't need to interact with tech support.

The initial setup isn't too difficult. It's JAR based. I would say it's an analog file. It just requires minimum requirements like Java and a license. After that, you are good to go.

Burp Suite provides different licenses. They have open-source free-to-use licenses, which can be used by anyone. Then, they have a standalone license that, as a security professional, you can use. They have their Enterprise version as well. I use the professional version.

Initially, when we were using Burp Suite, I hardly remember the version we started at. 

The actual costs vary from country to country, however, I would say it's cheaper if you compare it to other DAST solutions and tools.

Compared to other web applications assessment tools Burp suite is a solid tool for web based penetration testing for a reasonable price.

We are just customers and end-users.

I'd advise other organizations that this solution is a pretty good tool for manual penetration testing. It has good features like the Scanner and Sequencer, Repeater, and there are extensions. Burp extensions are available where they can customize Burp behavior using their own or third-party code. Those features will be really useful for Burp users. It's also obviously a very cost-effective option.

I would rate the solution at a nine out of ten.

We use PortSwigger Burp Suite Professional for security testing and for doing vulnerability scanning mechanisms.

It has partially improved the organization requirement however, The scanning mechanism is pretty slow and takes long duration to scan. Moreover, The server hangs up while scanning. 

This solution provides a very good mechanism for fixing interval time. For example, we can create a schedule, and the schedule runs on time. PortSwigger Burp Suite does not hamper the node of the server, and it does not shut down the server if it is running.

It is quite fast and easy to install as well.

It is also a budget-friendly tool.

The reporting needs to be improved; it is very bad.

The dashboard feature or the front-end of the tool does not look good and is not very creative or user-friendly. It looks complicated when we log in to the tool. It looks boring and outdated.

I've been using this solution within the last 12 months.

Stability-wise, improvements have been made, and it is reliable.

Technical support is not so easy to get a hold of. We had to learn most of the things through the documentation. However, the documentation is not readily available online. We have to create new calls for it, and we have to email them. So, if you have a problem, then it can take some time to resolve it.

No dint use. 

The initial setup was straightforward and took about one to two weeks.

It's a budget-based tool, and it's a pretty decent budget tool for the mid-version of the application. It's a lower priced tool that we can rely on with good standard mechanisms. We have a yearly license.

Client provided product

If you're looking for a budget-friendly tool, I would recommend PortSwigger Burp Suite Professional.

On a scale from one to ten, I would rate this tool at seven.

Our use cases are to identify the vulnerabilities of OAST and the other applications we are using. 

The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned.

Additionally, it has good reporting and dashboards and also integrates well with other task management applications that we're using.

One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that.

One more thing they can improve is that despite having a good architecture, it needs a lot of specification. So when you start a project, because it requires a high configuration, the instructor costs more than the project. So it's not cost efficient if it's a big project.

We have different versions of PortSwigger Burp Suite. For the past few years we have been using a professional edition, which is a desktop application. Now we are moving to the Cloud so we explored the enterprise edition. Although we haven't implemented it yet we're already using it. Now we have a better idea how their scanners and spiders actually work.

We've had a license for the professional version for the past two years.

In terms of scalability, I think they can increase the number of regions. And more importantly, it doesn't restrict based on the domains you are scanning. So even if tomorrow you suggest some working space, you can still scan the domains for the regions that you have. If you want to increase the number that you scan, you can buy some more. So scalability is not a big problem, but I think if you are scanning from your side, you have to get the license for some of those activities. That's domain based licensing.

Right now we have two or three people using it.

PortSwigger Burp's technical support is all right. The issues are resolved very quickly so we don't have to wait for long. They also provide you with documentation. Just by going through the documentation we can solve many of our problems.

The initial setup was straightforward. We can install it on a Linux machine. It was fast to set up.

PortSwigger Burp costs around $7,000 and around $2,309 for licensing.

On a scale of one to ten I would rate PortSwigger Burp a seven.

For it to be a 10 it would need to implement the above mentioned different formats for reporting and the interactive security testing.

We use the solution for scanning our in-house external facing website.

It has been provide user direct access to users scan their websites and find vulnerability in good price. Burp is one of the most extensively used tool in org to do other security based investigations. We are trying to mitigate risk using vulnerabilities identified by Burp.

The solution is very user-friendly.

The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately. 

The biggest drawback is reporting. It's not so good. I can download reports, but they're not so informative. 

For example, they are providing very good information about vulnerabilities, but when you are scanning the whole pathway, we want to see information like percentages, how much is finishing, and how much it is not, etc. If the scan fails, they should tell us when or how it stopped, if it failed, why it has failed, and how to avoid something like this from happening again. They need something more in-depth and more technical. 

I would like to have some more features, which I can play around with. It's not so flexible.

I've been using the solution for more than 1 year.

The solution sometimes has stability problems when they have fixed or released some new package. Instability has happened to us two or three times. It was difficult because we had to implement this disaster recovery plan at that point in time. It wasn't a disaster, but the whole system does stop because of that.

Easily scalable when it comes to Enterprise version. but Enterprise version itself is not as effective as pro.

The technical support team is very good. They are quick at responding and they help us to resolve issues within the organization.

In the past, we had issues around connectivity while we were doing some scanning. The scanning kept getting killed somehow. The quality of the job was poor. The scan was not completed successfully, so we needed technical support to assist. It was hard to identify what the issue was and how to fix it, but they did.

The installation is not difficult. We only needed one person to handle the implementation. Setting up the agents may be tricky, but if a person is knowledgable, it shouldn't be an issue.

Inhouse one

When we had an issue with scanning, we did look into exploring other options like OWASP Zap, Acunetix, etc. We stayed with Burp because we had it set up in our system, and then they had our scanning issue fixed.

We use the on-premises deployment model.

I would rate the solution seven out of ten.

PortSwigger Burp Suite Professional has an intercept tab that helps us to scan our APIs, set the response, and request errors.

Scanning APIs using PortSwigger Burp Suite Professional takes a lot of time.

I have been using PortSwigger Burp Suite Professional for the last six months.

PortSwigger Burp Suite Professional is a stable solution.

PortSwigger Burp Suite Professional is a very good product. My experience with the solution has been very good.

Overall, I rate PortSwigger Burp Suite Professional an eight out of ten.

There are three versions and we are using all three - community, professional and enterprise. We use the community and professional versions on premises and the enterprise version is on cloud. I'm an IT Manager. 

Burp has several good features; it's cheaper than other solutions and you can scan any number of applications and it updates its database. With the professional version, it creates a lot of applications which you can incorporate with your scanning and enable deep diving in the specific section. 

We've faced lots of challenges, including slowing down of the tool, and a lot of error messages, sometimes because of the interface. If we're running a huge number of scans regularly, I think that also slows down the tool so I'm not sure if it is good for lots of scans. I hope they will work on the amount of scans they can handle. There have been improvements in the interface and the reporting structure, but they need to do more. They have a long way to go. For now, if we use the interface directly, we need to use an integration with our web application. We're after value for money. 

I've been using this solution for about 18 months. 

Stability depends upon the amount of scans you are running. Sometimes there are problems with the stability and it could be improved. 

Scalability depends upon which of the Burp versions you're using. If you're using Pro it's not scalable because it's dedicated to one person. But when it comes to Enterprise, yes it is scalable, it's easy. 

Support depends on how much you're paying. We get good support from them which we need because there are lots of issues occurring frequently. The pro version has less problems but it only takes one scan at a time, so it's good but restricting. The technical support is trying to solve the issues of stability we are having right now.

I would recommend this solution depending on the requirements of the company. 

I would rate this solution a seven out of 10. 

PortSwigger Burp Suite Professional can be used on the cloud or on-premise.

The most valuable feature of PortSwigger Burp Suite Professional is the dashboard. It is very informative and you can receive all the information you need in one place. It's clear, well-defined, and organized. Anybody without any cybersecurity can use it.

PortSwigger Burp Suite Professional could improve the static code review.

In an upcoming release, PortSwigger Burp Suite Professional can give some possible remedies for any issues it has discovered after a scan of an application. At this time it provides vulnerabilities, having the possible remedies would be a benefit. It would be useful for the developers, to fix the issue immediately.

I have been using PortSwigger Burp Suite Professional for approximately five years.

The stability of PortSwigger Burp Suite Professional is good.

The scalability of PortSwigger Burp Suite Professional is good, it can integrate with other platforms.

In my previous company, I worked for we had 50 people using this solution and in my current company we have approximately 500 people using it.

We can easily reach out to PortSwigger Burp Suite Professional support by phone, email, chat option, and a ticketing option, which is very good.

I rate the support from PortSwigger Burp Suite Professional a five out of five.

Positive

The initial setup of PortSwigger Burp Suite Professional is very simple.

Before choosing PortSwigger Burp Suite Professional I compared other tools, such as IBM AppScan. I found that PortSwigger Burp Suite Professional was more into web application security. The solution is very helpful, easy to use, and install.  They have a free version and anybody can start within minutes.

What solution is best depends on the client size and their requirements. If the client has a large enough budget, or if they're looking for an overall feature, I would recommend PortSwigger Burp Suite Professional as the primary go-to tool. However, if they're having any specific requirements, then they will have to think about using IBM AppScan.

I would recommend the solution to technical professionals and non-technical persons. It is easy to use.

I rate PortSwigger Burp Suite Professional a nine out of ten.

We are using the latest version and are in the process of upgrading it. 

We use the solution for vulnerability assessment in respect of the application and the sites. We use the intruder part, which is essentially the Proxy part, to check whether any brute-force attacks can be undertaken. 

We wish that the Spider feature would appear in the same shape that it does in previous versions. 

I believe we have developmental tools such Accuratix. It would be nice if the report that was accepted upon scanning would highlight all the weaknesses from the perspective of my application. 

We have been using PortSwigger Burp Suite Professional for the last three years.

We have had no issues with the stability. 

As we only have a couple of licenses, we have not encountered any issues concerning the scalability. 

The technical support is all right. 

This said, we have requested support on a couple of occasions, specifically one concerning training relating to the new features and add-ons coming onto the application, and this is still outstanding. 

The initial setup is not very complex. Rather, it is easy and straightforward. 

For a country such as Sri Lanka, the pricing is not reasonable. 

There are around 10 people using the solution in our organization.

I don't have any advice off the cuff. When it comes to the web crawling features, it does not need to be in the same shape as before, but it would be nice if it allowed us to index associated things in the manner that we did so in the past. 

I rate PortSwigger Burp Suite Professional as a nine out of ten.