Chief Executive Officer at GS2 CYBER SECURITY
Continuously updated, fair pricing, and offers a free community version
Pros and Cons
- "It's good testing software."
- "The initial setup is a bit complex."
What is our primary use case?
We are using the solution for web application testing. From Burp Suite, we can test the application security. We have a team of system auditors, and our auditors use Burp Suite.
What is most valuable?
We are working with the community version, and it provides all the features we need.
It's good testing software.
For application security, Burp Suite is one of the best solutions. It has all the proxy and all the features so that we can test all the application's vulnerabilities.
They have an extension feature, so at intervals, they provide extensions that provide some helpful updates. They continuously update the product, and they continuously provide extensions. Through the extensions, we get new features at regular intervals.
The pricing is fine.
We can customize and configure as needed.
We found the product to be quite stable.
What needs improvement?
It's already great. There isn't anything needed for improvement.
The initial setup is a bit complex.
For how long have I used the solution?
I've used the solution for three years.
Buyer's Guide
PortSwigger Burp Suite Professional
January 2025
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,265 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution is very stable and reliable. There are no bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
The solution can scale. It's per system. If you are using it on 100 systems, you must install it on all 100 systems. It's not like you install a central product, and you scale. It's not the client-server architecture; you must install it on every system if you want to test.
We have two or three users on the solution.
How are customer service and support?
We've never escalated any issues to technical support. I've never directly dealt with them.
Which solution did I use previously and why did I switch?
This is among the best in comparison to all other tools. If we compare it to Zap, et cetera, Burp Suite is the best among those. There's also Nikto and lots of tools available. We prefer to work with Burp as Burp Suite is like a framework. It has lots of tools built in. Therefore, we can do multiple tasks on a single platform from a single framework. It's like a one-stop shop.
How was the initial setup?
The solution is a little bit complex. It's not exactly straightforward.
The deployment itself was a pretty easy process. It was quick.
We do not find it difficult to maintain the solution.
What about the implementation team?
We handled the initial setup ourselves in-house.
What's my experience with pricing, setup cost, and licensing?
We use the community version. It's free.
Pricing is not very high. It was around $200.
They have some licenses and features, and they have some different categories. I need to go through the site; however, I know they have different versions.
What other advice do I have?
We are using Burp Suite. We are not selling Burp Suite.
At this time, we're using the most up-to-date version of the product.
I'd recommend the solution to others. I would rate it ten out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber security Lead at PCS
A solution for scanning and automating API security assessments
Pros and Cons
- "It helps in API testing, where manual intervention was previously necessary for each payload."
- "Scanning needs to be improved in enterprise and professional versions."
What is our primary use case?
We use the solution for scanning and manual penetration testing. We have a verification and security assessment as a dynamic security assessment for manual application testing.
How has it helped my organization?
The solution helps to automate API security assessments. It incorporates features of both black hat and red team engagements. We streamline bug bounty hunts. It helps in API testing, where manual intervention was previously necessary for each payload. With the new deck feature, Burp Suite enables automation accessible in the external tab. This feature allows testers to select specific targets, such as login or registration pages, and apply different attack vectors. It enhances efficiency, saving time and resources, which is beneficial when dealing with larger-scale web applications or numerous APIs.
What is most valuable?
Manual assessment in the tool is great.
What needs improvement?
Scanning needs to be improved in enterprise and professional versions. The enterprise version has challenges related to scheduled scans. If a scan fails after two days without notification during offline periods, that time is lost. Sometimes, it took up to 24 hours to realize that certain tests had failed for various reasons. There's significant room for improvement in automating scans.
For how long have I used the solution?
I have been using PortSwigger Burp Suite Professional for more than 10 years.
What do I think about the stability of the solution?
The product is a good tool for application assessment.
I rate the solution’s stability an eight-point five out of ten.
What do I think about the scalability of the solution?
The automation features in Burp Suite for vulnerability assessment and penetration testing may not be as extensive as other tools like NetSparker. Other tools may offer more comprehensive capabilities, especially in areas such as source code. Features like capture and OTP testing might be more robustly supported in other tools. There may be limitations in automation with Burp Suite Professional. NetSparker could be more suitable for tasks like two-factor authentication testing.
Four to five people are using this solution.
The professional version is not very scalable, whereas the enterprise version is scalable. I can run multiple scans.
How are customer service and support?
Technical support is good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have used Netsparker and WebInspect. WebInspect is very difficult to operate.
How was the initial setup?
The initial setup takes more than a week. The professional version is plug-and-play.
There is a Java package that you can easily use without installing it.
What's my experience with pricing, setup cost, and licensing?
The product is cheap compared to other products.
I rate the product’s pricing a seven out of ten, where one is expensive and ten is cheap.
What other advice do I have?
We have an infrastructure and DevOps team of eight to ten people for solution maintenance.
Reporting is good and very light. The response is fine.
I recommend the solution for dynamic assessment.
Overall, I rate the solution a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CEO/General Manager at Lian
Works as a vulnerability scanner and checks websites and web applications
Pros and Cons
- "The solution has a limited range of functions, which is good for small companies. This is because, in small companies, websites are less complex. They also have single services which makes the solution good enough for them. However, the most advantageous aspect of the solution is its affordable price."
- "The Iran market does not have after-sales support. PortSwigger Burp Suite Professional needs to provide after-sales support."
What is our primary use case?
We are the resellers and not the customers. Usually, our customers use the solution's vulnerability scanner to check problems with their websites and web applications. While I cannot disclose specific customer names due to our NDA agreements, they normally use the solution to address issues with their web services.
What is most valuable?
The solution has a limited range of functions, which is good for small companies. This is because, in small companies, websites are less complex. They also have single services which makes the solution good enough for them. However, the most advantageous aspect of the solution is its affordable price.
What needs improvement?
The Iran market does not have after-sales support. PortSwigger Burp Suite Professional needs to provide after-sales support.
For how long have I used the solution?
We have been working with the solution for about three years.
What do I think about the stability of the solution?
The tool is stable. We haven’t received any complaints so far.
What do I think about the scalability of the solution?
I rate the scalability of the solution as six out of ten.
Which solution did I use previously and why did I switch?
Nessus is a more expensive solution than Burp Suite, which offers a broader range of services, including network and website scanning features. You can’t compare them.
How was the initial setup?
The initial setup was easy. One doesn't need much knowledge to operate it. The solution can be deployed within ten minutes.
What's my experience with pricing, setup cost, and licensing?
The pricing of the solution is cost-effective and is best suited for small and medium-sized businesses.
What other advice do I have?
I recommend the solution for small and medium-sized businesses. It’s not suited for large enterprises. Everything depends on the cost. A customer with a high budget should go for solutions like Nessus. However, a more cost-effective solution like Burp Suite is recommended if they have a limited budget. My final recommendation is to use the solution that suits your needs. Overall, I rate the solution a five out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Application Security Consultant at a tech services company with 10,001+ employees
Useful advanced tools, integrates well, and quick implementation
Pros and Cons
- "The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools."
- "PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try."
What is our primary use case?
We use PortSwigger Burp Suite Professional for security. I'm a security tester, and I need it for my daily activities; I require it.
How has it helped my organization?
PortSwigger Burp Suite Professional has improved the organization by providing the security standards of the applications across the organization.
We can test the weaknesses or loopholes in the application that an attacker can use. We have an internal team that conducts the pen-testing from a hacker's point of view and tries to close the issue before it is opened to the internet.
What is most valuable?
The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools.
What needs improvement?
PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try.
For how long have I used the solution?
I have been using PortSwigger Burp Suite Professional for approximately two years.
What do I think about the stability of the solution?
The reliability of PortSwigger Burp Suite Professional is good. It doesn't hang very much, and it doesn't get stuck anywhere; it is reliable.
What do I think about the scalability of the solution?
PortSwigger Burp Suite Professional is scalable. You can add in-scope items and remove any items that are not in scope.
We have approximately 30 people using the solution in my organization. We have managers, consultants, and senior consultants using it. If our testers increase, the number of users will increase, and then we will increase our usage of this solution.
How are customer service and support?
I have not needed to use the support from PortSwigger Burp Suite Professional.
Which solution did I use previously and why did I switch?
I was previously using OWASP Zap.
How was the initial setup?
The initial setup of PortSwigger Burp Suite Professional was simple. It can be done in approximately three minutes.
I rate the initial setup of PortSwigger Burp Suite Professional a five out of five.
What about the implementation team?
I did the implementation of PortSwigger Burp Suite Professional myself.
If there is a software update it is fairly simple to upgrade. There is a lot of reference material online.
What's my experience with pricing, setup cost, and licensing?
There are multiple versions available of PortSwigger Burp Suite, such as enterprise, commercial, professional, and beginners.
Which other solutions did I evaluate?
My company has paid for the license for the solution. The price of the solution could be less expensive.
What other advice do I have?
This is one of the best solutions in the market. I would advise others to try this solution out.
I rate PortSwigger Burp Suite Professional a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Engineer at Tübitak Bilgem
Enhance penetration testing with advanced suite features
Pros and Cons
- "I rate PortSwigger Burp Suite Professional ten points out of ten."
What is our primary use case?
I use PortSwigger Burp Suite Professional for penetration testing.
What is most valuable?
Burp has strong suite features. I especially value the features for penetration testing.
What needs improvement?
There is room for improvement in composition and improvements could be made. Some AI features might be added.
For how long have I used the solution?
I have been using Burp Suite Professional for six years.
What do I think about the stability of the solution?
PortSwigger Burp Suite Professional is very stable, even more so than Acunetix, which is ninety-eight percent stable.
How are customer service and support?
The support from PortSwigger is passable.
How would you rate customer service and support?
Positive
How was the initial setup?
Installation of Burp Suite is easy, and one person is enough to conduct it.
What about the implementation team?
Maintenance is not needed here; it is all automatic.
What's my experience with pricing, setup cost, and licensing?
The pricing for PortSwigger is very cheap, and there are benefits in terms of time and cost savings.
What other advice do I have?
I rate PortSwigger Burp Suite Professional ten points out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Nov 26, 2024
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Great design, excellent features like Intruder, Repeater, Decoder with plenty of plug-ins from community forums.
Pros and Cons
- "Once I capture the proxy, I'm able to transfer across. All the requested information is there. I can send across the request to what we call a repeater, where I get to ready the payload that I send to the application. Put in malicious content and then see if it's responding to it."
- "The biggest improvement that I would like to see from PortSwigger is something that today many people see as an issue in their testing. There might be a feature which might be desired."
What is our primary use case?
Clients come to me for an assessment of their web applications to see the risks that they are facing with their applications. They want to ensure that their application is free of being manipulated and also secure, so they reach out to us to do vulnerability assessment and application penetration testing. We make use of PortSwigger's BurpSuite tool to carry this out. We look at it more from an application standpoint, at what common vulnerabilities there are, like the OWASP Top 10 vulnerabilities: Injection (OS/SQL/CMD), broken authentication, session management, cross-site request forgery, unvalidated redirects/forwards, etc. Those are the primary uses we have for this tool.
How has it helped my organization?
We're an independent IT organization that specializes in vulnerability assessment and penetration testing, and we focus here on application security. This tool really helps me unearth security issues and vulnerabilities that are in the applications shared by my clients. Unearthing these issues really helps me build confidence and relationships with clients on two counts. The first part is that they want a reliable and robust tool with which we are able to unearth security issues. The second part of it is that I give them more confidence in their application's security before they make a decision on going live.
I can't name customers, but I've been working with a US client that provides a university education platform for the last three years. Earlier we tried different tools, but in the last couple of years, we stuck to the Burp Suite tool, and year after year, we've been periodically doing the application security for them. The confidence has really leveraged the relationship to build the pipeline of business that I have. At the same time, the confidence that the customer has in their platform going live has remained intact. That really helps me build accountability, and it helps me put forward my organization as a strong organization in the security testing space.
What is most valuable?
I like the way the tool has been designed. Once I capture the proxy, I'm able to transfer across all the requested information that is there. I can send across the request to the 'Repeater' feature. I put in malicious payloads and then see how the application responds to it.
More than that, the Repeater and Intruder are really awesome features on BurpSuite. For example, if I'm going to test for a SQL injection, I have certain payloads that are trying to break into the application. These predefined payloads, which come as part of the tool, are really useful for us to use and see how the application behaves. With the help of the BurpSuite tool, we are very well ahead to see if the application is going to break at any point in time.
So the Repeater and the Intruder are great features that are there. More than that, I think the entire community support is really fabulous, as well as the number of plug-ins that people have written for the tool. Those have been standouts. Community support is really strong. We see a lot of plug-ins that are made available that work along with the tool.
What needs improvement?
In the earlier versions, what we saw was that the REST API was something that needed to be improved upon, but I think that has come in the new edition when I was reading through the release offset available.
There is a certain amount of lead time for the tickets to get resolved. The biggest improvement that I would like to see from PortSwigger is what many people see as a need in their security testing that could be prioritized and developed as a feature which can be useful. For example, if they're able to take these kinds of requests, group them, prioritize, and show this is how the correct code path is going to be in the future, this is what we're going to focus on building in the next six months or so. That could be something that will be really valuable for testers to have.
For how long have I used the solution?
I've been using the solution for about three years.
What do I think about the stability of the solution?
Burp Suite is quite robust. The good part is that it also comes with an automatic backup feature in it which automatically saves all the request-responses, alerts, and attacks in the system periodically. In the event of your laptop crashing or going down on power, you still have the last saved application state, which has saved the recording. Once you power up again, you can launch Burp Suite and go back to the last point of save of the complete recording/requests/tests in the system.
What do I think about the scalability of the solution?
With the open edition, it's not a problem to install on any number of machines. When it comes to the professional edition, you need a license and you have to pick a license type. I have to use it against a particular machine on which I would run. From there I would run my scans. Let's say I don't find my laptop or my computer fast enough, and I decide to move my license across to a higher processor, higher memory laptop or computer, I can easily move the license across to the new machine.
As long as I am on that particular license use, I have one license that I'm able to move across to one instance at any given point of time. That is quite stable. I think even more than that, for a top-priced edition you can take multiple contract licenses. Something like a license server where you might have five licenses. You might have 10 installations and you can have different people working on various routes use the tool. Only those five licenses will be needed. In that instance, scalability is definitely a great point for most uses.
Currently, if you look at the users that are linked to roles that we have, one is the security test engineer and one is the security test analyst. At any given point in time, only one person uses the tool for engagement in the professional edition. We have about two to three people working with us on these projects.
How are customer service and technical support?
I found technical support to be quite responsive. I usually get an email response within three or four hours which is very good. There's plenty of documentation that has relatively good pointers as to the documentation's impact. Also, documentation is a good part of the knowledge base. They have started something that's very awesome by implementing that. They point us to areas in our tickets that have answers within the available knowledge base documentation, which is shared as part of the whole response. It's definitely a good thing.
Which solution did I use previously and why did I switch?
I've used different tools like Acunetix.
The first tool that we started with was Acunetix. Acunetix was quite expensive, first and foremost. It's more suitable for web application scanning and penetration. PortSwigger has a larger play beyond applications; it supports REST API and all that stuff, and that kind of support is great with PortSwigger.
The kind of mechanism that's there is that you can just capture the flow of the application. They usually have what is called a flow sequence in proxy history, with which all the user actions are captured. That's all done by the tool completely. Once that information is there, you can control exploit requests with the tool. Whatever the tool shows, I have the opportunity to throttle and change payloads and see how the application behaves.
We used the online web scanners with Acunetix. We found it a little difficult and that was one reason why. In fact, when we got the contract with the client and we evaluated multiple tools, that's why we chose PortSwigger's BurpSuite.
How was the initial setup?
The initial setup was straightforward. It's not complex at all. Today it comes along with a job size which makes it much more affordable and easy. I don't think the installation is ever a challenge here.
In some setups, all I do is this: if I'm setting it up for Windows, I cannot get my path through which I want to set this up. A few clicks and I'll be able to get the entire tool set up. I would say it requires some amount of knowledge to do testing. So also we are able to set up the tool against an application. Let's say there is an application that comes through for testing. Until I get to know the way I have to configure the target URLs and capture the entire traffic flow. That is easy. Now there are jar files also being made available for easier instantiation of the tool.
It is not a challenge in setting up the tool at all because there's plenty of videos and documentation available around in both the PortSwigger website as well as in open forums like YouTube and all that. It's quite easy to set it up. Personally, I haven't had trouble. We haven't had any major challenges in terms of setting up the tool. Not just purely from an installation standpoint, but also from a perspective of beginning to capture traffic across the different applications that we serve.
The installation takes about less than four to five minutes. It doesn't take more than that.
In terms of security implementation strategy, when we take control of any tests that we do, we set the proxies in place based on the settings that are there on the tool and then set up the same proxy across on a browser for which we will capture the traffic. Once we do that, our implementation strategy is to capture the entire traffic in terms of specifying a target URL, the application or the website, and the test. We do a proper login and ensure that all the data captures are there. Then we see that all the requests and responses are getting logged properly inside the tool and we are able to capture that. So once we do that, we try to simulate all user flows that would be there on the tool.
Based on the different tools that are there, we capture the flow and enter a fake login and then we do a scan. The scan helps to unlock issues that are there. That kind of test is to identify all the actions that we do. We particularly do what is called an active scan which is like after you use the browser, make all the user clicks, events, and all that, the tool is able to capture it in the background. It does an active scan, and it gives what are potential issues that are there. So once we are done with that, we look at all the issues that are there, and then we make it run through a boot scan based on the requests that we have captured. Typically this takes a final good amount of time which depends on the amount of traffic that you have captured through the tool.
The one good thing that I would like to highlight is that irrespective of how much traffic is captured from my application flow, the tool is quite robust. I have seen other tools that sometimes the application, or rather the tool, becomes non-responsive. I haven't seen those kinds of issues here.
Then, once we are done with the scan, we pick and choose what are the issues that are there. We look for what are the trouble spots, and what issues are being highlighted. Then we check each of those specific requests, sending them over to another team member, and try them with different payloads, putting them across in the intruder and unearthing issues. So that helps me really test the application using PortSwigger comprehensively, and, more importantly, at the end of the test, it makes it quite easy for me to generate a report which is quite nice and simple which I can forward across to the client. That is essentially the way I go about in my implementation of security testing.
What about the implementation team?
We did the implementation in-house.
What was our ROI?
In terms of ROI, I'd say it helps with client engagement. The tools in relation to ROI allow me to win back-to-back contracts for application security testing with the customers. I would even say I'd be able to break in on a first engagement itself.
What's my experience with pricing, setup cost, and licensing?
Licensing costs are about $450/year for one user. Larger organizations would be able to test against multiple applications simultaneously, while others might have multiple versions of applications which need to be tested, which is why there is an enterprise edition. We might have more than five to six people in the organizations doing security testing. You can give full-base access to them and control who uses your licenses.
It depends on the stream of projects and the business pipeline that I get, but security is not something that is done all throughout the year. We get it in cycles. We pace it in such a way that, from the different customers that we work with, we actually have one project running throughout the year. I might do a project for Client X during the months of, let's say, January to February. Then for another client, I might have something lined up for April to May. So with a single license, I am able to maximize the usage very well.
What other advice do I have?
The tool comes in three types. First, there is the Open Community Edition, which is meant for people who use it to learn the tool or use it to secure their system. This edition does not have scanning features enabled to scan against application URLs or websites. From the standpoint of learning about security tests or assessing the security of an application without scanning, the community edition really helps.
Then you also have a Professional edition, which is more meant for doing comprehensive vulnerability assessment and penetration testing, which is very important, especially for independent teams like ours who make use of tools based on tech, etc. The good part about the professional edition is that it comes with a term license which is cost-effective. You pay an annual charge and use it for a year's time, and then you can extend it on an as-needed basis.
Apart from these, we also have an Enterprise Edition, which has features like scan schedulers, unlimited scalability to test across multiple websites in parallel, support for multiple user access with role-based access control, and easy integration with CI tools.
The very best way this tool can be used is to understand the application and identify the various roles that are there in the application. Then capture the user flows with PortSwigger's BurpSuite and understand what the requests are, making use of the different features in BurpSuite.
Post this, the teams look at and analyze all the requests being sent. Observe the requests, use various roles with the tool using the Repeater and Intruder, and analyze what's breaking through in the application. You can quickly analyze with the Intruder how the application's really behaving and how the payload is being sent across by the tool. Then you get a quick sense of what's available, which could be checked for false positives, and then arrive at the final output along with it.
This is how I would like to handle the implementation of the solution.
I would rate this solution 10 out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Offers efficient crawling functionality and good stability
Pros and Cons
- "The Repeater and the BApp extensions are particularly useful. Certain extensions, such as the Active Scan extensions and the Autoracer extension, are very good."
- "I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version. The crawling techniques used in the current version are not as efficient as those used in earlier versions."
What is most valuable?
The Repeater and the BApp extensions are particularly useful. Certain extensions, such as the Active Scan extensions and the Autoracer extension, are very good.
The crawling functionality has improved, but I would say that in the past, the spider mechanism was more efficient than the current crawling method.
Generally, I don't rely solely on the Burp Scanner, but I utilize BApp extensions to achieve better results than the standard scanner. Mostly, I always rely on external extensions, specifically those that provide better results.
What needs improvement?
I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version.
The crawling techniques used in the current version are not as efficient as those used in earlier versions.
For how long have I used the solution?
We have been using it for seven to eight years now. We have Burp Suite Professional and Burp Suite Enterprise Edition listed in our database.
We use the latest 2023 version.
What do I think about the stability of the solution?
I would rate the stability an eight out of ten. If people know how to perfectly use it, it is a stable solution. For freshers, it is tough.
What do I think about the scalability of the solution?
I would rate the scalability a six out of ten. The primary reason is the high number of false positives compared to actual positives.
Additionally, understanding the scan configuration can be challenging for newcomers. While experienced users can effectively scale their scanning techniques, those with limited experience may find it difficult to understand the process and identify the root causes of errors.
Moreover, configuring proxy settings can be complex, leading to difficulties for some users. Overall, there are significant areas for improvement in terms of scalability, particularly in enhancing user understanding and reducing false positives. However, compared to other application security tools, Burp Suite still performs well.
There are around three end users using this solution in our company.
How are customer service and support?
I haven't had the opportunity to interact with their technical team directly. However, the blogs are very informative and provide a wealth of solutions. In most cases, I've been able to resolve issues myself based on the information provided in their documentation.
For the documentation or web security resources, I would rate it seven out of ten. Burp Suite effectively addresses user concerns and provides clear explanations. The technical blogs are also well-written and address concerns.
Which solution did I use previously and why did I switch?
I have experience with Burp Suite Professional and the ZAP framework. I've used them for a variety of application security testing tasks, including vulnerability scanning, penetration testing, and threat modeling.
I haven't had the need to explore other tools. I've been using Burp Suite since the beginning of my career, and it has consistently met my requirements. I've used other tools in lab settings, but Burp Suite remains my preference.
How was the initial setup?
I would rate my experience with the initial setup of Burp Suite Professional an eight out of ten, with one being difficult and ten being easy.
What about the implementation team?
The deployment was quite quick, only about ten minutes. It requires minimal staff. Anyone can install it on their own; it requires administrator privileges. It can be installed on any system and with any version.
However, the only caveat is that we need to obtain the license from the procurement team. So, it's easy to set up.
What's my experience with pricing, setup cost, and licensing?
I would rate the pricing a one out of ten, with one being cheap and ten being expensive. The pricing is very reasonable and minimal.
What other advice do I have?
First and foremost, I would suggest others thoroughly understand the fundamentals of Burp Suite and how to utilize its extensions effectively.
Additionally, I would recommend learning about proxy settings and various authentication mechanisms.
Lastly, I would emphasize the importance of carefully reviewing and configuring scan configurations to minimize false positives and ensure optimal scan performance.
Considering its capabilities and performance compared to other tools, I would give Burp Suite Professional an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Quality Manager at Net Solutions
A cheap solution that is helpful for session management
Pros and Cons
- "The solution is quite helpful for session management and configuration."
- "In the Professional version, we cannot link it with the CI/CD process."
What is our primary use case?
We use it for application security testing purposes. We scan our solutions and then look for issues in them. Upon finding the issues, we send them to the development team who fixes them. However, we use Burp Suite only for a specific client, hence we only have one license and limited use.
What is most valuable?
The solution is quite helpful for session management and configuration.
What needs improvement?
In the Professional version, we cannot link it with the CI/CD process. This feature is included in the Enterprise version. Also, it doesn't have a dashboard to preview the number of issues that were found. A dashboard showing previous issues and their status would be better. These are all Enterprise features, which are extremely expensive.
For how long have I used the solution?
I have been using Burp Suite for two years.
What do I think about the stability of the solution?
It is a stable product.
What do I think about the scalability of the solution?
It is a scalable solution. We currently have only one to two people using Burp Suite for specific clients.
How are customer service and support?
The customer support is good; however, I haven't used other tools. It is difficult to compare, and other solutions might provide better support.
Which solution did I use previously and why did I switch?
I personally don’t use a lot of tools except AWS for general clients.
Burp Suite is quite easy to use when compared to AWS. However, AWS has an open-source tool; therefore, any developer can use it. Burp Suite is a paid solution and needs a Professional license to operate.
How was the initial setup?
Burp Suite is easy to set up and takes only five to ten minutes. The installation can be done by one person only. The maintenance isn’t very hard to do.
What's my experience with pricing, setup cost, and licensing?
It is a cheap solution, but it may not be cheaper than other solutions.
What other advice do I have?
I would advise others to also try other tools. As I have only used Burp Suite as an application security solution, I cannot comment on other tools. However, between ZAP and Burp Suite, I would surely recommend Burp Suite. Overall, I would rate it an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.