Team Lead at dhabsc
Real User
Offers efficient crawling functionality and good stability
Pros and Cons
  • "The Repeater and the BApp extensions are particularly useful. Certain extensions, such as the Active Scan extensions and the Autoracer extension, are very good."
  • "I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version. The crawling techniques used in the current version are not as efficient as those used in earlier versions."

What is most valuable?

The Repeater and the BApp extensions are particularly useful. Certain extensions, such as the Active Scan extensions and the Autoracer extension, are very good. 

The crawling functionality has improved, but I would say that in the past, the spider mechanism was more efficient than the current crawling method. 

Generally, I don't rely solely on the Burp Scanner, but I utilize BApp extensions to achieve better results than the standard scanner. Mostly, I always rely on external extensions, specifically those that provide better results.

What needs improvement?

I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version. 

The crawling techniques used in the current version are not as efficient as those used in earlier versions.

For how long have I used the solution?

We have been using it for seven to eight years now. We have Burp Suite Professional and Burp Suite Enterprise Edition listed in our database.

We use the latest 2023 version. 

What do I think about the stability of the solution?

I would rate the stability an eight out of ten. If people know how to perfectly use it, it is a stable solution. For freshers, it is tough. 

Buyer's Guide
PortSwigger Burp Suite Professional
November 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.

What do I think about the scalability of the solution?

I would rate the scalability a six out of ten. The primary reason is the high number of false positives compared to actual positives. 

Additionally, understanding the scan configuration can be challenging for newcomers. While experienced users can effectively scale their scanning techniques, those with limited experience may find it difficult to understand the process and identify the root causes of errors. 

Moreover, configuring proxy settings can be complex, leading to difficulties for some users. Overall, there are significant areas for improvement in terms of scalability, particularly in enhancing user understanding and reducing false positives. However, compared to other application security tools, Burp Suite still performs well.

There are around three end users using this solution in our company.

How are customer service and support?

I haven't had the opportunity to interact with their technical team directly. However, the blogs are very informative and provide a wealth of solutions. In most cases, I've been able to resolve issues myself based on the information provided in their documentation. 

For the documentation or web security resources, I would rate it seven out of ten. Burp Suite effectively addresses user concerns and provides clear explanations. The technical blogs are also well-written and address concerns.

Which solution did I use previously and why did I switch?

I have experience with Burp Suite Professional and Zap Framework. I've used them for a variety of application security testing tasks, including vulnerability scanning, penetration testing, and threat modeling.

I haven't had the need to explore other tools. I've been using Burp Suite since the beginning of my career, and it has consistently met my requirements. I've used other tools in lab settings, but Burp Suite remains my preference.

How was the initial setup?

I would rate my experience with the initial setup of Burp Suite Professional an eight out of ten, with one being difficult and ten being easy.

What about the implementation team?

The deployment was quite quick, only about ten minutes. It requires minimal staff. Anyone can install it on their own, requiring administrator privileges. It can be installed on any system and with any version.

However, the only caveat is that we need to obtain the license from the procurement team. So, it's easy to set up.

What's my experience with pricing, setup cost, and licensing?

I would rate the pricing a one out of ten, with one being cheap and ten being expensive. The pricing is very reasonable and minimal.

What other advice do I have?

First and foremost, I would suggest others thoroughly understand the fundamentals of Burp Suite and how to utilize its extensions effectively. 

Additionally, I would recommend learning about proxy settings and various authentication mechanisms. 

Lastly, I would emphasize the importance of carefully reviewing and configuring scan configurations to minimize false positives and ensure optimal scan performance.

Considering its capabilities and performance compared to other tools, I would give Burp Suite Professional an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Rishi Anupam - PeerSpot reviewer
Senior Manager at Airtel
Reseller
Top 5
A stable security solution that has good visibility
Pros and Cons
  • "I am impressed with the tool's detailed analysis for penetration testing. AppScan can give only visibility, but it can't do the PT part. But the PortSwigger Burp Application can do both, and it gives much more visibility on the PT rating."
  • "I need the solution to be more user-friendly. The solution needs to be user-friendly."

What is our primary use case?

We use the solution to do VAPT. 

What is most valuable?

I am impressed with the tool's detailed analysis for penetration testing. AppScan can give only visibility, but it can't do the PT part. But the PortSwigger Burp Application can do both, and it gives much more visibility on the PT rating.

What needs improvement?

I need the solution to be more user-friendly. The solution needs to be user-friendly.

For how long have I used the solution?

I have been using the solution for three years.


What do I think about the stability of the solution?

It is a stable solution. I rate the stability an eight out of ten.

What do I think about the scalability of the solution?

It is a scalable solution but needs to be more user-friendly. I rate the scalability an eight out of ten.

How was the initial setup?

The initial setup was easy. The deployment takes around a week.

I rate the setup an eight out of ten.


What's my experience with pricing, setup cost, and licensing?

I rate the pricing a four out of ten.

What other advice do I have?

I rate the solution an eight out of ten overall.


Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
President & Owner at Aydayev's Investment Business Group
Real User
Plenty of plugins, effective deep package analyzing, and reliable
Pros and Cons
  • "I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis."
  • "There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment."

What is our primary use case?

I was working in internet banking in the Middle East and we used Zap for light testing and we used Burp Suite for more deep protocol and package review of the security.

What is most valuable?

I have found this solution has more plugins than other competitors, which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis. You are able to do many different types of scans, such as SQL injection. There are a lot of deep package-analyzing functions that make this solution have more usability.

What needs improvement?

There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment. The user interface is pretty basic, and if you want to do more advanced operations you need to know more technical details, which are not publicly available. You need to get in touch with different engineers or somebody who publishes their experience in a book to be able to get the knowledge of how to use this solution to its fullest.

For how long have I used the solution?

I have been using this solution for approximately four years.

What do I think about the stability of the solution?

This is a stable solution when comparing it to competitors.

Which solution did I use previously and why did I switch?

I have used Zap, and it is lightweight compared to this solution's functions.

How was the initial setup?

The setup is a bit complex.

What's my experience with pricing, setup cost, and licensing?

This solution requires a license. It is expensive but you receive a lot of functionality for the price.

What other advice do I have?

My advice to others is if you have one small web server and static pages, you can easily use Zap. However, if it is a more complex environment, with a payment system, with a lot of content, and has many defined user rules, it is better to use Burp Suite.

I rate PortSwigger Burp Suite Professional a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber security Lead at PCS
Real User
Top 10
A solution for scanning and to automate API security assessments
Pros and Cons
  • "It helps in API testing, where manual intervention was previously necessary for each payload."
  • "Scanning needs to be improved in enterprise and professional versions."

What is our primary use case?

We use the solution for scanning and manual penetration testing. We have a verification and security assessment as a dynamic security assessment for manual application testing.

How has it helped my organization?

The solution helps to automate API security assessments. It incorporates features of both black hat and red team engagements. We streamline bug bounty hunts. It helps in API testing, where manual intervention was previously necessary for each payload. With the new deck feature, Burp Suite enables automation accessible in the external tab. This feature allows testers to select specific targets, such as login or registration pages, and apply different attack vectors. It enhances efficiency, saving time and resources, which is beneficial when dealing with larger-scale web applications or numerous APIs.

What is most valuable?

Manual assessment in the tool is great.

What needs improvement?

Scanning needs to be improved in enterprise and professional versions. The enterprise version has challenges related to scheduled scans. If a scan fails after two days without notification during offline periods, that time is lost. Sometimes, it took up to 24 hours to realize that certain tests had failed for various reasons. There's significant room for improvement in automating scans.

For how long have I used the solution?

I have been using PortSwigger Burp Suite Professional for more than 10 years.

What do I think about the stability of the solution?

The product is a good tool for application assessment.

I rate the solution's stability an eight-point-five out of ten.

What do I think about the scalability of the solution?

The automation features in Burp Suite for vulnerability assessment and penetration testing may not be as extensive as other tools like NetSparker. Other tools may offer more comprehensive capabilities, especially in areas such as source code. Features like capture and OTP testing might be more robustly supported in other tools. There may be limitations in automation with Burp Suite Professional. NetSparker could be more suitable for tasks like two-factor authentication testing.

Four to five are using this solution.

The professional version is not very scalable, whereas the enterprise version is scalable. I can run multiple scans.

How are customer service and support?

Technical support is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have used Netsparker and WebInspect. WebInspect is very difficult to operate.

How was the initial setup?

The initial setup takes more than a week. The professional version is a plug-and-play.

There is a Java package that you can easily use without installing it.

What's my experience with pricing, setup cost, and licensing?

The product is cheap compared to other products.

I rate the product’s pricing a seven out of ten, where one is expensive and ten is cheap.

What other advice do I have?

We have an infrastructure and DevOps team of eight to ten people for solution maintenance.

Reporting is good and very light. The response is fine.

I recommend the solution for dynamic assessment.

Overall, I rate the solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer2303070 - PeerSpot reviewer
Test Lead at a financial services firm with 10,001+ employees
Real User
Top 5
The best tool out there for manual penetration testing with many resources available online
Pros and Cons
  • "It was easy to learn."
  • "If your application uses multi-factor authentication, registration management cannot be automated."

How has it helped my organization?

I used this solution while working with a bank, and while it wasn't much of a DevSecOps tool, it was a good tool for penetration testing.

What is most valuable?

It is a good manual penetration tool. It was easy to learn.

What needs improvement?

If your application uses multi-factor authentication, registration management cannot be automated. There are also some session management issues we have found if we want to integrate it into the pipeline. There were also some authentication-related issues we found at the time. These issues were more specific to the enterprise edition. I have worked on a paid version of the standalone solution, which is best for manual penetration testing.

What do I think about the stability of the solution?

I rate Burp Suite's stability a ten out of ten.

What do I think about the scalability of the solution?

I rate Burp Suite's scalability a seven out of ten. We wanted to have more scalability in my last company, where we wanted the enterprise edition, but there were some challenges we faced. We couldn't find a solution to the problem statements for most of our business use cases back then. We then dropped the idea of using Burp Suite Enterprise and opted for a standard one for manual penetration testing.

There were ten users in my unit working with Burp Suite.

How are customer service and support?

Support-wise, the solution was also very good. Across the globe, all the manual penetration testers use Burp Suite. If we had any questions, we received good support from GitLab and other forums.

Whenever we raised any query, such as if we wanted to file an invoice for reimbursement at the organization level, the support was good at the nontechnical and technical levels.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is easy, not only in the office, since I'm working on my laptop now with the community edition. The configuration is pretty straightforward.

What's my experience with pricing, setup cost, and licensing?

Burp Suite is affordable. Admins can purchase the tool, which is affordable enough that college students can purchase it if they want to learn it.

What other advice do I have?

The solution is not a good candidate for a DevSecOps tool.

I recommend this solution for manual penetration testers. It is the best tool with the best support. PortSwigger has added plugins to efficiently catch bugs, for example, HTTP request smuggling. There are a lot of plugins, such as how to hide the JWT token. These plugins minimize the effort required by manual penetration testers so they can find bugs quickly with the help of these plugins. They have good support if anybody wants to learn how to use and install plugins. There is a lot of documentation available online.

I rate PortSwigger Burp Suite Professional an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Amir Rahimian - PeerSpot reviewer
CEO/General Manager at Lian
Reseller
Top 10
Works as a vulnerability scanner and checks websites and web applications
Pros and Cons
  • "The solution has a limited range of functions, which is good for small companies. This is because, in small companies, websites are less complex. They also have single services which makes the solution good enough for them. However, the most advantageous aspect of the solution is its affordable price."
  • "The Iran market does not have after-sales support. PortSwigger Burp Suite Professional needs to provide after-sales support."

What is our primary use case?

We are the resellers and not the customers. Usually, our customers use the solution's vulnerability scanner to check problems with their websites and web applications. While I cannot disclose specific customer names due to our NDA agreements, they normally use the solution to address issues with their web services.

What is most valuable?

The solution has a limited range of functions, which is good for small companies. This is because, in small companies, websites are less complex. They also have single services which makes the solution good enough for them. However, the most advantageous aspect of the solution is its affordable price.

What needs improvement?

The Iran market does not have after-sales support. PortSwigger Burp Suite Professional needs to provide after-sales support.


For how long have I used the solution?

We have been working with the solution for about three years.

What do I think about the stability of the solution?

The tool is stable. We haven’t received any complaints so far.

What do I think about the scalability of the solution?

I rate the scalability of the solution as six out of ten.

Which solution did I use previously and why did I switch?

Nessus is a more expensive solution than Burp Suite, which offers a broader range of services, including network and website scanning features. You can’t compare them.

How was the initial setup?

The initial setup was easy. One doesn't need much knowledge to operate it. The solution can be deployed within ten minutes. 

What's my experience with pricing, setup cost, and licensing?

The pricing of the solution is cost-effective and is best suited for small and medium-sized businesses.

What other advice do I have?

I recommend the solution for small and medium-sized businesses. It’s not suited for large enterprises. Everything depends on the cost. A customer with a high budget should go for solutions like Nessus. However, a more cost-effective solution like Burp Suite is recommended if they have a limited budget. My final recommendation is to use the solution that suits your needs. Overall, I rate the solution a five out of ten.


Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
PeerSpot user
AnkithKumar - PeerSpot reviewer
Application Security Consultant at a tech services company with 10,001+ employees
Real User
Useful advanced tools, integrates well, and quick implementation
Pros and Cons
  • "The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools."
  • "PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try."

What is our primary use case?

We use PortSwigger Burp Suite Professional for security. I'm a security tester and I need it for my daily activities; I require it.

How has it helped my organization?

PortSwigger Burp Suite Professional has improved the organization by providing the security standards of the applications across the organization.

We can test the weaknesses or loopholes in the application that an attacker can use. We have an internal team that conducts the pen-testing from a hacker's point of view and tries to close the issue before it is opened to the internet.

What is most valuable?

The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools.

What needs improvement?

PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try.

For how long have I used the solution?

I have been using PortSwigger Burp Suite Professional for approximately two years.

What do I think about the stability of the solution?

The reliability of PortSwigger Burp Suite Professional is good. It doesn't hang very much, and it doesn't get stuck anywhere, it is reliable.

What do I think about the scalability of the solution?

PortSwigger Burp Suite Professional is scalable. You can add in-scope items, and remove any items that are not on the scope.

We have approximately 30 people using the solution in my organization. We have managers, consultants, and senior consultants using it. If our testers increase, the number of users will increase, and then we will increase our usage of this solution.

How are customer service and support?

I have not needed to use the support from PortSwigger Burp Suite Professional.

Which solution did I use previously and why did I switch?

I was previously using OWASP Zap.

How was the initial setup?

The initial setup of PortSwigger Burp Suite Professional was simple. It can be done in approximately three minutes.

I rate the initial setup of PortSwigger Burp Suite Professional a five out of five.

What about the implementation team?

I did the implementation of PortSwigger Burp Suite Professional myself.

If there is a software update it is fairly simple to upgrade. There is a lot of reference material online. 

What's my experience with pricing, setup cost, and licensing?

There are multiple versions available of PortSwigger Burp Suite, such as enterprise, commercial, professional, and beginners.

Which other solutions did I evaluate?

My company has paid for the license for the solution. The price of the solution could be less expensive.

What other advice do I have?

This is one of the best solutions in the market. I would advise others to try this solution out.

I rate PortSwigger Burp Suite Professional a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
ManishSingh - PeerSpot reviewer
Quality Manager at Net Solutions
Real User
Top 10
A cheap solution that is helpful for session management
Pros and Cons
  • "The solution is quite helpful for session management and configuration."
  • "In the Professional version, we cannot link it with the CI/CD process."

What is our primary use case?

We use it for application security testing purposes. We scan our solutions and then look for issues in them. Upon finding the issues, we send them to the development team who fixes them. However, we use Burp Suite only for a specific client, hence we only have one license and limited use.

What is most valuable?

The solution is quite helpful for session management and configuration. 

What needs improvement?

In the Professional version, we cannot link it with the CI/CD process. This feature is included in the enterprise version. Also, it doesn’t have a dashboard to preview the number of issues that were found. A dashboard showing previous issues and their status will be better. These all are enterprise features which are extremely expensive.

For how long have I used the solution?

I have been using Burp Suite for two years.

What do I think about the stability of the solution?

It is a stable product. 

What do I think about the scalability of the solution?

It is a scalable solution. We currently have only one to two people using Burp Suite for specific clients.

How are customer service and support?

The customer support is good, however, I haven’t used other tools. It is difficult to compare it and other solutions might provide better support.

Which solution did I use previously and why did I switch?

I personally don’t use a lot of tools except AWS for general clients.

Burp Suite is quite easy to use when compared to AWS. However, AWS has an open source tool, therefore any developer can use it. Burp Suite is a paid solution and needs a professional license to operate.

How was the initial setup?

Burp Suite is easy to set up and takes only five to ten minutes. The installation can be done by one person only. The maintenance isn’t very hard to do.

What's my experience with pricing, setup cost, and licensing?

It is a cheap solution, but it may not be cheaper than other solutions.

What other advice do I have?

I would advise others to also try other tools. As I have only used Burp Suite as an application security solution, I cannot comment on other tools. However, between JAP and Burp Suite, I would surely recommend Burp Suite. Overall, I would rate it an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user