Cyber security manager at a tech services company with 11-50 employees
Real User
Schedules regular website scans for enhanced security checks
Pros and Cons
  • "The most valuable feature of Burp Suite Professional is its ability to schedule tasks for scanning websites, which helps in performing regular checks of IP addresses."
  • "The technical support from PortSwigger is excellent, managing response time and quality efficiently without any issues."
  • "It would be beneficial to have privileged access management as a part of Burp Suite Professional."

What is our primary use case?

We use Burp Suite Professional for testing websites and checking some servers, primarily scanning IP addresses and checking which ports are open.

How has it helped my organization?

Burp Suite Professional saves time by allowing us to set up scans and then review the results later.

What is most valuable?

The most valuable feature of Burp Suite Professional is its ability to schedule tasks for scanning websites, which helps in performing regular checks of IP addresses.

What needs improvement?

It would be beneficial to have privileged access management as a part of Burp Suite Professional.

Buyer's Guide
PortSwigger Burp Suite Professional
November 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.

For how long have I used the solution?

We have been using Burp Suite Professional for approximately one year.

What do I think about the stability of the solution?

Burp Suite Professional is stable as we keep it up to date, and it does not have issues.

What do I think about the scalability of the solution?

Burp Suite Professional can be scaled effectively.

How are customer service and support?

The technical support from PortSwigger is excellent, managing response time and quality efficiently without any issues.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have experience with Nessus, which is slightly cheaper. It is used for scanning externally, whereas Burp Suite is better for internal scanning.

How was the initial setup?

The initial setup of Burp Suite Professional was simple and completed by myself. It took about one hour, while the configuration took approximately three hours.

What about the implementation team?

The setup and implementation of Burp Suite Professional were handled by myself without requiring third-party consultants.

What's my experience with pricing, setup cost, and licensing?

The pricing for Burp Suite Professional is not very high; however, it could be more flexible for clients.

Which other solutions did I evaluate?

I use Nessus for some tasks because it is a bit cheaper and better for external scanning.

What other advice do I have?

I would recommend Burp Suite Professional to other users as it is a beneficial tool.

I'd rate the solution nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Real User
Great design, excellent features like Intruder, Repeater, Decoder with plenty of plug-ins from community forums.
Pros and Cons
  • "Once I capture the proxy, I'm able to transfer across. All the requested information is there. I can send across the request to what we call a repeater, where I get to ready the payload that I send to the application. Put in malicious content and then see if it's responding to it."
  • "The biggest improvement that I would like to see from PortSwigger that today many people see as an issue in their testing. There might be a feature which might be desired."

What is our primary use case?

Clients come to me for an assessment of their web applications to see the risks that they are facing with their applications. They want to ensure that their application is free of being manipulated and also secure, so they reach out to us to do vulnerability assessment and application penetration testing. We make use of PortSwigger's BurpSuite tool to carry this out. We look at it more from an application standpoint, at common vulnerabilities like the top 10 OWASP vulnerabilities such as injection (OS/SQL/CMD), broken authentication, session management, cross-site request forgery, unvalidated redirects/forwards, etc. Those are the primary uses we make of this tool.

How has it helped my organization?

We're an independent IT organization that specializes in vulnerability assessment and penetration testing, and we focus here on application security. This tool really helps me unearth security issues and vulnerabilities that are on the applications shared by my clients. Unearthing these issues really helps me build confidence and relationships with clients on two counts. First, they want a reliable and robust tool with which we are able to unearth security issues. Second, I give them more confidence in their application's security before they make a decision on going live.

I can't name customers, but I've been working with a US university education platform providing client for the last three years. Earlier we tried different tools, but in the last couple of years we stuck to the Burp Suite tool, and year after year we've been periodically doing the application security for them. The confidence has really leveraged the relationship to build the pipeline of business that I have. At the same time, the confidence that the customer has in their platform going live has remained intact. That really helps me build accountability and it helps me put forward my organization as a strong security testing organization space.

What is most valuable?

I like the way the tool has been designed. Once I capture the proxy, I'm able to transfer across, all the requested information that is there. I can send across the request to the 'Repeater' feature. I put in malicious payloads and then see how the application responds to it.

More than that, the Repeater and Intruder are really awesome features on BurpSuite. For example, if I'm going to test for a SQL injection, I have certain payloads that are trying to break into the application. The predefined payloads which come as part of the tool are really useful for us to use and see how the application behaves. With the help of the BurpSuite tool, we are very well ahead to see if the application is going to break at any point in time.

So the Repeater and the Intruder are great features. More than that, I think the entire community support is really fabulous, as well as the number of plug-ins that people have written for the tool. Those have been standouts. Community support is really strong. We see a lot of plug-ins that are made available that work along with the tool.

What needs improvement?

In the earlier versions what we saw was that the REST API was something that needed to be improved upon but I think that has come in the new edition when I was reading through the release offset available. 

There is a certain amount of lead time for the tickets to get resolved. The biggest improvement that I would like to see from PortSwigger is what many people see as a need in their security testing that could be prioritized and developed as a feature which can be useful. For example, if they're able to take these kinds of requests, group them, prioritize and show this is how the correct code path is going to be in the future, this is what we're going to focus around in building in the next six months or so. That could be something that will be really valuable for testers to have.

For how long have I used the solution?

I've been using the solution for about three years.

What do I think about the stability of the solution?

Burp Suite is quite robust. The good part is that it also comes with an automatic back-up feature which automatically saves all the request-responses, alerts, and attacks in the system periodically. In the event of your laptop crashing or losing power, you still have the last saved application state with the recording. Once you power up again, you can launch Burp Suite and go back to the last point of save of the complete recording, requests and tests in the system.

What do I think about the scalability of the solution?

With the open edition, it's not a problem to install on any number of machines. When it comes to the professional edition, you need a license and you have to pick a license type. I have to use it against a particular machine on which I would run. From there I would run my scans. Let's say I don't find my laptop or my computer fast enough, and I decide to move my license across to a higher processor, higher memory laptop or computer, I can easily move the license across to the new machine.

As long as I am on that particular license use, I have one license that I'm able to move across to one instance at any given point of time. That is quite stable. I think even more than that, for a top-priced edition you can take multiple contract licenses. Something like a license server where you might have five licenses. You might have 10 installations and you can have different people working on various routes use the tool. Only those five licenses will be needed. In that instance, scalability is definitely a great point for most uses.

Currently, if you look at the users that are linked to roles that we have, one is the security test engineer and one is the security test analyst. At any given point in time, only one person uses the tool for engagement in the professional edition. We have about two to three people working with us on these projects.

How are customer service and technical support?

I found technical support to be quite responsive. I usually get an email response within three or four hours which is very good. There's plenty of documentation that has relatively good pointers as to the documentation's impact. Also, documentation is a good part of the knowledge base. They have started something that's very awesome by implementing that. They point us to areas in our tickets that have answers within the available knowledge base documentation, which is shared as part of the whole response. It's definitely a good thing.

Which solution did I use previously and why did I switch?

I've used different tools like Acunetix. 

The first tool that we started with was Acunetix. Acunetix was quite expensive, first and foremost. It's more suitable for web application scanning and penetration. PortSwigger has a larger play beyond applications; it supports REST API and all that stuff, and that kind of support is great with PortSwigger.

The kind of mechanism that's there is you can just capture the flow of the application. They usually have what is called a flow sequence in proxy history with which all the user actions are captured. That's all that is done by the tool completely. Once that information is there, much you can control exploit requests with the tool. Whatever the tool shows, I have the opportunity to throttle and change payloads and see how the application behaves.

We used the online web scanners with Acunetix. We found it a little difficult and that was one reason why. In fact, when we got the contract with the client and we evaluated multiple tools, that's why we chose PortSwigger's BurpSuite.

How was the initial setup?

The initial setup was straightforward. It's not complex at all. Today it comes along with a job size which makes it much more affordable and easy. I don't think the installation is ever a challenge here. 

In some setups, all I do is this: if I'm setting it up for Windows, I cannot get my path through which I want to set this up. A few clicks and I'll be able to get the entire tool set up. I would say it requires some amount of knowledge to do testing. So also we are able to set up the tool against an application. Let's say there is an application that comes through for testing. Until I get to know the way I have to configure the target URLs and capture the entire traffic flow. That is easy. Now there are jar files also being made available for easier instantiation of the tool.

It is not a challenge in setting up the tool at all because there's plenty of videos and documentation available around in both the PortSwigger website as well as in open forums like YouTube and all that. It's quite easy to set it up. Personally, I haven't had trouble. We haven't had any major challenges in terms of setting up the tool. Not just purely from an installation standpoint, but also from a perspective of beginning to capture traffic across the different applications that we serve. 

The installation takes about less than four to five minutes. It doesn't take more than that.

In terms of security implementation strategy, when we take control of any tests that we do, we set the proxies in place based on the settings that are there on the tool and then set up the same proxy across on a browser for which we will capture the traffic. Once we do that, our implementation strategy is to capture the entire traffic in terms of specifying a target URL, the application or the website and the test. We do a proper login and ensure that all the data captures are there. Then we see that all the requested sponsors are getting logged in properly inside the tool and we are able to capture that. So once we do that, we try to simulate all user flows that would be there on the tool. 

Based on the different tools that are there, we capture the flow and enter a fake login and then we do a scan. The scan helps to unlock issues that are there. That kind of test is to identify all the actions that we do. We particularly do what is called an active scan which is like after you use the browser, make all the user clicks, events, and all that, the tool is able to capture it in the background. It does an active scan, and it gives what are potential issues that are there. So once we are done with that, we look at all the issues that are there, and then we make it run through a boot scan based on the requests that we have captured. Typically this takes a final good amount of time which depends on the amount of traffic that you have captured through the tool.

The one good thing that I would like to highlight is that irrespective of how much traffic is captured from my application flow, the tool is quite robust. I have seen other tools that sometimes the application, or rather the tool, becomes non-responsive. I haven't seen those kinds of issues here.

Then, once we are done with the scan, we pick and choose what are the issues that are there. We look for what are the trouble spots, and what issues are being highlighted. Then we check each of those specific requests, sending them over to another team member, and try them with different payloads, putting them across in the intruder and unearthing issues. So that helps me really test the application using PortSwigger comprehensively, and, more importantly, at the end of the test, it makes it quite easy for me to generate a report which is quite nice and simple which I can forward across to the client. That is essentially the way I go about in my implementation of security testing.

What about the implementation team?

We did the implementation in-house.

What was our ROI?

In terms of ROI, I'd say it helps with client engagement. The tools in relation to ROI allow me to win back-to-back contracts for application security testing with the customers. I would even say I'd be able to break in on a first engagement itself. 

What's my experience with pricing, setup cost, and licensing?

Licensing costs are about $450/year for one use. For larger organizations, they would be able to test against multiple applications simultaneously while others might have multiple versions of applications which needs to be tested which is why there is an enterprise edition. We might have more than five to six people in the organizations doing security testing. You can give full-base access to them and control who uses your licenses.

It depends on the stream of projects and the business pipeline that I get, but security is not something that is done all throughout the year. We get it in cycles. We pace it in such a way that from our different customers that we work with, we actually have one project running throughout the year. I might do a project for Client X during the month of let's say January to February. Then for another client, I might have something lined up for April to May. So with a single license, I am able to maximize the usage very well.

What other advice do I have?

The tool comes in three types. First, there is the Open Community Edition, which is meant for people who use it to learn the tool or use it to secure their system. This edition does not have scanning features enabled to source scan against the application URLs or websites. From the standpoint of learning about security tests or assessing the security of an application without scanning, the community edition really helps.

Then you also have a Professional edition which is more meant for doing comprehensive vulnerability assessment and penetration application which is very important. Especially for independent teams like ours who make use of tools based on tech, etc. The good part about the professional edition is that it comes with a term license which is cost-effective. You pay for an annual charge and use it for a year's time and then you can extend it on an as-needed basis.

Apart from these, we also have an Enterprise Edition which has features like scan schedulers, unlimited scalability to test across multiple websites in parallel, support for multiple user access with role-based access control, and easy integration with CI tools.

The very best way this tool can be used is to understand the application and identify the various roles that are there in the application. Then capture the user flows with PortSwigger's BurpSuite, and understand what the requests are, making use of the different features in BurpSuite.

Post this the teams look at and analyze all the requests being sent. Observe the requests, use various roles with the tool using a repeater and intruder, analyze what's breaking through in the application. As you can quickly analyze with the intruder out here how the application's really behaving, how the payload is being sent across the tool. Then you get a quick sense of what's available which could be checked through for false positives and then arrive at the final output along with it.

This is how I would like to handle the implementation of the solution.

I would rate this solution 10 out of 10.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Khasim Mirza - PeerSpot reviewer
Security Consultant - Cyber & Information Security at Kinetic IT
Consultant
Top 20
Helps with penetration testing and web application testing
Pros and Cons
  • "The tool provides complimentary services. It allows you to add a lot of extensions, and you can get extensions quite often. It is quite a flexible application."

    What is our primary use case?

    We use the solution for penetration testing, web application testing, etc.

    How has it helped my organization?

    We use the tool to test the application security, like APIs. It is one of the major tools for any security or to test web applications.

    What is most valuable?

    The tool provides complimentary services. It allows you to add a lot of extensions, and you can get extensions quite often. It is quite a flexible application.

    What needs improvement?

    Reporting could be improved. If you use any AI feature, you can go out and take and provide more in-depth information.

    For how long have I used the solution?

    I have been using PortSwigger Burp Suite Professional for over ten years. We are using the latest version of the solution.

    What do I think about the stability of the solution?

    The product is highly stable.

    I rate the solution’s stability an eight out of ten.

    What do I think about the scalability of the solution?

    The solution is scalable.

    Five users are using this solution.

    I rate the solution’s scalability an eight out of ten.

    How are customer service and support?

    Customer support responds immediately.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    The initial setup is easy and takes you around ten minutes, provided you have downloaded the application.

    I rate the initial setup a nine out of ten, where one is difficult, and ten is easy.

    What about the implementation team?

    The tool was deployed in-house.

    What's my experience with pricing, setup cost, and licensing?

    Worth the money spent.

    Which other solutions did I evaluate?

    Yes, there are many tools, and also a free tool, i.e. ZAP.

    What other advice do I have?

    It does give you the ability to easily run various attack types, such as Sniper, Pitchfork attack, Battering ram, Cluster bomb and various other attack types, which can be used to test web applications.
    Overall, I rate the solution an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Rooshan Naeem - PeerSpot reviewer
    Security Engineer at Eon Health
    Real User
    Top 5 Leaderboard
    The solution helps us when testing applications
    Pros and Cons
    • "It is useful for scanning and tracing activities."
    • "Improvement should be done as per the requirements of customers."

    What is our primary use case?

    I have been using this solution for quite a long time. The features and request tampering are different. This solution helps us when testing applications. It is a flexible tool.

    What is most valuable?

    It is useful for scanning and tracing activities.

    What needs improvement?

    Improvement should be done as per the requirements of customers. 

    For how long have I used the solution?


    What do I think about the stability of the solution?

    I would rate the stability an eight out of ten. 

    What's my experience with pricing, setup cost, and licensing?

    The solution is reasonably priced. 

    What other advice do I have?

    Overall, I would rate the solution a nine out of ten. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Nikhil Tiple - PeerSpot reviewer
    Application Security Specialist at Codincity
    Real User
    Top 10
    Easy to deploy and helps discover vulnerabilities in the applications
    Pros and Cons
    • "The solution helped us discover vulnerabilities in our applications."
    • "The tool is very expensive."

    What is our primary use case?

    The solution is used for penetration testing of any kind of application. We use it for security testing workflow daily.

    How has it helped my organization?

    PortSwigger Burp Suite Professional is a very good tool. The solution helped us discover vulnerabilities in our applications. Vulnerability elimination is the most important feature.

    What is most valuable?

    The intercept feature is valuable. It helps us intercept the traffic and make manual changes. We can find vulnerabilities that are not detected by other products. Burp Intruder is applicable only when there are no blockers on the websites. Burp Repeater impacts the testing outcomes. We use it if we have multiple visits for a specific request. Everything is well-defined.

    What needs improvement?

    The tool is very expensive.

    For how long have I used the solution?

    I have been using the solution for five years. I am using the 2023 version.

    What do I think about the stability of the solution?

    The tool is highly stable. I rate the stability a ten out of ten.

    What do I think about the scalability of the solution?

    The tool is highly scalable. I rate the scalability a nine out of ten. We have four to five customers. We work with medium-sized businesses.

    How was the initial setup?

    The setup can be done easily. I rate the ease of setup a ten out of ten. It is a stress-free process. The deployment takes two to three days. The deployment process is very simple. We just do the installation setup and install the key.

    What's my experience with pricing, setup cost, and licensing?

    I rate the pricing a ten out of ten. There are no additional costs associated with the product.

    What other advice do I have?

    Burp Intruder does not work if there are multiple requests for a single API. I will recommend the tool to others. Overall, I rate the solution a ten out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: consultant
    JAMES JOY - PeerSpot reviewer
    Senior Cyber Security Analyst at a tech services company with 201-500 employees
    Real User
    Top 20
    Streamlined vulnerability assessment with flexibility and automation
    Pros and Cons
    • "It offers flexibility, macros, and features to reduce the effort required for authenticated sessions."
    • "Integration is a big problem."

    What is our primary use case?

    I am a penetration tester working for a private organization. I evaluate the security of applications companies develop. I check for security vulnerabilities in web applications, Android and iOS devices, and thick and thin clients using Burp Suite. I use it to prevent applications from being hacked by outsiders.

    How has it helped my organization?

    Burp Suite has been very useful in reducing the time needed for testing applications. Without using Burp Suite, testing could extend up to ten days or more. It provides a flexible way to evaluate vulnerabilities and mistakes developers make while developing applications.

    What is most valuable?

    Burp Suite is valuable since it provides automated scan facilities, including authenticated and unauthenticated scanning. It offers flexibility, macros, and features to reduce the effort required for authenticated sessions. It also makes it easy to find blind SQL injection and OOB attacks.

    What needs improvement?

    Integration is a big problem. Currently, it's more challenging to integrate Burp Suite into the CI/CD pipeline compared to ZAP (which is open source with many plugins available). More technical knowledge is required for integration.

    For how long have I used the solution?

    I have nearly more than five years of experience with Burp Suite.

    What do I think about the stability of the solution?

    I would rate stability an eight out of ten.

    What do I think about the scalability of the solution?

    I am 100% confident in Burp Suite, so I would rate its scalability a ten out of ten.

    How are customer service and support?

    Whenever we email, they respond back on time. The support is brilliant.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    The setup is simple. You need Java JDK support of 11 or more and sufficient memory and space.

    What's my experience with pricing, setup cost, and licensing?

    I would rate the pricing a six out of ten. It's not as flexible here as it might be in European or American markets.

    Which other solutions did I evaluate?

    ZAP is a good alternative as a free version.

    What other advice do I have?

    Burp Suite has started a certification called Burp Suite Certified Professional (BSCP) that I recommend to pursue as it provides good documentation.

    I'd rate the solution nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Security Tester at Ray Business Technologies Private Limited
    Real User
    Top 5 Leaderboard
    A Stable and Scalable Cloud-based Security Testing Software
    Pros and Cons
    • "The intercepting feature is the most valuable."
    • "Mitigating the issues and low confluence issues needs some improvement. Implementing demand with the ChatGPT under the web solution is an additional feature I would like to see in the next release."

    What is our primary use case?

    The solution has improved the organisation as it helps with scanning and doing the reports for the developers. The solution also helps with communicating the everyday issues and delivering high security and web applications to the customers.


    What is most valuable?

    The intercepting feature is the most valuable.


    What needs improvement?

    Mitigating the issues and low confluence issues needs some improvement. Implementing demand with the ChatGPT under the web solution is an additional feature I would like to see in the next release.


    For how long have I used the solution?

    The solution is used for scanning and doing reports for the developers.


    What do I think about the stability of the solution?

    It is a stable solution.


    What do I think about the scalability of the solution?

    It is a scalable solution. Ten specialists are working with Burp Suite Professional currently. We plan to increase the usage in the future. I rate the scalability an eight out of ten.


    How are customer service and support?

    The solution is implemented through a third-party team.


    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I have used Nessus, previously. Nessus helped with only OS and analysis but Burp Suite helps with application scanning, detecting vulnerabilities and expertisation.


    How was the initial setup?

    The initial setup is easy. The deployment is done under a professional, and it takes one hour to be deployed. We have to add our information to get our code directly into the box and then we scan their applications. A single person is required for the deployment. I rate the initial setup a ten out of ten.


    What about the implementation team?

    The solution is implemented through a third-party team.


    What's my experience with pricing, setup cost, and licensing?

    The pricing of the solution is reasonable. We only need to pay for the annual subscription. I rate the pricing five out of ten.


    What other advice do I have?

    All the security issues and the integration of the vulnerabilities will happen automatically and manually in the website. So the solution will be very helpful for the website. I rate the overall solution a nine out of ten.


    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    reviewer1753959 - PeerSpot reviewer
    Cyber Security Engineer at a transportation company with 10,001+ employees
    Real User
    Top 20
    A must-have for those knowledgeable in application security
    Pros and Cons
    • "The most valuable feature is Burp Collaborator."
    • "BurpSuite has some issues regarding authentication with OAT tokens that need to be improved."

    What is our primary use case?

    I mainly use Burp Suite for manual testing, using it as a proxy to do my manual pen test.

    How has it helped my organization?

    Burp Suite gives you a very good automated scanning tool, which gives you around sixty to seventy percent security coverage without having to use a security resource. Once the developer gets the report, they've got the PortSwigger lab to explain the vulnerability and have a POC right there, so it's very beneficial for developers.

    What is most valuable?

    The most valuable feature is Burp Collaborator.

    What needs improvement?

    BurpSuite has some issues regarding authentication with OAT tokens that need to be improved.

    For how long have I used the solution?

    I've been using this solution for around seven years.

    What do I think about the scalability of the solution?

    The Professional version is not very scalable because you need to buy licenses for each user, but the Enterprise version takes care of that.

    How are customer service and support?

    The support for the Enterprise solution isn't the best (I'd rate it as three out of five), but the Professional version provides all the documentation and the PortSwigger labs, so it's much better.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I previously used OS SAP, but I switched to Burp Suite when the support for that solution stopped.

    How was the initial setup?

    The initial setup is very easy because Burp Suite has very good documentation. Setup took less than an hour, though it might take a less-experienced person longer to install a mobile application because of the application-level security.

    What other advice do I have?

    I would say Burp Suite has now surpassed SAP as a tool. The main aspect of Burp Suite is that it's like an army knife for a hacker, it's not just the automation or the scanning that it brings. For a person with 80-90% knowledge of application security, this tool is a must-have. I would rate Burp Suite nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.