PortSwigger Burp Suite Professional Reviews

The primary use case is generally for security compliance on web applications. We provide services to our customers with Burp both on-prem and on cloud. I'm a solutions consultant and we are customers of PortSwigger Burp. 

Their flagship feature would be the active scanner, which carries out an automated look up of any web vulnerabilities reflecting over to one of the main compliance standards, like OWASP. This provides an accurate security audit for their web applications.

One downside of the solution would be their false positive checks. As with most automated security tools, there is still a high false positive issue. Hopefully they will be able to improve on that in the future. It would also be helpful if the solution had the capability of handling larger reports. Another area of improvement would be to have a customizable dashboard. It's currently restricted now to their own interface. If you want to utilize the other features available in their API documentation, then you have to write some code yourself. It would be great if their interface could be somewhat customizable.

I've been using this solution for two years. 

The stability of the solution is generally fine.

The solution is easily scalable, depending on licensing of course. For example, on the cloud set up, you can easily scale the agents and such. But in terms of bandwidth, maybe when it comes to their reporting feature, there are some limitations with the detail that can be downloaded from the report. I've found that the system can crash if you try to download a report with many details.

In my opinion the initial setup is pretty straightforward. The workflow is easy to understand and they have a lot of documentation on how to perform many of the key tasks.

I believe the price is good where it's at right now. They have a very competitive price point although recently they've been incrementally increasing in price. It's still competitive. 

I would definitely recommend PortSwigger as a primary tool for auditing any open vulnerabilities of anything related to web applications. 

I would rate this product an eight out of 10. 

The most valuable feature is the application security. It also has a reasonable price. 

It has an end product and a repeater. Other solutions don't offer options like these. 

The Burp Collaborator needs improvement. There also needs to be improved integration. 

I have been using PortSwigger Burp for the past six years. 

It's not so stable. Some of the security aspects aren't so stable. 

Burp is scalable. 

We have around 150 users using Burp at my company. We use it daily.  

I haven't needed to contact their technical support. 

The initial setup is simple. It only takes two to three minutes. 

We are consultants so we do the implementation ourselves. 

It only requires one person for the implementation and maintenance. 

It costs 39,000 including taxes per year. 

I would recommend this solution to somebody considering Burp. 

I would rate it an eight out of ten. 

The primary use case is security for the development lifecycle. We use the application for security testing.

The solution helps to identify security issues quickly.

The Spider is the most useful feature. It helps to analyze the entire web application and it finds all the passes and offers an automated identification of security issues.

The number of false positives needs to be reduced on the solution.

I'm not sure whether some features need to be added because the product has a specific toolset, and if I do need some additional features, currently I get them in different security products. The solution, however, could better integrate with various other tools.

The solution is very stable.

The solution is not designed to be scalable. You have an individual license, and I use it individually.

I have not needed to use the solution's technical support.

Before Burp I was manually proxying the data myself. I have experience making my own tools for security assessment. Burp is pretty convenient, and it's one of the most popular tools, which is why I began using it.

I also use Wireshark, which is pretty effective too.

The initial setup was straightforward.

We implemented the solution ourselves.

Licensing is paid on a yearly basis. The yearly cost is about $300.

For application security testing, I would suggest Burp. It's probably the leader in this area. It's just like analog tools such as OWASP ZAP, which is open-source. OWASP ZAP is still not as effective as Burp is.

The solution helps to find different security issues, and it helps identify many, many security issues quickly, and that's what makes it such a useful tool.

I would rate the solution seven out of ten.

• Intruder - allows inserting predefined or custom payloads at chosen locations inside requests and analyzing results using custom filters;
• Repeater - allows reissuing requests to manually verify reported issues, changing parameters or issuing a specific sequence of requests to test for logic flaws;
• Extender - allows installing additional modules from the BApp store, created by the community in Java, Python or Ruby;

It provides unique features that help me quickly identify and exploit security vulnerabilities in web applications.

Some extra features are not available in the core product (WSDL parsing, SOAP calls, Error checks, Authorization bypass), but additional modules created by the community can be easily installed from the BApp store through Extender, or you can write your own in Java, Python or Ruby.

I have been using it for two years.

Spidering large websites can use a lot of memory and might result in a crash on systems with lower RAM.

It's better to add only one website per project for the same reason as above.

I didn't use technical support.

I used many solutions but I found the best value, features and documentation in Burp.

Starting Burp only involves running a .jar file. The latest version also comes with a executable installer. Setting up a project can be more complex, involving configuring the proxy, scope and different spidering/scanning options.

I believe it has one of the lowest prices for commercial products ($~350 per user per year).

Before choosing this product, I evaluated free products - Arachni, OWASP ZAP, w3af, Vega - and commercial products - Acunetix, Qualys Web Application Scanner.

If you expect a product in which you input your website and click a scan button, Burp is not for you. Burp Suite Pro can perform an automatic scan, but the real power of the product lies in the modules that aid in manual testing. A few weeks are usually needed to read the documentation and ramp-up on all the features, for someone without previous experience.

• HTTP proxy for packet capture
• Repeater
• Intruder
• Spider
• Decoder
• Comparer

Burp Suite is a versatile tool for manual web application penetration testing; mainly used by skilled ethical hackers to test security of web-based applications. It helps capturing and modifying HTTP packets and variables, and observing the application’s response. It allows fuzzing the variable in an intuitive way, repeating the same method, crawling a web application, and similar functionalities.

The professional edition of Burp Suite provides some automated pen-testing scripts to detect application vulnerabilities, like SQL injection, XSS, etc. However, this component is not extremely useful. The results need to be double-checked manually, and false positives are very common, i.e., the tool detects a vulnerability from the HTTP respond when a vulnerability does not actually exist.

I have been using it for five years.

It is a tool used mostly for manual tasks, it is stable enough for that purpose.

If you attempt to map a large website using the Spider component, it can take a long time, and the tool may crash.

I have not used technical support, but online documentation and Help have always been sufficient.

I have used Charles Proxy, CAT, and Fiddler as well, but found Burp easier to use.

For automated scanning, there are stronger alternatives to Burp, such as Acunetix, IBM AppScan, Nexpose, Qualys, etc.

There is no setup needed. It is a Java app that does not need to be installed.

The free version is one of the best proxy tools for manual testing. For automated testing, it provides the best value for money in the market.

I evaluated Charles Proxy, Fiddler, and Context App Tool (CAT), which are great HTTP proxies. I like CAT and Burp as the best free ones.

To effectively use Burp, you will need someone with enough technical hands on skills in ethical hacking and penetration testing.

I use the solution to intercept requests and scan applications.

The most valuable feature of PortSwigger Burp Suite Professional is the Burp Intruder tool.

The solution’s pricing could be improved.

I have been using PortSwigger Burp Suite Professional for around two to three years.

We have not faced any issues with the solution’s stability.

Over 500 people are using the solution in our organization.

The solution’s initial setup is easy.

PortSwigger Burp Suite Professional is an expensive solution.

I would recommend the solution to other users. Using PortSwigger Burp Suite Professional for the first time is not easy, but you can use it easily after using a demo version. The solution's Intruder tool has helped improve our security testing efficiency. The solution's Repeater tool has helped us with testing for web vulnerabilities.

Overall, I rate the solution a nine out of ten.

We primarily use the solution for security testing - specifically for web-application security. 

The crawling capability is excellent.

The product has very good reporting capabilities. They give you multiple reporting options.

The solution has a variety of different extensions that you can use.

The solution has a pretty simple setup.

The pricing of the solution is quite high. It would be ideal for the customers if they could lower the costs involved in their subscription.

We have new tools in R language programming platforms that are coming up. The solution needs to ensure its compatible with that language.

I've been using the solution for about two years at this point.

We use this solution every day. I don't have any issues with the solution. There aren't bugs or glitches. It doesn't crash or freeze. It's reliable.

I'm a consultant. I tend to use the tool for my clients. I only have one license on my computer. I don't need to scale the product.

The solution is scalable, however. There's a different version for that aspect. You have Community, Professional, and Enterprise editions. Each has different capabilities.

The solution offers good support services. There's also the product team that can assist. Overall, I've been happy with the level of service I've received.

I've worked with other solutions, such as Acutenix. As a consultant, I always have two to three tools for running and validating for testing. There is no plus or minus to each tool, really. The process itself would be more like using multiple tools to find out whether it appears in all the tools or not.

The initial setup is not overly complex. It's easy and straightforward. A company shouldn't have any issues with the implementation process.

The deployment takes a maximum of an hour, actually. If you have to configure some prerequisites, it is one hour tops. There are advanced setups, however, how advanced the implementation depends on the client environment. If a company has an advanced setup, it could take some time. 

Ultimately, the solution is installed directly onto my laptop.

The maintenance process is pretty minimal. The yearly subscription keeps everything updated. They will notify you if there is an upgrade that needs to be addressed.

The pricing of the solution is quite high. Costs are based on their subscription model. The pricing affects whether a client will engage with me and the solution or not. It could be a deal-breaker. Budgets are often tight.

The solution has an annual subscription model, and therefore you'll have to keep updating the new version. It's part of the package. They release a new version and that is covered under your subscription.

I'm a consultant. I buy tools from multiple vendors. I provide development assessment services for my clients.

This is one more product in the suite of tools or applications, which are used for testing. Anyone at any sized company could use this solution.

I'd recommend this solution. It's one more tool to have in your bag.

I would rate the solution at a ten out of ten.

This is a solution for which I provide services to our customers and I also use it personally.

As part of our organization, we build internal applications. Before they are put into production, we run a suite of security tests to ensure that our applications are not vulnerable to any known issues. We use PortSwigger Burp for testing, as well as OSASP Zap. We do similar tests in multiple tools to make sure that we cover the entire set of use cases.

I have this solution deployed as one user on a single machine, which is used by a designated security tester.

The most valuable features are Burp Intruder and Burp Scanner.

The automatic scanning feature is helpful.

The interface for the automatic scan can be improved because it is easy for technical users, but the business users have trouble with it. There is documentation but the interface should be more user-friendly.

There should be a heads up display like the one available in OWASP Zap. I think that it would be a very good addition.

I have worked with PortSwigger Burp for about ten years.

This solution is stable and we have had no major problems.

We have had no issues with scalability, although we are using a standalone installation with only a single user. We may expand usage in the future.

We also have OWASP Zap and we continue to use these two tools.

Zap has a heads up display within its own browser, which is a very good feature. Zap is also completely free, whereas Burp has a free version but it also has licenses available.

For the most part, we use open-source solutions, which are free of charge.

The initial setup is simple and very straightforward. We were not setting up a server, so it took perhaps five minutes to get up to speed and begin using it.

There are different licenses available that include a free version.

We do have problems with some of the add-ons that we install from the marketplace. They may not be available or out of support, so when you want to install them, they are not there.

This is a very nice tool and anybody can use it, from beginner to expert level. There are some simple and straightforward settings with documentation that is very clear. If you follow the steps you can easily get up to speed within five minutes for a single user.

I would rate this solution an eight out of ten.