PortSwigger Burp Suite Professional Reviews

This is a solution for which I provide services to our customers and I also use it personally.

As part of our organization, we build internal applications. Before they are put into production, we run a suite of security tests to ensure that our applications are not vulnerable to any known issues. We use PortSwigger Burp for testing, as well as OSASP Zap. We do similar tests in multiple tools to make sure that we cover the entire set of use cases.

I have this solution deployed as one user on a single machine, which is used by a designated security tester.

The most valuable features are Burp Intruder and Burp Scanner.

The automatic scanning feature is helpful.

The interface for the automatic scan can be improved because it is easy for technical users, but the business users have trouble with it. There is documentation but the interface should be more user-friendly.

There should be a heads up display like the one available in OWASP Zap. I think that it would be a very good addition.

I have worked with PortSwigger Burp for about ten years.

This solution is stable and we have had no major problems.

We have had no issues with scalability, although we are using a standalone installation with only a single user. We may expand usage in the future.

We also have OWASP Zap and we continue to use these two tools.

Zap has a heads up display within its own browser, which is a very good feature. Zap is also completely free, whereas Burp has a free version but it also has licenses available.

For the most part, we use open-source solutions, which are free of charge.

The initial setup is simple and very straightforward. We were not setting up a server, so it took perhaps five minutes to get up to speed and begin using it.

There are different licenses available that include a free version.

We do have problems with some of the add-ons that we install from the marketplace. They may not be available or out of support, so when you want to install them, they are not there.

This is a very nice tool and anybody can use it, from beginner to expert level. There are some simple and straightforward settings with documentation that is very clear. If you follow the steps you can easily get up to speed within five minutes for a single user.

I would rate this solution an eight out of ten.

We use this solution for the security assessment of web applications before their release to the internet. The security assessment team uses this product to identify vulnerabilities and vulnerable code that developers may introduce. We host all of the beta applications in our internal web servers and then the security team starts assessments when the development freezes.

In the early years, we did not check our web applications for security vulnerabilities before releasing them to customers. Since we began this practice for every application, our clients are really happy and value our work.

BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding. 

The auto scanning feature provides really good details about issues that it finds.

Crawling web applications using Burp Spider, Target Site Map, automating customized attack with Burp Intruder, and manipulating parameters with Burp Repeater are the most useful and used features.

The Auto Scanning features should be updated more frequently and should include the latest attack vectors.

It would be really helpful if the issue details contained example recommendations on how to fix the issues identified, or perhaps point to external recommendations for reference. 

I have never had issues running this application, so I would say it is stable.

Scalability is very simple and easy.

We have not needed to contact technical support, although there is a very big community of users.

Prior to this solution, we used various open-source or free applications. We wanted to streamline and improve productivity by standardizing the products that we use.

The initial setup of this solution is very straightforward and easy.

We performed the deployment in-house. There were no complicated steps.

Our ROI is above two hundred percent.

There is no setup cost and the cost of licensing is affordable.

We tested all of the free apps and could not find a stable all-in-one solution other than BurpSuite.

All application development organizations should purchase BurpSuite and train their developers on how to use this solution to identify security flaws. This will help to ensure that the applications released to the public internet will have better protection from malicious attackers.

I'm a junior cybersecurity analyst, and I'm helping the seniors to do some testing. Meanwhile, I'm also getting trained with the tool. I mostly use it for vulnerable apps assessment and some auditing. Other analysts use it for penetration testing.

We are using the latest version. We downloaded it three days ago.

I find the attack model quite amazing, where I can write my scripts and load my scripts as well, which helps quite a bit. All the active scanning that it can do is also quite a lot helpful. It speeds up our vulnerability assessment and penetration testing. Right now, I am enjoying its in-browser, which also helps quite a bit. I'm always confused about setting up some proxy, but it really is the big solution we all want.

I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us. 

I have been using PortSwigger Burp for six months now.

I have found no issues so far with its stability. I can't complain anything about it.

I can't say much about that because we are going to transition to cloud management. I don't know for sure how it is going to scale up. We are still in the testing and planning stages. We currently have approximately five users, and our team is still growing.

I haven't yet used their technical support.

The initial setup is completely easy. It took a day to deploy.

It is expensive for us in Brazil because the currency exchange rate from a dollar to a Brazilian Real is quite steep.

It is a really big solution. There are so many modules. You got to have some training to do it properly and go through a lot of documentation.

I would rate PortSwigger Burp a nine out of ten. I haven't found anything to complain about, but there is always some room for improvement.

Primarily, I use it for scanning the applications and as a proxy to capture and manipulate the application traffic. That is the most useful set of features I have seen in this tool.

The customer is almost all the time results-oriented and they want them real quick.

Burp gives my organization a great authentic source of information on the security posture of web infrastructure.

PortSwigger launched a feature called Burp Extender, which enables organizations to use their own third-party code and integrate with Burp to use its capabilities and create their own customized results. This way, organizations do not need to worry about changing the reporting format and all. They will just get better results.

Burp is the best web application penetration testing tool that I have ever used.

Although all the features of Burp are very useful, I personally love its capability to automatically and accurately detect vulnerabilities. So, I would say it is the Burp scanner that is THE most powerful, valuable, and an awesome feature.

Another, very interesting and quite extensible feature is Intruder. The way you can customize your payloads to suit your penetration testing needs is simply outstanding.

The best thing is that all features are available just out-of-the-box and at a very nominal price.

The one feature that I would like to see in Burp is active scanning of REST based web services. A lot of organizations are providing APIs to access their services to support different business models like SaaS. Scanning these APIs is still a challenge for many security product companies. Even Burp does not have a direct and easy way of scanning REST based web services.

There is a capability to scan SOAP based web services provided there is a WSDL available. So, to conclude active web services scanning is something that I would like to see as an improvement in Burp.

No. Quite stable. The executable JAR file is quite better since there is no installation required.

I have only used it as a single user. But many of my colleagues use it and I have never heard of any such issues.

Apologies. Never Tried.

I have used a lot of tools for web application scanning and penetration testing -- like Qualys WAS, Nikto, OWASP ZAP proxy, Paros Proxy, DirBuster, Burp, etc.

The reason for switching to Burp is the capabilities of this tool. The scanner is very powerful and the way it integrates with third-party code is really cool. Other tools simply do not have these capabilities.

Quite straightforward. Thanks to the availability in executable JAR format -- this makes it a highly portable solution.

I have implemented as an inhouse one. There is no installation as such since the solution is an executable jar file. User just need to double click and start using it.

This is a value for money product.

I am a consistent user of web application scanners and penetration testing solutions.

I have used Qualys WAS, OWASP ZAP, sqlmap, Paros Proxy, and Nikto. But nothing stands close to Burp, because this tool has everything in one single portable powerful package.

If you are looking for a single web application penetration testing solution at low cost, definitely give it a try. You can request a trial of the pro version from PortSwigger if you would like to see the scanner capability in action.

They will, of course, require organizational contacts. Almost all the other features are available in the free version, also.

Mainly, the solution is a proxy. It also contains different tools, including intruder tools for customized automated attacks and tools for repeating requests, or decoding, et cetera. Many tools are there that can perform different tasks for different use cases. Apart from that, we have the BApp Store which contains a lot of tools as well. This Burb Suite is an application where we have all the tools. 

It is mainly used for pen testing.

Features such as the Intruder, Repeater, and Proxy have helped our organization a lot.

The Intruder, Repeater, and Proxy features have been great.

The initial setup is simple.

It is an easily scalable product.

The solution is very stable. 

In some cases, we got a few file postings while doing it by the automatic scan. If that could be better, that would be ideal. The scanner could just be updated a bit more. 

We'd like to have more integration potential across all versions of the product. The enterprise version seems to have better integration services than others. 

I've been working with the solution for six years. 

The solution is quite stable. There are no bugs or glitches and it doesn't crash or freeze. It is reliable. 

The solution scales well. It's not an issue.

I have also had some queries and I have used their support services. It was like all solutions out there. They are quite good in general.

Positive

I have used many other tools. This is one of the best tools that I'm using. I found this one much better. 

We have found the initial setup to be very simple and straightforward. It's not overly complex or difficult. 

For any configuration for deployment in our project, we assign two people. We have a small team of two aligned with our project. They will handle everything related to implementation. The setup doesn't take longer than one day.

In terms of maintenance, for the customers, what we are doing is we have an internal cyber security team, in which there are people doing the pen test. There are people who are doing the vulnerability assessment for the WASP scan, SaaS. For each, we have a separate team, and based on that, most of the deployments are done by these pen testers only. We do not provide maintenance for customers, however, we do provide reporting and technical support.

Before Burb Suite, we had our own technical team there for everything, including deployment. We have a separate network team and they will manage everything - including installation. It is very simple. You can download that directly. It's all very easy to do in-house.

I don't deal with any aspect of the licensing at this time. I can't speak to the exact pricing. 

I'm just a customer and an end-user.

We're using the latest version of the solution. We usually give an auto-update functionality. All the updates came automatically. We are updating it automatically.

We actually have an .EXE file in our system. We have the professional version. We've downloaded and given out the access key. It's on-premises, not the cloud. 

Overall, I've been very happy with the solution. I'd rate it nine out of ten.

We use this solution when we develop any of our software applications and host it with the website for external clients. All of the applications go through the vulnerability scanner.

Burp Suite is very helpful. The extension that it provides with the community version for the skills mapping is excellent.

The interface for external clients needs improvement.

Currently, the scanning is only available in the full version of Burp, and not in the Community version.

I would like the scanning included for free also.

We have been using this solution for a year and a half.

It's a stable solution. We have not had any issues.

I have not contacted technical support. 

We have not experienced any issues where we couldn't resolve them using our internal team.

We have not required any technical support.

When we compare it to other programs that we have such as OWAP Zap, we found Burp to be more suitable.

The initial setup is straightforward.

It is very easy to automate. It requires some configuration that has you follow step by step instructions. 

It can take four to five hours to go live.

Anyone with minimal knowledge and training can use this tool.

We are using the community version, which is free.

We evaluated OWASP Zap, which was fully open-source.

We use the community version and found that Burp was easier and more useful.

The interface is better in PortSwigger Burp.

I would rate PortSwigger Burp an eight out of ten.

• Proxy
• Repeater
• Intruder
• Extender API (and plug-ins)
• CSRF generator

This is by far the best application assessment tool I have used. It is more usable and has more features than most of the enterprise tools that cost 10-100 times as much.

I've used it for five years.

No issues encountered.

There are some memory issues, where the application runs out of memory and crashes. This is directly related to Java. This was improved after switching to 64-bit Java, but it still creeps up once in a while.

No issues encountered.

It's excellent.

It's very good.

I use many projects, but Burp is the best all round solution for manual application testing.

It's very straightforward, you just have to double-click a Jar file.

You get many features with the free product, but the real power is unlocked with the Pro version. The intruder is an amazing tool and makes the entire product worth purchasing, and the ability to perform automatic backups is well worth the small price of this product as well.

We're a software development company. We specialize in ensuring application security for our customers. For each and every application we release, we issue a certificate explaining that the application is up to date and that all security testing has been successfully completed. In that certificate, we also mention that PortSwigger is one of the tools that we used to test the application.

Presently, we have three users. In the future, regarding product testing, I am thinking of hiring another two people, which will make us a team of five. Currently, we're releasing a lot of applications. 

Primarily we have three users, but keep in mind, we only have a single environment, which we need to improve and expand. 

The traffic interception capabilities are great. Spidering also produced some good results for us.

A lot of our interns find it difficult to get used to PortSwigger Burp's environment. The environment should be improved a little bit. Once you get used to it, it's fine, but it should be more simplified for newcomers. This would save us from constantly having to brief our interns. 

The stability is good; so far, we haven't come across any bugs.

We use some different tools for web application testing, like Nmap and others. If PortSwigger Burp could actually scale up for web application scanning, that would be really good. This way, instead of using different tools, we could easily rely on one tool for all testing.

We haven't had any reason yet to contact technical support. Aside from support, they should hold consistent webinars and offer updates, briefings, and panel discussions. This would greatly enhance our knowledge.

Otherwise, the technical support is good enough. We haven't required their assistance yet, but soon we'll be needing assistance and information surrounding the latest improvements and updates.

The initial setup can be complex. It needs to be deployed in between the traffic. They should include some case-scenarios to help, like a scenario-based briefing, that would really help and add a lot of value for the initial application tester. 

It's a very unique way of pricing. It varies depending on the type of testing you are performing. Manual testing is expensive, but as we don't have another option, it seems to be fair.

I would definitely recommend PortSwigger Burp. I've actually recommended it to some of my colleagues, students, and interns. I'm really comfortable and happy with it; besides, there are no other products to compare it to. 

On a scale from one to ten, I would give this solution a rating of eight.

If they included example scenarios and hosted educational webinars, I would give this solution a rating of ten.

In my area of expertise, I feel like it has almost everything I could possibly require at this moment. Generally, I don't come across situations like that, so I am very happy with it.