The most valuable feature is the application security. It also has a reasonable price.
It has an end product and a repeater. Other solutions don't offer options like these.
The Burp Collaborator needs improvement. There also needs to be improved integration.
I have been using PortSwigger Burp for the past six years.
It's not so stable. Some of the security aspects aren't so stable.
Burp is scalable.
We have around 150 users using Burp at my company. We use it daily.
I haven't needed to contact their technical support.
The initial setup is simple. It only takes two to three minutes.
We are consultants so we do the implementation ourselves.
It only requires one person for the implementation and maintenance.
It costs 39,000 including taxes per year.
I would recommend this solution to somebody considering Burp.
I would rate it an eight out of ten.
It provides unique features that help me quickly identify and exploit security vulnerabilities in web applications.
Some extra features are not available in the core product (WSDL parsing, SOAP calls, Error checks, Authorization bypass), but additional modules created by the community can be easily installed from the BApp store through Extender, or you can write your own in Java, Python or Ruby.
I have been using it for two years.
Spidering large websites can use a lot of memory and might result in a crash on systems with lower RAM.
It's better to add only one website per project for the same reason as above.
I didn't use technical support.
I used many solutions but I found the best value, features and documentation in Burp.
Starting Burp only involves running a .jar file. The latest version also comes with an executable installer. Setting up a project can be more complex, involving configuring the proxy, scope and different spidering/scanning options.
I believe it has one of the lowest prices for commercial products (~$350 per user per year).
Before choosing this product, I evaluated free products - Arachni, OWASP ZAP, w3af, Vega - and commercial products - Acunetix, Qualys Web Application Scanner.
If you expect a product in which you input your website and click a scan button, Burp is not for you. Burp Suite Pro can perform an automatic scan, but the real power of the product lies in the modules that aid in manual testing. A few weeks are usually needed to read the documentation and ramp-up on all the features, for someone without previous experience.
Burp Suite is a versatile tool for manual web application penetration testing; mainly used by skilled ethical hackers to test the security of web-based applications. It helps with capturing and modifying HTTP packets and variables, and observing the application's response. It allows fuzzing the variable in an intuitive way, repeating the same method, crawling a web application, and similar functionalities.
The professional edition of Burp Suite provides some automated pen-testing scripts to detect application vulnerabilities, like SQL injection, XSS, etc. However, this component is not extremely useful. The results need to be double-checked manually, and false positives are very common, i.e., the tool detects a vulnerability from the HTTP response when a vulnerability does not actually exist.
I have been using it for five years.
It is a tool used mostly for manual tasks, and it is stable enough for that purpose.
If you attempt to map a large website using the Spider component, it can take a long time, and the tool may crash.
I have not used technical support, but online documentation and Help have always been sufficient.
I have used Charles Proxy, CAT, and Fiddler as well, but found Burp easier to use.
For automated scanning, there are stronger alternatives to Burp, such as Acunetix, IBM AppScan, Nexpose, Qualys, etc.
There is no setup needed. It is a Java app that does not need to be installed.
The free version is one of the best proxy tools for manual testing. For automated testing, it provides the best value for money in the market.
I evaluated Charles Proxy, Fiddler, and Context App Tool (CAT), which are great HTTP proxies. I like CAT and Burp as the best free ones.
To effectively use Burp, you will need someone with enough hands-on technical skills in ethical hacking and penetration testing.
I use the solution to intercept requests and scan applications.
The most valuable feature of PortSwigger Burp Suite Professional is the Burp Intruder tool.
The solution’s pricing could be improved.
I have been using PortSwigger Burp Suite Professional for around two to three years.
We have not faced any issues with the solution’s stability.
Over 500 people are using the solution in our organization.
The solution’s initial setup is easy.
PortSwigger Burp Suite Professional is an expensive solution.
I would recommend the solution to other users. Using PortSwigger Burp Suite Professional for the first time is not easy, but you can use it easily after using a demo version. The solution's Intruder tool has helped improve our security testing efficiency. The solution's Repeater tool has helped us with testing for web vulnerabilities.
Overall, I rate the solution a nine out of ten.
This is a solution for which I provide services to our customers and I also use it personally.
As part of our organization, we build internal applications. Before they are put into production, we run a suite of security tests to ensure that our applications are not vulnerable to any known issues. We use PortSwigger Burp for testing, as well as OWASP Zap. We do similar tests in multiple tools to make sure that we cover the entire set of use cases.
I have this solution deployed as one user on a single machine, which is used by a designated security tester.
The most valuable features are Burp Intruder and Burp Scanner.
The automatic scanning feature is helpful.
The interface for the automatic scan can be improved because it is easy for technical users, but the business users have trouble with it. There is documentation but the interface should be more user-friendly.
There should be a heads-up display like the one available in OWASP Zap. I think that it would be a very good addition.
I have worked with PortSwigger Burp for about ten years.
This solution is stable and we have had no major problems.
We have had no issues with scalability, although we are using a standalone installation with only a single user. We may expand usage in the future.
We also have OWASP Zap and we continue to use these two tools.
Zap has a heads-up display within its own browser, which is a very good feature. Zap is also completely free, whereas Burp has a free version but it also has licenses available.
For the most part, we use open-source solutions, which are free of charge.
The initial setup is simple and very straightforward. We were not setting up a server, so it took perhaps five minutes to get up to speed and begin using it.
There are different licenses available that include a free version.
We do have problems with some of the add-ons that we install from the marketplace. They may be unavailable or out of support, so when you want to install them, they are not there.
This is a very nice tool and anybody can use it, from beginner to expert level. There are some simple and straightforward settings with documentation that is very clear. If you follow the steps you can easily get up to speed within five minutes for a single user.
I would rate this solution an eight out of ten.
We use this solution for the security assessment of web applications before their release to the internet. The security assessment team uses this product to identify vulnerabilities and vulnerable code that developers may introduce. We host all of the beta applications in our internal web servers and then the security team starts assessments when the development freezes.
In the early years, we did not check our web applications for security vulnerabilities before releasing them to customers. Since we began this practice for every application, our clients are really happy and value our work.
BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding.
The auto scanning feature provides really good details about issues that it finds.
Crawling web applications using Burp Spider, Target Site Map, automating customized attacks with Burp Intruder, and manipulating parameters with Burp Repeater are the most useful and used features.
The Auto Scanning features should be updated more frequently and should include the latest attack vectors.
It would be really helpful if the issue details contained example recommendations on how to fix the issues identified, or perhaps point to external recommendations for reference.
I have never had issues running this application, so I would say it is stable.
Scalability is very simple and easy.
We have not needed to contact technical support, although there is a very big community of users.
Prior to this solution, we used various open-source or free applications. We wanted to streamline and improve productivity by standardizing the products that we use.
The initial setup of this solution is very straightforward and easy.
We performed the deployment in-house. There were no complicated steps.
Our ROI is above two hundred percent.
There is no setup cost and the cost of licensing is affordable.
We tested all of the free apps and could not find a stable all-in-one solution other than BurpSuite.
All application development organizations should purchase BurpSuite and train their developers on how to use this solution to identify security flaws. This will help to ensure that the applications released to the public internet will have better protection from malicious attackers.
I'm a junior cybersecurity analyst, and I'm helping the seniors to do some testing. Meanwhile, I'm also getting trained with the tool. I mostly use it for vulnerable apps assessment and some auditing. Other analysts use it for penetration testing.
We are using the latest version. We downloaded it three days ago.
I find the attack model quite amazing, where I can write my scripts and load my scripts as well, which helps quite a bit. All the active scanning that it can do is also quite helpful. It speeds up our vulnerability assessment and penetration testing. Right now, I am enjoying its in-browser feature, which also helps quite a bit. I'm always confused about setting up some proxy, but it really is the big solution we all want.
I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it could be sold in the local currency and at a cheaper price for us.
I have been using PortSwigger Burp for six months now.
I have found no issues so far with its stability. I can't complain about anything.
I can't say much about that because we are going to transition to cloud management. I don't know for sure how it is going to scale up. We are still in the testing and planning stages. We currently have approximately five users, and our team is still growing.
I haven't yet used their technical support.
The initial setup is completely easy. It took a day to deploy.
It is expensive for us in Brazil because the currency exchange rate from a dollar to a Brazilian Real is quite steep.
It is a really big solution. There are so many modules. You have got to have some training to do it properly and go through a lot of documentation.
I would rate PortSwigger Burp a nine out of ten. I haven't found anything to complain about, but there is always some room for improvement.
Primarily, I use it for scanning the applications and as a proxy to capture and manipulate the application traffic. That is the most useful set of features I have seen in this tool.
The customer is almost all the time results-oriented and they want them real quick.
Burp gives my organization a great authentic source of information on the security posture of web infrastructure.
PortSwigger launched a feature called Burp Extender, which enables organizations to use their own third-party code and integrate with Burp to use its capabilities and create their own customized results. This way, organizations do not need to worry about changing the reporting format and all. They will just get better results.
Burp is the best web application penetration testing tool that I have ever used.
Although all the features of Burp are very useful, I personally love its capability to automatically and accurately detect vulnerabilities. So, I would say it is the Burp scanner that is THE most powerful, valuable, and an awesome feature.
Another, very interesting and quite extensible feature is Intruder. The way you can customize your payloads to suit your penetration testing needs is simply outstanding.
The best thing is that all features are available just out-of-the-box and at a very nominal price.
The one feature that I would like to see in Burp is active scanning of REST-based web services. A lot of organizations are providing APIs to access their services to support different business models like SaaS. Scanning these APIs is still a challenge for many security product companies. Even Burp does not have a direct and easy way of scanning REST-based web services.
There is a capability to scan SOAP-based web services provided there is a WSDL available. So, to conclude, active web services scanning is something that I would like to see as an improvement in Burp.
No. Quite stable. The executable JAR file is even better since there is no installation required.
I have only used it as a single user. But many of my colleagues use it and I have never heard of any such issues.
Apologies. Never tried.
I have used a lot of tools for web application scanning and penetration testing -- like Qualys WAS, Nikto, OWASP ZAP proxy, Paros Proxy, DirBuster, Burp, etc.
The reason for switching to Burp is the capabilities of this tool. The scanner is very powerful and the way it integrates with third-party code is really cool. Other tools simply do not have these capabilities.
Quite straightforward. Thanks to its availability in executable JAR format, it is a highly portable solution.
I have implemented it in-house. There is no installation as such since the solution is an executable jar file. Users just need to double-click and start using it.
This is a value for money product.
I am a consistent user of web application scanners and penetration testing solutions.
I have used Qualys WAS, OWASP ZAP, sqlmap, Paros Proxy, and Nikto. But nothing stands close to Burp, because this tool has everything in one single portable powerful package.
If you are looking for a single web application penetration testing solution at low cost, definitely give it a try. You can request a trial of the pro version from PortSwigger if you would like to see the scanner capability in action.
They will, of course, require organizational contacts. Almost all the other features are also available in the free version.