PortSwigger Burp Review

Thanks to its availability in executable JAR format, it is a highly portable solution


What is our primary use case?

Primarily, I use it for scanning the applications and as a proxy to capture and manipulate the application traffic. That is the most useful set of features I have seen in this tool.

How has it helped my organization?

Customers are almost always results-oriented, and they want those results quickly.

Burp gives my organization a great authentic source of information on the security posture of web infrastructure.

PortSwigger launched a feature called Burp Extender, which enables organizations to use their own third-party code and integrate it with Burp to use its capabilities and create their own customized results. This way, organizations do not need to worry about changing the reporting format and so on. They will just get better results.
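As an added illustration of the extension point described above, here is a minimal passive scanner check written against Burp's legacy Extender API (the `burp` package: `IBurpExtender`, `IScannerCheck`, `IScanIssue`). This is example code written for this page, not code from PortSwigger or from the reviewer. The header it looks for (Content-Security-Policy), the HTML-only filter and the issue wording are choices made here; the class is assumed to be compiled with Burp's exported API interface files on the classpath and loaded through Extender > Extensions.

```java
package burp;  // Burp's legacy Extender API requires the entry class to live in the "burp" package

import java.net.URL;
import java.util.ArrayList;
import java.util.List;

// Example extension (not PortSwigger's code): reports HTML responses that lack a
// Content-Security-Policy header as a custom scanner issue, so the finding shows up
// in Burp's issue list and in its exported reports alongside built-in checks.
public class BurpExtender implements IBurpExtender, IScannerCheck {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Missing CSP header (example check)");
        callbacks.registerScannerCheck(this);  // hook this class into the scanner
    }

    // Passive check: inspects traffic Burp has already seen and sends no extra requests.
    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
        byte[] response = baseRequestResponse.getResponse();
        if (response == null) return null;

        IResponseInfo info = helpers.analyzeResponse(response);
        // Only HTML documents benefit from CSP; skipping other content types limits noise.
        boolean isHtml = "HTML".equals(info.getStatedMimeType()) || "HTML".equals(info.getInferredMimeType());
        if (!isHtml) return null;

        for (String header : info.getHeaders()) {
            if (header.toLowerCase().startsWith("content-security-policy:")) return null;  // header present
        }

        URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
        List<IScanIssue> issues = new ArrayList<>();
        issues.add(new MissingCspIssue(baseRequestResponse, url));
        return issues;
    }

    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
        return null;  // this check is purely passive
    }

    @Override
    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
        // Same URL means the same finding: keep the existing issue (-1) so the report is not flooded.
        return existingIssue.getUrl().equals(newIssue.getUrl()) ? -1 : 0;
    }

    // Custom issue object; Burp renders these fields in the issue viewer and in reports.
    private static class MissingCspIssue implements IScanIssue {
        private final IHttpRequestResponse message;
        private final URL url;

        MissingCspIssue(IHttpRequestResponse message, URL url) {
            this.message = message;
            this.url = url;
        }

        @Override public URL getUrl() { return url; }
        @Override public String getIssueName() { return "Content-Security-Policy header missing"; }
        @Override public int getIssueType() { return 0x08000000; }  // Burp's "extension generated issue" type
        @Override public String getSeverity() { return "Low"; }
        @Override public String getConfidence() { return "Certain"; }
        @Override public String getIssueBackground() {
            return "A Content-Security-Policy header restricts where a page may load scripts and other resources from, "
                 + "which reduces the impact of content injection flaws.";
        }
        @Override public String getRemediationBackground() { return null; }
        @Override public String getIssueDetail() {
            return "The HTML response at " + url + " did not include a Content-Security-Policy header.";
        }
        @Override public String getRemediationDetail() {
            return "Add a Content-Security-Policy header with a policy appropriate to the application.";
        }
        @Override public IHttpRequestResponse[] getHttpMessages() { return new IHttpRequestResponse[] { message }; }
        @Override public IHttpService getHttpService() { return message.getHttpService(); }
    }
}
```

Package the compiled class into a JAR together with nothing else (the `burp.*` interfaces are provided by Burp at runtime), load it under Extender > Extensions, and any in-scope HTML response without the header is reported as a Low-severity issue without changing the report format, which is the point the paragraph above makes.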

What is most valuable?

Burp is the best web application penetration testing tool that I have ever used.

Although all the features of Burp are very useful, I personally love its capability to automatically and accurately detect vulnerabilities. So, I would say it is the Burp scanner that is THE most powerful, valuable, and an awesome feature.

Another very interesting and quite extensible feature is Intruder. The way you can customize your payloads to suit your penetration testing needs is simply outstanding.

The best thing is that all features are available just out-of-the-box and at a very nominal price.

What needs improvement?

The one feature that I would like to see in Burp is active scanning of REST-based web services. A lot of organizations are providing APIs to access their services to support different business models like SaaS. Scanning these APIs is still a challenge for many security product companies. Even Burp does not have a direct and easy way of scanning REST-based web services.

There is a capability to scan SOAP-based web services, provided there is a WSDL available. So, to conclude, active web services scanning is something that I would like to see as an improvement in Burp.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

No issues; it is quite stable. The executable JAR file is better, since no installation is required.

What do I think about the scalability of the solution?

I have only used it as a single user. But many of my colleagues use it and I have never heard of any such issues.

How are customer service and technical support?

Apologies, never tried.

Which solution did I use previously and why did I switch?

I have used a lot of tools for web application scanning and penetration testing, like Qualys WAS, Nikto, OWASP ZAP proxy, Paros Proxy, DirBuster, Burp, etc.

The reason for switching to Burp is the capabilities of this tool. The scanner is very powerful and the way it integrates with third-party code is really cool. Other tools simply do not have these capabilities.

How was the initial setup?

Quite straightforward. Thanks to its availability in executable JAR format, it is a highly portable solution.

What about the implementation team?

I implemented it in-house. There is no installation as such, since the solution is an executable JAR file. Users just need to double-click it and start using it.

What's my experience with pricing, setup cost, and licensing?

This is a value-for-money product.

Which other solutions did I evaluate?

I am a consistent user of web application scanners and penetration testing solutions.

I have used Qualys WAS, OWASP ZAP, sqlmap, Paros Proxy, and Nikto. But nothing stands close to Burp, because this tool has everything in one single portable powerful package.

What other advice do I have?

If you are looking for a single web application penetration testing solution at low cost, definitely give it a try. You can request a trial of the pro version from PortSwigger if you would like to see the scanner capability in action.

They will, of course, require organizational contacts. Almost all the other features are available in the free version, also.

Disclosure: I am a real user, and this review is based on my own experience and opinions.