PortSwigger Burp Suite Professional Room for Improvement
We have found that so many times, false positive bugs are there, and then we spend a lot of time basically separating them from real bugs. So that's the reason we are looking for some other tool. So we were in discussion with Acunetix.
Therefore, the false positive rate is, like, something that we would like to improve.
What we are looking for is if this false positive rate goes down because we were OWASP Zap tool users, which was free anyway. But there were a lot of false positives there, and we used to spend a lot of time, like, for security reasons, reproducing those bugs for the development team to fix it.
So then we thought, okay, why not we go with the tool? Even if it is not very expensive. But still, every year, we have to renew the license. And we got this tool. Again, we found that in this tool also, even if it is less, there are still a lot of false positive bugs out there. So we again have to spend so much time.
So we hired a security tester, who was basically using Acunetix in his previous company for almost three years, and then you said that in that scanning is very slow. The scanning is also slow. Like, sometimes the site scan takes eight hours, six to eight hours. Yeah. And whereas in Acunetix, it took three to four hours.
And plus, there are no false positives. I'm not saying none but there's very little. But here, the rate sometimes is very high. These are the two features I think we would like to improve further.
View full review »From a security perspective, I have only found defects related to cookies. It would be good if the solution could give us more details about what exactly is defective, and it would be more helpful if it explored more to catch as many defects as possible, apart from cookie-related defects.
View full review »PL
Pierre Lend
Cyber Security Consultant at Accenture
You can have many false positives in Burp Suite. It depends on the scale of the penetration testing. If you have experience, you can quickly determine the false positive.
PortSwigger Burp Suite Professional lacks an authentication feature for handling certain applications. For example, consider applications that utilize authentication, where tokens typically expire after one hour. Burp does not automatically handle reauthentication in such scenarios. While it does offer a feature to set rules for automatically renewing authentication, it's specific to particular applications. However, the process for applications with token-based authentication has become more complicated. When running a web scanner, authentication may fail due to expired tokens after one hour, rendering the scanner unable to authenticate with the application.
Buyer's Guide
PortSwigger Burp Suite Professional
April 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,246 professionals have used our research since 2012.
The solution’s pricing could be improved.
View full review »There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI.
In a future release, if there could be some kind of autonomous function, or user behavior prediction that would be beneficial.
View full review »The price could be better. The rest is fine.
View full review »I need the solution to be more user-friendly. The solution needs to be user-friendly.
The Iran market does not have after-sales support. PortSwigger Burp Suite Professional needs to provide after-sales support.
It's already great. There isn't anything needed for improvement.
The initial setup is a bit complex.
View full review »PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try.
View full review »The technical support team's response time is mostly delayed and should be improved.
View full review »In the Professional version, we cannot link it with the CI/CD process. This feature is included in the enterprise version. Also, it doesn’t have a dashboard to preview the number of issues that were found. A dashboard showing previous issues and their status will be better. These all are enterprise features which are extremely expensive.
View full review »
In general, there's not much to complain about but the stability of the tool is not good enough. I know that the RAM utilization is something they're working on but using a scan currently takes up too much memory. Resource utilization is an issue because when you're application testing, there are multiple threats and multiple application requests that are going in the backend.
View full review »DC
Dhaba C
Team Lead at dhabsc
I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version.
The crawling techniques used in the current version are not as efficient as those used in earlier versions.
View full review »EA
Eldar Aydayev
President & Owner at Aydayev's Investment Business Group
There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment. The user interface is pretty basic and if you want to do more advanced operations you need to know more technical details, which are not publicly available. You need to get in touch with different engineers or somebody that publishes their experience in a book to be able to get the knowledge in how to use this solution to its fullest.
View full review »RP
Rahul Singh Patel
Cyber security Lead at PCS
Scanning needs to be improved in enterprise and professional versions. The enterprise version has challenges related to scheduled scans. If a scan fails after two days without notification during offline periods, that time is lost. Sometimes, it took up to 24 hours to realize that certain tests had failed for various reasons. There's significant room for improvement in automating scans.
AM
reviewer2303070
Test Lead at a financial services firm with 10,001+ employees
If your application uses multi-factor authentication, registration management cannot be automated. There are also some session management issues we have found if we want to integrate it into the pipeline. There were also some authentication-related issues we found at the time. These issues were more specific to the enterprise edition. I have worked on a paid version of the standalone solution, which is best for manual penetration testing.
View full review »MN
Manikantha Nagireddy
Security Tester at Ray Business Technologies Private Limited
Mitigating the issues and low confluence issues needs some improvement. Implementing demand with the ChatGPT under the web solution is an additional feature I would like to see in the next release.
NS
reviewer1753959
Cyber Security Engineer at a transportation company with 10,001+ employees
BurpSuite has some issues regarding authentication with OAT tokens that need to be improved.
View full review »Sometimes the solution can run a little slow. When we’re cracking passwords, we have issues with responsiveness.
View full review »VN
Vijayanathan Naganathan
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
In the earlier versions what we saw was that the REST API was something that needed to be improved upon but I think that has come in the new edition when I was reading through the release offset available.
There is a certain amount of lead time for the tickets to get resolved. The biggest improvement that I would like to see from PortSwigger is what many people see as a need in their security testing that coudl be priortized and developed as a feature which can be useful. For example, if they're able to take these kinds of requests, group them, prioritize and show this is how the correct code path is going to be in the future, this is what we're going to focus around in building in the next six months or so. That could be something that will be really valuable for testers to have.
View full review »The tool is very expensive.
View full review »SB
Sajda Bano
Quality Analyst at Hiup Solution
It works for me. I don't see any missing features.
The solution is not easy to set it up. You need a lot of knowledge. I'd like to see more documentation. They need to provide more videos and more information about the solution. The website isn't as helpful as it could be. They need to provide more information and maybe provide courses to help people get the most out of it.
For smaller organizations, the solution is expensive.
View full review »VD
reviewer1526550
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Although it provides great writeup for the identified vulnerabilities but reporting needs to improve with various reporting templates based on standards like OWASP, SANS Top 25, etc. The tools needs to expand its scope for mobile application security testing, where native mobile apps can be tested and can provide interface to integrate with mobile device platform or mobile simulator's. Burp suite has great ability to integrate with Jenkins, Jira, Teamcity into CI/CD pipeline and should provide better ways of integration with other such similar platforms.
View full review »Scanning APIs using PortSwigger Burp Suite Professional takes a lot of time.
View full review »NS
Nagaraj Sheshachalam
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees
The reporting needs to be improved; it is very bad.
The dashboard feature or the front-end of the tool does not look good and is not very creative or user-friendly. It looks complicated when we log in to the tool. It looks boring and outdated.
View full review »SS
SivaPrakash
Senior Test Engineer II at a financial services firm with 201-500 employees
One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that.
One more thing they can improve is that despite having a good architecture, it needs a lot of specification. So when you start a project, because it requires a high configuration, the instructor costs more than the project. So it's not cost efficient if it's a big project.
View full review »There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual. This would help us to better understand the product, and we would not need to buy a separate book.
In the next release, I want to see it more interactive and have more multitasking with some faster features. Sometimes scanning takes a long time, so they need to add more tricks to reduce the time spent in security testing.
View full review »RO
CyberSecAn08987
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees
The number of false positives needs to be reduced on the solution.
I'm not sure whether some features need to be added because the product has a specific toolset, and if I do need some additional features, currently I get them in different security products. The solution, however, could better integrate with various other tools.
View full review »MM
reviewer1966164
Cyber Security Specialist at a university with 10,001+ employees
PortSwigger Burp Suite Professional could improve the static code review.
In an upcoming release, PortSwigger Burp Suite Professional can give some possible remedies for any issues it has discovered after a scan of an application. At this time it provides vulnerabilities, having the possible remedies would be a benefit. It would be useful for the developers, to fix the issue immediately.
View full review »AJ
reviewer1871559
Cyber Security Analyst at a comms service provider with 10,001+ employees
In some cases, we got a few file postings while doing it by the automatic scan. If that could be better, that would be ideal. The scanner could just be updated a bit more.
We'd like to have more integration potential across all versions of the product. The enterprise version seems to have better integration services than others.
View full review »NA
Nirosh Anda
Chief Info Sec Engineer at Sri Lanka CERT
We wish that the Spider feature would appear in the same shape that it does in previous versions.
I believe we have developmental tools such Accuratix. It would be nice if the report that was accepted upon scanning would highlight all the weaknesses from the perspective of my application.
View full review »SS
Shrey Sethi
Penetration Tester at a tech services company with 1,001-5,000 employees
There is not much automation in the tool.
View full review »NC
reviewer1112304
IT Manager at a manufacturing company with 10,001+ employees
We've faced lots of challenges, including slowing down of the tool, and a lot of error messages, sometimes because of the interface. If we're running a huge number of scans regularly, I think that also slows down the tool so I'm not sure if it is good for lots of scans. I hope they will work on the amount of scans they can handle. There have been improvements in the interface and the reporting structure, but they need to do more. They have a long way to go. For now, if we use the interface directly, we need to use an integration with our web application. We're after value for money.
NC
reviewer1112304
IT Manager at a manufacturing company with 10,001+ employees
The biggest drawback is reporting. It's not so good. I can download reports, but they're not so informative.
For example, they are providing very good information about vulnerabilities, but when you are scanning the whole pathway, we want to see information like percentages, how much is finishing, and how much it is not, etc. If the scan fails, they should tell us when or how it stopped, if it failed, why it has failed, and how to avoid something like this from happening again. They need something more in-depth and more technical.
I would like to have some more features, which I can play around with. It's not so flexible.
View full review »AA
reviewer1508730
Founder and Director at a financial services firm with 1-10 employees
The pricing of the solution is quite high. It would be ideal for the customers if they could lower the costs involved in their subscription.
We have new tools in R language programming platforms that are coming up. The solution needs to ensure its compatible with that language.
View full review »YC
reviewer1110963
Security consultant at a manufacturing company with 10,001+ employees
One downside of the solution would be their false positive checks. As with most automated security tools, there is still a high false positive issue. Hopefully they will be able to improve on that in the future. It would also be helpful if the solution had the capability of handling larger reports. Another area of improvement would be to have a customizable dashboard. It's currently restricted now to their own interface. If you want to utilize the other features available in their API documentation, then you have to write some code yourself. It would be great if their interface could be somewhat customizable.
VR
reviewer1170114
Director at a consultancy with 10,001+ employees
The Burp Collaborator needs improvement. There also needs to be improved integration.
View full review »Some extra features are not available in the core product (WSDL parsing, SOAP calls, Error checks, Authorization bypass), but additional modules created by the community can be easily installed from the BApp store through Extender, or you can write your own in Java, Python or Ruby.
View full review »The professional edition of Burp Suite provides some automated pen-testing scripts to detect application vulnerabilities, like SQL injection, XSS, etc. However, this component is not extremely useful. The results need to be double-checked manually, and false positives are very common, i.e., the tool detects a vulnerability from the HTTP respond when a vulnerability does not actually exist.
View full review »VC
reviewer2378706
Senior Cyber Security Analyst at a tech services company with 501-1,000 employees
The solution’s pricing could be improved.
View full review »MM
reviewer1223976
Cyber Security Specialist at a university with 10,001+ employees
The interface for the automatic scan can be improved because it is easy for technical users, but the business users have trouble with it. There is documentation but the interface should be more user-friendly.
There should be a heads up display like the one available in OWASP Zap. I think that it would be a very good addition.
View full review »The Auto Scanning features should be updated more frequently and should include the latest attack vectors.
It would be really helpful if the issue details contained example recommendations on how to fix the issues identified, or perhaps point to external recommendations for reference.
View full review »KM
reviewer1293489
IT Security Analyst at a tech services company with 11-50 employees
I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us.
View full review »The one feature that I would like to see in Burp is active scanning of REST based web services. A lot of organizations are providing APIs to access their services to support different business models like SaaS. Scanning these APIs is still a challenge for many security product companies. Even Burp does not have a direct and easy way of scanning REST based web services.
There is a capability to scan SOAP based web services provided there is a WSDL available. So, to conclude active web services scanning is something that I would like to see as an improvement in Burp.
SD
reviewer1471662
Lead Software Architect at a tech services company with 201-500 employees
The interface for external clients needs improvement.
Currently, the scanning is only available in the full version of Burp, and not in the Community version.
I would like the scanning included for free also.
View full review »SJ
Saminda Jayawardene
Compliance Manager at a tech services company with 201-500 employees
A lot of our interns find it difficult to get used to PortSwigger Burp's environment. The environment should be improved a little bit. Once you get used to it, it's fine, but it should be more simplified for newcomers. This would save us from constantly having to brief our interns.
View full review »AB
Ashutosh Barot
Security Researcher at a financial services firm with 5,001-10,000 employees
The use of system memory is an area that can be improved because it uses a lot. They need to reduce the amount of system memory it uses.
View full review »AS
reviewer939417
IT Auditor & Compliance Officer at a tech vendor with 51-200 employees
I would like to see a more optimized solution, as it currently uses a lot of CPU power and memory. Sometimes, the application is blocking.
The reporting also needs improvement. Specifically, if there is an issue that exists on many pages, then I do not want to see the same thing repeated many times throughout the report. Rather, it should be pointed out as a global error, and only shown the one time.
In the next version, I would like an option to scan the environment where the application is installed. I would also like a better cryptographic study, with more controls.
View full review »AG
reviewer1458246
Cyber Security Analyst at a tech services company with 11-50 employees
One thing that is not up to the mark in PortSwigger is web application testing. I found some issues with its performance and reporting. They should work on these and give us a better outcome.
IB
Ivan Biagi
Security Specialist at Alfa-A IT
The scanner and crawler need to be improved.
View full review »JA
Securitydbe0
Security Analyst at a tech services company with 201-500 employees
The product is very good just the way it is; It has everything already well established and functions great. I can't see any way for this current version to be improved.
View full review »AR
reviewer1261914
AVP - Software Quality Assurance at a tech services company with 201-500 employees
The solution isn't too stable. The fundamentals of it make it difficult to use. Sometimes it takes me to other applications that are being run.
The scalability capabilities of the solution could be improved.
View full review »Buyer's Guide
PortSwigger Burp Suite Professional
April 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,246 professionals have used our research since 2012.