
PortSwigger Burp Suite Reviews and Ratings

Rating: 9.4 out of 10

Community insights

TrustRadius Insights for PortSwigger Burp Suite are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.

Business Problems Solved

Burp Suite is widely used by various teams and departments within organizations for conducting dynamic security testing, or DAST, on websites and web applications. With its quick and efficient security review process, the software has proven to be a valuable tool in identifying and resolving security issues before they are moved to production. Users have found that Burp Suite produces easily understandable reports, allowing developers to identify and address vulnerabilities effectively.

Security consultants rely on Burp Suite for comprehensive security testing of both internal and external-facing web applications. The software consistently helps in finding valid and relevant bugs, enabling the consultants to provide accurate vulnerability assessments. Additionally, the vulnerability assessment team utilizes Burp Suite extensively as one of their primary tools for evaluating the security of over 300 public-facing websites.

One of the key benefits of Burp Suite is its ability to proactively identify security defects before they can be exploited. By using the software, teams can discover vulnerabilities early on and implement necessary fixes promptly. This approach ensures that applications are secure and protected from potential attacks.

Another advantage of Burp Suite is its wide range of tools for testing different types of attacks in web applications. Whether it's running automated scans for common bugs or performing manual inspections and manipulations of HTTP requests, users find Burp Suite to be reliable and effective. The software's lightweight nature allows it to be easily installed on various systems, making it accessible for testing both internal and external-facing applications.

While not intended for use by the entire organization due to its potential impact on production environments, Burp Suite is highly regarded by cybersecurity departments for its effectiveness in exploiting applications. Security professionals and application developers also utilize the software to test security features and intercept HTTP requests for inspection and manipulation.

In summary, Burp Suite plays a vital role in conducting dynamic security testing and vulnerability assessments for websites and web applications. Its user-friendly reports, comprehensive bug detection capabilities, proactive defect identification, wide range of tools, and accessibility make it a preferred choice for security consultants and teams across organizations.

Reviews

12 Reviews

PortSwigger Burp Suite A Must-Have Tool for Web App Security

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

We use PortSwigger Burp Suite Professional mainly for testing the security of web applications and APIs. It's an essential tool for our cybersecurity team during vulnerability and penetration testing. We also use it to test APIs, making sure data is handled securely and only the right users have access to sensitive functions.

Pros

  • One of the best features is the intercepting proxy, which lets us see and change what's being sent between our browser and the website.
  • The repeater is great for manual testing.

Likelihood to Recommend

It's great for intercepting and changing login requests. For one client I had done testing of their website, and after intercepting and changing the request, I found an IDOR vulnerability; it's a very high vulnerability, and I gave it in the report. And with the BApp Store, I downloaded the IIS Tilde Enumeration extension and found a vulnerability.

Vetted Review
PortSwigger Burp Suite
1 year of experience

PortSwigger Burp Suite should be part of every AppSec professional's toolkit

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

We utilize PortSwigger Burp Suite for multiple aspects including our application security testing, internal red teaming exercises, and vulnerability management.

As part of our secure SDLC, we utilize PortSwigger Burp Suite for Interactive Application Security Testing (IAST) to ensure no code vulnerabilities are present.

We also utilize PortSwigger Burp Suite to validate CVEs and attempt exploitation of publicly released vulnerabilities. This provides a first-hand view of what the attack is capable of.

Pros

  • Web proxy for application security testing
  • Extensive list of integrations to enrich capabilities for scenario specific use cases
  • Automate common attack types using Burp Intruder

Cons

  • The user interface is pretty bland but easy to use once you learn it.
  • Billing support is limited. For enterprise customers, it would be ideal if it could be purchased through a PO and invoice rather than credit card.
  • Limited product support

Likelihood to Recommend

PortSwigger Burp Suite is top notch for environments with a dedicated application security team or resource. It should be part of the standard toolset for any application security program.

PortSwigger Burp Suite does require some specialized skillsets and knowledge to utilize making it not ideal for companies lacking in dedicated security staff or software engineers.

Vetted Review
PortSwigger Burp Suite
3 years of experience

Corporate loves PortSwigger Burp Suite

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

The PortSwigger Burp Suite plays a big role on a daily basis, but after loading extensions, the software lags too much. Active scan sends lots of junk requests, which can be improved. The software could be a bit lighter and faster, as in Java lots of things run slowly and at a particular speed.

Pros

  • proxy
  • passive scans
  • response capture

Cons

  • speed
  • more accuracy
  • lightweight
  • ui

Likelihood to Recommend

It is the best and most widely used software for pen-testing with manual effort; the automated rules play a big role, but the amazing thing is the manual editing feature for requests. Extensions also are the best thing we can add to PortSwigger Burp Suite to utilize the tool at its peak.

Vetted Review
PortSwigger Burp Suite
6 years of experience

One of the best tools for application security testing.

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

With the help of PortSwigger Burp Suite we do the penetration testing of applications. It helps us in proactively identifying security defects, and we can fix them before an attacker exploits them. It is a set of tools that we can use to test different types of attacks in a web application. I can also run an automatic scan to identify common bugs.

Pros

  • Automated scans
  • Detailed reporting of bugs
  • Less costly or cost effective

Cons

  • User interface can be improved
  • Automated scan report can be further improved to reduce false positive
  • Sometimes the tool crashes when opening a large number of threads

Likelihood to Recommend

It helps us in proactively identifying security defects. It is easy to install, easy to use, and it has good community support. Enough training material is available free of cost on the internet to learn it. Its reporting feature is not that good; it requires more improvement in the reporting section.

The perfect partner for a Security professional

Rating: 8 out of 10

Use Cases and Deployment Scope

Our company has a set of security consultants who conduct penetration testing on all the products developed by our company on a regular basis. Being an enterprise product-based company, we have tried out many other scanning tools and ended up using Burp, which was the only one that helped our consultants to come up with valid and relevant bugs.

Pros

  • The passive scan feature is really awesome, it kind of covers areas that you might miss.
  • The CSRF POC is really helpful to my team. It helps development team see the issue and understand it.
  • Burp Intruder and Repeater are the features I myself and my team use the most, as they help us use our payloads in a variety of different ways.
  • Active scan helps the team to ensure coverage for the whole application.

Cons

  • Reporting is a weak area that we have identified with Burp.
  • DevSecOps integration is something I am really curious about...
  • The user interface could be considered for more improvements.

Likelihood to Recommend

Best suited if you have a team that has the ability and bandwidth to conduct manual penetration testing. In our case, many commercial tools were unable to find any valid bugs.

Not suitable for teams who need security testing done with just one click. Reporting is also an issue with this tool.

An honest mgt view of the tool used by a team of security consultants

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

Burp Suite is used by my security consultants to perform security assessments and reviews for the organization's applications. It is commonly used across the entire organization, by different groups and teams. The security consultants used the suite to perform their security assessments as well as for training for new hires.

Pros

  • Manual penetration testing and configuration tweaks
  • Automated bulk scanning and simulated scenarios
  • Report generation for mgt as well as working levels

Cons

  • More features to be available for the free/community version to allow more learning
  • Manual updating of plugin without network connectivity
  • More controls with the manual testing with scenario inputs

Likelihood to Recommend

Burp Suite is a baseline for any security reviews. Security consultants and new aspiring security trainees can be more exposed to it to use as part of their courses and trainings. Experienced security consultants can transfer their knowledge to the newbies, but it would be good to have more features to wow the newbies and mgt.

Vetted Review
PortSwigger Burp Suite
3 years of experience

Burp is really all you need

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

Working in application security, I use Burp Suite to proxy my internet traffic for inspection and manipulation to help test for security vulnerabilities. The other tool that comes to mind is OWASP ZAP, but overall Burp is generally considered to be the best tool out there for application security testers.

Pros

  • Fuzzing requests for vulnerabilities
  • Intercepting requests
  • Great extensions through the store that extend functionality

Cons

  • Personally I have more trouble than I should getting the scope set just how I need it to filter out junk traffic like Google and Firefox background noise

Likelihood to Recommend

Burp is great for all web application testing. If that is what you are doing I can't think of a scenario where it wouldn't work for you.

Vetted Review
PortSwigger Burp Suite
4 years of experience

Hack your applications before anyone else can using BurpSuite

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

BurpSuite is being used in our organization for performing penetration testing on internal as well as external-facing applications. It is a very light-weight tool which can be installed on almost any system (even legacy systems) and be utilized to exploit the applications. The software is being used by one of the departments within our organization which is working on the cybersecurity side. The application is not intended to be used by the whole organization since it contains malicious payloads which when deployed in the production department can bring the whole environment to a halt.

Pros

  • Automated as well as manual testing can be performed from a single tool. Usually, in the industry, automated and manual tools are available, but in different tools. However, BurpSuite is a master tool which can perform both of the tasks.
  • Spidering feature: The spidering feature of BurpSuite is one of the most renowned features of this software. It contains an automated and manual process which completely scans a website end to end and shows you a flow chart which beautifully represents the entire workflow, and all of this can be done with a click of automated spidering.
  • Acts as an amazing proxy service: BurpSuite helps you proxy all the web-based requests which can even be modified when sent or received. Unlike other proxies, this proxy works without fail. So it is highly reliable.

Cons

  • The interface is a big problem: No matter how many features a software provides you, if the features are not well presented, you will miss most of them when they are actually required. The presentation of the software should be improved and made more presentable.
  • Tutorial videos for beginners: This software lacks a lot in tutorials. A beginner almost wastes most of the time in finding and understanding the features and the implementation of the same. The software vendor should work on providing more in-depth videos so that people can learn and understand the concepts.

Likelihood to Recommend

BurpSuite is well suited in scenarios where the user is actually trying to exploit internal applications. The controls of internal applications can always be modified and made to suit the environment of the pen-testing. However, if this was for external applications, this tool can lock out the application since it has no control over the number and time of tries. A professional can, however, use it and make the necessary changes for the external applications but it can be risky at the time, so I would recommend it to be used only on internal/non-production applications.

Vetted Review
PortSwigger Burp Suite
1 year of experience

Best web app security testing tool on the market

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

Burp Suite is a web application security testing tool. As a security consultant, I have used Burp Suite for security testing for web applications of our clients and also for my own personal research.

Pros

  • First of all, it is possible to carry out manual security tests of web applications and mobile applications using this tool. The advantage is that you can also securely test the vulnerabilities related to the business logic of these apps.
  • It uses a local proxy, so it allows you to intercept the traffic of the applications to find vulnerabilities.
  • It also allows you to manipulate the attribute fields of intercepted traffic to find any flaws inside applications.

Cons

  • Doesn't describe how to test different vulnerabilities, which can be challenging if you are a new user of this tool.
  • The community edition provides a limited number of features compared to the professional edition. Since many researchers use the community edition for security testing, they should provide more features which would be helpful.

Likelihood to Recommend

Burp Suite is well-suited for doing testing of applications the way researchers want, in contrast to other automated security testing tools which perform tests of well-known vulnerabilities. In comparison to automated security testing tools, Burp Suite takes more time to perform the test as it's a manual testing tool, which can be a drawback if tests are to be carried out quickly.

Burp is for Professionals, Not Quick Fixes

Rating: 6 out of 10
Incentivized

Use Cases and Deployment Scope

Our security department uses it, and I use it to test the security features of applications I develop. It solves the problem of needing a quick way of intercepting HTTP requests for our web apps and running routine scans.

Pros

  • Inspection/altering of HTTP requests/responses.
  • The scans are fairly comprehensive and the application itself is very mature in this.
  • The attack features are very nice and are enough so that I don't have to do everything from scratch to test out my code.
  • Works great on a private network with no internet connection.

Cons

  • Setup for proxies is cumbersome and took some time to get set up. There's a lot to be done outside of Burp itself for this to work.
  • The interface is outdated and uses tabs for everything; you can get lost in deeply nested features if you're new.
  • The way CSRF scans find the vulnerabilities can be cryptic and takes time to find in the documentation. When we get a result we want more comprehensive information on why a scan succeeded, not just failed.

Likelihood to Recommend

After the initial setup, it's good for inspecting headers quickly on an application. Being able to watch all the traffic and let some through or alter them was a good visual. There is a big learning curve to this application, however; it took plenty of time to get familiar with everything, as there are a lot of features that are not self-explanatory.

Vetted Review
PortSwigger Burp Suite
1 year of experience