See our complete list of top penetration testing tools.
The Bottom Line
PortSwigger Web Security’s Burp is a top-rated web vulnerability scanner used in many organizations and is found in most penetration testing toolkits, though its strength is more on the scanning side than on penetration. A free version is limited in functionality, so those interested in the complete package for enterprise-wide scalability and automation should be prepared to pay well. Security professionals needing only a good automated vulnerability scanner for code testing can make do with the much cheaper Professional version.
For more on Burp Suite, see Getting Started with the Burp Suite: A Pentesting Tutorial.
Type of tool: Web vulnerability scanner
Key features: PortSwigger Web Security offers the Burp web vulnerability scanner in three flavors:
- The Enterprise Edition comes with an automated Web vulnerability scanner, scheduling of scans, scalability across the enterprise, and CI integration as well as a series of manual tools.
- The Professional version doesn’t have scheduling, enterprise scalability or CI integration.
- The Community Edition consists of a series of manual tools and is aimed at researchers and hobbyists. The free version has essential manual tools for carrying out scanning activities.
Burp bills itself as the world’s most widely used web vulnerability scanner. Major retailers, banks and governments use it to protect applications. It can check for SQL injection, cross-site scripting (XSS) and other vulnerabilities (including those listed in the OWASP top 10). In addition to scanning, it is also used for compliance and security audit purposes.
Burp is a Java-based web vulnerability scanner, enabling IT to scan applications to gain an enterprise-wide view of the most significant vulnerabilities. Drill-down capabilities allow for a closer look at individual applications, URLs and parameters to view issues in more detail. Web vulnerabilities are classified by type and severity.
Burp pioneered the use of out-of-band application security testing (OAST) to supplement regular scanning. Burp Collaborator detects server-side vulnerabilities that may not be noticeable when only the application’s external behavior is observed. Burp also functions as an intercepting HTTP proxy, so all HTTP/S traffic from the browser passes through it.
“Burp is my go-to tool for testing web applications,” said the CEO of a security firm.
Differentiator: Automation of scanning and repetitive functions, enterprise scalability.
What it can’t do: It is primarily a vulnerability scanner, with only some penetration testing tools for exploiting the vulnerabilities it uncovers.
Cost: The Enterprise Edition costs $3,999 per year. The Professional version costs $399, and there is also a free edition.