Burp Suite, from PortSwigger Ltd, is a package of system testing tools accessed from a single interface. The system includes penetration testing utilities for Web applications and a vulnerability scanner. Burp Suite is offered in three editions, and the higher-priced versions add on more automated systems. All three editions are delivered with the same interface.
Burp Suite Community Edition
The lowest plan is free, and that only includes penetration testing tools. Users of the free version, the Community Edition, can see the paid tools but the buttons that launch them are disabled. The operating mechanism of Burp Suite is as a Web proxy. The package works with a Web browser, and the penetration tester intercepts traffic between the Web server and the browser. All three elements can be resident on the same computer.
Burp Suite paid editions
The two paid plans of Burp Suite are called the Professional Edition and the Enterprise Edition. These both include a vulnerability scanner that automates testing. In addition, the penetration testing tools that are in the Community Edition are also available in the two paid versions.
As a rule of thumb, a testing service checking on system security for a client would use Burp Suite Professional. On the other hand, a Web applications development company would need Burp Suite Enterprise for development testing.
What does Burp Suite do?
Burp Suite intercepts traffic between a Web server and a Web browser. The package includes penetration testing and vulnerability scanning tools, but the utilities you get depend on which edition you choose. Higher plans get all of the facilities included in lower plans.
The features of each edition are shown below.
Burp Suite Community Edition features
One of the best features of the Burp Suite system is that its interface is well laid out. You access system research functions and attack strategies in different tabs, enabling you to keep your work plan correctly organized. Despite this separation, the system allows pertinent data from a research screen to be easily copied over into an attack feature.
The main tools in the Community Edition are:
- Proxy: This is the engine behind Burp Suite that facilitates all research and attack scenarios. It diverts network traffic through its processor, enabling a range of assessments to be performed.
- Repeater: This tool lets you inject traffic into a stream and test a specific Web application for the presence of a known weakness. To benefit fully from this tool, you would generate and adjust the HTTP header, change different components, and note the different responses.
- Decoder: This system can work out what encryption or hashing method is in use for passing packets, and in some instances, it can decode them. This tool can also encode source data into an appropriate format to match the conventions in use on a network.
- Sequencer: This tool examines captured data and looks for “randomness.” The purpose is to work out which patterns are intentional so that you can check on the value of each variation in your testing strategy. In short, it lets you work out which responses were the results of the parameters that you put into your probe run and which would probably have come through in the response anyway.
- Comparer: This compares responses. Those responses might be encoded and impossible to decipher. However, if a sequence of tests results in the same character pattern except for one response that is different, this shows you the direction to move in. For example, consider a brute force password cracker getting a different response one out of ten tries – that one is the avenue to go down.
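The Comparer idea above, sketched as an added Python example (not part of Burp Suite or the original article): it masks a per-request value, groups ten constructed responses, and reports the one that differs from the majority, which is the kind of response discrepancy a defender wants an endpoint not to expose. The `request_id` field, the response bodies and the function names are assumptions made for illustration.

```python
import difflib
import re
from collections import Counter

# Constructed sample: ten (status, body) responses to the same request,
# each carrying a per-request id. This is not captured traffic.
IDS = ["a81f09c2", "77b0e4d1", "0c3d9e55", "f2e6a1b9", "5d20c7aa",
       "9e14b3f0", "3b7a6c18", "c4f1d2e7", "18a9e05b", "e6d3b742"]
RESPONSES = [(200, f"Login failed. request_id={rid}") for rid in IDS]
RESPONSES[6] = (200, f"Login failed. Account locked. request_id={IDS[6]}")


def normalize(body):
    """Mask the per-request id so it does not make every response unique."""
    return re.sub(r"(request_id=)[0-9a-f]+", r"\1<masked>", body)


def word_diff(base, other):
    """Return (added, removed) words of `other` relative to `base`."""
    a, b = base.split(), other.split()
    added, removed = [], []
    matcher = difflib.SequenceMatcher(None, a, b)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed += a[i1:i2]
        if tag in ("replace", "insert"):
            added += b[j1:j2]
    return added, removed


def find_outliers(responses):
    """Treat the most common normalized response as the baseline and
    report every response that differs from it, with a word-level diff."""
    keyed = [(status, normalize(body)) for status, body in responses]
    baseline, _count = Counter(keyed).most_common(1)[0]
    report = []
    for index, (status, body) in enumerate(keyed):
        if (status, body) != baseline:
            added, removed = word_diff(baseline[1], body)
            report.append({"index": index, "status": status,
                           "added": added, "removed": removed})
    return report


if __name__ == "__main__":
    for finding in find_outliers(RESPONSES):
        print(finding)
```

An empty report means every response was identical once the volatile field was masked, which is the result a login or password-reset endpoint should produce.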
Burp Suite Professional Edition features
The main feature of Burp Suite Professional Edition is the Intruder module. This is a cross between a penetration testing suite and a vulnerability scanner. It is customizable and automated so that you can set a plan running that will carry on through sufficient cycles to gain results in one stage before moving on to another research phase. Attack probes can also be integrated into an Intruder run.
The Professional Edition includes a full vulnerability scanner and also offers OAST testing. OAST is out-of-band security testing, launching from external locations to probe for exploits in your Web applications.
Burp Suite Enterprise Edition features
The identifying feature of the Enterprise Edition is that it can be run continuously and with many probes running simultaneously. This is an entirely different service from those systems offered by the other two editions because it is intended as a pipeline testing service.
The Enterprise Edition can be integrated with project management and bug tracking tools, such as Jira, Jenkins, and ThreadFix. The outcome reports of this tool produce recommendations on how to fix the identified security weakness.
Who would use each Burp Suite edition?
Each package offered by PortSwigger is aimed at a different user community.
- Community Edition is a penetration testing system for use by white hat hackers
- Professional Edition is a vulnerability scanner that would appeal to IT Operations departments
- Enterprise Edition is a Web application development testing service that can be integrated into a CI/CD pipeline
As stated earlier, each higher edition includes the functionality of lower plans. So, if you buy the Enterprise edition, you also get the penetration testing tools of the Community Edition and the vulnerability management features of the Professional Edition.
The Professional Edition is not too expensive and is within the price range of similar vulnerability scanners for businesses. However, the price of the Enterprise Edition is a big step up and so would only be considered by those businesses that need integrated development testing. You certainly wouldn’t get the Enterprise Edition if you just needed some pen-testing tools.
How much does Burp Suite cost?
The Community Edition of Burp Suite is free.
The Professional Edition is sold on single-user licenses, so each installation requires a separate purchase. The price is gauged on a subscription basis:
- 1 year: $399
- 2 years: $798
- 3 years: $1,197
There isn’t a discount for buying a more extended license – the prices for two and three-year licenses are just two and three times the one-year price. You can examine Burp Suite Professional on a 30-day free trial.
The Enterprise Edition is available in three versions: Starter, Grow and Accelerate. The three plans all have the same features but a different number of scanning agents. These prices are:
- Starter: 5 scanning agents — $6,995 per year
- Grow: 20 scanning agents — $14,480 per year
- Accelerate: 50+ scanning agents — $29,450
It is possible to order the package with any number of scanning agents. The pricing is $4,990 for the first agent and then $499 for each subsequent agent. As with the Professional Edition, buying the Enterprise Edition on a one, two, or three-year license is possible. The prices for multi-year licenses are just the one-year price multiplied by the number of years. Again, it is possible to examine Burp Suite Enterprise on a free trial.
Burp Suite system requirements
All versions of Burp Suite are available for Windows, macOS, and Linux. The host computer has to have Java Runtime Environment (JRE) 1.7 or later (64-bit edition) for the software to operate correctly.
The host computer should have at least 4 GB of memory for the Community Edition, and the Professional Edition requires a host with at least 8 GB of free memory. The Enterprise Edition will need to be installed on several computers, particularly for implementations that deploy many scanning agents.
Alternatives to Burp Suite
Burp Suite is three tools in one and is used for different purposes, so the best alternative to this tool depends on the type of system that you were looking for in the Burp Suite package. For example, Burp Suite is a penetration testing tool, a vulnerability scanner, or a Web applications development testing system.
There are some excellent tools when looking for any of these system testing categories, and even if you are sure that Burp Suite is what you need, it is always a good idea to trial alternatives before buying.
Here is our list of the six best alternatives to Burp Suite:
- Invicti This vulnerability scanner also has a development testing mode, so it offers an excellent alternative to Burp Suite Professional and Burp Suite Enterprise. The tool can also be run to operate tests in a penetration testing scenario. However, it doesn’t include manual testing systems, so it can’t be counted as a complete replacement for Burp Suite Community Edition. The development testing features of Invicti offer DAST, IAST, and SAST testing scenarios to exercise code from outside and from within. In addition, this system can provide continuous Web application testing for CI/CD pipelines. Finally, when used for vulnerability scanning, Invicti can orchestrate responses with other on-site security tools. This system is offered for installation on Windows and Windows Server, and it is also available as a SaaS platform. Apply to access a free demo account to examine Invicti.
- Acunetix This package is available in three editions, which closely correlates to the Burp Suite system. This system is more of a security testing service with automated scans than a manual testing tool. It can be used for internal security scanning around a network as well as external Web application testing. It offers a continuous testing option that is suitable for CI/CD pipelines and a vulnerability scanning mode, which would be used by IT operations technicians. Testing scenarios run on code and from an external viewpoint, so you get DAST and SAST with this package, giving you a full IAST service. Acunetix is offered as a SaaS platform, and it is also possible to get the software package for installation on Windows, macOS, or Linux. You can get access to a demo account to look into Acunetix.
- Metasploit This testing system is a very close competitor to Burp Suite. It offers a free version, called Metasploit Framework, and a paid edition called Metasploit Pro. The Framework version is a suite of penetration testing tools, while the Pro edition is more of an automated tool for vulnerability scanning. However, it does include some manual attack facilities. The basis of both versions is a list of 1,500 known exploits that focus on Web application weaknesses. Both versions of Metasploit need to be installed on your server, and the software packages are available for Windows, macOS, and Linux. In addition, you can get a 14-day free trial of Metasploit Pro.
- ManageEngine Vulnerability Manager Plus This is a top-of-the-line vulnerability scanner aimed at IT operations departments. Not only will this scanner look for potential system weaknesses every 90 minutes, but it includes modules that will automatically repair your system to make it secure. In addition, the system includes a vulnerability manager, a risk assessor, a patch manager, a file integrity monitor, and a configuration manager. This is particularly useful for defending an established, operating business system. This is a software package that installs on Windows and Windows Server. Vulnerability Manager Plus is available for a 30-day free trial.
- Sqlmap This free command-line utility has an excellent reputation and is widely used by hackers and penetration testers alike, making it a good alternative for Burp Suite Community Edition. The lack of a graphical user interface will make you think that this is not the same standard as Burp Suite. However, the insights that this tool offers into database-linked Web applications are second-to-none. Additionally, this utility provides research and attack facilities, such as database identification and password cracking. Sqlmap installs on Windows, macOS, and Linux.
- Ettercap This is a similar free package to Burp Suite Community Edition. However, although the tool has its own GUI, this is little more than a customized Command Prompt window. Ettercap can be used for target research into Web applications, and it also offers many attack methods. One problem with Ettercap is that it is only effective if launched within a network because it diverts Web traffic by assuming the role of the network gateway and allows man-in-the-middle attack-type scenarios. Ettercap runs on Linux, Unix, Mac OS X, Windows 7, and 8. It won’t run on macOS or Windows 10.