Burp Suite Professional

Features

The leading toolkit for web security testing.

Burp Suite Professional features

Manual penetration testing features

Burp Suite Pro proxy interception
Penetration testing

Intercept everything your browser sees

A powerful proxy/history lets you modify all HTTP(S) communications passing through your browser.

Penetration testing

Manage recon data

All target data is aggregated and stored in a target site map - with filtering and annotation functions.

Penetration testing

Expose hidden attack surface

Find hidden target functionality with an advanced automatic discovery function for "invisible" content.

Penetration testing

Test for clickjacking attacks

Generate and confirm clickjacking attacks for potentially vulnerable web pages, with specialist tooling.

Penetration testing

Work with WebSockets

WebSockets messages get their own specific history - allowing you to view and modify them.

Penetration testing

Break HTTPS effectively

Proxy even secure HTTPS traffic. Installing your unique CA certificate removes associated browser security warnings.

Penetration testing

Manually test for out-of-band vulnerabilities

Make use of a dedicated client to incorporate Burp Suite's out-of-band (OAST) capabilities during manual testing.

Penetration testing

Speed up granular workflows

Modify and reissue individual HTTP and WebSocket messages, and analyze the response - within a single window.

Penetration testing

Quickly assess your target

Determine the size of your target application. Auto-enumeration of static and dynamic URLs, and URL parameters.

Penetration testing

Assess token strength

Easily test the quality of randomness in data items intended to be unpredictable (e.g. tokens).

Advanced/custom automated attacks

Automated attacks

Faster brute-forcing and fuzzing

Deploy custom sequences of HTTP requests containing multiple payload sets. Radically reduce time spent on many tasks.

Automated attacks

Query automated attack results

Capture automated results in customized tables, then filter and annotate to find interesting entries/improve subsequent attacks.

Automated attacks

Construct CSRF exploits

Easily generate CSRF proof-of-concept attacks. Select any suitable request to generate exploit HTML.

Automated attacks

Facilitate deeper manual testing

See reflected/stored inputs even when a bug is not confirmed. Facilitates testing for issues like XSS.

Automated attacks

Scan as you browse

The option to passively scan every request you make, or to perform active scans on specific URLs.

Automated attacks

Automatically modify HTTP messages

Settings to automatically modify responses. Match and replace rules for both responses and requests.

Burp Suite Pro Intruder payload positions

Automated scanning for vulnerabilities

Burp Suite Pro scan results
Automated scanning

Harness pioneering AST technology

High signal: low noise. Scan with pioneering, friction-free, out-of-band-application security testing (OAST).

Automated scanning

Conquer client-side attack surfaces

Hybrid AST and built-in JavaScript analysis engine help to find holes in client-side attack surfaces.

Automated scanning

Fuel vulnerability coverage with research

Cutting-edge scan logic from PortSwigger Research combines with coverage of over 100 generic bugs.

Automated scanning

Fine-tune scan control

Get fine-grained control, with a user-driven scanning methodology. Or, run "point-and-click" scans.

Automated scanning

Remediate bugs effectively

Custom descriptions and step-by-step remediation advice for every bug, from PortSwigger Research.

Automated scanning

Configure scan behavior

Customize what you audit, and how. Skip specific checks, fine-tune insertion points, and much more.

Automated scanning

Crawl more complex targets. Burp Suite's crawler identifies locations based on content - not just URL.

Automated scanning

Effectively apply IAST

Source identification and vulnerability reporting simplified, with optional code instrumentation.

Automated scanning

Experience browser-driven scanning

Browser-driven scanning is already striding toward better coverage of tricky targets like AJAX-heavy single page apps.


Productivity tools

Productivity tools

Deep-dive message analysis

Show follow-up, analysis, reference, discovery, and remediation in a feature-rich HTTP editor.

Productivity tools

Utilize both built-in and custom configurations

Access predefined configurations for common tasks, or save and reuse custom configurations.

Productivity tools

Multiply project options

Auto-save all working projects to disk, and add configurations to pre-saved projects.

Productivity tools

Make code more readable

Automatically pretty-print code formats including JSON, JavaScript, CSS, HTML, and XML.

Productivity tools

Easily remediate scan results

See source, discovery, contents, and remediation, for every bug, with aggregated application data.

Productivity tools

Simplify scan reporting

Customize with HTML/XML formats. Report all evidence identified, including issue details.

Productivity tools

Speed up data transformation

Decode or encode data, with multiple built-in operations (e.g. Hex, Octal, Base64).

Burp Suite Pro pretty-printing

Extensions

PortSwigger BApp Store
Extensions

Create custom extensions

The Montoya API ensures universal adaptability. Code custom extensions to make Burp work for you.

Extensions

Logger++

For in-depth vulnerability detail, ordered and arranged in an easily accessible table, make use of Logger++.

Extensions

Autorize

When testing for authorization vulnerabilities, save time and perform repeat requests with Autorize.

Extensions

Turbo Intruder

Configured in Python, with a custom HTTP stack, Turbo Intruder can unleash thousands of requests per second.

Extensions

J2EE Scan

Expand your Java-specific vulnerability catalogue and hunt the most niche bugs, with J2EEScan.

Extensions

Access the extension library

The BApp Store customizes and extends capabilities. Over 250 extensions, written and tested by Burp users.

Extensions

Upload Scanner

Adapt Burp Scanner's attacks by uploading and testing multiple file-type payloads, with Upload Scanner.

Extensions

AuthMatrix

Run AuthMatrix with Autorize to define your access-level vulnerability authorization check.

Extensions

Param Miner

Quickly find unkeyed inputs with Param Miner - can guess up to 65,000 parameter names per second.

Extensions

Backslash Powered Scanner

Find research-grade bugs, and bridge human intuition and automation, with Backslash Powered Scanner.

Customer quote

Burp Suite is the "go-to" product for web application testing. The scanner finds low hanging fruit but also helps map out areas that need manual investigation with Repeater and Intruder. These three tools used together allow you to perform 70% of a test. The engagement tools help map out and discover the application, and the APIs allow customization for automated testing. That along with the Burp Extensions offer a powerful product to perform any web app testing. Source: TechValidate survey of PortSwigger customers

See more customer stories

David Kirkpatrick

Penetration Tester