Burp Suite Professional

Features

A comprehensive suite of tools to efficiently discover and exploit vulnerabilities in web apps and APIs.
"I just renewed my annual subscription. Burp Suite is one of the best and affordable Cyber Security products! My thanks go out to the team for providing such an indispensable tool. AppSec would be lost without you." Daniel Oakley, Cyber Security Professional.

Manual penetration testing features

Log, intercept, and manipulate HTTPS and WebSocket traffic right out of the box with Burp's built-in browser and proxy.
Easily detect otherwise invisible vulnerabilities with out-of-the-box tools for out-of-band testing (OAST).
Automatically map the attack surface with the industry's leading crawler.
Simplify testing for DOM-based vulnerabilities with DOM Invader.
Expose hidden attack surface with auto-enumeration of static and dynamic URLs and parameters.
Assess token strength to test the quality of randomness in data items.
Manage recon data in a target site map.
Work with binary HTTP/2 requests in a familiar, HTTP/1-like format, and seamlessly alternate between protocols with Burp's unrivalled HTTP/2 support.

Burp's Proxy Intercept view

Advanced / custom automated attacks

Conduct faster brute-forcing and fuzzing with custom sequences of HTTP requests and payload sets.
Passively scan as you browse, or perform active scans on individual URLs and specific inputs.
Capture, filter, and query automated attack results.
Automatically modify HTTP messages with match and replace rules for both responses and requests.
Easily generate CSRF proof-of-concept attacks.

Automated scanning for vulnerabilities

Scan your applications using a built-in browser, which navigates complex JavaScript-heavy apps and SPAs, just like a user.
Scan privileged areas of target applications with authenticated scanning.
Scan OpenAPI, GraphQL, and SOAP APIs based on a definition file, either discovered during a crawl or uploaded manually.
Conquer client-side attack surfaces with the built-in JavaScript analysis engine.
Fuel vulnerability coverage with logic from PortSwigger Research.
Configure scan behavior to customize what you audit, and how.
Quickly create custom scan checks (BChecks) using a simple, purpose-built language.

Utilize authentication in API scanning

Improve your productivity with a number of tools

Deep-dive message analysis with the feature-rich HTTP editor.
Automatically pretty-print formats including JSON, JavaScript, CSS, HTML, and XML.
Utilize both built-in and custom configurations.
Easily remediate scan results.
Automatically keep a persistent log of all your testing activities using project files.
Cut through the noise with advanced search, filtering, and sorting features.
Store and annotate interesting messages with Burp Organizer.
Simple reporting with automated report generation.

Unleash the power of Burp Suite with unrivalled extensibility

Explore the unrivalled BApp store for community-created extensions.
Unleash thousands of requests per second with Turbo Intruder.
Create custom extensions with the Montoya API.
Perform repeat requests when testing for broken access controls with Autorize.
Customize Burp Suite using small snippets of Java with Bambdas.
Adapt Burp's Scanner attacks with Upload Scanner.
Convert between various encodings with Hackvertor.
Find research-grade bugs with Backslash Powered Scanner.
Hunt for niche Java-specific vulnerabilities with J2EE Scan.
Tweak offsets automatically with HTTP Request Smuggler.
Quickly find unkeyed inputs with Param Miner.
250+ BApp authors
300+ Extensions

Automate customized attacks with Burp Intruder

“Checking out the new Bambdas for proxy filtering that Burp Suite just launched. Quickly parsing through all my history to identify improperly set Content-Types. It will definitely come in handy to be able to create these powerful filters from now on!” Carles Llobet Pons, Cyber Security Professional.