Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more

Burp Suite Professional


The leading toolkit for web security testing.

Burp Suite Professional features

Manual penetration testing features

Burp Suite Pro proxy interception
Penetration testing

Intercept everything your browser sees

Burp Suite's built-in browser works right out of the box - enabling you to modify every HTTP message that passes through it.

Penetration testing

Quickly assess your target

Determine the size of your target application. Auto-enumeration of static and dynamic URLs, and URL parameters.

Penetration testing

Speed up granular workflows

Modify and reissue individual HTTP and WebSocket messages, and analyze the response - within a single window.

Penetration testing

Manage recon data

All target data is aggregated and stored in a target site map - with filtering and annotation functions.

Penetration testing

Expose hidden attack surface

Find hidden target functionality with an advanced automatic discovery function for "invisible" content.

Penetration testing

Break HTTPS effectively

Proxy even secure HTTPS traffic, using Burp Suite's built-in instrumented browser.

Penetration testing

Work with HTTP/2

Burp Suite offers unrivaled support for HTTP/2-based testing - enabling you to work with HTTP/2 requests in ways that other tools cannot.

Penetration testing

Work with WebSockets

WebSockets messages get their own specific history - allowing you to view and modify them.

Penetration testing

Manually test for out-of-band vulnerabilities

Make use of a dedicated client to incorporate Burp Suite's out-of-band (OAST) capabilities during manual testing.

Penetration testing

DOM Invader

Use Burp Suite's built-in browser to test for DOM XSS vulnerabilities more easily - with DOM Invader.

Penetration testing

Assess token strength

Easily test the quality of randomness in data items intended to be unpredictable (e.g. tokens).

Advanced / custom automated attacks

Automated attacks

Faster brute-forcing and fuzzing

Deploy custom sequences of HTTP requests containing multiple payload sets. Radically reduce time spent on many tasks.

Automated attacks

Query automated attack results

Capture automated results in customized tables, then filter and annotate to find interesting entries / improve subsequent attacks.

Automated attacks

Construct CSRF exploits

Easily generate CSRF proof-of-concept attacks. Select any suitable request to generate exploit HTML.

Automated attacks

Facilitate deeper manual testing

See reflected / stored inputs even when a bug is not confirmed. Facilitates testing for issues like XSS.

Automated attacks

Scan as you browse

The option to passively scan every request you make, or to perform active scans on specific URLs.

Automated attacks

Automatically modify HTTP messages

Settings to automatically modify responses. Match and replace rules for both responses and requests.

Burp Suite Pro Intruder payload positions

Automated scanning for vulnerabilities

Burp Suite Pro scan results
Automated scanning

Browser powered scanning

Burp Scanner uses its embedded browser to render its target - enabling it to navigate even complex single-page applications (SPAs).

Automated scanning

Harness pioneering OAST technology

High signal: low noise. Scan with pioneering, friction-free, out-of-band-application security testing (OAST).

Automated scanning

Remediate bugs effectively

Custom descriptions and step-by-step remediation advice for every bug, from PortSwigger Research and the Web Security Academy.

Automated scanning

Fuel vulnerability coverage with research

Cutting-edge scan logic from PortSwigger Research combines with coverage of over 100 generic bugs.

Automated scanning


Create custom scan checks for Burp Scanner, written in a simple text-based language.

Automated scanning

API scanning

Discover more potential attack surface. Burp Scanner parses JSON or YAML API definitions - scanning any API endpoints it finds.

Automated scanning

Authenticated scanning

Scan privileged areas of target applications, even if they use complex login mechanisms like single sign-on (SSO).

Automated scanning

Conquer client-side attack surfaces

A built-in JavaScript analysis engine help to find holes in client-side attack surfaces.

Automated scanning

Configure scan behavior

Customize what you audit, and how. Skip specific checks, fine-tune insertion points, and much more. Or use preset scan modes to get an overview.

Productivity tools

Productivity tools

Deep-dive message analysis

Show follow-up, analysis, reference, discovery, and remediation in a feature-rich HTTP editor.

Productivity tools

Utilize both built-in and custom configurations

Access predefined configurations for common tasks, or save and reuse custom configurations.

Productivity tools

Project files

Auto-save everything you do while on an engagement, as well as the configuration settings you used.

Productivity tools

Burp Logger

See every HTTP message that passes through Burp Suite's tools - all in one place - with Burp Logger.

Productivity tools

Speed up data transformation

Decode or encode data, with multiple built-in operations (e.g. Hex, Octal, Base64).

Productivity tools

Burp Organizer

Store and annotate interesting messages you find while testing, so you can come back to them later.

Productivity tools

Make code more readable

Automatically pretty-print code formats including JSON, JavaScript, CSS, HTML, and XML.

Productivity tools

Easily remediate scan results

See source, discovery, contents, and remediation, for every bug, with aggregated application data.

Productivity tools

Search function

Search everywhere in Burp Suite Professional at once, with its powerful search function.

Productivity tools

Simplify scan reporting

Customize with HTML / XML formats. Report all evidence identified, including issue details.

Burp Suite Pro pretty-printing

BApp extensions

PortSwigger BApp Store

Create custom extensions

The Montoya API ensures universal adaptability. Code custom extensions to make Burp work for you.



Convert between various encodings with Hackvertor. Use multiple nested tags to perform layered encoding. Even execute your own code with custom tags - and more.



When testing for authorization vulnerabilities, save time and perform repeat requests with Autorize.


Turbo Intruder

Configured in Python, with a custom HTTP stack, Turbo Intruder can unleash thousands of requests per second.


J2EE Scan

Expand your Java-specific vulnerability catalogue and hunt the most niche bugs, with J2EEScan.


Access the extension library

The BApp Store customizes and extends capabilities. Over 250 extensions, written and tested by Burp users.


Upload Scanner

Adapt Burp Scanner's attacks by uploading and testing multiple file-type payloads, with Upload Scanner.


HTTP Request Smuggler

Scan for request smuggling vulnerabilities - and exploit them more easily by having HTTP Request Smuggler tweak offsets automatically for you.


Param Miner

Quickly find unkeyed inputs with Param Miner - can guess up to 65,000 parameter names per second.


Backslash Powered Scanner

Find research-grade bugs, and bridge human intuition and automation, with Backslash Powered Scanner.

It's that time of year. Time to renew my Burp license. I just noticed that it's been 10 years since I bought my first license. That's crazy, how times flies! Thanks for the last 10 years and a great tool, @PortSwigger :)


For more than 10 years now, something called "Burp" has been my most-consistently-paid-for security tool... @PortSwigger continues to do awesome work. (Also great free-vs-paid differentiation; this single text box is the killer feature I always renew for.)