Burp Suite

Burp Suite

Category: DAST
License: Freemium
Visit Website →

Burp Suite is the industry-standard toolkit for web application security testing.

Developed by PortSwigger, it provides penetration testers and security researchers with comprehensive tools for manual testing, automated scanning, and everything in between.

Pre-installed in Kali Linux, Burp Suite has become synonymous with professional web security assessment.

What is Burp Suite?

Burp Suite functions as an integrated platform for web application security testing.

At its core sits an intercepting proxy that captures and analyzes HTTP/HTTPS traffic between your browser and target applications.

Around this proxy, PortSwigger has built a suite of tools that work together to support the complete testing workflow.

The platform enables security professionals to move seamlessly from initial reconnaissance through vulnerability identification and exploitation.

Whether you need to manually inspect requests, fuzz parameters, or run automated vulnerability scans, Burp Suite provides purpose-built tools that share context and findings.

With the introduction of Burp AI, the platform now includes an intelligent assistant that helps testers understand application behavior, suggest attack vectors, and explain vulnerability findings.

This represents PortSwigger’s latest evolution of the toolkit that has served the security community for over two decades.

Key Features

Intercepting Proxy

The Burp Proxy sits at the heart of the platform:

  • Intercept, inspect, and modify HTTP/HTTPS requests and responses in real-time
  • TLS certificate handling for HTTPS interception
  • WebSocket message interception and modification
  • Match-and-replace rules for automated request modification
  • HTTP history with powerful filtering and search
  • Support for upstream proxies and SOCKS

Scanner (Pro/Enterprise)

Automated vulnerability detection with industry-leading accuracy:

  • Active scanning that probes for vulnerabilities
  • Passive analysis of traffic for security issues
  • Coverage for OWASP Top 10 and beyond
  • Configurable scan profiles for different scenarios
  • Crawl-and-audit mode for automated testing
  • Support for modern web technologies and APIs

Intruder

Automated attack tool for fuzzing and brute-forcing:

  • Multiple attack types (Sniper, Battering Ram, Pitchfork, Cluster Bomb)
  • Built-in payload lists for common attacks
  • Custom payload generation and processing
  • Result analysis with grep matching
  • Integration with scanner for follow-up testing

Repeater

Manual request manipulation and testing:

  • Send individual requests and analyze responses
  • Modify requests iteratively to probe behavior
  • Organize requests in tabbed interface
  • Response comparison and highlighting
  • Protocol-level inspection

BApp Store Extensions

The BApp Store provides hundreds of community and PortSwigger extensions:

  • Active Scan++ for enhanced scanning
  • Autorize for access control testing
  • JWT Editor for token manipulation
  • Logger++ for advanced logging
  • SQLiPy for SQL injection automation
  • And hundreds more

Installation

Community Edition

The free Community Edition provides core functionality:

# Download from PortSwigger website
# https://portswigger.net/burp/releases/community/latest

# On Linux, make executable and run
chmod +x burpsuite_community_linux_v2024_*.sh
./burpsuite_community_linux_v2024_*.sh

# Or use Java JAR directly
java -jar burpsuite_community.jar

Professional Edition

For full features including the scanner:

# Download Professional edition from PortSwigger
# Requires license activation

# Run with increased memory for large scans
java -Xmx4g -jar burpsuite_pro.jar

Browser Configuration

Configure your browser to use Burp’s proxy:

# Burp listens on 127.0.0.1:8080 by default

# Install Burp's CA certificate in your browser
# Navigate to http://burp and download the certificate
# Import into browser's certificate store

# Or use Burp's embedded browser which has
# the certificate pre-installed

Command-Line Scanning (Enterprise)

# Run automated scan via CLI
java -jar burpsuite_enterprise_*.jar \
  --target "https://example.com" \
  --config-file scan-config.json \
  --report-file results.html \
  --report-format HTML

# With authentication
java -jar burpsuite_enterprise_*.jar \
  --target "https://example.com" \
  --credentials-file auth.json \
  --crawl-and-audit

Integration

GitHub Actions (Enterprise)

name: Burp Suite Enterprise Scan

on:
  push:
    branches: [main]
  schedule:
    - cron: '0 2 * * 1'  # Weekly Monday 2 AM

jobs:
  burp-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Deploy test environment
        run: |
          docker-compose up -d
          sleep 60

      - name: Trigger Burp Enterprise Scan
        uses: portswigger/burp-suite-enterprise-action@v1
        with:
          api-url: ${{ secrets.BURP_ENTERPRISE_URL }}
          api-key: ${{ secrets.BURP_ENTERPRISE_API_KEY }}
          site-id: ${{ vars.BURP_SITE_ID }}
          scan-configuration-ids: |
            audit-checks-passive
            audit-checks-medium-active

      - name: Check for vulnerabilities
        run: |
          curl -H "Authorization: Bearer ${{ secrets.BURP_ENTERPRISE_API_KEY }}" \
            "${{ secrets.BURP_ENTERPRISE_URL }}/api/v1/scans/latest/issues" \
            | jq '.issues[] | select(.severity == "high" or .severity == "critical")' \
            | grep -q . && exit 1 || exit 0

      - name: Cleanup
        if: always()
        run: docker-compose down

GitLab CI (Enterprise)

stages:
  - deploy
  - security
  - cleanup

deploy-test:
  stage: deploy
  script:
    - docker-compose up -d
    - sleep 60
  environment:
    name: security-testing
    on_stop: cleanup-test

burp-enterprise-scan:
  stage: security
  image: curlimages/curl:latest
  script:
    - |
      # Trigger scan
      SCAN_ID=$(curl -X POST \
        -H "Authorization: Bearer $BURP_API_KEY" \
        -H "Content-Type: application/json" \
        -d '{"site_id": "'$BURP_SITE_ID'"}' \
        "$BURP_ENTERPRISE_URL/api/v1/scans" | jq -r '.scan_id')

      echo "Scan started: $SCAN_ID"

      # Poll for completion
      while true; do
        STATUS=$(curl -s -H "Authorization: Bearer $BURP_API_KEY" \
          "$BURP_ENTERPRISE_URL/api/v1/scans/$SCAN_ID" | jq -r '.status')

        if [ "$STATUS" = "succeeded" ]; then
          break
        elif [ "$STATUS" = "failed" ]; then
          exit 1
        fi
        sleep 30
      done

      # Generate report
      curl -H "Authorization: Bearer $BURP_API_KEY" \
        "$BURP_ENTERPRISE_URL/api/v1/scans/$SCAN_ID/report?format=html" \
        > burp-report.html
  artifacts:
    paths:
      - burp-report.html
    expire_in: 30 days
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

cleanup-test:
  stage: cleanup
  script:
    - docker-compose down
  when: always
  environment:
    name: security-testing
    action: stop

Jenkins Pipeline

pipeline {
    agent any

    environment {
        BURP_API_KEY = credentials('burp-enterprise-api-key')
        BURP_URL = credentials('burp-enterprise-url')
    }

    stages {
        stage('Deploy') {
            steps {
                sh 'docker-compose up -d'
                sh 'sleep 60'
            }
        }

        stage('Burp Scan') {
            steps {
                script {
                    def response = httpRequest(
                        url: "${BURP_URL}/api/v1/scans",
                        httpMode: 'POST',
                        customHeaders: [[name: 'Authorization', value: "Bearer ${BURP_API_KEY}"]],
                        contentType: 'APPLICATION_JSON',
                        requestBody: '{"site_id": "your-site-id"}'
                    )
                    def scanId = readJSON(text: response.content).scan_id
                    echo "Scan ID: ${scanId}"

                    // Wait for completion
                    timeout(time: 60, unit: 'MINUTES') {
                        waitUntil {
                            def status = httpRequest(
                                url: "${BURP_URL}/api/v1/scans/${scanId}",
                                customHeaders: [[name: 'Authorization', value: "Bearer ${BURP_API_KEY}"]]
                            )
                            return readJSON(text: status.content).status == 'succeeded'
                        }
                    }
                }
            }
        }
    }

    post {
        always {
            sh 'docker-compose down'
        }
    }
}

When to Use Burp Suite

Burp Suite is the right choice when you need:

  • Manual penetration testing capabilities that automated tools cannot provide
  • Deep inspection of web traffic to understand application behavior
  • Extensibility through plugins for custom testing scenarios
  • Industry-standard tooling that security professionals already know
  • Training and education with PortSwigger’s Web Security Academy integration
  • Enterprise-scale automation with CI/CD integration (Enterprise edition)

Consider alternatives if you:

  • Need only automated scanning without manual testing (consider dedicated DAST tools)
  • Require developer-friendly workflows (consider Bright Security or StackHawk)
  • Want open-source only (consider OWASP ZAP)
  • Have limited budget and need full scanner capabilities

Burp Suite excels as the primary tool for professional security assessments.

Most penetration testers combine it with other specialized tools for comprehensive coverage, using Burp as the central hub for web application testing.

Note: Enterprise Edition renamed to Burp Suite DAST in April 2025. Available as cloud-hosted or self-hosted.

Other DAST Tools

Acunetix
Acunetix

Multi-Platform Easy-to-Use DAST

AppCheck
AppCheck

Former Internal Pentest Tool

Astra Security
Astra Security

AI-Powered Continuous Pentest Platform

Beagle Security
Beagle Security

AI-Powered Pentesting Platform

See all DAST tools