Burp Suite Professional Web Vulnerability Scanner, or simply Burp Suite Pro, is one of the leading commercial security assessment tools (SAT) for web-based penetration testing, secure web development testing and bug bounty hunting.
Burp Suite Professional is an integrated suite of web application security testing tools aimed at web pentesters, bug bounty hunters and secure web application developers. One distinguishing feature of Burp Suite Professional is that it gives the tester complete control over how the web application security testing and pentesting workflow fits their objectives, whether that means using it as a user-driven, point-and-click automated web scanner or proxying the application and exploiting it manually with the various built-in tools.
Burp Suite Professional is licensed per user and installation, and is typically installed on the tester's laptop or desktop because of the interactive nature of the toolkit.
Integrated web application testing platform
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
Burp Suite contains the following key components:
- An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
- An application-aware Spider, for crawling content and functionality.
- An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
- An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
- A Repeater tool, for manipulating and resending individual requests.
- A Sequencer tool, for testing the randomness of session tokens.
- The ability to save your work and resume working later.
- Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.
Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.
Burp Proxy
Burp Proxy is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application, allowing you to:
- Intercept and modify all HTTP/S traffic passing in both directions.
- Easily analyze all kinds of content, with automatic colorizing of request and response syntax, rendering of web content, and parsing of serialization schemes like AMF.
- Apply fine-grained rules to determine which requests and responses are intercepted for manual testing.
- View all traffic in the detailed Proxy history, with advanced filters and search functions.
- Send interesting items to other Burp Suite tools with a single click.
- Save all of your work, and resume working later.
- Quickly search and highlight interesting content within HTTP messages.
- Work with custom SSL certificates and non-proxy-aware clients.
- Define rules to automatically modify requests and responses without manual intervention.
Burp Proxy provides the foundation for Burp Suite’s user-driven workflow, allowing you to use an application in the normal way via your browser, and yet have full control of all its requests and responses. Using the Proxy, you can quickly understand how the application works and start testing it manually, and you can also pass individual requests to other Burp tools for more advanced, customized and automated testing.
Burp Spider
Burp Spider is a tool for mapping web applications. It automates the laborious task of cataloging an application’s content and functionality, and lets you:
- Work manually via your browser, by passively inspecting traffic passing through Burp Proxy and cataloging everything that this identifies.
- Actively crawl the application, by automatically following links, submitting forms, and parsing responses for new content.
- Browse a detailed site map of discovered content, in tree and table form.
- Retain full control of all spidering actions, with fine-grained scope definition, automatic or user-guided submission of forms, and detailed configuration of the spidering engine.
- Send interesting items to other Burp Suite tools with a single click.
- Deal with complex applications, with automatic handling of login credentials and session cookies, and detection of custom “not found” responses.
- Save all of your work, and resume working later.
When you run Burp, the Spider runs by default in passive mode, and builds up a detailed site map of your target application, by recording all of the requests that you make via Burp Proxy, and parsing all of the responses for new links and functionality. After browsing the whole application, you can use Burp’s site map to review the content you have discovered. You can then use the active spidering function to map out any areas you may have missed, or you can select individual items or branches within the site map, and send these to other Burp tools for further manual or automated attacks.
Burp Scanner or Burp Web Vulnerability Scanner
Burp Suite’s vulnerability scanner helps you to find, track and fix vulnerabilities in your web applications:
- Great performance against all vulnerabilities in the OWASP top 10.
- Reliable reporting and remediation advice.
- The most widely adopted vulnerability scanner on the market.
Burp Scanner is a state-of-the-art vulnerability scanner for web applications. It is designed with security testers in mind, to integrate closely with your existing techniques and methodologies for manual and automated testing.
Burp Intruder
Burp Intruder is a tool for automating customized attacks against web applications, to identify and exploit all kinds of security vulnerabilities. Burp Intruder is exceptionally powerful and configurable, and its potential is limited only by your skill and imagination in using it. You can use Intruder to:
- Perform fuzzing of application requests to identify common vulnerabilities, such as SQL injection, cross-site scripting, and buffer overflows.
- Enumerate identifiers used within the application, such as account numbers and usernames.
- Deliver customized brute-force attacks against authentication schemes and session handling mechanisms.
- Exploit bugs such as broken access controls and information leakage to harvest sensitive data from the application.
- Perform highly customized discovery of application content in the face of unusual naming schemes or retrieval methods.
- Carry out concurrency attacks against race conditions, and application-layer denial-of-service attacks.
A typical workflow using Burp Intruder is as follows:
- Identify an interesting or vulnerable request within any of the Burp Suite tools, and send this to Intruder.
- Mark the locations in the request where you want to insert payloads.
- Configure your attack payloads, using Intruder’s highly configurable algorithms and preset lists, or your own custom list of payloads.
- Start the attack and review the detailed results, including all requests made and responses received.
- Analyze the results to achieve your chosen objective, using customizable filtering and sorting, or by defining your own rules for matching or extracting response data.
Burp Repeater
Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses. Using Burp Repeater, you can:
- Send requests from other Burp Suite tools to test manually in Burp Repeater.
- Work on each base request in a separate tab, to avoid confusion.
- Repeatedly change and resubmit the same request, and review the response.
- Automatically or manually follow redirections where appropriate.
- Step backwards and forwards through the request history within each tab, to quickly compare the results of different attack variants.
- Easily analyze all kinds of content, with automatic colorizing of request and response syntax, rendering of web content, and parsing of serialization schemes like AMF.
- Send interesting items to other Burp Suite tools with a single click.
- Save all of your work, and resume working later.
Burp Sequencer
Burp Sequencer is a tool for analyzing the degree of randomness in security-critical tokens issued by an application. It is typically used to test the quality of an application’s session tokens or other items, such as CSRF nonces, on whose unpredictability the application depends for its security. Burp Sequencer lets you:
- Send requests that return a security token from other Burp Suite tools to test in Burp Sequencer.
- Reissue the same request repeatedly, to generate a large sample of tokens for statistical analysis.
- Perform a rigorous set of tests, including the standard FIPS tests and others, to estimate the degree of randomness within the sample, at both the character and bit level.
- Start performing the analysis with as few as 100 tokens, and re-perform this as a larger sample is collected, up to the FIPS-recommended sample size of 20,000 tokens.
- View an intuitive, at-a-glance summary of all the tests performed, letting you quickly understand the overall quality of randomness.
- Review detailed, graphical test output, letting you drill down into the detailed reasons why individual parts of the token passed or failed each test.
- Load an existing sample of tokens for analysis, if these have already been captured elsewhere.
Burp Sequencer is often highly useful in providing rigorous analysis of an application’s session tokens, in cases where these can appear random to both the naked eye and to simpler, scatter-graph based, analyses. It also enables consultants to provide their clients with output to demonstrate that some meaningful work has been done in this often overlooked area of security.
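The bit-level FIPS tests mentioned above, as an added example that is not part of the original page or of Burp Suite itself: a small Python reimplementation of the four FIPS 140-2 tests (monobit, poker, runs, long run) over a 20,000-bit token sample, run against constructed token sets (a sequential counter, an alternating pattern, and a seeded PRNG standing in for real tokens) so that each failure mode is visible. The acceptance intervals are the published FIPS 140-2 values; the token sets are constructed here.

```python
# Added example (not Burp's code): the four FIPS 140-2 bit-level tests that
# Burp Sequencer applies to a token sample, run over constructed tokens.
from collections import Counter
from itertools import groupby
import random

BLOCK_BITS = 20_000            # FIPS tests are defined over a 20,000-bit sample
MONOBIT_RANGE = (9725, 10275)  # FIPS 140-2 acceptance intervals follow
POKER_RANGE = (2.16, 46.17)
RUNS_RANGES = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
               4: (240, 384), 5: (103, 209), 6: (103, 209)}  # 6 = six or more
LONG_RUN_LIMIT = 26            # any run of 26+ identical bits fails

def tokens_to_bits(tokens):
    """Concatenate hex tokens into one bit string (one hex char = 4 bits)."""
    return "".join(format(int(t, 16), "0%db" % (4 * len(t))) for t in tokens)

def monobit_test(bits):
    """The number of 1 bits must be close to half the sample."""
    ones = bits.count("1")
    return ones, MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1]

def poker_test(bits):
    """Chi-square style test on how evenly the 16 nibble values occur."""
    nibbles = Counter(bits[i:i + 4] for i in range(0, len(bits), 4))
    n = len(bits) // 4
    x = (16 / n) * sum(c * c for c in nibbles.values()) - n
    return x, POKER_RANGE[0] < x < POKER_RANGE[1]

def runs_test(bits):
    """Count runs of 0s and 1s by length (6 = six or more); also the longest run."""
    counts = {b: {n: 0 for n in range(1, 7)} for b in "01"}
    longest = 0
    for bit, group in groupby(bits):
        length = sum(1 for _ in group)
        longest = max(longest, length)
        counts[bit][min(length, 6)] += 1
    ok = all(RUNS_RANGES[n][0] <= counts[b][n] <= RUNS_RANGES[n][1]
             for b in "01" for n in range(1, 7))
    return counts, longest, ok

def analyze(tokens):
    """Run all four tests over the first 20,000 bits of the token sample."""
    bits = tokens_to_bits(tokens)
    if len(bits) < BLOCK_BITS:   # these tests need the full 20,000-bit sample
        raise ValueError("need %d bits, sample has %d" % (BLOCK_BITS, len(bits)))
    bits = bits[:BLOCK_BITS]
    ones, mono_ok = monobit_test(bits)
    x, poker_ok = poker_test(bits)
    run_counts, longest, runs_ok = runs_test(bits)
    return {
        "monobit": {"ones": ones, "pass": mono_ok},
        "poker": {"x": round(x, 2), "pass": poker_ok},
        "runs": {"counts": run_counts, "pass": runs_ok},
        "long_run": {"longest": longest, "pass": longest < LONG_RUN_LIMIT},
    }

def passes_all(report):
    return all(section["pass"] for section in report.values())

# Constructed samples: 625 tokens of 8 hex chars = exactly 20,000 bits.
COUNTER_TOKENS = [format(i, "08x") for i in range(625)]  # sequential ids
ALTERNATING_TOKENS = ["aaaaaaaa"] * 625                    # 1010...: balanced yet predictable
_rng = random.Random(2024)  # deterministic stand-in for a CSPRNG, demo only
RANDOM_TOKENS = [format(_rng.getrandbits(32), "08x") for _ in range(625)]

if __name__ == "__main__":
    for name, sample in [("counter", COUNTER_TOKENS),
                         ("alternating", ALTERNATING_TOKENS),
                         ("random", RANDOM_TOKENS)]:
        r = analyze(sample)
        print("%-12s %s  ones=%d poker=%.2f longest_run=%d" % (
            name, "PASS" if passes_all(r) else "FAIL", r["monobit"]["ones"],
            r["poker"]["x"], r["long_run"]["longest"]))
```

The alternating sample passes the monobit test with exactly 10,000 ones, which is why Sequencer runs several tests rather than a single bit count: the poker and runs tests reject it immediately.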
Burp Extender
Burp Extender lets you extend the functionality of Burp Suite in numerous ways. Extensions can be written in Java, Python or Ruby. The extensibility API is extremely rich and powerful, and lets extensions carry out numerous useful tasks. You can:
- Process and modify HTTP requests and responses for all Burp tools.
- Access key runtime data, such as the Proxy history, target site map, and Scanner issues.
- Initiate actions like scanning and spidering.
- Implement custom scan checks and register scan issues.
- Customize the placement of attack insertion points within scanned requests.
- Provide custom Intruder payloads and payload processors.
- Query and update the Suite-wide target scope.
- Query and update the session handling cookie jar.
- Implement custom session handling actions.
- Add custom tabs and context menu items to Burp’s user interface.
- Use Burp’s native HTTP message editor within your own user interface.
- Customize Burp’s HTTP message editor to handle data formats that Burp does not natively support.
- Analyze HTTP requests and responses to obtain headers, parameters, cookies, etc.
- Build, modify and issue HTTP requests and retrieve responses.
- Read and modify Burp’s configuration settings.
- Save and restore Burp’s state.
Automated crawl and scan
Coverage of over 100 generic vulnerabilities, such as SQL injection and cross-site scripting (XSS), with great performance against all vulnerabilities in the OWASP top 10.
Different modes for scan speed, allowing fast, normal, and thorough scans to be carried out for different purposes.

Advanced scanning for manual testers
View real-time feedback of all actions being performed during scanning. The active scan queue shows the progress of each item that is queued for scanning. The issue activity log shows a sequential record of all issues as they are added or updated.
Use the active scanning mode to interactively test for vulnerabilities like OS command injection and file path traversal.

Cutting-edge scanning logic
Burp Scanner is designed by industry-leading penetration testers. Its advanced feedback-driven scanning logic is designed to reproduce the actions of a skilled human tester.

Clear and detailed presentation of vulnerabilities
The target site map shows all of the content that has been discovered in sites being tested. Content is presented in a tree view that corresponds to the sites’ URL structure. Selecting branches or nodes within the tree shows a listing of individual items, with full details including requests and responses where available.
The site map also shows the vulnerabilities that have been identified. Icons in the site tree allow vulnerable areas of the target to be quickly identified and explored.

Intercept browser traffic using man-in-the-middle proxy

Automate custom attacks using Burp Intruder
- Burp Intruder is an advanced tool for automating custom attacks against applications. It can be used for numerous purposes to improve the speed and accuracy of manual testing.
- Common use cases are fuzzing for vulnerabilities, enumerating valid identifiers, extracting interesting data, and actively exploiting discovered vulnerabilities.
- You can place payloads at arbitrary positions within requests, allowing payloads to be placed within custom data structures and protocols.
- Multiple simultaneous payloads of different types can be placed into different positions within the same request, and can be combined in various ways.
- There are numerous built-in payload generators that can automatically create payloads for virtually any purpose in a highly configurable way. Payload generators include numbers, dates, brute forcer, bit flipper, username generator, ECB block shuffler, illegal Unicode, and case modification. Burp extensions can also provide completely custom payload generators via the API.
- There are built-in wordlists for numerous common purposes, including directory and file names, common field names and values, fuzz strings, HTTP verbs and user agents. You can also easily configure a custom repository of wordlists for direct use within Intruder payloads.
- Payload processing rules can be defined to manipulate generated payloads in arbitrary ways, to meet the exact needs of the custom attack being performed. Payload processing rules include the addition of a prefix or suffix, match and replace, substring, encoding or decoding in various schemes, or skipping payloads that match a regular expression. Burp extensions can also provide completely custom payload processing rules via the API.
- Intruder attacks can be configured to automatically grep for custom match strings in responses. This function can be used for numerous purposes, including looking for error messages during fuzzing, confirming valid identifiers during enumeration tasks, and flagging successful exploitation of discovered vulnerabilities.
- Burp Intruder can extract custom data items from responses. For example, you can cycle through a range of page identifiers and extract the title of each returned page, or iterate over all valid user IDs and extract the name and group of each user.
- Intruder captures detailed attack results, with all relevant information about each request and response clearly presented in table form. Captured data includes the payload values and positions, HTTP status code, response timers, cookies, number of redirections, and the results of any configured grep or data extraction settings.
Advanced manual testing tools
- All requests and responses are displayed in a feature-rich HTTP message editor. This provides numerous views into the underlying message to assist in analyzing and modifying its contents.
- Individual requests and responses can be easily sent between Burp tools to support all kinds of manual testing workflows.
- The Repeater tool lets you manually edit and reissue individual requests, with a full history of requests and responses.
- The Sequencer tool is used for statistical analysis of session tokens using standard cryptographic tests for randomness.
- The Decoder tool lets you convert data between common encoding schemes and formats used on the modern web.
- The CSRF PoC Generator function can be used to generate a proof-of-concept cross-site request forgery (CSRF) attack for a given request.
- The Clickbandit tool generates working clickjacking attacks against vulnerable application functions.
- The Comparer tool performs a visual diff between pairs of requests and responses or other interesting data.
- The Content Discovery function can be used to discover hidden content and functionality that is not linked from visible content that you can browse to.
- The Target Analyzer function can be used to analyze a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes.
- The Compare Site Maps function can compare two site maps and highlight differences. This feature can be used in various ways to help find different types of access control vulnerabilities.
- The Search function can be used to find interesting items of data within all Burp’s tools.
- The Scheduled Tasks function can be used to automatically start and stop certain tasks at defined times and intervals.
Overcome connection challenges
- Burp supports platform authentication using Basic, NTLMv1 and v2, and Digest authentication types.
- You can load client SSL certificates and smartcards needed for authentication to protected applications during testing.
- You can configure all details of SSL negotiation, to help deal with unusually configured targets.
- Burp can automatically handle session handling mechanisms, including conventional logins and cross-site request forgery tokens.
- You can record macros for repeating common sequences of requests, for use within the session handling mechanism.
- You can create custom session handling rules to deal with particular situations. Session handling rules can automatically log in, detect and recover invalid sessions, and fetch valid CSRF tokens.
Extensibility
- The powerful Burp Extender API allows extensions to customize Burp’s behavior and integrate with other tools. Common use cases for Burp extensions include modifying HTTP requests and responses on the fly, customizing the Burp UI, adding custom Scanner checks, and accessing key runtime information including crawl and scan results.
- The BApp Store is a repository of ready-to-use extensions contributed by the Burp user community. These can be installed with a single click from within the Burp UI.
- You can easily create your own extensions using the Java, Python or Ruby programming languages.
- Discovered vulnerabilities can be exported as XML for importing into dozens of third-party tools that support Burp’s export format.
Other Burp Suite Pro features
Burp Suite Professional is the leading toolkit for faster, more reliable web security testing. It has long been regarded as best in class and as a must-have tool for security engineers. Use it to automate repetitive testing tasks – then dig deeper with its expert-designed manual and semi-automated security testing tools. Burp Suite Professional can help you to test for OWASP Top 10 vulnerabilities – as well as the very latest hacking techniques.
A walkthrough of some of Burp Suite Professional’s major features.
Manual penetration testing features
Intercept everything your browser sees
A powerful proxy/history lets you modify all HTTP(S) communications passing through your browser.
Manage recon data
All target data is aggregated and stored in a target site map – with filtering and annotation functions.
Expose hidden attack surface
Find hidden target functionality with an advanced automatic discovery function for “invisible” content.
Test for clickjacking attacks
Generate and confirm clickjacking attacks for potentially vulnerable web pages, with specialist tooling.
Work with WebSockets
WebSockets messages get their own specific history – allowing you to view and modify them.
Break HTTPS effectively
Proxy even secure HTTPS traffic. Installing your unique CA certificate removes associated browser security warnings.
Manually test for out-of-band vulnerabilities
Make use of a dedicated client to incorporate Burp Suite’s out-of-band (OAST) capabilities during manual testing.
Speed up granular workflows
Modify and reissue individual HTTP and WebSocket messages, and analyze the response – within a single window.
Quickly assess your target
Determine the size of your target application. Auto-enumeration of static and dynamic URLs, and URL parameters.
Assess token strength
Easily test the quality of randomness in data items intended to be unpredictable (e.g. tokens).
Advanced/custom automated attacks
Faster brute-forcing and fuzzing
Deploy custom sequences of HTTP requests containing multiple payload sets. Radically reduce time spent on many tasks.
Query automated attack results
Capture automated results in customized tables, then filter and annotate to find interesting entries/improve subsequent attacks.
Construct CSRF exploits
Easily generate CSRF proof-of-concept attacks. Select any suitable request to generate exploit HTML.
Facilitate deeper manual testing
See reflected/stored inputs even when a bug is not confirmed. Facilitates testing for issues like XSS.
Scan as you browse
The option to passively scan every request you make, or to perform active scans on specific URLs.
Automatically modify HTTP messages
Settings to automatically modify responses. Match and replace rules for both responses and requests.
Automated scanning for vulnerabilities
Harness pioneering AST technology
High signal, low noise. Scan with pioneering, friction-free, out-of-band application security testing (OAST).
Conquer client-side attack surfaces
Hybrid AST and built-in JavaScript analysis engine help to find holes in client-side attack surfaces.
Fuel vulnerability coverage with research
Cutting-edge scan logic from PortSwigger Research combines with coverage of over 100 generic bugs.
Fine-tune scan control
Get fine-grained control, with a user-driven scanning methodology. Or, run “point-and-click” scans.
Remediate bugs effectively
Custom descriptions and step-by-step remediation advice for every bug, from PortSwigger Research.
Configure scan behavior
Customize what you audit, and how. Skip specific checks, fine-tune insertion points, and much more.
Navigate difficult applications
Crawl more complex targets. Burp Suite’s crawler identifies locations based on content – not just URL.
Effectively apply IAST
Source identification and vulnerability reporting simplified, with optional code instrumentation.
Experience browser-driven scanning
Browser-driven scanning is already striding toward better coverage of tricky targets like AJAX-heavy single page apps.
Productivity tools
Deep-dive message analysis
Show follow-up, analysis, reference, discovery, and remediation in a feature-rich HTTP editor.
Utilize both built-in and custom configurations
Access predefined configurations for common tasks, or save and reuse custom configurations.
Multiply project options
Auto-save all working projects to disk, and add configurations to pre-saved projects.
Make code more readable
Automatically pretty-print code formats including JSON, JavaScript, CSS, HTML, and XML.
Easily remediate scan results
See source, discovery, contents, and remediation, for every bug, with aggregated application data.
Simplify scan reporting
Customize with HTML/XML formats. Report all evidence identified, including issue details.
Speed up data transformation
Decode or encode data, with multiple built-in operations (e.g. Hex, Octal, Base64).
Extensions
Create custom extensions
Extender API ensures universal adaptability. Code custom extensions to make Burp work for you.
Logger++
For in-depth vulnerability detail, ordered and arranged in an easily accessible table, make use of Logger++.
Autorize
When testing for authorization vulnerabilities, save time and perform repeat requests with Autorize.
Turbo Intruder
Configured in Python, with a custom HTTP stack, Turbo Intruder can unleash thousands of requests per second.
J2EE Scan
Expand your Java-specific vulnerability catalogue and hunt the most niche bugs, with J2EEScan.
Access the extension library
The BApp Store customizes and extends capabilities. Over 250 extensions, written and tested by Burp users.
Upload Scanner
Adapt Burp Scanner’s attacks by uploading and testing multiple file-type payloads, with Upload Scanner.
AuthMatrix
Run AuthMatrix with Autorize to define your own access-level authorization checks.
Param Miner
Quickly find unkeyed inputs with Param Miner – can guess up to 65,000 parameter names per second.
Backslash Powered Scanner
Find research-grade bugs, and bridge human intuition and automation, with Backslash Powered Scanner.
Latest Release and Update
Because Burp Suite Pro is updated incrementally, the features, patches and fixes in each build are consolidated into a dedicated post, so that readers who want to follow each release can find everything in one place.
Note that Burp Suite Pro is not an unattended automated web scanner. Customers looking for scheduling, a real-time dashboard and seamless DevSecOps CI/CD integration and delivery automation should refer to Burp Suite Enterprise Edition, covered in a separate dedicated post.