Three years running and the product still only costs $299. It has helped me find almost a thousand vulnerabilities and exploits in a few short years. Web application security is more important than ever. It does not supersede network testing; it actually complements it.
According to their website and my own experience, they have updated the product dozens of times.
To quote them, “In the last year alone, we’ve made the following improvements to Burp:
- The new BApp Store, for sharing community-authored Burp extensions.
- Support for WebSockets messages.
- Improved Spider link discovery and WIVET score. [my comment: extremely important!]
- Support for nested scan insertion points, enabling Burp to automatically scan complex data structures, such as JSON within XML within a URL parameter. [my comment: another very important update]
- A brand new static code analysis engine, enabling Burp to reliably report DOM XSS and a dozen other new DOM-based issues.
- Scanner checks for several new types of vulnerability, including:
- Perl code injection
- PHP code injection
- Ruby code injection
- File path manipulation
- Serialized object in HTTP message
- Cross-site request forgery
- Significant enhancements to existing scan checks, including XSS, SQL injection, OS command injection and file path traversal. [my comment: another important update]
- A new mechanism for anonymous reporting of Burp’s performance, which has enabled us to resolve several edge case bugs and improve Burp’s general stability.
- Numerous other minor enhancements throughout Burp.
All updates are made available to licensed users without any additional charge.”
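The "nested scan insertion points" item above is the one worth pausing on, because it is what separates a scanner that fuzzes a parameter value as an opaque blob from one that reaches the leaves inside it. The script below is an added illustration of the idea, written for this post; it is not Burp's code and does not use any PortSwigger API. It takes a constructed request URL (the host `example.test`, the `data` and `v` parameters and the XML/JSON content are all made up for the example), enumerates every scalar leaf through the URL-parameter, XML and JSON layers, and can re-encode a payload back into any one of them, which is exactly the layering the feature description talks about.

```python
import json
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample request (not a real target): the "data" query parameter
# carries an XML document whose <payload> element carries a JSON document.
_INNER_JSON = {"user": "alice", "items": [{"sku": "A1", "qty": 2}]}
_INNER_XML = "<order><id>17</id><payload>%s</payload></order>" % json.dumps(_INNER_JSON)
SAMPLE_URL = "http://example.test/api?data=" + urllib.parse.quote(_INNER_XML) + "&v=1"


def _walk_xml(elem, path=""):
    """Yield (positional_path, element) for every element, depth first."""
    here = path or elem.tag
    yield here, elem
    for i, child in enumerate(list(elem)):
        yield from _walk_xml(child, f"{here}/{child.tag}[{i}]")


def _walk_json(obj, pointer=""):
    """Yield (json_pointer, value) for every scalar leaf of a parsed JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk_json(v, f"{pointer}/{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk_json(v, f"{pointer}/{i}")
    else:
        yield pointer, obj


def _set_json(obj, pointer, value):
    """Replace the leaf addressed by a pointer produced by _walk_json, in place."""
    parts = pointer.strip("/").split("/")
    for p in parts[:-1]:
        obj = obj[int(p)] if isinstance(obj, list) else obj[p]
    last = parts[-1]
    if isinstance(obj, list):
        obj[int(last)] = value
    else:
        obj[last] = value


def _try_json(text):
    """Return a parsed JSON object/array, or None if text is not a JSON container."""
    try:
        v = json.loads(text)
    except (TypeError, ValueError):
        return None
    return v if isinstance(v, (dict, list)) else None


def find_insertion_points(url):
    """List every insertion point as a tuple of (kind, locator) steps, outermost first."""
    points = []
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query, keep_blank_values=True)
    for name, values in query.items():
        raw = values[0]
        try:
            root = ET.fromstring(raw)
        except ET.ParseError:
            # Not XML: the whole parameter value is a single insertion point.
            points.append((("param", name),))
            continue
        for xpath, elem in _walk_xml(root):
            if elem.text is None or not elem.text.strip():
                continue
            inner = _try_json(elem.text)
            if inner is None:
                points.append((("param", name), ("xml", xpath)))
            else:
                for ptr, _ in _walk_json(inner):
                    points.append((("param", name), ("xml", xpath), ("json", ptr)))
    return points


def inject(url, point, payload):
    """Return the URL with payload placed at one insertion point, re-encoding every layer."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    name = point[0][1]
    if len(point) == 1:
        new_value = payload
    else:
        root = ET.fromstring(query[name][0])
        target = dict(_walk_xml(root))[point[1][1]]
        if len(point) == 2:
            target.text = payload
        else:
            inner = json.loads(target.text)
            _set_json(inner, point[2][1], payload)
            target.text = json.dumps(inner)  # JSON layer re-serialised ...
        new_value = ET.tostring(root, encoding="unicode")  # ... then the XML layer
    query[name] = [new_value]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query, doseq=True)))


def read_point(url, point):
    """Return the current value at an insertion point (the inverse of inject)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query, keep_blank_values=True)
    value = query[point[0][1]][0]
    if len(point) == 1:
        return value
    target = dict(_walk_xml(ET.fromstring(value)))[point[1][1]]
    if len(point) == 2:
        return target.text
    for ptr, leaf in _walk_json(json.loads(target.text)):
        if ptr == point[2][1]:
            return leaf
    return None


if __name__ == "__main__":
    for p in find_insertion_points(SAMPLE_URL):
        print(p)
    print(inject(SAMPLE_URL, find_insertion_points(SAMPLE_URL)[1], "' OR 1=1--"))
```

The point of the exercise is the re-encoding on the way back out: a payload aimed at the `user` key has to survive JSON serialisation, XML text escaping and URL encoding, in that order, before the server ever sees it. A scanner that only knows about the outer parameter would either corrupt the XML and get a parser error, or never touch the inner value at all, which is why that one bullet in the changelog matters more than its length suggests.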
And here is the kicker if you are budgeting for tools and licenses in 2015. They have publicly stated:
“Today, we pledge that we will not increase the USD price of Burp Suite Pro during 2015. Instead of hiking the price, we’ll continue to add great new features. Work is already far advanced on some big new features that will further empower Burp users during the course of 2015.”
This product is a diamond in the rough. Fully supported. Feature rich. It has improved vastly in its intuitiveness as earlier versions were a little hard to wrap your mind around. Take it for a ride. You will not be disappointed. Especially if you use it in conjunction with tools like Tenable Nessus and open source tools that are well supported.
Check them out here: http://portswigger.net/ and I hope this helps your web security initiatives!