Should I Purchase Burp Pro?


#1

Like the title says. The only reason I don’t right now is because I’m broke for the holidays.

At first I thought it would be possible to use burp on a trial basis and then supplement it with other applications. Has anyone taken this route?


#2

Hello @Magick17, I was a Burp user for a long time, mostly because there was no other option that could achieve the same results. But in the last year Zap Proxy has entered a state where it is almost as good as Burp, and it is open source (no black box and no software you have to blindly trust), and there is a huge community of developers that makes the project move at a fast pace with new modules/add-ons and options… It does have a learning curve; most things are accomplished in a different way than you do them with Burp. Also, some utilities are better and some are still behind Burp, but since it is open source and the development is super fast, I am sure it will surpass Burp in no time… I would recommend that you switch to Zaproxy if a small learning curve does not scare you and you value running open source applications; with it you will save some money, and after some time of use you can always donate to the OWASP project as a thank you for creating such tools that benefit the whole information security community, and that are vendor neutral and unbiased.

Just my 2 cents. I hope this helps.
Fernandez, Christian
Cloud Infrastructure and Security Engineer at Bugcrowd Inc


#3

Hi @Magick17,
Ask yourself this question: “do I need the features of the Pro version?”. If the answer is “no” or “I don’t know”, then don’t purchase it.
If you are just starting out with bug bounty programs and not making good money, I don’t see the point in purchasing it. In my case, I use the Repeater and the Proxy 99% of the time, and when I use the other features I usually end up with nothing useful. I pay for it to support the developers, because it only costs 250 USD or something like that per year, which you should be able to afford whenever you start making money from bug bounty programs. The Free version was my only tool for 1-2 years, and now it’s the Pro version :smile:. It depends on how you work too. The Pro version has features for automation, but if you are starting out I would recommend you not to use those features, because you won’t know what’s happening “behind the scenes”, which won’t help you to learn.

Maybe you can try Zap Proxy too, as Christian told you. I was very excited when I started using it, but then I noticed that I worked faster using Burp, and in the end I stopped using it.

Anyway, as a final note if you are starting out: you shouldn’t be thinking about that now; you should be spending a lot of time learning and looking for bugs with whatever tool you like, without overthinking it. You are the talent; the tool (Burp/Zap/HackBar) is just a tool at the service of the talent and not vice versa (unless you want to be replaced by machines in the decades ahead).

Best.


#4

Thank you for the advice, both of you guys. For now I will continue to read the Web Application Hacker’s Handbook and utilize open source tools.

Do any of you use the IRC chat? I jumped on there and no one was talking. Just wondering.

I guess I ask because I’m feeling stuck. I keep reading the WAHH, and I see where they are coming from, but I feel overwhelmed with a lot of material. I tried looking at that Silent Circle challenge, but when I started viewing everything through Burp I didn’t even know where to start.

I guess I’m just looking for a friend to chat with and bounce ideas off of.


#5

Hi @Magick17

The Bugcrowd forum is a great place for seeking help. You will always get someone who will provide great advice. Additionally, get on Twitter as well.

Also go through Peter Yaworski’s Web Hacking 101. It has some excellent reports and explanations of how vulnerabilities were found.

As you said, it will be overwhelming at first, but don’t try to master each and every vulnerability there. Try to find (a couple of) categories which interest and intrigue you and get acquainted with them.

All the best.


#6

Sounds like a plan.