Burp Suite review
What middleBrick covers
- Black-box scanning with under one minute turnaround
- 12 OWASP API Top 10 categories plus LLM adversarial probes
- OpenAPI 3.x and Swagger 2.0 spec parsing with ref resolution
- Authenticated scans with header allowlist controls
- CI/CD integration via GitHub Action and MCP Server
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
Overview and positioning
This review compares a self-service API security scanner to a manual penetration testing approach. The scanner operates as a black-box tool: you submit a target URL and receive a risk score with prioritized findings within a minute. It uses read-only methods such as GET and HEAD, and text-only POST for LLM probes, which means it does not modify, patch, or block anything on your infrastructure.
Detection scope and methodology
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), including Authentication bypass, BOLA and IDOR, BFLA and privilege escalation, Property Authorization exposure, Input Validation, Rate Limiting and Resource Consumption, Data Exposure, Encryption, SSRF, Inventory Management, Unsafe Consumption, and LLM / AI Security. For LLM testing, it runs 18 adversarial probe types across Quick, Standard, and Deep tiers, covering system prompt extraction, instruction override, jailbreak attempts, data exfiltration patterns, token smuggling, and indirect prompt injection.
OpenAPI specifications are parsed in versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, enabling cross-reference between spec definitions and runtime behavior. This helps identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination directly from the contract.
Authenticated scanning and safe operation
Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic auth, and Cookies. Access requires domain verification via DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
The tool is designed with a strict safety posture: it never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand and is purged within 30 days of cancellation. It does not perform active SQL injection or command injection tests, which fall outside its read-only scope.
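The two safeguards just described, the forwarded-header allowlist and the refusal to touch private, loopback or metadata addresses, are shown together below as an added example in JavaScript; it is not middleBrick's code. The header names come from the text; the function names, the request shape, the verifiedDomains list and the treatment of the cloud metadata address are assumptions, and the literal-address check is only one of the "multiple layers" the text mentions (the resolved address must be checked again just before connecting).

```javascript
// Added example, not middleBrick's own code: the header allowlist from the text
// (Authorization, X-API-Key, Cookie, X-Custom-*) plus a target check that refuses
// loopback, private and link-local addresses, including the cloud metadata address.
// The function names, the request shape and the verifiedDomains list are assumptions.
const ALLOWED_HEADERS = new Set(['authorization', 'x-api-key', 'cookie']);
const ALLOWED_PREFIX = 'x-custom-';

function isAllowedHeader(name) {
  const lower = name.toLowerCase();
  return ALLOWED_HEADERS.has(lower) || (lower.startsWith(ALLOWED_PREFIX) && lower.length > ALLOWED_PREFIX.length);
}

// Keep only allowlisted headers; report what was dropped so the operator can see it.
function filterForwardedHeaders(headers) {
  const forwarded = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isAllowedHeader(name)) forwarded[name.toLowerCase()] = value;
    else dropped.push(name.toLowerCase());
  }
  return { forwarded, dropped };
}

// Literal-address layer of the target check. Hostnames pass here; the address they
// resolve to must be checked again just before connecting (a second layer, not shown).
function isBlockedTarget(targetUrl) {
  const host = new URL(targetUrl).hostname.toLowerCase().replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost') || host === '::1') return true;
  if (host === 'metadata.google.internal') return true;
  const m = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127
    || (a === 172 && b >= 16 && b <= 31)   // 172.16.0.0/12
    || (a === 192 && b === 168)            // 192.168.0.0/16
    || (a === 169 && b === 254);           // link-local, covers 169.254.169.254
}

// Credentials are attached only when the target host belongs to a domain the account
// has verified (the DNS TXT / well-known check itself happens elsewhere).
function buildScanRequest(targetUrl, userHeaders, verifiedDomains) {
  if (isBlockedTarget(targetUrl)) {
    throw new Error(`target refused: ${targetUrl} is a loopback, private or metadata address`);
  }
  const host = new URL(targetUrl).hostname.toLowerCase();
  const verified = verifiedDomains.some((d) => host === d || host.endsWith(`.${d}`));
  const { forwarded, dropped } = verified
    ? filterForwardedHeaders(userHeaders)
    : { forwarded: {}, dropped: Object.keys(userHeaders).map((n) => n.toLowerCase()) };
  return {
    method: 'GET',            // read-only probe, as the text describes
    url: targetUrl,
    headers: forwarded,
    droppedHeaders: dropped,
    authenticated: verified && Object.keys(forwarded).length > 0,
  };
}

// Constructed input: one allowlisted header, one X-Custom-* header, one that is dropped.
console.log(buildScanRequest(
  'https://api.example.com/v1',
  { Authorization: 'Bearer constructed-token', 'X-Custom-Tenant': 'acme', 'X-Forwarded-For': '203.0.113.7' },
  ['example.com']
));
```

Returning the dropped header names, rather than silently discarding them, is the part practitioners tend to want: a scan that ran unauthenticated because a header was filtered should be visible as such, not mistaken for a clean result.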
Product integrations and continuous monitoring
The Web Dashboard centralizes scan results, score trends, and the ability to download branded compliance PDFs. The CLI, published as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD pipelines, failing the build when the score drops below a defined threshold. An MCP Server enables scanning from AI coding assistants such as Claude and Cursor.
Pro tier adds continuous monitoring, including scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection between scans to surface new findings, resolved issues, and score drift. Alerts are rate-limited to one email per hour per API, and webhooks are HMAC-SHA256 signed, with auto-disable after 5 consecutive failures. Compliance mappings are provided for PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
Limitations and complementary testing
The scanner does not fix, patch, or remediate findings; it reports them together with remediation guidance. It cannot detect business logic vulnerabilities, which require domain-specific human analysis. Blind SSRF is out of scope because the tool has no out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits.
For regulations such as HIPAA, GDPR, ISO 27001, NIST, CCPA, and others, the tool aligns with security controls described in relevant frameworks but does not certify or guarantee compliance. It surfaces findings relevant to audit evidence while remaining a scanning tool rather than an auditor.