[capt8bit]

I have used mitmproxy for performing web application pentest for years.

If you want something to create/intercept/edit/tamper/replay requests, this is your tool. If you want to script any of those things, this is still your tool.

However, burp comes with a lot of bells and whistles that don't make a lot of sense to build in to mitmproxy, but you can script yourself. For example, there is no intruder, spider, or scanner tool. But, they have an easy to use interface to write scripts that will be run on every request you make, or individual requests.

Or, you can just pass all mitmproxy traffic out to burp and get the best of both worlds.

[SCHiM]

I found burps active scanning feature in the pro version insanely valuable. So far it has found blind SQL injections, numerous xss vulns, command injection and even XXE. I think it's very hard to script such a comprehensive feature into mitmproxy (that is burp pro with collaborator servers).

Still if you're comparing the free version of burp with mitmproxy they do seem very similar. I wouldn't know for sure since I've never used mitmproxy.

[tptacek]

I wouldn't bother with the free version of Burp. If that's where you're at, use Fiddler or mitmproxy.

For software developers doing routine integration-test security checks, I think there's probably a lot of value in the scanner. For professional testers, though, I think the scanner does more harm than good: if it's routinely spotting things you don't spot manually, you should revise your technique.