Re: buy it? it's free!
I love that tool for web app testing. But 1, you have to get the client to trust Burp's cert: not trivial, especially with Firefox. IE? Just take over a domain and publish it with GP. Else, the user will get an error. And if you do get them to trust the cert, and go to Bank of America, for instance ... no extended validation, no green bar.
Now, for fun, if you use GMail, log out of your accounts, set up the proxy on a browser that doesn't trust Burp's cert and try to log on? Ahhhh, no trust, no "Add Exception". You'll see one that permits an exception, but keep on going, and you will not be able to trust the 2nd one, and GMail is out.
... and that's the whole point. There are ways to make MITM and other attacks harder to pull off, if the admins and devs know what they're doing. There are header elements to add that add all sorts of protections (if browser-implemented): X-XSS-Protection (for IE), CSP, X-Frame-Options, Cache-Control, anti-MIME sniffing, specifying the right MIME type, anti-CSRF (not a header thing, but ...), and the list goes on. Devs are just too concerned with pretty pictures and font alignment to be bothered.
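As an added example (not part of the post above), here is a small audit that checks a captured HTTP response for the protections the poster lists, so a defender can see at a glance which ones a page is missing. Both sample responses are constructed; the Strict-Transport-Security check is an assumption added here because HSTS is the mechanism behind the "no Add Exception" behaviour the post describes, even though the post does not name it.

```python
# Assumption: HSTS is checked here as the mechanism behind the "no Add Exception"
# behaviour the post describes for GMail; the post itself does not name it.
def parse_headers(raw_response: str) -> dict:
    """Split a raw HTTP/1.x response into a lower-cased {name: value} map."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers

# (check name, header, predicate on the value; value is None when absent)
CHECKS = [
    ("csp", "content-security-policy", lambda v: v is not None),
    ("x-frame-options", "x-frame-options",
     lambda v: v is not None and v.upper() in ("DENY", "SAMEORIGIN")),
    ("anti-mime-sniffing", "x-content-type-options",
     lambda v: v is not None and v.lower() == "nosniff"),
    ("mime-type", "content-type",
     lambda v: v is not None and "charset=" in v.lower()),
    ("cache-control", "cache-control",
     lambda v: v is not None and "no-store" in v.lower()),
    ("x-xss-protection", "x-xss-protection",
     lambda v: v is not None and v.startswith("1")),
    ("hsts", "strict-transport-security",
     lambda v: v is not None and "max-age=" in v.lower()),
]

def audit(raw_response: str) -> dict:
    """Return {check_name: passed} for one captured response."""
    headers = parse_headers(raw_response)
    return {name: bool(pred(headers.get(hdr))) for name, hdr, pred in CHECKS}

def missing(raw_response: str) -> list:
    """Sorted names of the checks that fail, for a quick report."""
    return sorted(k for k, ok in audit(raw_response).items() if not ok)

# Constructed sample: an unhardened login page (charset and protections absent).
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Cache-Control: public, max-age=3600\r\n\r\n<html>...</html>")

# Constructed sample: the same page with every protection from the post set.
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
            "Cache-Control: no-store\r\nContent-Security-Policy: default-src 'self'\r\n"
            "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
            "X-XSS-Protection: 1; mode=block\r\n"
            "Strict-Transport-Security: max-age=31536000\r\n\r\n<html>...</html>")
```

Running `missing(WEAK)` reports every check, while `missing(HARDENED)` is empty; feed it responses saved from the proxy to compare what a site actually sends.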