IT Central Station is now PeerSpot: Here's why

OWASP Zap vs PortSwigger Burp Suite Professional comparison

Cancel
You must select at least 2 products to compare!
Executive Summary
Updated on March 20, 2022

We performed a comparison between Owasp Zap and Portswigger Burp Suite Professional based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Most users of both solutions feel that deploying them is relatively easy and straightforward. However, some of the users of both of these solutions feel that they are somewhat difficult to deploy.

  • Features: Reviewers of both solutions find them to be reliable and easy to use. Owasp Zap’s users particularly like its heads up display. One reviewer feels that Owasp Zap should offer a marketplace of additional options. This would enable users to customize it according to their specific needs.

    Portswigger Burp Suite Professional’s users note that it has many valuable features, including its wealth of extensions and its automated scanning feature. However, one feature that it lacks is a heads up display.
  • Pricing: Users of Owasp Zap note that it is an open source solution. Therefore, it is completely free of cost. While some users note that Portswigger Burp Suite Professional has a free version others note that this version is very basic and the paid version is expensive.
  • Service and Support: Most users of Owasp Zap note that the community support makes up for the fact that it lacks traditional technical support. Most users of Portswigger Burp Suite Professional think that the technical support that it offers is good. Reviewers were split as to whether or not the documentation that Portswigger Burp Suite Professional offers is good enough.

Comparison of Results: Based on the parameters we compared, Owasp Zap seems to be a superior solution. All other things being more or less equal, our reviewers found the full version of Portswigger Burp Suite Professional to be rather expensive to purchase. Additionally, some users of Portswigger Burp Suite Professional are not so impressed by the technical support and documentation that it offers. Finally, one user of Portswigger Burp Suite Professional implied that it would be a better product if it had a HUD like Owasp Zap.

Featured Review
Buyer's Guide
OWASP Zap vs. PortSwigger Burp Suite Professional
May 2022
Find out what your peers are saying about OWASP Zap vs. PortSwigger Burp Suite Professional and other solutions. Updated: May 2022.
598,116 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"They offer free access to some other tools.""It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).""Simple to use, good user interface.""The interface is easy to use.""Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.""Automatic scanning is a valuable feature and very easy to use.""The stability of the solution is very good.""The solution is good at reporting the vulnerabilities of the application."

More OWASP Zap Pros →

"With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp.""The most valuable feature is Burp Collaborator.""The solution has a great user interface.""We use the solution for vulnerability assessment in respect of the application and the sites.""The extension that it provides with the community version for the skills mapping is excellent.""There is no other tool like it. I like the intuitiveness and the plugins that are available.""For pentesting scenarios, this is the number one tool. It can capture the request, and there are so many functions that are very good for that. For example, a black box satellite host.""The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs."

More PortSwigger Burp Suite Professional Pros →

Cons
"The documentation needs to be improved because I had to learn everything from watching YouTube videos.""Zap could improve by providing better reports for security and recommendations for the vulnerabilities.""The solution is unable to customize reports.""The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed.""It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.""It would be a great improvement if they could include a marketplace to add extra features to the tool.""The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more.""Too many false positives; test reports could be improved."

More OWASP Zap Cons →

"The price could be better. The rest is fine.""As with most automated security tools, too many false positives.""A lot of our interns find it difficult to get used to PortSwigger Burp's environment.""I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us.""One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that.""One thing that is not up to the mark in PortSwigger is web application testing. I found some issues with its performance and reporting. They should work on these and give us a better outcome.""There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment.""The reporting needs to be improved; it is very bad."

More PortSwigger Burp Suite Professional Cons →

Pricing and Cost Advice
  • "This is an open-source solution and can be used free of charge."
  • "This solution is open source and free."
  • "We have used the freeware version. I believe Zap only has freeware."
  • More OWASP Zap Pricing and Cost Advice →

  • "At $400 or $500 per license paid annually, it is a very cheap tool."
  • "PortSwigger is reasonably-priced. It's fair."
  • "It has a yearly license. I am satisfied with its price."
  • "We are using the community version, which is free."
  • "It is expensive for us in Brazil because the currency exchange rate from a dollar to a Brazilian Real is quite steep."
  • "The price for the solution is expensive and could be cheaper. We pay an annual license and our team has several of them."
  • "It's a lower priced tool that we can rely on with good standard mechanisms."
  • "This solution requires a license. It is expensive but you receive a lot of functionality for the price."
  • More PortSwigger Burp Suite Professional Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security Testing (AST) solutions are best for your needs.
    598,116 professionals have used our research since 2012.
    Answers from the Community
    Anonymous User
    reviewer1526550 - PeerSpot reviewerreviewer1526550 (Lead Security Architect at a comms service provider with 1,001-5,000 employees)
    Real User

    Yes OWASP ZAP is a good option as it's an open source so always preferred but Burp Suite Pro  will give you more options, its one of the best tool to have for pentesters so defo worth it.

    Avinash-Kumar - PeerSpot reviewerAvinash-Kumar
    Real User

    First things first both are having their own merits, however in my personal experience ZAP can replace your burpsuite for sure considering the License. Also as the latest ZAP versions are covering more advanced techniques and spidering patterns with lots of options in it, it is worth considering ZAP. However remember that burpsuite from latest versions with inbuilt chromium and it's emerging plugin support (Installable jars) you can use burp to the fullest and you can keep it as a swiss knife for your web and app pentesting. Couple of extensions in burp pro are interesting especially the race condition one. I always prefer using Burp and at instances I go with ZAP.

    Questions from the Community
    Top Answer: 
    OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with… more »
    Top Answer: 
    Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is… more »
    Top Answer: 
    We have used the freeware version. I believe Zap only has freeware.
    Top Answer: 
    For pentesting scenarios, this is the number one tool. It can capture the request, and there are so many functions that are very good for that. For example, a black box satellite host.
    Top Answer: 
    They should reduce the license cost a little bit. It is $400 per user, and it would be better if they could reduce the licensing fee.
    Ranking
    Views
    30,259
    Comparisons
    19,274
    Reviews
    11
    Average Words per Review
    463
    Rating
    6.9
    Views
    20,991
    Comparisons
    17,004
    Reviews
    16
    Average Words per Review
    463
    Rating
    8.5
    Comparisons
    Also Known As
    Burp
    Learn More
    Overview

    OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner that enables software developers and testers to perform penetration testing on their applications to discover vulnerabilities and prevent hostile attacks. To date, it is one of the most searched Open Web Application Security Project (OWASP) projects, and an international group of volunteers is maintaining it. This tool is both flexible and extensible and is intended to be used by users who are new to application security as well as expert testers. For the users' convenience, OWASP ZAP has versions for each major OS and Docker platform so as not to rely on any single OS.

    OWASP ZAP focuses on being the “middle man proxy,” as it is positioned between the user’s browser and the web application. In doing so, it will intercept and examine messages that are sent between a browser and a web application. If needed, it will adjust the contents and pass those packets on to their destination. As is the case in many corporate settings, if there is already another network proxy in use, ZAP can be configured to join that proxy. A variety of add-ons for further functionality is available on ZAP Marketplace.

    OWASP ZAP offers a range of security automation options, including:

    • Docker Packaged Scans: A ZAP automation scanner that provides a lot of flexibility and makes it easy for the user to get started with the tool.

    • Quick Start Command Line: A rapid and straightforward scanner that is suitable for a quick scan.

    • API and Daemon Mode: Through a comprehensive API, this mode gives the user complete control over ZAP.

    • Automation Framework: A state-of-the-art framework that is not tied to any current container technology. This framework will, in time, take over the Command Line and the Package Scan options.

    • GitHub Actions: The ability to use any associated and available GitHub package scan.

    Benefits of OWASP ZAP

    Some of OWASP ZAP’s benefits include:

    • The ability to run an automated scan. Once set up, ZAP will deploy two spiders to crawl the web application and subsequently scan each page it finds.

    • It interprets your results and sends an automated alert. After scanning the web application, all requests and responses sent to each page are recorded. If there is a potential problem, an alert is created and sent to the user.

    • An intuitive and innovative interface. The Heads Up Display (HUD) is a new feature that provides capabilities right in the browser. It is great for people new to web security and experienced testers alike.

    Reviews from Real Users

    OWASP ZAP stands out among its competitors for a number of reasons. Among them are the solution’s automatic scanning feature, its ease of use, its ability to report vulnerabilities, and its being a free open-source solution..

    PeerSpot user Piyush S., Technical Specialist (DevOps), notes that "Automatic scanning is a valuable feature and very easy to use. The initial setup is straightforward. The solution is free due to the fact that it is open-source. The product has a strong community surrounding it to help with issues and troubleshooting. The stability of the solution is very good."

    Raj K., Business Analyst at Experion Technologies, notes, “The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.”

    Balaji S., Assistant Vice President at Hexaware Technologies Limited, writes, “The solution is good at reporting the vulnerabilities of the application. It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.

    Many users like how the solution has improved over the years. As Alan G., CEO at Virtual Security International, notes, "It has evolved over the years, and recently in the last year they have added HUD (Heads Up Display)."

    Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.

    PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.

    Offer
    Learn more about OWASP Zap
    Learn more about PortSwigger Burp Suite Professional
    Sample Customers
    Information Not Available
    Google, Amazon, NASA, FedEx, P&G, Salesforce
    Top Industries
    REVIEWERS
    Computer Software Company33%
    Financial Services Firm17%
    Retailer8%
    Manufacturing Company8%
    VISITORS READING REVIEWS
    Computer Software Company28%
    Comms Service Provider27%
    Government6%
    Financial Services Firm6%
    REVIEWERS
    Manufacturing Company33%
    Financial Services Firm28%
    Computer Software Company11%
    Insurance Company6%
    VISITORS READING REVIEWS
    Comms Service Provider27%
    Computer Software Company26%
    Government7%
    Financial Services Firm5%
    Company Size
    REVIEWERS
    Small Business17%
    Midsize Enterprise30%
    Large Enterprise52%
    VISITORS READING REVIEWS
    Small Business19%
    Midsize Enterprise26%
    Large Enterprise55%
    REVIEWERS
    Small Business20%
    Midsize Enterprise20%
    Large Enterprise60%
    Buyer's Guide
    OWASP Zap vs. PortSwigger Burp Suite Professional
    May 2022
    Find out what your peers are saying about OWASP Zap vs. PortSwigger Burp Suite Professional and other solutions. Updated: May 2022.
    598,116 professionals have used our research since 2012.

    OWASP Zap is ranked 6th in Application Security Testing (AST) with 10 reviews while PortSwigger Burp Suite Professional is ranked 3rd in Application Security Testing (AST) with 18 reviews. OWASP Zap is rated 7.0, while PortSwigger Burp Suite Professional is rated 8.6. The top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "Best for manual penetration testing, a great user interface, and offers good scanning capabilities". OWASP Zap is most compared with Veracode, Acunetix, Qualys Web Application Scanning, Fortify WebInspect and Invicti, whereas PortSwigger Burp Suite Professional is most compared with Fortify WebInspect, Acunetix, HCL AppScan, Veracode and Qualys Web Application Scanning. See our OWASP Zap vs. PortSwigger Burp Suite Professional report.

    See our list of best Application Security Testing (AST) vendors.

    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.