We performed a comparison between Owasp Zap and Portswigger Burp Suite Professional based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison of Results: Based on the parameters we compared, Owasp Zap seems to be a superior solution. All other things being more or less equal, our reviewers found the full version of Portswigger Burp Suite Professional to be rather expensive to purchase. Additionally, some users of Portswigger Burp Suite Professional are not so impressed by the technical support and documentation that it offers. Finally, one user of Portswigger Burp Suite Professional implied that it would be a better product if it had a HUD like Owasp Zap.
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"The interface is easy to use."
"The stability of the solution is very good."
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"Simple to use, good user interface."
"It updates repositories and libraries quickly."
"The solution is scalable."
"Automatic scanning is a valuable feature and very easy to use."
"I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis."
"The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."
"I find the attack model quite amazing, where I can write my scripts and load my scripts as well, which helps quite a bit. All the active scanning that it can do is also quite a lot helpful. It speeds up our vulnerability assessment and penetration testing. Right now, I am enjoying its in-browser, which also helps quite a bit. I'm always confused about setting up some proxy, but it really is the big solution we all want."
"With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp."
"PortSwigger Burp Suite does not hamper the node of the server, and it does not shut down the server if it is running."
"In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
"The solution has a pretty simple setup."
"The extension that it provides with the community version for the skills mapping is excellent."
"The solution is unable to customize reports."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"Too many false positives; test reports could be improved."
"Reporting format has no output, is cluttered and very long."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The pricing of the solution is quite high."
"The use of system memory is an area that can be improved because it uses a lot."
"PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try."
"A lot of our interns find it difficult to get used to PortSwigger Burp's environment."
"We'd like to have more integration potential across all versions of the product."
"If we're running a huge number of scans regularly, it slows down the tool."
"The reporting needs to be improved; it is very bad."
"Currently, the scanning is only available in the full version of Burp, and not in the Community version."
OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner that enables software developers and testers to perform penetration testing on their applications to discover vulnerabilities and prevent hostile attacks. To date, it is one of the most searched Open Web Application Security Project (OWASP) projects, and an international group of volunteers is maintaining it. This tool is both flexible and extensible and is intended to be used by users who are new to application security as well as expert testers. For the users' convenience, OWASP ZAP has versions for each major OS and Docker platform so as not to rely on any single OS.
OWASP ZAP focuses on being the “middle man proxy,” as it is positioned between the user’s browser and the web application. In doing so, it will intercept and examine messages that are sent between a browser and a web application. If needed, it will adjust the contents and pass those packets on to their destination. As is the case in many corporate settings, if there is already another network proxy in use, ZAP can be configured to join that proxy. A variety of add-ons for further functionality is available on ZAP Marketplace.
OWASP ZAP offers a range of security automation options, including:
Benefits of OWASP ZAP
Some of OWASP ZAP’s benefits include:
Reviews from Real Users
OWASP ZAP stands out among its competitors for a number of reasons. Among them are the solution’s automatic scanning feature, its ease of use, its ability to report vulnerabilities, and its being a free open-source solution..
PeerSpot user Piyush S., Technical Specialist (DevOps), notes that "Automatic scanning is a valuable feature and very easy to use. The initial setup is straightforward. The solution is free due to the fact that it is open-source. The product has a strong community surrounding it to help with issues and troubleshooting. The stability of the solution is very good."
Raj K., Business Analyst at Experion Technologies, notes, “The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.”
Balaji S., Assistant Vice President at Hexaware Technologies Limited, writes, “The solution is good at reporting the vulnerabilities of the application. It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.
Many users like how the solution has improved over the years. As Alan G., CEO at Virtual Security International, notes, "It has evolved over the years, and recently in the last year they have added HUD (Heads Up Display)."
Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.
PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.
OWASP Zap is ranked 6th in Application Security Testing (AST) with 10 reviews while PortSwigger Burp Suite Professional is ranked 3rd in Application Security Testing (AST) with 20 reviews. OWASP Zap is rated 7.0, while PortSwigger Burp Suite Professional is rated 8.6. The top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "Best for manual penetration testing, a great user interface, and offers good scanning capabilities". OWASP Zap is most compared with Veracode, Acunetix, Qualys Web Application Scanning, Fortify WebInspect and Invicti, whereas PortSwigger Burp Suite Professional is most compared with Fortify WebInspect, Acunetix, Veracode, HCL AppScan and Qualys Web Application Scanning. See our OWASP Zap vs. PortSwigger Burp Suite Professional report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.