We performed a comparison between OWASP Zap and PortSwigger Burp Suite Professional based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison of Results: Based on the parameters we compared, OWASP Zap seems to be a superior solution. All other things being more or less equal, our reviewers found the full version of PortSwigger Burp Suite Professional to be rather expensive to purchase. Additionally, some users of PortSwigger Burp Suite Professional are not so impressed by the technical support and documentation that it offers. Finally, one user of PortSwigger Burp Suite Professional implied that it would be a better product if it had a HUD like OWASP Zap.
"It's great that we can use it with PortSwigger Burp."
"The application scanning feature is the most valuable feature."
"We use the solution for security testing."
"You can run it against multiple targets."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"They offer free access to some other tools."
"The solution is scalable."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs."
"PortSwigger Burp Suite Professional has an intercept tab that helps us to scan our APIs, set the response, and request errors."
"The product is very good just the way it is; it has everything already well established and functions great. I can't see any way for this current version to be improved."
"PortSwigger Burp Suite does not hamper the node of the server, and it does not shut down the server if it is running."
"With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp."
"The extension that it provides with the community version for the skills mapping is excellent."
"The most valuable feature is the application security. It also has a reasonable price."
"The most valuable feature of PortSwigger Burp Suite Professional is the dashboard. It is very informative and you can receive all the information you need in one place. It's clear, well-defined, and organized. Anybody without any cybersecurity can use it."
"The reporting feature could be more descriptive."
"OWASP Zap needs to extend to mobile application testing."
"The technical support team must be proactive."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"There isn't too much information about it online."
"It would be nice to have a solid SQL injection engine built into Zap."
"If there was an easier way to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
"The solution doesn't offer very good scalability."
"PortSwigger Burp Suite Professional could improve the static code review."
"I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version. The crawling techniques used in the current version are not as efficient as those used in earlier versions."
"The biggest drawback is reporting. It's not so good. I can download them, but they're not so informative."
"A lot of our interns find it difficult to get used to PortSwigger Burp's environment."
"I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us."
"The pricing of the solution is quite high."
"The initial setup is a bit complex."
OWASP Zap is ranked 8th in Application Security Testing (AST) with 13 reviews while PortSwigger Burp Suite Professional is ranked 5th in Application Security Testing (AST) with 21 reviews. OWASP Zap is rated 7.6, while PortSwigger Burp Suite Professional is rated 8.6. The top reviewer of OWASP Zap writes "Stable dynamic testing solution with unreliable manual processes". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "Offers efficient scanning of entire websites but presence of false positive bugs, leading to time-consuming efforts in distinguishing real bugs from false alarms". OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, Veracode and Checkmarx, whereas PortSwigger Burp Suite Professional is most compared with Fortify WebInspect, Acunetix, HCL AppScan, Qualys Web Application Scanning and SonarQube.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
Yes, OWASP ZAP is a good option as it's open source, so always preferred, but Burp Suite Pro will give you more options. It's one of the best tools to have for pentesters, so defo worth it.
First things first: both have their own merits. However, in my personal experience ZAP can replace your Burp Suite for sure, considering the license. Also, as the latest ZAP versions cover more advanced techniques and spidering patterns with lots of options, it is worth considering ZAP. However, remember that with the latest versions of Burp Suite, with inbuilt Chromium and its emerging plugin support (installable JARs), you can use Burp to the fullest and keep it as a Swiss knife for your web and app pentesting. A couple of extensions in Burp Pro are interesting, especially the race condition one. I always prefer using Burp, and in some instances I go with ZAP.
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with quality security vulnerabilities. Both are very comparable in terms of intercepting features, fuzzing capabilities, and encoder and decoders. Both OWASP Zap and PortSwigger Burp Suite Pro have a spider feature, and provide updates.
One big difference between the two, though, is price. OWASP Zap is free, but Burp Suite Pro requires a paid subscription (currently $399 per year). OWASP Zap is maintained by volunteers whereas Burp Suite Pro is a commercial product maintained and sold by PortSwigger, which makes me feel more confident in it. In addition, OWASP Zap provides little documentation, which may be why some people prefer Burp Suite Pro (which offers extensive documentation). Moreover, Burp Suite Pro includes more coverage than OWASP Zap. But it is also worth noting that OWASP Zap has more false positives than Burp Suite Pro.
I like Burp Suite Pro’s interface a lot more than OWASP Zap’s. Another big plus for me with Burp is its Comparer tab, which allows for easier change detection. OWASP Zap does not include this feature without extensions and a ZAP plugin is required. Another thing about OWASP Zap I dislike is that the ability to search for text in the request or server response is difficult, while Burp Suite Pro makes it easier and more accessible.
Conclusion:
In my opinion, Burp Suite Pro is better than OWASP Zap because of its features, which I feel make it a better choice for security professionals. Both OWASP Zap and Burp Suite Pro have good sets of capabilities. However, Burp Suite Pro excels in the specific capabilities I need in more ways than OWASP Zap does.