IT Central Station is now PeerSpot: Here's why

OWASP Zap OverviewUNIXBusinessApplication

OWASP Zap is #6 ranked solution in AST tools. PeerSpot users give OWASP Zap an average rating of 7.2 out of 10. OWASP Zap is most commonly compared to PortSwigger Burp Suite Professional: OWASP Zap vs PortSwigger Burp Suite Professional. OWASP Zap is popular among the large enterprise segment, accounting for 63% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a comms service provider, accounting for 25% of all views.
OWASP Zap Buyer's Guide

Download the OWASP Zap Buyer's Guide including reviews and more. Updated: July 2022

What is OWASP Zap?

OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner that enables software developers and testers to perform penetration testing on their applications to discover vulnerabilities and prevent hostile attacks. To date, it is one of the most searched Open Web Application Security Project (OWASP) projects, and an international group of volunteers is maintaining it. This tool is both flexible and extensible and is intended to be used by users who are new to application security as well as expert testers. For the users' convenience, OWASP ZAP has versions for each major OS and Docker platform so as not to rely on any single OS.

OWASP ZAP focuses on being the “middle man proxy,” as it is positioned between the user’s browser and the web application. In doing so, it will intercept and examine messages that are sent between a browser and a web application. If needed, it will adjust the contents and pass those packets on to their destination. As is the case in many corporate settings, if there is already another network proxy in use, ZAP can be configured to join that proxy. A variety of add-ons for further functionality is available on ZAP Marketplace.

OWASP ZAP offers a range of security automation options, including:

  • Docker Packaged Scans: A ZAP automation scanner that provides a lot of flexibility and makes it easy for the user to get started with the tool.

  • Quick Start Command Line: A rapid and straightforward scanner that is suitable for a quick scan.

  • API and Daemon Mode: Through a comprehensive API, this mode gives the user complete control over ZAP.

  • Automation Framework: A state-of-the-art framework that is not tied to any current container technology. This framework will, in time, take over the Command Line and the Package Scan options.

  • GitHub Actions: The ability to use any associated and available GitHub package scan.

Benefits of OWASP ZAP

Some of OWASP ZAP’s benefits include:

  • The ability to run an automated scan. Once set up, ZAP will deploy two spiders to crawl the web application and subsequently scan each page it finds.

  • It interprets your results and sends an automated alert. After scanning the web application, all requests and responses sent to each page are recorded. If there is a potential problem, an alert is created and sent to the user.

  • An intuitive and innovative interface. The Heads Up Display (HUD) is a new feature that provides capabilities right in the browser. It is great for people new to web security and experienced testers alike.

Reviews from Real Users

OWASP ZAP stands out among its competitors for a number of reasons. Among them are the solution’s automatic scanning feature, its ease of use, its ability to report vulnerabilities, and its being a free open-source solution..

PeerSpot user Piyush S., Technical Specialist (DevOps), notes that "Automatic scanning is a valuable feature and very easy to use. The initial setup is straightforward. The solution is free due to the fact that it is open-source. The product has a strong community surrounding it to help with issues and troubleshooting. The stability of the solution is very good."

Raj K., Business Analyst at Experion Technologies, notes, “The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.”

Balaji S., Assistant Vice President at Hexaware Technologies Limited, writes, “The solution is good at reporting the vulnerabilities of the application. It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.

Many users like how the solution has improved over the years. As Alan G., CEO at Virtual Security International, notes, "It has evolved over the years, and recently in the last year they have added HUD (Heads Up Display)."

OWASP Zap Video

Archived OWASP Zap Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Information Security Professional at a energy/utilities company with 1,001-5,000 employees
Real User
Easy-to-use interface, but the documentation needs to be improved

What is our primary use case?

We primarily use this product for web application scanning.

What is most valuable?

The interface is easy to use.

What needs improvement?

The documentation needs to be improved because I had to learn everything from watching YouTube videos.

For how long have I used the solution?

I have been working with OWASP Zap for about three months.

Buyer's Guide
OWASP Zap
July 2022
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
622,645 professionals have used our research since 2012.

What do I think about the stability of the solution?

I have not experienced any trouble in terms of stability.

What do I think about the scalability of the solution?

Scalability has not been an issue, so far. There are four of us in the company that can log in to use it.

How are customer service and support?

I have not been in contact with technical support.

How was the initial setup?

The initial setup was straightforward. For me, I just had to press "Next" several times. Between the installation, downloading videos, and investigating how to deploy it, I would say that the process took roughly a day.

What about the implementation team?

I did not require third-party assistance for the deployment.

What was our ROI?

This solution is providing us with value and as long as it continues to do so, we'll continue to use it.

What's my experience with pricing, setup cost, and licensing?

This is an open-source solution and can be used free of charge.

What other advice do I have?

This is a good product where most of the functionality is free, which is why I recommend that others use it.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Business Analyst at Experion Technologies
Real User
Good user interface and easy to use; test reports could be improved
Pros and Cons
  • "Simple to use, good user interface."
  • "Too many false positives; test reports could be improved."

What is our primary use case?

I'm a business analyst and we're a customer of OWASP Zap. 

What is most valuable?

The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.

What needs improvement?

I'd like to be able to explore more and improvements could be made in that area because for now I'm only able to explore the manual testing feature. I'd also like to see an improvement in test reports because we get too many false positives. 

For how long have I used the solution?

I've been using this solution for the past few months. 

What do I think about the stability of the solution?

The stability is okay although we get many false positives when pulling out test reports. 

What do I think about the scalability of the solution?

The scalability is very good. 

How are customer service and technical support?

I haven't needed technical support to date and I haven't yet started using the community support.  

How was the initial setup?

The initial setup wasn't very complex. You're supposed to install a JDK, Java file. I think implementation took about an hour. There are seven people in the company using the solution and maybe in the coming days there will be more. 

What other advice do I have?

I would definitely recommend this product provided the company can provide more clarity on the false positives that we get. 

I would rate this solution a seven out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
OWASP Zap
July 2022
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
622,645 professionals have used our research since 2012.
Jaromir Tesar - PeerSpot reviewer
Embedded Software Engineer at Y Soft
Real User
Automatic updates of our database are valuable; deployment is complicated
Pros and Cons
  • "Automatic updates and pull request analysis."
  • "Deployment is somewhat complicated."

What is our primary use case?

Our primary use case is for scanning. We have Bamboo, Nexus and Artifactory and we are able to make snapshots. When we get a pull request we're able to make another snapshot and we compare the two snapshots together and can see what is new in the pull request. We can see which libraries are there and that enables us to see the vulnerabilities. I'm an embedded software engineer.

What is most valuable?

I would say that the automatic update is a very valuable feature because we are able to update our internal data base. The pull request analysis is also very good.

What needs improvement?

The product is somewhat complicated and could be improved by simplifying it because you don't want to have to allocate one person to maintain the solution full time. We'd like to be able to deploy it and have it work. Ideally we'd like to be able to get a pull request analysis and the analysis of repositories. 

I think they could definitely work on a more simplified deployment. That would improve the product. The issues are not necessarily related to the solution but possibly connected to how it was initially set up. 

For how long have I used the solution?

We've been using this solution for three or four years. 

What do I think about the stability of the solution?

Regarding stability, we have some issues in our product and we need to work on it. Something is wrong in the architecture, perhaps it's a bug. 

How was the initial setup?

The initial setup was done before I came to the company. There are five people on our security team who discuss maintenance issues and try to solve problems. 

What other advice do I have?

I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance.

I would rate this solution a six out of 10 in our environment. I don't think deployment was done very well in our company and that has affected the quality of the product. Perhaps if things had been done differently I would rate it an eight out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Engineer at a aerospace/defense firm with 10,001+ employees
Vendor
Good overall business scanning but there is room for improvement

What is our primary use case?

We only tried out the demo to see what the solution offers and how it performs overall business scanning. They also offer open-source projects.

What needs improvement?

There is definitely room for improvement. I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers. I also think it should have an open-source tool. I would also love to see an improvement in visibility.

For how long have I used the solution?

I used OWASP Sap three to four months ago for less than a week.

What do I think about the stability of the solution?

The OWASP Zap solution was very stable during the few days we used it.

What do I think about the scalability of the solution?

The scalability of this product is very good.

What other advice do I have?

I will rate this product a seven out of ten, because I think the visibility needs to be improved, and the support person needs to do a better job. What's more, additional features, like domain support or different authentication support also needs to be improved.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Manager at a marketing services firm with 10,001+ employees
Real User
Reporting gives you a clear indication of what kind of vulnerability you have that you can drill down on but the reporting should assist with base-lining
Pros and Cons
  • "The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
  • "I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help."

What is most valuable?

The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information.

What needs improvement?

I'm still in the process of exploring.

I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help.

For how long have I used the solution?

I haven't been using this solution for very long yet.

What other advice do I have?

I would rate this solution as 7 out of 10, as I am still in the process of exploring. So far I think it's fine, but I think I still need to explore it a bit further and try to do a more comparative analysis.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PeerSpot user
Vinod_Gupta - PeerSpot reviewer
CEO and Founder at Indicrypt Systems
Real User
Offers good web application spidering and vulnerability assessment
Pros and Cons
    • "The automated vulnerability assessments that the application performs needs to be simplified as well as diversified."

    What is our primary use case?

    We primarily use this application for web application spidering and vulnerability assessment.

    What is most valuable?

    The most valuable feature is the spidering because, being a security person, it is very important for me to know each and every section of that application, so we cannot afford to miss any single web page or any single link on a particular website. The spidering mechanism is very good.

    What needs improvement?

    The automatic scans need improvement. The automated vulnerability assessments that the application performs needs to be simplified as well as diversified.

    For how long have I used the solution?

    I've been using the solution for 5 years.

    What do I think about the stability of the solution?

    The solution is very stable. Presently there are only around three people including me using this particular solution. I really don't think we would be needing anything more than these as of right now.

    What do I think about the scalability of the solution?

    I would say that scalability doesn't apply to this particular application. 

    How are customer service and technical support?

    Presently there is only community support available, and we are able to solve a lot of problems using the documentation with community support.

    Which solution did I use previously and why did I switch?

    Yes, we actually use a couple of different products but there is one specifically that we use, which is the Burp Suite.

    How was the initial setup?

    The initial setup was very straightforward.

    What's my experience with pricing, setup cost, and licensing?

    This app is completely free and open source. So there is no question about any pricing.

    What other advice do I have?

    I would recommend that you should go through the documentation really well. That's it.

    I would rate this product 8 out of 10.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Vijayanathan Naganathan - PeerSpot reviewer
    Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
    Real User
    Inexpensive licensing, free to use, and has good community support
    Pros and Cons
    • "The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
    • "There's very little documentation that comes with OWASP Zap."

    What is our primary use case?

    I focus on software application security. In most of the scenarios that we come across, the customers want complete assurance on security of their platforms/products/applications. Clients reach out to us for our abilities to unearth security issues.

    I get to use these tools to assess products/platforms before they go live to the market.

    How has it helped my organization?

    We recently ran into an issue where we had to test the OAuth token validation, where the REST API calls had OAuth token change every time a request was being sent. Somebody from the support community had contributed a sample code to accomplish this. In terms of the community support that is available, OWASP Zap has great set of features to use.

    What is most valuable?

    The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client for helping them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.

    What needs improvement?

    OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover ZAP Proxy security scans are excellent providing a comprehensive coverage.

    One area where the tool can be improved is specifically,  if there's some more intelligence that can be added on to the reporting feature, it would be great. 

    There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there are additional templates that could be put in place, the reports would come out very well, and we'd be able to edit it along reading the report.

    That could be good for us to make it through. Because that is an area that we've seen typically, where it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts and then we generate the report.

    There's the element of documentation that we need to create along with that. If there is a provision to enter inputs like below as part of report generation:

    • Project information
    • Client name
    • Organization name
    • Platform against which this test has been done

    If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer.

    Today it's this is something not easily available in not at that level in the tool. In the reporting presentation format, Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that.

    For how long have I used the solution?

    We have been using OWASP Zap for more than eight months.

    What do I think about the stability of the solution?

    The only place that I faced issues with the OWASP was testing for a large broadcasting company. The number of requests that come forward is quite large. When the requests are quite huge, we found that ZAP Proxy tool tends to be a little more slow to respond. We're not sure whether it's progressing at the background or whether the application is frozen. We have faced the encounter when we are sending in large payloads, i.e. the multiple requests pull through defensive issues there.Other than that we have not seen significant issue with the tool.

    What do I think about the scalability of the solution?

    Currently, we have three of us who have been using the OWASP Zap proxy tool. There are times when we even propose this ZAP proxy tool to customers. Sometimes, we get requests from clients who want us to use a specific solution like Acunetix, BurpSuite. 

    For the choice of which tool to use in the long run, the decision is driven by the customers. When customers ask us for a tool recommendation, we do a security tool comparison analysis, and make a recommendation that best suits them, explaining the pros and cons of each tools. i.e when you use a solution like OWASP Zap versus going on with a tool like Burp Suite or Acunetix. 

    How are customer service and technical support?

    For OWASP, I've been only looking at their community, but I felt that PortSwigger has much better tech support. In terms of community support, OWASP Zap is very much there.

    For example, we expected PortSwigger to have OAuth token to be available by default, but that was not on their product road map. Fortunately for us, we had somebody from the community who had created several extensions which were a great help to us.

    In terms of product support, I would say, Port Swigger support has been very good. 

    How was the initial setup?

    The initial setup of OWASP Zap was straightforward. That's not an issue at all with OWASP.

    What's my experience with pricing, setup cost, and licensing?

    As far as pricing concerns, for value in the commercial solutions when it comes to security testing tools, it is Burp Suite. Some Burp Suite licenses are available for $300 over a 1-year term, which is pocket-friendly for us. We feel that PortSwigger Burp Suite is the best value for the money that we get. When it comes to clients looking for non-commerical licenses, OWASP Zap tool is the best fit.

    What other advice do I have?

    When people are trying to make use of OWASP Zap, I would advise first read through and understand the OWASP vulnerabilities very well. Then start looking at features, tutorials of the OWASP ZAP Proxy that are made available online.

    There are a lot of YouTube videos, articles in the internet that talk about how to use the tools. These are quite easy to understand. Do a small POC. Pick an application which is already having vulnerabilities and assess the application around with the ZAP Proxy tool.

    In terms of ZAP Proxy tool ease of use, I would rate it nine out of ten. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Vidar Folden - PeerSpot reviewer
    Consultant at Moller
    Consultant
    Has made us feel safer doing frequent deployments for web applications and has a plug-in into every major system
    Pros and Cons
    • "This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
    • "If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."

    What is our primary use case?

    Our primary use case of this solution is to scan and check that the applications we put on the internet are safe and secure.

    How has it helped my organization?

    This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we are doing large deployments, we might get a professional security partner in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes the process easier and safer.

    What is most valuable?

    Automatic scanning after a manual walkthrough is the most valuable feature. 

    What needs improvement?

    I would like for them to make it easier to understand exactly what has been checked and what has not been checked. We have to trust that it has checked all known vulnerabilities on all parts of the webapp, but it's a bit hard to see that after scanning. 

    I would also like for them to develop graphical reports on the scan. Based on the log, some graphical drawing could show what part of the site has been tested. I would like to see that it has tested everything that we wanted to test.

    For how long have I used the solution?

    Less than one year.

    What do I think about the stability of the solution?

    Good.

    What do I think about the scalability of the solution?

    In terms of scalability, I only tried it on small applications, so I don't know, but it seems very quick. We have plans to increase usage and to also support APIs and not just the applications. All applications that will be exposed to the internet are scanned. The ones that are used internally, in the organization, are not scanned at this point in time.

    How are customer service and technical support?

    I never had to reach out to their technical support. The internet forums are great. There's so much open information on the internet so you don't really need much else. 

    Which solution did I use previously and why did I switch?

    We tried PortSwigger Burp suite, but only briefly. We have also used IBM AppScan for a while.

    How was the initial setup?

    The initial setup was straightforward. We didn't have to do much. There was an easy to follow guide online and there was not much to do other than to follow a straightforward tutorial. Deployment took around an hour. 

    What about the implementation team?

    I implemented it myself. 

    What's my experience with pricing, setup cost, and licensing?

    It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use.

    Which other solutions did I evaluate?

    We ran IBM Appscan for a year, but it was expensive and did not deliver more value. Veracode was pretty much the same and cost the same. We then also looked at PortSwigger Burp Suite Pro, which is at a better price point and a very good expert tool. Though at this point in time, given our needs, it does not seem to give us any advantage over ZAP. Also, the forums and the internet community is excellent on ZAP and it's free.

    What other advice do I have?

    I would advise someone considering this solution to try and read about it on internet forums and see if it fits your needs.

    I would rate this solution an eight out of ten. It does what it says it will do and it's not hard to set up. It is also easy to use both automatically and manually and has a plug-in into every major build-tool, like Jenkins , Gitlab and others. You can automate it through a building process.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Dittin A - PeerSpot reviewer
    Staff Scientist/Senior Tech. Officer at a tech vendor with 501-1,000 employees
    Real User
    It can be used effectively for internal auditing. We use it to detect f/p (false positives).

    What is our primary use case?

    It is a security tool. We use it for application testing. 

    How has it helped my organization?

    It can be used effectively for internal auditing. We use it to detect f/p (false positives). 

    What needs improvement?

    It needs more robust reporting tools that can be in an editable form. 

    For how long have I used the solution?

    Less than one year.

    What do I think about the stability of the solution?

    This is a good, stable product. 

    How is customer service and technical support?

    We have not used technical support. 

    Which other solutions did I evaluate?

    We looked at Arachni and Acunetix.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Security Testing Engineer at a tech services company with 1,001-5,000 employees
    Real User
    The community edition updates services regularly. They add new vulnerabilities into the scanning list.
    Pros and Cons
    • "The community edition updates services regularly. They add new vulnerabilities into the scanning list."
    • "As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."

    What is our primary use case?

    The use case was we needed to scan our website to find out what vulnerabilities were present.

    We use it to scan the website, then take a report about what vulnerabilities are present on it. Next, we will manually verify those vulnerabilities for false positives.

    How has it helped my organization?

    Every now and then, there is an update. They add new vulnerabilities to the scan list. That is where they just keep on improving.

    What is most valuable?

    The community support that ZAP provides me. As an open source, it provides me flexibility and is convenient to use.

    What needs improvement?

    As security evolves, we would like DevOps built into it. As of now, Zap does not provide this.

    I would like to have more vulnerabilities added to the scan list, because as of now, it covers around 72 to 80. I need more because we need broader coverage.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    Stability is good.

    What do I think about the scalability of the solution?

    We have not scaled yet. Though, we should be able to scale.

    How is customer service and technical support?

    I have not used any support for this solution yet.

    How was the initial setup?

    The initial setup is straightforward, because we can integrate it directly into the SDLC.

    What other advice do I have?

    The community edition updates services regularly. They add new vulnerabilities into the scanning list.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user860865 - PeerSpot reviewer
    Program Manager at a manufacturing company with 1,001-5,000 employees
    Real User
    The tool's learning curve is smooth and light
    Pros and Cons
    • "It scans while you navigate, then you can save the requests performed and work with them later."
    • "I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word ​list, or manually created."

    What is our primary use case?

    OWASP ZAP is a very useful, light tool for beginners to learn how to “spider” across websites. It is easy to configure and generate reports. There are other solutions for more mature, experienced security analysts and testers, who are capable of extending the coverage of a security assessment.

    It is most frequently used to review HTTP methods, how are they constructed and if there is sensitive information in the traffic, such as how HTTPS certifications work on the website, scanning open ports visible via the web, and trying to modify HTTP methods to add or delete requests.

    I have used OWASP ZAP as part of my portfolio of security tools since 2013.

    How has it helped my organization?

    Using this tool, it helps enhance and speed the process of covering big applications with many functionalities. It scans while you navigate, then you can save the requests performed and work with them later. Also, you can pass these requests to colleagues involved in the same security assessment to increase the monitoring as well as avoid extra work.

    What is most valuable?

    • Interception of proxy traffic
    • Session comparisons
    • Port scanner
    • Fuzzing
    • Brute force
    • Cookie management

    What needs improvement?

    I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created.

    For how long have I used the solution?

    More than five years.

    What do I think about the stability of the solution?

    We have had stability issues a few times. You need to do extra configurations on the tool to make it catch traffic with different browsers. Otherwise, it won’t display any requests.

    What do I think about the scalability of the solution?

    No scalability issues. I found this to be a very flexible tool.

    How are customer service and technical support?

    OWASP ZAP has a forum to help out customers and analysts, as well as an interaction with other experts for a quick process of “Question-Answer”.

    Which solution did I use previously and why did I switch?

    OWASP ZAP is one of the solutions that I use. For simple tasks, I use Fiddler. For other advanced techniques, I use the Burp Suite. I would say OWASP ZAP is a really light, useful tool in the middle of the other two mentioned.

    How was the initial setup?

    Initial setup was pretty straightforward; nothing complex.

    What's my experience with pricing, setup cost, and licensing?

    OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate.

    Which other solutions did I evaluate?

    As mentioned, BURP Suite and Fiddler are two other great options. OWASP ZAP excels for what it does and for how smooth and light the tool’s learning curve can be.

    What other advice do I have?

    This is a very mature tool. It is capable of facilitating the work of many security experts. I highly recommend it for beginners and advanced users when some other tools fail to catch traffic.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Anish Mishra - PeerSpot reviewer
    Team Lead at a tech services company with 51-200 employees
    Real User
    Fuzzer and Java APIs help customize the solution for our security testing requirements
    Pros and Cons
    • "Fuzzer and Java APIs help a lot with our custom needs."
    • "It would be nice to have a solid SQL injection engine built into Zap."

    What is our primary use case?

    Security/penetration testing of a Java-based Web application which is served over a SaaS platform.

    Zap has been integrated as one of the important tools in our QA cycle. All beta releases of our software go through Zap scanning. Custom reports are generated - they are pretty decent and standardized - and are submitted to upper management for auditing by a third-party.

    How has it helped my organization?

    We save a significant amount of money on third-party security auditing time.

    We are also able to minimize most of the security threats for our software prior to releases, thus saving a lot of time on security fixes and post-release path builds.

    What is most valuable?

    Fuzzer and Java APIs help a lot with our custom needs.

    What needs improvement?

    It would be nice to have a solid SQL injection engine built into Zap.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    No stability issues for us, so far.

    What do I think about the scalability of the solution?

    No major problems in terms of the scalability of the software.

    How is customer service and technical support?

    Community support and documentation are good.

    How was the initial setup?

    Setup of Zap is relative easy and straightforward for any technical person, with good documentation to configure it according to your needs.

    What's my experience with pricing, setup cost, and licensing?

    As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out.

    Which other solutions did I evaluate?

    We evaluated several other packages prior to OWASP Zap, such as Burp Suite and Acunetix. We finally moved to Zap as it is open-source and provides almost all the features and the customization that we need.

    What other advice do I have?

    I would rate it an eight out of 10, based on the usability and variety of features provided. It is highly customizable in terms of usability and reporting, and all of this is available in a free solution.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Real User
    It makes work easier and creates faster security testing

    What is our primary use case?

    I tested this application for a bank and public projects. Now, I am testing products.

    How has it helped my organization?

    It has improved my organization with faster security tests.

    What is most valuable?

    • Automatic scanner: It makes work easier. 
    • I like the new solution, ZAP Browser Launch. 
    • Automation script

    What needs improvement?

    The port scanner and Zap could not send a request several times, but this has been corrected.

    What other advice do I have?

    It is a very good product. Though, the port scanner is a little too slow.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user719781 - PeerSpot reviewer
    User at a retailer with 1,001-5,000 employees
    Vendor
    Finds Vulnerabilities And Gives The Latest Attacks And How To Protect Against Them
    Pros and Cons
    • "The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
    • "It doesn't run on absolutely every operating system."

    What is most valuable?

    The vulnerabilities that it finds, because the primary goal is to secure applications and websites.

    How has it helped my organization?

    When I checked the CVE and MITRE databases, that gives the latest attacks that are out there for a particular software, hardware and how to protect against it.

    What needs improvement?

    It's possibly just a limitation of the product itself but sometimes it won't scan a particular website so you have to manually go in and make some configuration changes.

    Also, it needs to have more feeds such as from the Darknet, RSS or intelligence like US-CERT, or some of those like NISTs or other standing bodies because right now it's got some CVEs in there but there's more to it than just that. So if it could tie into those, somehow, so you could do some research, like a "research tab" under tools and some one-click access to those forums and feeds.

    In addition, it doesn't run on absolutely every operating system.

    For how long have I used the solution?

    Five years.

    What do I think about the stability of the solution?

    As far as stability goes, perhaps if you're running it in a Kali Linux virtual machine, sometimes it doesn't close out right away so I don't know if it takes too much time to flush that RAM out. It won't crash but it will lag. On Windows, it'll just close right away.


    What do I think about the scalability of the solution?

    Not at this point. Normally I just play with it on Windows but lately I've been using it on Kali.

    How are customer service and technical support?

    I haven't used it. If I have a question I'll just Google it.

    Also, if you go into a forum, while that's kind of like calling a human, you're really not. It's a very well developed and very mature forum with a lot of people from different organizations all over the world, so it's top notch.

    Which solution did I use previously and why did I switch?

    I use a lot of different tools, the right tool for the job. Burp Suite, IBM Security AppScan, InMap, NIKTO, Wpscan. Depending on what you find, you might have to use better tools so OWASP Zap. I don't know if it's copyright infringement or not, given that it's open source, but it's possible they could build someone else's tools into the GUI of OWASP Zap. As the months and years go by, you'll probably see more features in there.

    I'd have to say Burp Suite Pro, which is the licensed, paid-for version, is better but that's just because it's got more funding.

    How was the initial setup?

    If you're talking about Kali, which is the Linux Pentesting operating system, it comes built in. The only thing you have to do is update it from time to time and you can automate that with like a cron or a script. With Windows you have to download it manually, install it manually and check for updates.

    Which other solutions did I evaluate?

    Burp Suite. It's part of the pool in terms of the tools that do the job, whether they're free or commercially based. So Burp Suite and Nikto, and WPScan, that's for WordPress. They're all website security checkers per se, but they're not all created equal, some are specialized for certain things.

    What other advice do I have?

    If you're a company and you've got your own websites, internally and externally, it's great. It's a great free, open source tool to get your security staff and even your web developers to use it. If you already have a mature SDLC framework in place or web development, then maybe you should get even maybe more serious and buy the Burp Suite Professional license or other tools out there like Acunetix.

    But overall I think it's a great product. It finds, I'd say, 90% if not more of the things that it needs to and helps you remediate any security findings.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user707190 - PeerSpot reviewer
    Technologist at a tech services company
    Consultant
    API Is Exceptional. Documentation needs some love
    Pros and Cons
    • "The API is exceptional."
    • "The documentation is lacking and out-of-date, it really needs more love."

    What is most valuable?

    The API is exceptional.

    How has it helped my organization?

    I can provide examples of how OWASP Zed Attack Proxy (ZAP) has been used inside many of my customer's environments. I've set up Security Regression testing using the ZAP API and written about how this is done in my first book.

    I've also spoken and run many pieces of training on setting up Security Regression testing with the ZAP API.

    What needs improvement?

    The documentation is lacking and out-of-date, it really needs more love. This is a common scenario with developers running many open-source projects. The community is trying to help with this. I've done my part with providing details on how to use the ZAP API for Security Regression testing. I think ZAP is now sponsored by the Linux Foundation.

    For how long have I used the solution?

    I have used this solution for around six to seven years.

    What do I think about the stability of the solution?

    There were no stability issues, it has been in production-ready for a long time.

    What do I think about the scalability of the solution?

    There were no scalability issues, ZAP is a very fully featured HTTP intercepting proxy with many types of attacks targeting a plethora of known vulnerabilities. The OWASP Top 10 receives good coverage with ZAP. The REST API scales as far as you have resources. ZAP also has a docker image.

    How are customer service and technical support?

    Technical support is excellent. The maintainers have gone well beyond what would be expected of any open-source project maintainers. They have personally worked with my customer projects to help on some of the issues we had with some legacy HTTP applications that had communications that were difficult to reason about. ZAP was not at fault at all, but the maintainers were very passionate about making sure I got the security regression system working well.

    Which solution did I use previously and why did I switch?

    I've used many HTTP intercepting proxies, ZAP is one of the few that has an excellent API to program against. Using ZAP manually is also very fully featured.

    How was the initial setup?

    Using the API was initially difficult to set-up, not because the API was difficult, but working out the incantations that needed to be sent. You can see these in my code.

    What's my experience with pricing, setup cost, and licensing?

    It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy.

    Which other solutions did I evaluate?

    I've been evaluating all the well-known HTTP intercepting proxies for years, as I have mentioned earlier, ZAP is the only one that has a fully featured REST API. It also has API clients written in many languages.

    What other advice do I have?

    Don't re-implement it, just use it.

    It's an excellent solution, i.e., driven by committed and passionate security focussed developers.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Saraswathi B - PeerSpot reviewer
    Test Automation Project Lead at a tech services company with 1,001-5,000 employees
    Consultant
    A useful tool for security testing and penetrations testers.
    Pros and Cons
    • "Simple and easy to learn and master."
    • "Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."

    What is most valuable?

    • Very good open source security tool supporting the top 10 vulnerabilities (Injections, Session Management, XSS, Authentication, Authorization, etc.).
    • Simple and easy to learn and master.
    • Good online product documentation.
    • Built in features include: Intercepting proxy, Plug and Hack support, Automated scanning, Passing scan, Fuzzer, Traditional and Ajax Crawling and Web Socket support and so on.
    • Detailed reporting mechanism.
    • The tool has been translated in 25 different languages.
    • Can be executed through GUI, command line and also in Daemon mode with the help of REST API.
    • Very good API support for automating security tests.
    • Supports multiple platforms like Mac, Linux and Windows.
    • It's easy to create add-ons and extensions to scale up the features of the tool.

    How has it helped my organization?

    We have leveraged our existing functional tests for security testing by integrating web driver scripts with the OWASP ZAP tool.

    What needs improvement?

    Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation.

    For how long have I used the solution?

    6 months

    What was my experience with deployment of the solution?

    Did not encounter any issues. It's easy to install and configure.

    What do I think about the stability of the solution?

    So far I am very comfortable and did not find any stability related issues.

    What do I think about the scalability of the solution?

    It is scalable, by creating new extensions and add-ons for the tool. But we faced a couple of challenges initially which were solved with the help of online documentation

    How are customer service and technical support?

    Customer Service:

    4/10

    Technical Support:

    4/10

    Which solution did I use previously and why did I switch?

    No

    How was the initial setup?

    It is very simple to install and configure.

    What about the implementation team?

    We have implemented this with the in-house team support.

    What was our ROI?

    Instead of creating a new framework for security tests, it helped us to leverage (reuse) existing functional test automation framework for security tests. This reduces lot of rework.

    What's my experience with pricing, setup cost, and licensing?

    It is highly recommended as it is an open source tool.

    Which other solutions did I evaluate?

    No, we are happy with the features provided with this tool, but if you want to go with static code analysis for security tests, we need to find a different option here.

    What other advice do I have?

    Very good and useful tool for security testing and penetrations testers.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Saraswathi B - PeerSpot reviewer
    Saraswathi BTest Automation Project Lead at a tech services company with 1,001-5,000 employees
    Consultant

    Note that this tool will not cover 100% of (comprehensive) security testing, But will be beneficial for basic level of security tests along with functional tests.

    Buyer's Guide
    Download our free OWASP Zap Report and get advice and tips from experienced pros sharing their opinions.
    Updated: July 2022
    Buyer's Guide
    Download our free OWASP Zap Report and get advice and tips from experienced pros sharing their opinions.