We performed a comparison between Owasp Zap and Portswigger Burp Suite Professional based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison of Results: Based on the parameters we compared, Owasp Zap seems to be a superior solution. All other things being more or less equal, our reviewers found the full version of Portswigger Burp Suite Professional to be rather expensive to purchase. Additionally, some users of Portswigger Burp Suite Professional are not so impressed by the technical support and documentation that it offers. Finally, one user of Portswigger Burp Suite Professional implied that it would be a better product if it had a HUD like Owasp Zap.
"The product discovers more vulnerabilities compared to other tools."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"We use the solution for security testing."
"It scans while you navigate, then you can save the requests performed and work with them later."
"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
"The scalability of this product is very good."
"It has improved my organization with faster security tests."
"It is useful for scanning and tracing activities."
"Once I capture the proxy, I'm able to transfer across. All the requested information is there. I can send across the request to what we call a repeater, where I get to ready the payload that I send to the application. Put in malicious content and then see if it's responding to it."
"I have found the best features to be the performance and there are a lot of additional plugins available."
"You can download different plugins if you don't have them in the standard edition."
"I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis."
"I personally love its capability to automatically and accurately detect vulnerabilities. So, I would say it is the Burp scanner that is THE most powerful, valuable, and an awesome feature."
"The solution has a limited range of functions, which is good for small companies. This is because, in small companies, websites are less complex. They also have single services which makes the solution good enough for them. However, the most advantageous aspect of the solution is its affordable price."
"We use the solution for vulnerability assessment in respect of the application and the sites."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"The automated vulnerability assessments that the application performs needs to be simplified as well as diversified."
"Sometimes, we get some false positives."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
"The port scanner is a little too slow."
"Lacks resources where users can internally access a learning module from the tool."
"The scanner and crawler need to be improved."
"BurpSuite has some issues regarding authentication with OAT tokens that need to be improved."
"There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual."
"The Iran market does not have after-sales support. PortSwigger Burp Suite Professional needs to provide after-sales support."
"The number of false positives need to be reduced on the solution."
"The reporting needs to be improved; it is very bad."
"As with most automated security tools, too many false positives."
"The biggest drawback is reporting. It's not so good. I can download them, but they're not so informative."
More PortSwigger Burp Suite Professional Pricing and Cost Advice →
OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews while PortSwigger Burp Suite Professional is ranked 5th in Static Application Security Testing (SAST) with 57 reviews. OWASP Zap is rated 7.6, while PortSwigger Burp Suite Professional is rated 8.6. The top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "The solution is versatile and easy to deploy, but it needs to give more detailed security reports". OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, Veracode and Checkmarx One, whereas PortSwigger Burp Suite Professional is most compared with Fortify WebInspect, Acunetix, HCL AppScan, Qualys Web Application Scanning and SonarQube. See our OWASP Zap vs. PortSwigger Burp Suite Professional report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
Yes OWASP ZAP is a good option as it's an open source so always preferred but Burp Suite Pro will give you more options, its one of the best tool to have for pentesters so defo worth it.
First things first both are having their own merits, however in my personal experience ZAP can replace your burpsuite for sure considering the License. Also as the latest ZAP versions are covering more advanced techniques and spidering patterns with lots of options in it, it is worth considering ZAP. However remember that burpsuite from latest versions with inbuilt chromium and it's emerging plugin support (Installable jars) you can use burp to the fullest and you can keep it as a swiss knife for your web and app pentesting. Couple of extensions in burp pro are interesting especially the race condition one. I always prefer using Burp and at instances I go with ZAP.
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with quality security vulnerabilities. Both are very comparable in terms of intercepting features, fuzzing capabilities, and encoder and decoders. Both OWASP Zap and PortSwigger Burp Suite Pro have a spider feature, and provide updates.
One big difference between the two, though, is price. OWASP Zap is free, but Burp Suite Pro requires a paid subscription (currently $399 per year). OWASP Zap is maintained by volunteers whereas Burp Suite Pro is a commercial product maintained and sold by PortSwigger, which makes me feel more confident in it. In addition, OWASP Zap provides little documentation, which may be why some people prefer Burp Suite Pro (which offers extensive documentation). Moreover, Burp Suite Pro includes more coverage than OWASP Zap. But it is also worth noting that OWASP Zap has more false positives than Burp Suite Pro.
I like Burp Suite Pro’s interface a lot more than OWASP Zap’s. Another big plus for me with Burp is its Comparer tab,which allows for easier change detection. OWASP Zap does not include this feature without extensions and a ZAP plugin is required. Another thing about OWASP Zap I dislike is that the ability to search for text in the request or server response is difficult, while Burp Suite Pro makes it easier and more accessible.
Conclusion:
In my opinion, Burp Suite Pro is better than OWASP Zap because of its features, which I feel make it a better choice for security professionals. Both OWASP Zap and Burp Suite Pro have good sets of capabilities. However, Burp Suite Pro excels in the specific capabilities I need in more ways that OWASP Zap does.