What is our primary use case?
OWASP ZAP is a very useful, light tool for beginners to learn how to “spider” across websites. It is easy to configure and generate reports. There are other solutions for more mature, experienced security analysts and testers, who are capable of extending the coverage of a security assessment.
It is most frequently used to review HTTP methods, how the requests are constructed, and whether there is sensitive information in the traffic. This includes checking how the HTTPS certificates on the website work, scanning open ports visible via the web, and modifying HTTP methods to add or delete requests.
I have used OWASP ZAP as part of my portfolio of security tools since 2013.
How has it helped my organization?
This tool helps enhance and speed up the process of covering big applications with many functionalities. It scans while you navigate; then you can save the requests performed and work with them later. You can also pass these requests to colleagues involved in the same security assessment, to increase the monitoring as well as avoid extra work.
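To make the two points above concrete (reviewing captured traffic for sensitive information, then saving the requests so a colleague can pick up the review later), here is a small added example in Python. It is not OWASP ZAP code and does not use the ZAP API; it reproduces, in miniature, the kind of passive checks an intercepting proxy raises while you browse. The captured exchanges, the header names it looks for, and the severity labels are all constructed assumptions for the example.

```python
"""Passive review of captured HTTP traffic, in the spirit of what an
intercepting proxy flags while you navigate a site.

Added example, not part of OWASP ZAP or its API.  Every exchange below is
constructed sample data, and the check list is this example's own."""
import json
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never travel in a URL query string (they end up
# in proxy logs, browser history, caches and Referer headers).  Assumed list.
SENSITIVE_PARAMS = {"password", "passwd", "token", "api_key", "secret", "session"}
# Request headers that carry credentials or session material.  Assumed list.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}


def _lower(headers):
    """Normalise header names so look-ups are case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def check_exchange(ex):
    """Return a list of (severity, description) findings for one request/response pair."""
    findings = []
    url = urlsplit(ex["url"])
    req = _lower(ex.get("request_headers", {}))
    resp = _lower(ex.get("response_headers", {}))
    plain = url.scheme == "http"

    # 1. credentials or session material sent over cleartext HTTP
    if plain:
        for name in sorted(CREDENTIAL_HEADERS & req.keys()):
            findings.append(("high", f"{name} header sent over cleartext HTTP"))

    # 2. sensitive-looking parameters in the query string
    for param in parse_qs(url.query):
        if param.lower() in SENSITIVE_PARAMS:
            findings.append(("medium", f"sensitive parameter '{param}' in URL query"))

    # 3. Set-Cookie attributes: Secure on HTTPS, HttpOnly everywhere
    for raw in ex.get("set_cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for key, morsel in jar.items():
            if not plain and not morsel["secure"]:
                findings.append(("medium", f"cookie '{key}' missing Secure flag"))
            if not morsel["httponly"]:
                findings.append(("low", f"cookie '{key}' missing HttpOnly flag"))

    # 4. HTTPS responses should pin the browser to HTTPS with HSTS
    if not plain and "strict-transport-security" not in resp:
        findings.append(("low", "HTTPS response without Strict-Transport-Security"))
    return findings


def review_traffic(exchanges):
    """Map each captured URL to its findings, leaving out clean exchanges."""
    report = {}
    for ex in exchanges:
        found = check_exchange(ex)
        if found:
            report[ex["url"]] = found
    return report


def save_session(exchanges, path):
    """Persist the captured exchanges so a colleague can resume the review later."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(exchanges, fh, indent=2)


def load_session(path):
    """Load exchanges saved by save_session()."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed captures; "set_cookie" holds each Set-Cookie header as its own string.
SAMPLE_TRAFFIC = [
    {"method": "GET", "url": "http://shop.example/login?user=bob&password=hunter2",
     "request_headers": {"Cookie": "sid=abc123"},
     "response_headers": {"Content-Type": "text/html"},
     "set_cookie": ["sid=abc123; Path=/"]},
    {"method": "POST", "url": "https://shop.example/api/order",
     "request_headers": {"Authorization": "Bearer <placeholder-token>",
                         "Content-Type": "application/json"},
     "response_headers": {"Content-Type": "application/json",
                          "Strict-Transport-Security": "max-age=31536000"},
     "set_cookie": ["csrf=xyz; Path=/; Secure; HttpOnly"]},
]

if __name__ == "__main__":
    for url, findings in review_traffic(SAMPLE_TRAFFIC).items():
        print(url)
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

Run as a script, the first constructed capture produces three findings (a session cookie over cleartext HTTP, a password in the query string, and a cookie without HttpOnly) while the HTTPS capture is clean; `save_session` and `load_session` are the hand-off step, writing the captures as JSON that another analyst can load and review with the same checks.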
What is most valuable?
- Interception of proxy traffic
- Session comparisons
- Port scanner
- Brute force
- Cookie management
What needs improvement?
I would like to see a version of “repeater” within OWASP ZAP: a tool capable of sending from one to 1000 copies of the same request, but with preselected modified fields, changed from a predetermined word list or created manually.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
We have had stability issues a few times. You need to do extra configuration on the tool to make it catch traffic with different browsers. Otherwise, it won’t display any requests.
What do I think about the scalability of the solution?
No scalability issues. I found this to be a very flexible tool.
How are customer service and technical support?
OWASP ZAP has a forum to help out customers and analysts, as well as interaction with other experts for a quick question-and-answer process.
Which solution did I use previously and why did I switch?
OWASP ZAP is one of the solutions that I use. For simple tasks, I use Fiddler. For other advanced techniques, I use Burp Suite. I would say OWASP ZAP is a really light, useful tool in the middle of the other two mentioned.
How was the initial setup?
Initial setup was pretty straightforward; nothing complex.
What's my experience with pricing, setup cost, and licensing?
OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate.
Which other solutions did I evaluate?
As mentioned, Burp Suite and Fiddler are two other great options. OWASP ZAP excels for what it does and for how smooth and light the tool’s learning curve can be.
What other advice do I have?
This is a very mature tool. It is capable of facilitating the work of many security experts. I highly recommend it for beginners and advanced users when some other tools fail to catch traffic.