OWASP Zap Overview

OWASP Zap is the #5 ranked solution in our list of AST tools. It is most often compared to PortSwigger Burp Suite Professional.

What is OWASP Zap?

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

OWASP Zap Buyer's Guide

Download the OWASP Zap Buyer's Guide including reviews and more. Updated: May 2021


Pricing Advice

What users are saying about OWASP Zap pricing:
  • "OWASP Zap is free to use."
  • "This app is completely free and open source. So there is no question about any pricing."

Vijayanathan Naganathan
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Real User
Top 5
Inexpensive licensing, free to use, and has good community support

What is our primary use case?

I focus on software application security. In most of the scenarios that we come across, the customers want complete assurance on security of their platforms/products/applications. Clients reach out to us for our abilities to unearth security issues. I get to use these tools to assess products/platforms before they go live to the market.

Pros and Cons

  • "The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
  • "There's very little documentation that comes with OWASP Zap."

What other advice do I have?

When people are trying to make use of OWASP Zap, I would advise first reading through and understanding the OWASP vulnerabilities very well. Then start looking at the features and tutorials of the OWASP ZAP Proxy that are made available online. There are a lot of YouTube videos and articles on the internet that talk about how to use the tools. These are quite easy to understand. Do a small POC. Pick an application that already has vulnerabilities and assess the application with the ZAP Proxy tool. In terms of the ZAP Proxy tool's ease of use, I would rate it nine out of ten.
Balaji Senthiappan
Assistant Vice President at Hexaware Technologies Limited
Real User
Top 5
Great at reporting vulnerabilities, helps with security, and reveals development threats well

What is our primary use case?

Currently, we build our products for the banking industry and use this solution in that process. From a development cycle, we update the SQL injections that basically show what a developer may have to address. Then, if there is still a problem, we're concerned at the architect level. That's at least initially reported by the customers when they do another round of review after we deliver our code.

Pros and Cons

  • "The solution is good at reporting the vulnerabilities of the application."
  • "It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."

What other advice do I have?

We are an IT service provider, which means that we use a variety of tools based on what our customer preferences are. There are, at most, I would say, about 20 companies that we would have the funds to use the solution with. OWASP is definitely in the top three as a tool that we would probably recommend to our team as a frequent users' tool; however, I don't believe we have any kind of a formal relationship with the company. Multiple teams use it. I have not heard of anybody complaining about anything to do with this particular solution. I would say it's pretty good. I would give it a…
Piyush Sharma
Technical Specialist(DevOps) at a tech services company with 1,001-5,000 employees
Real User
Top 10
Provides good automatic scanning and privacy; reporting could be improved

What is our primary use case?

We are using this product at a very basic level to scan reports and then share them with the Dev team for any vulnerabilities. We use the open source version and we are end users.

Pros and Cons

  • "Automatic scanning is a valuable feature and very easy to use."
  • "Reporting format has no output, is cluttered and very long."

What other advice do I have?

If you are working in a very big gaming company and you have the budget, then I'd suggest switching to the enterprise version because the open source version takes time to resolve the regulations and there are sometimes false positives. It takes a lot of effort to figure out how to resolve the vulnerability and then search the same thing in the code. If you're not from the development team, then a lot of coordination is required. Without any support, we are in a black hole sometimes. Some attacks can be very dangerous for the company and for the application. They create delays and I've had to…
RT
Deputy Director of Information Security and Infrastructure at a financial services firm with 201-500 employees
Real User
Top 10
Open-source and easy to use with a straightforward setup

What is our primary use case?

Currently, we deploy these tools to serve in a few of our services in the organization.

Pros and Cons

  • "The stability of the solution is very good."
  • "It would be a great improvement if they could include a marketplace to add extra features to the tool."

What other advice do I have?

We are a customer and end-user of the product. There's lots of information online for users who are curious to learn more about the product. In general, I would rate this solution at an eight out of ten. We've been largely satisfied with the product overall.
Eldar Aydayev
President & Owner at Aydayev's Investment Business Group
Real User
Provides visibility of queries, but security and the ability to search the internet for other use cases could be better

What is our primary use case?

The solution has certain models. It allows the creation of a pipeline in respect of the interface or of certain content. It enables one to check that the security is as it should be.

Pros and Cons

  • "The solution is scalable."
  • "The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."

What other advice do I have?

I used the source code design for the deployment. I have not had experience with the code crawler, OWASP Zap code analysis. The solution I was using is run by a search engine. My clients utilize OWASP Zap AST. They do not make use of the code crawler. I rate OWASP Zap as a six out of ten.
Jaromir Tesar
Embedded Software Engineer at Y Soft
Real User
Automatic updates of our database are valuable; deployment is complicated

What is our primary use case?

Our primary use case is for scanning. We have Bamboo, Nexus and Artifactory and we are able to make snapshots. When we get a pull request we're able to make another snapshot and we compare the two snapshots together and can see what is new in the pull request. We can see which libraries are there and that enables us to see the vulnerabilities. I'm an embedded software engineer.

Pros and Cons

  • "Automatic updates and pull request analysis."
  • "Deployment is somewhat complicated."

What other advice do I have?

I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance. I would rate this solution a six out of 10 in our environment. I don't think deployment was done very well in our company and that has affected the quality of the product. Perhaps if things had been done differently I would rate it an eight out of 10.
Vinod Gupta
CEO and Founder at Indicrypt Systems
Real User
Offers good web application spidering and vulnerability assessment

What is our primary use case?

We primarily use this application for web application spidering and vulnerability assessment.

Pros and Cons

  • "The automated vulnerability assessments that the application performs needs to be simplified as well as diversified."

What other advice do I have?

I would recommend that you should go through the documentation really well. That's it. I would rate this product 8 out of 10.
RK
Business Analyst at Experion Technologies
Real User
Top 20
Good user interface and easy to use; test reports could be improved

What is our primary use case?

I'm a business analyst and we're a customer of OWASP Zap.

Pros and Cons

  • "Simple to use, good user interface."
  • "Too many false positives; test reports could be improved."

What other advice do I have?

I would definitely recommend this product provided the company can provide more clarity on the false positives that we get. I would rate this solution a seven out of 10.