We just raised a $30M Series A: Read our story

OWASP Zap OverviewUNIXBusinessApplication

OWASP Zap is the #6 ranked solution in our list of AST tools. It is most often compared to PortSwigger Burp Suite Professional: OWASP Zap vs PortSwigger Burp Suite Professional

What is OWASP Zap?

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

OWASP Zap Buyer's Guide

Download the OWASP Zap Buyer's Guide including reviews and more. Updated: October 2021

OWASP Zap Video

Pricing Advice

What users are saying about OWASP Zap pricing:
  • "This is an open-source solution and can be used free of charge."

OWASP Zap Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Balaji Senthiappan
Assistant Vice President at Hexaware Technologies Limited
Real User
Top 20
Great at reporting vulnerabilities, helps with security, and reveals development threats well

Pros and Cons

  • "The solution is good at reporting the vulnerabilities of the application."
  • "It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."

What is our primary use case?

Currently, we build our products for the banking industry and use this solution in that process.

From a development cycle, we update the SQL injections that basically shows what a developer may have to address. Then, if there is still a problem, we're concerned at the architect level. That's at least initially reported by the customers when they do another round of review after we deliver our code. 

What is most valuable?

The solution is good at reporting the vulnerabilities of the application. 

It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.

What needs improvement?

I can't recall any features that are lacking. In my role as a service provider, I only go up to standards defined by somebody else. So far, this solution has met their standards.

So far I've not come across a scenario where we had to do anything that's a major rework due to the fact that we didn't catch something soon enough in the queries that we are using.

It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.

Right now, I can't give it off to a team and expect them to give me a report that I'm happy with. I will give it to a team and they will have to have another person sit with them to make sure they have configured it right. Some kind of pre-designed templates, pre-designed guidelines, or patterns to compliment the tool would go a long way in helping us use the solution.

For how long have I used the solution?

I've been using the solution for five or six years at this point.

What do I think about the stability of the solution?

From the perspective of the development cycle that we use, we find it stable enough. I don't use it in production or I don't have to update sites running all the time. Once a week when I will build a VM pack, I push into another environment, and that's probably the time I would make it. For me, I find it to be stable enough.

How are customer service and technical support?

I haven't really used technical support. Therefore, I can't really speak to their level of responsiveness or knowledgeability.

Which solution did I use previously and why did I switch?

I'm not a security specialist, however, to be clear, we provide services. On a development project, we frequently run into various solutions. It's not just OWASP. It could be Veracode, for example, or multiple other tools. 

How was the initial setup?

The initial setup is not necessarily straightforward. Most are complex. You need a senior person to specialize, understand the set up in which they are running, and understand the tools they are going to use. You need to ask: do they know what to look for and support? I wouldn't say it's complex to use. That said, normally the resources are costly.

What's my experience with pricing, setup cost, and licensing?

In security, you'd expect the product is priced at a premium, so people don't check the pricing for the most part. In my case, I don't buy the product myself. I have the customers buy it for me. I'm not very worried about the price as a consultant.

What other advice do I have?

We are an IT service provider, which means that we use a variety of tools based on what our customer preferences are. 

There's all, at most, I would say, about 20 companies that we would have the funds to use the solution with. OWASP is definitely in the top three as a tool that we would probably recommend to our team, as a frequent users' tool, however, I don't believe we have any kind of a formal relationship with the company. 

Multiple teams use it. I have not heard of anybody complaining about anything to do with this particular solution. I would say it's pretty good. I would give it a rating of eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Alan Gallagher
CEO at Virtual Security International
Real User
Top 20
Open-source, easy to install, feature-rich, with good heads-up display and community resources

Pros and Cons

  • "It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
  • "The forced browse has been incorporated into the program and it is resource-intensive."

What is our primary use case?

I use this solution for penetration tests.

What is most valuable?

It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).

It comes up in your browser and you have control of the program while you are on the website, in your browser. Everything that you can do in the program, you can do from your browser on the fly. It is similar to a targeted attack. You can see what you are doing.

It's a Java program installed on your computer.

What needs improvement?

The forced browse has been incorporated into the program and it is resource-intensive.

It was a copied program named DIR Buster Doorbuster. It needs to be improved, it's too resource-hungry.

I found another program that is written in the Go language and it does the same thing, but it is much faster and more efficient. It will crash those proxy programs within Zap if you do more than one, it will take forever.

It needs to be rewritten, maybe not in Java.

For how long have I used the solution?

I have used OWASP quite a bit. I have dealt with this solution for quite a few years. My usage has not been constant, but it has been quite a while.

We are dealing with the most recent version.

What do I think about the stability of the solution?

It creates a database of all the URLs and it can get a little overwhelming. 

With a large website, you have a lot of URLs, it gets a bit sluggish when loading and saving it, but it really works quite well. It goes in and out of it and goes too slow. It takes a little while to save all of that data.

What do I think about the scalability of the solution?

It's a scalable product but its' slow.

How are customer service and technical support?

I have not contacted technical support.

It has a very good forum on the website. The users help each other. It's helpful and resourceful.

Which solution did I use previously and why did I switch?

I have used several solutions, such as Nessus, WebInspect, and Retina. The retina is a network scanner but OWASP is the best.

How was the initial setup?

It's quick to set up. You can install it in different ways. I run it on Linux, Debian and I have run it on Windows as well.

What's my experience with pricing, setup cost, and licensing?

OWASP Zap is free.

Which other solutions did I evaluate?

I was making a comparison between OWASP and Acunetix to see what the differences were.

What other advice do I have?

I used to work with Homeland security back 10, 15 years ago, in the national cybersecurity division starting up right after 9/11.

I was on that national cybersecurity team. One of the things they looked into was funding using government money to fund some of these security operations or projects. They decided, and I helped decide, that it would be right for the government to support open-source systems or products because they're not making money out of that market.

One of the people in the government got involved and helped to get it started. I don't know if they still have a list on their website of donors or contributors, but you can look on that list pretty easily and see if Homeland security is still supporting them.

I assume it is because it's really well run. It's constantly evolving new versions coming out with new features. It's very well managed and the lead person on it is very sharp. You can go on YouTube and search for a proxy and you will see some deep-dive tutorials. He did a really good job.

There is a lot to this solution. You can use it superficially, but you need to spend a lot of time learning it. It has a lot of options and a lot of angles.

I would rate OWASP Zap a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: October 2021.
542,608 professionals have used our research since 2012.
PiyushSharma
Technical Specialist(DevOps) at a tech services company with 1,001-5,000 employees
Real User
Top 20
Provides good automatic scanning and privacy; reporting could be improved

Pros and Cons

  • "Automatic scanning is a valuable feature and very easy to use."
  • "Reporting format has no output, is cluttered and very long."

What is our primary use case?

We are using this product at a very basic level to scan reports and then share them with the Dev team for any vulnerabilities. We use the open source version and we are end users. 

How has it helped my organization?

The solution has improved company functioning to a certain extent, but it takes a lot of time coordinating with the Dev team because we are using the open source version and not the enterprise version. It's not an awesome solution but we do get the reports we need and there is a good amount of documentation and support. 

What is most valuable?

The automatic scanning is a valuable feature and very easy. The major advantage to this solution is the privacy it offers. We are able to achieve our objectives to some extent, but only for non-business critical applications.

What needs improvement?

The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.

For how long have I used the solution?

I've been using this solution for about one year. 

What do I think about the stability of the solution?

The product is not that stable and sometimes I have to re-install it and contact the internal IT team. I don't have the admin rights on the laptop. Some features can break down, for example, the browser on the scanning might not open. Slowly our team will be moving towards more critical projects coming from the U.S., Japan and India, so we are definitely planning to upscale. In the next financial year, we're planning to upscale and make it more rigorous.

How are customer service and technical support?

We are using the open source version so we have no technical support for now.

How was the initial setup?

The installation is very simple. It's just an executable file because for now, we are not using it as a part of CACD or anything else. We have just installed the open source version on the laptop which has simplified things; our toolbox opens up and we just give the URL and it does an automatic scan. So information wise and operational wise, it is easy now. Our team carried out the deployment by first reading, watching videos and taking various courses. We had help from the company security team.

Which other solutions did I evaluate?

I carried out an evaluation between Checkmarx and OWASP Zap.

What other advice do I have?

If you are working in a very big gaming company and you have the budget, then I'd suggest switching to the enterprise version because the open source version takes time to resolve the regulations and there are sometimes false positives. It takes a lot of effort to figure out how to resolve the vulnerability and then search the same thing in the code. If you're not from the development team, then a lot of coordination is required. Without any support, we are in a black hole sometimes. Some attacks can be very dangerous for the company and for the application. They create delays and I've had to learn how to deal with that. 

I rate this solution a six out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
RT
Subdirector de Seguridad Informática e Infraestructura at a financial services firm with 201-500 employees
Real User
Top 20
Open-source and easy to use with a straightforward setup

Pros and Cons

  • "The stability of the solution is very good."
  • "It would be a great improvement if they could include a marketplace to add extra features to the tool."

What is our primary use case?

Currently, we deploy these tools to serve in a few of our services in the organization.

What is most valuable?

The solution is very easy to use.

The initial setup is straightforward.

The solution is free due to the fact that it is open-source.

The stability of the solution is very good.

The product has a strong community surrounding it to help with issues and troubleshooting.

What needs improvement?

The technical support could be improved. It doesn't offer traditional technical support at all.

It would be a great improvement if they could include a marketplace to add extra features to the tool. It would make it more customizable and allow users to add more features as they like.

For how long have I used the solution?

I've been using the solution for a while. I've used it at least over the last 12 months.

What do I think about the stability of the solution?

The stability of the solution s very good. We've never had any issues. It's been reliable. There are no bugs or glitches. It doesn't crash or freeze.

What do I think about the scalability of the solution?

While the solution can scale to a certain extent, it cannot scale a lot. This is not one of the strengths of the product.

We only have one user that is engaged with the solution currently.

How are customer service and technical support?

OWASP is an open-source solution. There's a big community surrounding it, however, it does not have traditional technical support. The main support comes from the community itself. If you have questions, you can find them there, or ask the community for feedback.

Which solution did I use previously and why did I switch?

We previously used the PortSwigger Burp Suite. It's a commercial version with support. We had to pay for the solution on a yearly basis, whereas OWASP is open-source and free.

How was the initial setup?

We found the initial setup to be very straightforward. It's easy. It's not complex. A company shouldn't have any issues with the implementation process.

The deployment only took half an hour. It wasn't more than that. The process is pretty fast.

YOu do not need a big team to handle the deployment process. We only used two.

What about the implementation team?

We deployed the solution ourselves using an in-house team. We didn't need the assistance of consultants or integrators from outside firms.

What's my experience with pricing, setup cost, and licensing?

The solution is open-source. It doesn't cost anything to use it.

What other advice do I have?

We are a customer and end-user of the product.

There's lots of information online for users who are curious to learn more about the product.

In general, I would rate this solution at an eight out of ten. We've been largely satisfied with the product overall.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Eldar Aydayev
President & Owner at Aydayev's Investment Business Group
Real User
Top 10Leaderboard
Provides visibility of queries, but security and the ability to search the internet for other use cases could be better

Pros and Cons

  • "The solution is scalable."
  • "The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."

What is our primary use case?

The solution has certain models. It allows the creation of a pipeline in respect of the interface or of certain content. It enables one to check that the security is as it should be. 

What is most valuable?

The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined. This way, a person can have a list of the types of queries and can trace them. 

What needs improvement?

The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed. 

For how long have I used the solution?

We have been using OWASP Zap for more than four years. 

What do I think about the stability of the solution?

The computers perform somewhat slowly when loading a large number of queries into memory. As such, I don't know if it will be possible to use cache on the disk, which would greatly increase performance. 

What do I think about the scalability of the solution?

The solution is scalable. It can be run simultaneously for different targets. 

How are customer service and technical support?

I have not had experience with using technical support. I make use of a public community on the public website.

How was the initial setup?

The initial setup is a bit complex, not straightforward. It could be made easy if, lets say, a project can be defined for a certain task through the project's creation. This may simplify its use. 

Which other solutions did I evaluate?

Zap is a very good startup. There is an alternate solution that is a bit more expensive and requires more technical knowledge than OWASP Zap, although both have a model based configuration. The interface allows one to run predefined templates, something OWASP Zap has in common with the other solution. The automation capabilities are similar, as well. 

What other advice do I have?

I used the source code design for the deployment.

I have not had experience with the code crawler, OSWAP Zap code analysis. The solution I was using is run by a search engine. My clients utilize OWASP Zap AST. They do not make use of the code crawler. 

I rate OWASP Zap as a six out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Jaromir Tesar
Embedded Software Engineer at Y Soft
Real User
Top 20
Automatic updates of our database are valuable; deployment is complicated

Pros and Cons

  • "Automatic updates and pull request analysis."
  • "Deployment is somewhat complicated."

What is our primary use case?

Our primary use case is for scanning. We have Bamboo, Nexus and Artifactory and we are able to make snapshots. When we get a pull request we're able to make another snapshot and we compare the two snapshots together and can see what is new in the pull request. We can see which libraries are there and that enables us to see the vulnerabilities. I'm an embedded software engineer.

What is most valuable?

I would say that the automatic update is a very valuable feature because we are able to update our internal data base. The pull request analysis is also very good.

What needs improvement?

The product is somewhat complicated and could be improved by simplifying it because you don't want to have to allocate one person to maintain the solution full time. We'd like to be able to deploy it and have it work. Ideally we'd like to be able to get a pull request analysis and the analysis of repositories. 

I think they could definitely work on a more simplified deployment. That would improve the product. The issues are not necessarily related to the solution but possibly connected to how it was initially set up. 

For how long have I used the solution?

We've been using this solution for three or four years. 

What do I think about the stability of the solution?

Regarding stability, we have some issues in our product and we need to work on it. Something is wrong in the architecture, perhaps it's a bug. 

How was the initial setup?

The initial setup was done before I came to the company. There are five people on our security team who discuss maintenance issues and try to solve problems. 

What other advice do I have?

I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance.

I would rate this solution a six out of 10 in our environment. I don't think deployment was done very well in our company and that has affected the quality of the product. Perhaps if things had been done differently I would rate it an eight out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
RK
Business Analyst at Experion Technologies
Real User
Good user interface and easy to use; test reports could be improved

Pros and Cons

  • "Simple to use, good user interface."
  • "Too many false positives; test reports could be improved."

What is our primary use case?

I'm a business analyst and we're a customer of OWASP Zap. 

What is most valuable?

The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.

What needs improvement?

I'd like to be able to explore more and improvements could be made in that area because for now I'm only able to explore the manual testing feature. I'd also like to see an improvement in test reports because we get too many false positives. 

For how long have I used the solution?

I've been using this solution for the past few months. 

What do I think about the stability of the solution?

The stability is okay although we get many false positives when pulling out test reports. 

What do I think about the scalability of the solution?

The scalability is very good. 

How are customer service and technical support?

I haven't needed technical support to date and I haven't yet started using the community support.  

How was the initial setup?

The initial setup wasn't very complex. You're supposed to install a JDK, Java file. I think implementation took about an hour. There are seven people in the company using the solution and maybe in the coming days there will be more. 

What other advice do I have?

I would definitely recommend this product provided the company can provide more clarity on the false positives that we get. 

I would rate this solution a seven out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
EI
Information Security Professional at a energy/utilities company with 1,001-5,000 employees
Real User
Top 20
Easy-to-use interface, but the documentation needs to be improved

What is our primary use case?

We primarily use this product for web application scanning.

What is most valuable?

The interface is easy to use.

What needs improvement?

The documentation needs to be improved because I had to learn everything from watching YouTube videos.

For how long have I used the solution?

I have been working with OWASP Zap for about three months.

What do I think about the stability of the solution?

I have not experienced any trouble in terms of stability.

What do I think about the scalability of the solution?

Scalability has not been an issue, so far. There are four of us in the company that can log in to use it.

How are customer service and technical support?

I have not been in contact with technical support.

How was the initial setup?

The…

What is our primary use case?

We primarily use this product for web application scanning.

What is most valuable?

The interface is easy to use.

What needs improvement?

The documentation needs to be improved because I had to learn everything from watching YouTube videos.

For how long have I used the solution?

I have been working with OWASP Zap for about three months.

What do I think about the stability of the solution?

I have not experienced any trouble in terms of stability.

What do I think about the scalability of the solution?

Scalability has not been an issue, so far. There are four of us in the company that can log in to use it.

How are customer service and technical support?

I have not been in contact with technical support.

How was the initial setup?

The initial setup was straightforward. For me, I just had to press "Next" several times. Between the installation, downloading videos, and investigating how to deploy it, I would say that the process took roughly a day.

What about the implementation team?

I did not require third-party assistance for the deployment.

What was our ROI?

This solution is providing us with value and as long as it continues to do so, we'll continue to use it.

What's my experience with pricing, setup cost, and licensing?

This is an open-source solution and can be used free of charge.

What other advice do I have?

This is a good product where most of the functionality is free, which is why I recommend that others use it.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.