OWASP Zap Overview

OWASP Zap is the #6 ranked solution in our list of AST tools. It is most often compared to PortSwigger Burp.

What is OWASP Zap?

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

OWASP Zap Buyer's Guide

Download the OWASP Zap Buyer's Guide including reviews and more. Updated: January 2021

Pricing Advice

What users are saying about OWASP Zap pricing:
  • "OWASP Zap is free to use."
  • "It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use."
  • "This app is completely free and open source. So there is no question about any pricing."
  • "This is an open-source solution and can be used free of charge."

OWASP Zap Reviews

Vijayanathan Naganathan
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Real User
Top 5 Leaderboard
Jun 21, 2019
Inexpensive licensing, free to use, and has good community support

What is our primary use case?

I focus on software application security. In most of the scenarios that we come across, the customers want complete assurance on the security of their platforms/products/applications. Clients reach out to us for our abilities to unearth security issues. I get to use these tools to assess products/platforms before they go live to the market.

Pros and Cons

  • "The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
  • "There's very little documentation that comes with OWASP Zap."

What other advice do I have?

When people are trying to make use of OWASP Zap, I would advise them to first read through and understand the OWASP vulnerabilities very well. Then start looking at the features and tutorials of the OWASP ZAP Proxy that are made available online. There are a lot of YouTube videos and articles on the internet that talk about how to use the tools. These are quite easy to understand. Do a small POC. Pick an application which already has vulnerabilities and assess it with the ZAP Proxy tool. In terms of the ZAP Proxy tool's ease of use, I would rate it nine out of ten.
Balaji Senthiappan
Assistant Vice President at Hexaware Technologies Limited
Real User
Top 20
Nov 12, 2020
Great at reporting vulnerabilities, helps with security, and reveals development threats well

What is our primary use case?

Currently, we build our products for the banking industry and use this solution in that process. From a development cycle, we update the SQL injections, which basically show what a developer may have to address. Then, if there is still a problem, we're concerned at the architect level. That's at least initially reported by the customers when they do another round of review after we deliver our code.

Pros and Cons

  • "The solution is good at reporting the vulnerabilities of the application."
  • "It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."

What other advice do I have?

We are an IT service provider, which means that we use a variety of tools based on what our customer preferences are. There are, at most, I would say, about 20 companies that we would have the funds to use the solution with. OWASP is definitely in the top three as a tool that we would probably recommend to our team as a frequent users' tool; however, I don't believe we have any kind of a formal relationship with the company. Multiple teams use it. I have not heard of anybody complaining about anything to do with this particular solution. I would say it's pretty good. I would give it a…
Vidar Folden
Consultant at Moller
Consultant
Top 20
Feb 8, 2019
Has made us feel safer doing frequent deployments for web applications and has a plug-in into every major system

What is our primary use case?

Our primary use case of this solution is to scan and check that the applications we put on the internet are safe and secure.

Pros and Cons

  • "This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
  • "If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."

What other advice do I have?

I would advise someone considering this solution to try and read about it on internet forums and see if it fits your needs. I would rate this solution an eight out of ten. It does what it says it will do and it's not hard to set up. It is also easy to use both automatically and manually and has a plug-in into every major build tool, like Jenkins, GitLab and others. You can automate it through a build process.
Jaromir Tesar
Embedded Software Engineer at Y Soft
Real User
Top 5
May 6, 2020
Automatic updates of our database are valuable; deployment is complicated

What is our primary use case?

Our primary use case is for scanning. We have Bamboo, Nexus and Artifactory and we are able to make snapshots. When we get a pull request we're able to make another snapshot and we compare the two snapshots together and can see what is new in the pull request. We can see which libraries are there and that enables us to see the vulnerabilities. I'm an embedded software engineer.

Pros and Cons

  • "Automatic updates and pull request analysis."
  • "Deployment is somewhat complicated."

What other advice do I have?

I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance. I would rate this solution a six out of 10 in our environment. I don't think deployment was done very well in our company and that has affected the quality of the product. Perhaps if things had been done differently I would rate it an eight out of 10.
Vinod_Gupta
CEO and Founder at Indicrypt Systems
Real User
Top 20
Jul 14, 2019
Offers good web application spidering and vulnerability assessment

What is our primary use case?

We primarily use this application for web application spidering and vulnerability assessment.

Pros and Cons

    • "The automated vulnerability assessments that the application performs needs to be simplified as well as diversified."

    What other advice do I have?

    I would recommend that you should go through the documentation really well. That's it. I would rate this product 8 out of 10.
    RajKumar3
    Business Analyst at Experion Technologies
    Real User
    Jul 7, 2020
    Good user interface and easy to use; test reports could be improved

    What is our primary use case?

    I'm a business analyst and we're a customer of OWASP Zap.

    Pros and Cons

    • "Simple to use, good user interface."
    • "Too many false positives; test reports could be improved."

    What other advice do I have?

    I would definitely recommend this product provided the company can provide more clarity on the false positives that we get. I would rate this solution a seven out of 10.
    reviewer1384869
    Information Security Professional at a energy/utilities company with 1,001-5,000 employees
    Real User
    Jul 17, 2020
    Easy-to-use interface, but the documentation needs to be improved

    What is our primary use case?

    We primarily use this product for web application scanning.

    What is most valuable?

    The interface is easy to use.

    What needs improvement?

    The documentation needs to be improved because I had to learn everything from watching YouTube videos.

    For how long have I used the solution?

    I have been working with OWASP Zap for about three months.

    What do I think about the stability of the solution?

    I have not experienced any trouble in terms of stability.

    What do I think about the scalability of the solution?

    Scalability has not been an issue, so far. There are four of us in the company that can log in to use it.

    How are customer service and technical support?

    I have not been in contact with technical support.

    How was the initial setup?

    The…
    Manager677
    Senior Manager at a marketing services firm with 10,001+ employees
    Real User
    Jul 14, 2019
    Reporting gives you a clear indication of what kind of vulnerability you have that you can drill down on but the reporting should assist with base-lining

    Pros and Cons

    • "The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
    • "I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help."

    What other advice do I have?

    I would rate this solution as 7 out of 10, as I am still in the process of exploring. So far I think it's fine, but I think I still need to explore it a bit further and try to do a more comparative analysis.