
I am new to security testing and I'm confused about two web proxy tools, namely Burp and OWASP ZAP.

Both seem to fulfill the same task, so what exactly are the differences between them?

Nitin Rastogi

2 Answers


It is true that both tools are in the same space. Burp is a commercial closed source tool (which can be extended) developed by a commercial company while ZAP is a free open source tool developed by the community.

Both have relative strengths and weaknesses, but as the ZAP project lead I'll let others enumerate those as I'm kind of biased.

Having 2 tools with overlapping functionality is (in my opinion) a good thing, and many security people chain ZAP and Burp together to get the advantages of both.

Simon Bennetts
  • Can you add what the differences are? Feature sets can be looked up in the documentation, but could you add your unique insights? – schroeder Aug 20 '19 at 07:42
  • Well, I happen to think that being free and open source are significant differences :) I'd say that some of ZAP's strengths are: scripting, the API, the Heads Up Display (HUD). Documentation is a weakness ;) I'm probably not the best person to enumerate Burp's strengths, but it is a very popular and well regarded tool. – Simon Bennetts Aug 20 '19 at 11:05
  • Burp Pro is definitely the go-to tool because of the variety of plugins you get, which are not available for ZAP, meaning you would have to script them on your own. Otherwise there is not much of a difference. – Raimonds Liepiņš Aug 21 '19 at 05:51
  • @SimonBennetts Do you have any tips on where to find good ZAP learning resources? I found the video tutorials on your YouTube channel, but they are from 2015. Are they still relevant? – vhflat Nov 07 '19 at 11:26
  • Mostly yes, but they will be a bit out of date. We have lots of links off https://github.com/zaproxy/zaproxy but the good news is that we are finally working on some new ZAP videos :) Follow either myself (@psiinon) or @zaproxy on Twitter to see when they go live, or join the ZAP user or developer groups. – Simon Bennetts Nov 08 '19 at 10:17
  • FYI we have a new set of videos which are still being added to: https://www.alldaydevops.com/zap-in-ten – Simon Bennetts Mar 02 '20 at 15:16
  • @SimonBennetts Video series is very helpful. – Nitin Rastogi Jul 02 '20 at 15:28
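The answer above mentions chaining ZAP and Burp, and the comments single out ZAP's scripting and API as strengths. The script below is an added example (not code from the original post or from the ZAP project) that exercises both: it uses ZAP's REST API to set Burp as ZAP's upstream proxy, runs an unattended spider plus active scan, and turns the resulting alerts into a pass/fail gate. It assumes a ZAP daemon on 127.0.0.1:8080 started with an API key of `changeme` and a Burp listener on 127.0.0.1:8081; the target URL, host, port and key are assumptions to adjust for your setup, and `SAMPLE_ALERTS` is constructed data in the shape of the `core/view/alerts` response so the summary and gate run without a live ZAP.

```python
"""Drive OWASP ZAP from Python over its REST API: chain ZAP to an upstream
Burp listener, run a spider plus active scan, and gate on the alerts.

Added example, not code from the original post or from the ZAP project.
Assumptions: a ZAP daemon on 127.0.0.1:8080 started with
  zap.sh -daemon -port 8080 -config api.key=changeme
and Burp's proxy listener on 127.0.0.1:8081. Adjust the constants below.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_HOST = "http://127.0.0.1:8080"        # assumption: local ZAP daemon
ZAP_API_KEY = "changeme"                  # assumption: key set via -config api.key=
BURP_HOST, BURP_PORT = "127.0.0.1", 8081  # assumption: Burp's proxy listener

# ZAP's risk labels, lowest to highest, used for the pass/fail threshold.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def api_url(component, kind, name, **params):
    """Build a ZAP API URL of the form
    <host>/JSON/<component>/<kind>/<name>/?apikey=...&param=value
    where kind is 'action' (changes state) or 'view' (read-only)."""
    query = {"apikey": ZAP_API_KEY, **params}
    return f"{ZAP_HOST}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"


def call(url, timeout=30):
    """GET a ZAP API URL and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def chain_to_burp_urls():
    """The three core actions that make ZAP forward all traffic through Burp
    as an upstream proxy (ZAP's 'proxy chain'), so both tools see the same
    requests: ZAP does the scanning, Burp does the manual tampering."""
    return [
        api_url("core", "action", "setOptionProxyChainName", String=BURP_HOST),
        api_url("core", "action", "setOptionProxyChainPort", Integer=str(BURP_PORT)),
        api_url("core", "action", "setOptionUseProxyChain", Boolean="true"),
    ]


def wait_for(component, scan_id, poll=2.0):
    """Poll <component>/view/status until the scan reports 100 percent."""
    while True:
        status = int(call(api_url(component, "view", "status", scanId=scan_id))["status"])
        if status >= 100:
            return
        time.sleep(poll)


def run_scan(target):
    """Unattended spider + active scan of `target`; returns the alerts list.
    This is the 'leave it running and let it flag things' mode, done with
    ZAP's own API rather than interactively."""
    for url in chain_to_burp_urls():
        call(url)
    spider_id = call(api_url("spider", "action", "scan", url=target, recurse="true"))["scan"]
    wait_for("spider", spider_id)
    ascan_id = call(api_url("ascan", "action", "scan", url=target, recurse="true"))["scan"]
    wait_for("ascan", ascan_id)
    return call(api_url("core", "view", "alerts", baseurl=target))["alerts"]


def summarise_alerts(alerts):
    """Count alerts by ZAP risk level ('High', 'Medium', ...)."""
    return Counter(alert["risk"] for alert in alerts)


def failing_alerts(alerts, threshold="Medium"):
    """Alerts at or above `threshold`, for a CI-style pass/fail gate."""
    floor = RISK_ORDER.index(threshold)
    return [a for a in alerts if RISK_ORDER.index(a["risk"]) >= floor]


# Constructed sample in the shape of core/view/alerts, so the summary and
# gate can be exercised without a running ZAP. Not real scan output.
SAMPLE_ALERTS = json.loads("""[
  {"risk": "High", "confidence": "Medium", "pluginId": "40018",
   "alert": "SQL Injection", "url": "http://target.test/item?id=1", "param": "id"},
  {"risk": "Medium", "confidence": "Medium", "pluginId": "10020",
   "alert": "Missing Anti-clickjacking Header", "url": "http://target.test/", "param": "X-Frame-Options"},
  {"risk": "Medium", "confidence": "High", "pluginId": "10038",
   "alert": "Content Security Policy (CSP) Header Not Set", "url": "http://target.test/", "param": ""},
  {"risk": "Low", "confidence": "Medium", "pluginId": "10010",
   "alert": "Cookie No HttpOnly Flag", "url": "http://target.test/login", "param": "session"}
]""")

if __name__ == "__main__":
    import sys
    alerts = run_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    print(dict(summarise_alerts(alerts)))
    for a in failing_alerts(alerts):
        print(f"{a['risk']:6} {a['alert']} at {a['url']} ({a['param']})")
    sys.exit(1 if failing_alerts(alerts) else 0)
```

Run it with a target URL to drive a live ZAP (`python zap_chain.py http://target.test/`), or with no arguments to see the gate applied to the constructed sample. Chaining through Burp this way only makes sense when Burp is running with intercept off (or with a match rule) so ZAP's scan traffic is not stalled waiting for a human to forward each request.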

I feel like this might largely be a question of UI preference, as I haven't found something I did in BurpCE that I really can't do in ZAP, and I would say that ZAP is more intuitive. Also, the tabs in Burp are super annoying, and can get unmanageable when you start to have a ton. There are definitely some rough patches in ZAP where doing something looks to be possible, but it's just easier in Burp. I do find myself in ZAP more than BurpCE after really getting used to ZAP.

That being said, it seems like Burp's paid feature set is much more of a "Web Application Scanner", which devs can leave running somewhere and just let it scan and flag stuff, as opposed to ZAP, being a tool for web app vuln testing that has to actively be used by the end user.

andrewaf