CEO at Virtual Security International
Real User
Open-source, easy to install, feature-rich, with good heads-up display and community resources
Pros and Cons
  • "It has evolved over the years, and recently, in the last year, they have added HUD (Heads Up Display)."
  • "The forced browse has been incorporated into the program and it is resource-intensive."

What is our primary use case?

I use this solution for penetration tests.

What is most valuable?

It has evolved over the years, and recently, in the last year, they have added HUD (Heads Up Display).

It comes up in your browser and you have control of the program while you are on the website, in your browser. Everything that you can do in the program, you can do from your browser on the fly. It is similar to a targeted attack. You can see what you are doing.

It's a Java program installed on your computer.

What needs improvement?

The forced browse has been incorporated into the program and it is resource-intensive.

It was a copied program named DirBuster. It needs to be improved; it's too resource-hungry.

I found another program that is written in the Go language, and it does the same thing, but it is much faster and more efficient. It will crash those proxy programs within Zap; if you do more than one, it will take forever.

It needs to be rewritten, maybe not in Java.

For how long have I used the solution?

I have used OWASP quite a bit. I have dealt with this solution for quite a few years. My usage has not been constant, but it has been quite a while.

We are dealing with the most recent version.

Buyer's Guide
OWASP Zap
December 2024
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.

What do I think about the stability of the solution?

It creates a database of all the URLs and it can get a little overwhelming. 

With a large website, you have a lot of URLs, and it gets a bit sluggish when loading and saving it, but it really works quite well. It goes in and out of it and goes too slowly. It takes a little while to save all of that data.

What do I think about the scalability of the solution?

It's a scalable product, but it's slow.

How are customer service and support?

I have not contacted technical support.

It has a very good forum on the website. The users help each other. It's helpful and resourceful.

Which solution did I use previously and why did I switch?

I have used several solutions, such as Nessus, WebInspect, and Retina. Retina is a network scanner, but OWASP is the best.

How was the initial setup?

It's quick to set up. You can install it in different ways. I run it on Linux (Debian), and I have run it on Windows as well.

What's my experience with pricing, setup cost, and licensing?

OWASP Zap is free.

Which other solutions did I evaluate?

I was making a comparison between OWASP and Acunetix to see what the differences were.

What other advice do I have?

I used to work with Homeland Security 10 to 15 years ago, in the National Cybersecurity Division, which was starting up right after 9/11.

I was on that national cybersecurity team. One of the things they looked into was funding using government money to fund some of these security operations or projects. They decided, and I helped decide, that it would be right for the government to support open-source systems or products because they're not making money out of that market.

One of the people in the government got involved and helped to get it started. I don't know if they still have a list on their website of donors or contributors, but you can look on that list pretty easily and see if Homeland Security is still supporting them.

I assume it is because it's really well run. It's constantly evolving, with new versions coming out with new features. It's very well managed, and the lead person on it is very sharp. You can go on YouTube and search for a proxy, and you will see some deep-dive tutorials. He did a really good job.

There is a lot to this solution. You can use it superficially, but you need to spend a lot of time learning it. It has a lot of options and a lot of angles.

I would rate OWASP Zap a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Gebran Hadchity - PeerSpot reviewer
Head Of Development at VALOORES
Reseller
An easy-to-install product that discovers more vulnerabilities than any other tool in the market
Pros and Cons
  • "The product discovers more vulnerabilities compared to other tools."
  • "The product should allow users to customize the report based on their needs."

What is our primary use case?

We use the product to ensure that our source code is safe enough and has no vulnerabilities before delivering a new release for our AML product. We also used the product for dynamic testing to test applications as a black box.

What is most valuable?

The report design is very useful. The explanation is very clear. It also provides additional solutions and plugins. The product discovers more vulnerabilities compared to other tools. It might have additional plugins and features for testing.

What needs improvement?

The product should allow users to customize the report based on their needs. For example, suppose the user needs to test only the vulnerability of SQL injection and not any other category or vulnerabilities. In that case, it's better to provide end users with a way to choose the subject they want to audit and the severity of the vulnerability. 

If I need to figure out only the critical or the high severity, I shouldn’t have to figure out the low severity vulnerabilities or the smell codes. These services could be helpful for the end user and save time whenever we need to generate a new report. The execution time is a little bit exaggerated. This process can optimize the report’s performance.

For how long have I used the solution?

I have been using the solution for two to three months.

What do I think about the stability of the solution?

The solution is very stable. I rate the solution’s stability a nine out of ten.

What do I think about the scalability of the solution?

Two resources from our security team work on generating and implementing reports. However, many other developers use the product to fix vulnerabilities and penetrate or audit the whole source code for products. The owner of the product and the developers are involved in the correction and the long-term plan to cover or close the vulnerability.

How was the initial setup?

I rate the ease of setup an eight out of ten.

What about the implementation team?

The installation is quick. It can be done in a couple of hours.

What's my experience with pricing, setup cost, and licensing?

The solution’s pricing is high. I rate the pricing a nine or ten out of ten. There is an indirect cost on the resources and specs needed to deploy or implement the product. When we run the report, it consumes a lot of du from the servers.

What other advice do I have?

We use SonarQube for penetration testing. We are most likely to have hybrid solutions. However, the deployment model depends on our clients, the data, and the type of product we will deploy. I didn't use automatic scalability for our deliveries and deployment. 

The solution is worth using. We've used many tools and discovered that OWASP detects multiple high vulnerabilities, which the other tools do not detect. Overall, I rate the product an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Security Officer at UnDisclosed
Real User
Top 20
Stable dynamic testing solution with unreliable manual processes
Pros and Cons
  • "Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
  • "The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."

What is our primary use case?

OWASP Zap is used for dynamic testing, when any kind of application, like a web application, needs to be tested for its security and vulnerabilities. It is also used to crawl the site and then to enumerate all the input or the possible exploitation points, and then we try to exploit any blockings within OWASP Zap.

How has it helped my organization?

It improved our company's functioning because it integrates and can automate most of our workflow, so it helps. Based on its automation abilities, I rate it a seven out of ten. But there are many things that I have to do manually for safety and better clarification.

What is most valuable?

I think the automation feature is the one I used the most in the tool. For the crawling and enumeration one and the feature, we can manipulate the insides of the response. So, we can manipulate web responses and use them to test a certain website's security.

What needs improvement?

Since it is a community-based tool, I am unsure if OWASP Zap is quite up to date with recent weaknesses currently exploitable in work. So, sometimes we have to add to do it manually. How to differentiate between the false positives and the true findings needs improvement. In general, the shortcomings in the accuracy of the findings need to be improved.

The automation process can help us perform website attacks using the latest exploit techniques and procedures, often used in reverse scenarios. Although other commercial solutions have this feature, I hope OWASP Zap can catch up and offer similar capabilities.

For how long have I used the solution?

I have been using the solution for four or five years. We got the information from the community that it is open-source software, so we are using it as part of the community. We are using the open-source version. It is not difficult to upgrade to the latest version.

What do I think about the stability of the solution?

Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high. I never found the applications crashing.

What do I think about the scalability of the solution?

Scalability-wise, I rate the solution a five out of ten.

The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time. Five users who are IT security engineers in my company use the tool. I plan to increase the usage of the tool in the future.

How are customer service and support?

Since it's a community-based tool, I rate the solution's technical support as less than five. It's community support. We do not have technical support, so we have to manually read the documentation and check the community forums.

How would you rate customer service and support?

Neutral

How was the initial setup?

I rate the initial setup a ten out of ten since it is easy. The server is easily deployed because it's an open-source and free solution. I think it's very easy to install on every computer authorized to use it.

Which other solutions did I evaluate?

I am still currently using Burp Suite, which is free.

What other advice do I have?

I can recommend others to use the solution for a quick and easy introduction to dynamic testing. But for the more advanced solution, and for users like myself who understand the application suite itself, for others and any organization, I recommend using the commercial solution as a proxy. I rate the overall solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
President & Owner at Aydayev's Investment Business Group
Real User
Provides visibility of queries, but security and the ability to search the internet for other use cases could be better
Pros and Cons
  • "The solution is scalable."
  • "The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."

What is our primary use case?

The solution has certain models. It allows the creation of a pipeline in respect of the interface or of certain content. It enables one to check that the security is as it should be. 

What is most valuable?

The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined. This way, a person can have a list of the types of queries and can trace them. 

What needs improvement?

The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed. 

For how long have I used the solution?

We have been using OWASP Zap for more than four years. 

What do I think about the stability of the solution?

The computers perform somewhat slowly when loading a large number of queries into memory. As such, I don't know if it will be possible to use cache on the disk, which would greatly increase performance. 

What do I think about the scalability of the solution?

The solution is scalable. It can be run simultaneously for different targets. 

How are customer service and technical support?

I have not had experience with using technical support. I make use of a public community on the public website.

How was the initial setup?

The initial setup is a bit complex, not straightforward. It could be made easy if, let's say, a project can be defined for a certain task through the project's creation. This may simplify its use.

Which other solutions did I evaluate?

Zap is a very good startup. There is an alternate solution that is a bit more expensive and requires more technical knowledge than OWASP Zap, although both have a model-based configuration. The interface allows one to run predefined templates, something OWASP Zap has in common with the other solution. The automation capabilities are similar, as well.

What other advice do I have?

I used the source code design for the deployment.

I have not had experience with the code crawler, OWASP Zap code analysis. The solution I was using is run by a search engine. My clients utilize OWASP Zap AST. They do not make use of the code crawler.

I rate OWASP Zap as a six out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Real User
Inexpensive licensing, free to use, and has good community support
Pros and Cons
  • "The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
  • "There's very little documentation that comes with OWASP Zap."

What is our primary use case?

I focus on software application security. In most of the scenarios that we come across, the customers want complete assurance on the security of their platforms/products/applications. Clients reach out to us for our abilities to unearth security issues.

I get to use these tools to assess products/platforms before they go live to the market.

How has it helped my organization?

We recently ran into an issue where we had to test the OAuth token validation, where the REST API calls had the OAuth token change every time a request was being sent. Somebody from the support community had contributed sample code to accomplish this. In terms of the community support that is available, OWASP Zap has a great set of features to use.

What is most valuable?

The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client for helping them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.

What needs improvement?

OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover, ZAP Proxy security scans are excellent, providing comprehensive coverage.

One area where the tool can be improved is, specifically, the reporting feature; if some more intelligence could be added to it, it would be great.

There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there were additional templates that could be put in place, the reports would come out very well, and we'd be able to edit them while reading the report.

That could be good for us to make it through, because that is an area where, typically, it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts, and then we generate the report.

There's the element of documentation that we need to create along with that. It would help if there were a provision to enter inputs like the ones below as part of report generation:

  • Project information
  • Client name
  • Organization name
  • Platform against which this test has been done

If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer.

Today, this is something not easily available at that level in the tool. In the reporting presentation format, the Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that.

For how long have I used the solution?

We have been using OWASP Zap for more than eight months.

What do I think about the stability of the solution?

The only place that I faced issues with OWASP was testing for a large broadcasting company. The number of requests that come forward is quite large. When the requests are quite huge, we found that the ZAP Proxy tool tends to be a little slower to respond. We're not sure whether it's progressing in the background or whether the application is frozen. We have faced this when we are sending in large payloads, i.e. the multiple requests pull through defensive issues there. Other than that, we have not seen a significant issue with the tool.

What do I think about the scalability of the solution?

Currently, we have three of us who have been using the OWASP Zap proxy tool. There are times when we even propose this ZAP proxy tool to customers. Sometimes, we get requests from clients who want us to use a specific solution like Acunetix, BurpSuite. 

For the choice of which tool to use in the long run, the decision is driven by the customers. When customers ask us for a tool recommendation, we do a security tool comparison analysis and make a recommendation that best suits them, explaining the pros and cons of each tool, i.e. when you use a solution like OWASP Zap versus going on with a tool like Burp Suite or Acunetix.

How are customer service and technical support?

For OWASP, I've been only looking at their community, but I felt that PortSwigger has much better tech support. In terms of community support, OWASP Zap is very much there.

For example, we expected PortSwigger to have OAuth token to be available by default, but that was not on their product road map. Fortunately for us, we had somebody from the community who had created several extensions which were a great help to us.

In terms of product support, I would say, Port Swigger support has been very good. 

How was the initial setup?

The initial setup of OWASP Zap was straightforward. That's not an issue at all with OWASP.

What's my experience with pricing, setup cost, and licensing?

As far as pricing is concerned, for value in the commercial solutions when it comes to security testing tools, it is Burp Suite. Some Burp Suite licenses are available for $300 over a 1-year term, which is pocket-friendly for us. We feel that PortSwigger Burp Suite is the best value for the money that we get. When it comes to clients looking for non-commercial licenses, the OWASP Zap tool is the best fit.

What other advice do I have?

When people are trying to make use of OWASP Zap, I would advise first reading through and understanding the OWASP vulnerabilities very well. Then start looking at the features and tutorials of the OWASP ZAP Proxy that are made available online.

There are a lot of YouTube videos and articles on the internet that talk about how to use the tools. These are quite easy to understand. Do a small POC. Pick an application which already has vulnerabilities and assess the application with the ZAP Proxy tool.

In terms of ZAP Proxy tool ease of use, I would rate it nine out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Consultant with 1,001-5,000 employees
Consultant
A cost-effective and dynamic application security testing tool, but the product reporting could be better
Pros and Cons
  • "The most valuable feature is scanning the URL to drill down all the different sites."
  • "The product reporting could be improved."

What is our primary use case?

Our primary use case for this solution is for reviewing applications developed in-house to test for known vulnerabilities, and we deploy this product on-premises. Additionally, we use the solution to review some applications that were developed in-house and test for any general or known vulnerabilities before moving them to the production environment.

How has it helped my organization?

The product has improved our application security engagement. It helps with our in-house review and sometimes, we don't need an external third-party tester to review it. Once we get it from OWASP Zap, we have an idea of the inherent vulnerabilities in the application. This is a plus to save cost and improve our application accuracy practice.

What is most valuable?

The most valuable feature is scanning the URL to drill down all the different sites and features embedded within the URL, like the crawler and the Spider.

What needs improvement?

The product reporting could be improved. It could be changed to authorize reporting to be viewed from different perspectives to get additional regulatory requirements.

For how long have I used the solution?

We have been using this solution for approximately six years and are currently using the latest version.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

We have not explored the scalability of the system yet. We only have two users currently using it.

How are customer service and support?

We have not reached out to the technical team for support.

Which solution did I use previously and why did I switch?

We previously used Net Packer.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

Implementation was done in-house.

What was our ROI?

We see a return on investment with this solution.

What's my experience with pricing, setup cost, and licensing?

I cannot comment on licensing costs, as a different department handles it.

Which other solutions did I evaluate?

We did not evaluate other options before choosing this solution.

What other advice do I have?

I rate this solution a seven out of ten. The product is good, but the reporting process could be improved. I recommend this solution to people looking for a quick DAST application and a dynamic application security testing tool. Additionally, the solution is cost-effective.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Rooshan Naeem - PeerSpot reviewer
Security Engineer at Eon Health
Real User
Top 5 Leaderboard
Has a good application scanning feature but reporting needs improvement
Pros and Cons
  • "The application scanning feature is the most valuable feature."
  • "The reporting feature could be more descriptive."

What is our primary use case?

We use it for our security scanning for our applications. 

What is most valuable?

The application scanning feature is the most valuable feature. 

What needs improvement?

The reporting feature could be more descriptive.

For how long have I used the solution?

I have been using OWASP Zap for four years. 

What do I think about the stability of the solution?

It is a stable solution. 

What do I think about the scalability of the solution?

Presently seven people use this solution. It is scalable. 

How was the initial setup?

The initial setup is straightforward. 

What's my experience with pricing, setup cost, and licensing?

It's open source.

What other advice do I have?

Overall, I would rate the solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Mubarak Arimiyah - PeerSpot reviewer
Software Quality Assurance Engineer at Netow Solutions Ltd
Real User
Top 5 Leaderboard
An open-source solution that helps with application testing
Pros and Cons
  • "We use the solution for security testing."
  • "OWASP Zap needs to extend to mobile application testing."

What is our primary use case?

We use the solution for security testing. 

What needs improvement?

OWASP Zap needs to extend to mobile application testing. 

What do I think about the stability of the solution?

OWASP Zap is stable. 

What's my experience with pricing, setup cost, and licensing?

The tool is open-source. 

What other advice do I have?

I rate the solution an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user