it_user860865 - PeerSpot reviewer
Program Manager at a manufacturing company with 1,001-5,000 employees
Real User
The tool's learning curve is smooth and light
Pros and Cons
  • "It scans while you navigate, then you can save the requests performed and work with them later."
  • "I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."

What is our primary use case?

OWASP ZAP is a very useful, light tool for beginners to learn how to “spider” across websites. It is easy to configure and generate reports. There are other solutions for more mature, experienced security analysts and testers, who are capable of extending the coverage of a security assessment.

It is most frequently used to review HTTP methods, how they are constructed and if there is sensitive information in the traffic, such as how HTTPS certifications work on the website, scanning open ports visible via the web, and trying to modify HTTP methods to add or delete requests.

I have used OWASP ZAP as part of my portfolio of security tools since 2013.

How has it helped my organization?

This tool helps enhance and speed up the process of covering big applications with many functionalities. It scans while you navigate, then you can save the requests performed and work with them later. Also, you can pass these requests to colleagues involved in the same security assessment to increase the monitoring as well as avoid extra work.

What is most valuable?

  • Interception of proxy traffic
  • Session comparisons
  • Port scanner
  • Fuzzing
  • Brute force
  • Cookie management

What needs improvement?

I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created.

Buyer's Guide
OWASP Zap
April 2025
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
848,716 professionals have used our research since 2012.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

We have had stability issues a few times. You need to do extra configurations on the tool to make it catch traffic with different browsers. Otherwise, it won’t display any requests.

What do I think about the scalability of the solution?

No scalability issues. I found this to be a very flexible tool.

How are customer service and support?

OWASP ZAP has a forum to help out customers and analysts, as well as an interaction with other experts for a quick process of “Question-Answer”.

Which solution did I use previously and why did I switch?

OWASP ZAP is one of the solutions that I use. For simple tasks, I use Fiddler. For other advanced techniques, I use the Burp Suite. I would say OWASP ZAP is a really light, useful tool in the middle of the other two mentioned.

How was the initial setup?

Initial setup was pretty straightforward; nothing complex.

What's my experience with pricing, setup cost, and licensing?

OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate.

Which other solutions did I evaluate?

As mentioned, Burp Suite and Fiddler are two other great options. OWASP ZAP excels for what it does and for how smooth and light the tool’s learning curve can be.

What other advice do I have?

This is a very mature tool. It is capable of facilitating the work of many security experts. I highly recommend it for beginners and advanced users when some other tools fail to catch traffic.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Mubarak Arimiyah - PeerSpot reviewer
Software Quality Assurance Engineer at Netow Solutions Ltd
Real User
Top 5, Leaderboard
An open-source solution that helps with application testing
Pros and Cons
  • "We use the solution for security testing."
  • "OWASP Zap needs to extend to mobile application testing."

What is our primary use case?

We use the solution for security testing. 

What needs improvement?

OWASP Zap needs to extend to mobile application testing. 

What do I think about the stability of the solution?

OWASP Zap is stable. 

What's my experience with pricing, setup cost, and licensing?

The tool is open-source. 

What other advice do I have?

I rate the solution an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Consultant with 1,001-5,000 employees
Consultant
A cost-effective and dynamic application security testing tool, but the product reporting could be better
Pros and Cons
  • "The most valuable feature is scanning the URL to drill down all the different sites."
  • "The product reporting could be improved."

What is our primary use case?

Our primary use case for this solution is for reviewing applications developed in-house to test for known vulnerabilities, and we deploy this product on-premises. Additionally, we use the solution to review some applications that were developed in-house and test for any general or known vulnerabilities before moving them to the production environment.

How has it helped my organization?

The product has improved our application security engagement. It helps with our in-house review and sometimes, we don't need an external third-party tester to review it. Once we get it from OWASP Zap, we have an idea of the inherent vulnerabilities in the application. This is a plus to save cost and improve our application accuracy practice.

What is most valuable?

The most valuable feature is scanning the URL to drill down all the different sites and features embedded within the URL, like the crawler and the Spy Dream.

What needs improvement?

The product reporting could be improved. It could be changed to authorize reporting to be viewed from different perspectives to get additional regulatory requirements.

For how long have I used the solution?

We have been using this solution for approximately six years and are currently using the latest version.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

We have not explored the scalability of the system yet. We only have two users currently using it.

How are customer service and support?

We have not reached out to the technical team for support.

Which solution did I use previously and why did I switch?

We previously used Net Packer.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

Implementation was done in-house.

What was our ROI?

We see a return on investment with this solution.

What's my experience with pricing, setup cost, and licensing?

I cannot comment on licensing costs, as a different department handles it.

Which other solutions did I evaluate?

We did not evaluate other options before choosing this solution.

What other advice do I have?

I rate this solution a seven out of ten. The product is good, but the reporting process could be improved. I recommend this solution to people looking for a quick DAST application and a dynamic application security testing tool. Additionally, the solution is cost-effective.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
President & Owner at Aydayev's Investment Business Group
Real User
Provides visibility of queries, but security and the ability to search the internet for other use cases could be better
Pros and Cons
  • "The solution is scalable."
  • "The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."

What is our primary use case?

The solution has certain models. It allows the creation of a pipeline in respect of the interface or of certain content. It enables one to check that the security is as it should be. 

What is most valuable?

The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined. This way, a person can have a list of the types of queries and can trace them. 

What needs improvement?

The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed. 

For how long have I used the solution?

We have been using OWASP Zap for more than four years. 

What do I think about the stability of the solution?

The computers perform somewhat slowly when loading a large number of queries into memory. As such, I don't know if it will be possible to use cache on the disk, which would greatly increase performance. 

What do I think about the scalability of the solution?

The solution is scalable. It can be run simultaneously for different targets. 

How are customer service and technical support?

I have not had experience with using technical support. I make use of a public community on the public website.

How was the initial setup?

The initial setup is a bit complex, not straightforward. It could be made easy if, let's say, a project can be defined for a certain task through the project's creation. This may simplify its use.

Which other solutions did I evaluate?

Zap is a very good startup. There is an alternate solution that is a bit more expensive and requires more technical knowledge than OWASP Zap, although both have a model based configuration. The interface allows one to run predefined templates, something OWASP Zap has in common with the other solution. The automation capabilities are similar, as well. 

What other advice do I have?

I used the source code design for the deployment.

I have not had experience with the code crawler, OWASP Zap code analysis. The solution I was using is run by a search engine. My clients utilize OWASP Zap AST. They do not make use of the code crawler.

I rate OWASP Zap as a six out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Technical Specialist(DevOps) at a tech services company with 1,001-5,000 employees
Real User
Provides good automatic scanning and privacy; reporting could be improved
Pros and Cons
  • "Automatic scanning is a valuable feature and very easy to use."
  • "Reporting format has no output, is cluttered and very long."

What is our primary use case?

We are using this product at a very basic level to scan reports and then share them with the Dev team for any vulnerabilities. We use the open source version and we are end users. 

How has it helped my organization?

The solution has improved company functioning to a certain extent, but it takes a lot of time coordinating with the Dev team because we are using the open source version and not the enterprise version. It's not an awesome solution but we do get the reports we need and there is a good amount of documentation and support. 

What is most valuable?

The automatic scanning is a valuable feature and very easy. The major advantage to this solution is the privacy it offers. We are able to achieve our objectives to some extent, but only for non-business critical applications.

What needs improvement?

The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.

For how long have I used the solution?

I've been using this solution for about one year. 

What do I think about the stability of the solution?

The product is not that stable and sometimes I have to re-install it and contact the internal IT team. I don't have the admin rights on the laptop. Some features can break down, for example, the browser on the scanning might not open. Slowly our team will be moving towards more critical projects coming from the U.S., Japan and India, so we are definitely planning to upscale. In the next financial year, we're planning to upscale and make it more rigorous.

How are customer service and technical support?

We are using the open source version so we have no technical support for now.

How was the initial setup?

The installation is very simple. It's just an executable file because for now, we are not using it as a part of CI/CD or anything else. We have just installed the open source version on the laptop which has simplified things; our toolbox opens up and we just give the URL and it does an automatic scan. So information-wise and operation-wise, it is easy now. Our team carried out the deployment by first reading, watching videos and taking various courses. We had help from the company security team.

Which other solutions did I evaluate?

I carried out an evaluation between Checkmarx and OWASP Zap.

What other advice do I have?

If you are working in a very big gaming company and you have the budget, then I'd suggest switching to the enterprise version because the open source version takes time to resolve the regulations and there are sometimes false positives. It takes a lot of effort to figure out how to resolve the vulnerability and then search the same thing in the code. If you're not from the development team, then a lot of coordination is required. Without any support, we are in a black hole sometimes. Some attacks can be very dangerous for the company and for the application. They create delays and I've had to learn how to deal with that. 

I rate this solution a six out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
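The reporting complaint in the review above (a long HTML report that has to be rewritten by hand into a short summary, and the wish to drive scans from an API) is a common one, so here is an added example that is not part of the review or of the ZAP project: a small Python script that takes the JSON report ZAP can export (the same alert data its API exposes) and reduces it to a risk-ordered digest with a pass/fail threshold usable as a CI gate. The report embedded in the script is constructed for this example, and the field names it reads (`site`, `alerts`, `alert`, `riskcode`, `confidence`, `instances`, `solution`) are an assumption based on ZAP's traditional JSON report layout; check them against a report from your own ZAP version.

```python
import json
from collections import Counter

# Constructed sample in the shape of ZAP's traditional JSON report (assumption:
# real reports use the same keys; the alerts below are made up for the example).
SAMPLE_REPORT = json.dumps({
    "@version": "example",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/search?q=x", "method": "GET", "param": "q"}],
             "solution": "Validate input and encode output for the HTML context."},
            {"alert": "Missing Anti-clickjacking Header", "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/", "method": "GET", "param": ""},
                           {"uri": "https://app.example.test/login", "method": "GET", "param": ""}],
             "solution": "Send a Content-Security-Policy frame-ancestors directive or X-Frame-Options."},
            {"alert": "Cookie Without Secure Flag", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/login", "method": "POST", "param": "session"}],
             "solution": "Set the Secure attribute on every cookie."},
            {"alert": "Information Disclosure - Suspicious Comments", "riskcode": "0", "confidence": "1",
             "instances": [{"uri": "https://app.example.test/app.js", "method": "GET", "param": ""}],
             "solution": "Remove developer comments from production builds."},
        ],
    }],
})

# ZAP's numeric risk and confidence codes, mapped to readable names.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE_NAMES = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "Confirmed"}


def parse_report(report_text):
    """Flatten a ZAP JSON report into one row per alert, highest risk first."""
    data = json.loads(report_text)
    rows = []
    for site in data.get("site", []):
        for alert in site.get("alerts", []):
            instances = alert.get("instances", [])
            rows.append({
                "site": site.get("@name", ""),
                "alert": alert.get("alert", ""),
                "risk": int(alert.get("riskcode", 0)),
                "confidence": int(alert.get("confidence", 0)),
                "count": len(instances),
                "sample_uri": instances[0].get("uri", "") if instances else "",
                "solution": alert.get("solution", "").strip(),
            })
    # Highest risk first, then highest confidence, then name for a stable order.
    rows.sort(key=lambda r: (-r["risk"], -r["confidence"], r["alert"]))
    return rows


def risk_counts(rows):
    """Number of distinct alerts per risk level, e.g. {'High': 1, 'Medium': 1, ...}."""
    counts = Counter(r["risk"] for r in rows)
    return {RISK_NAMES[level]: counts[level] for level in sorted(counts, reverse=True)}


def render_digest(rows, min_risk=1):
    """Short text digest: one line per alert at or above min_risk, plus the suggested fix."""
    lines = [f"ZAP digest: {risk_counts(rows)}"]
    for r in rows:
        if r["risk"] < min_risk:
            continue  # drop informational noise unless explicitly requested
        lines.append(
            f"[{RISK_NAMES[r['risk']]}/{CONFIDENCE_NAMES[r['confidence']]}] "
            f"{r['alert']} x{r['count']} e.g. {r['sample_uri']}"
        )
        lines.append(f"    fix: {r['solution']}")
    return "\n".join(lines)


def exceeds_threshold(rows, max_accepted_risk=1):
    """True if any alert is riskier than the level the team accepts (CI gate)."""
    return any(r["risk"] > max_accepted_risk for r in rows)


if __name__ == "__main__":
    alerts = parse_report(SAMPLE_REPORT)
    print(render_digest(alerts))
    # Non-zero exit fails the pipeline when a Medium or High alert is present.
    raise SystemExit(1 if exceeds_threshold(alerts) else 0)
```

Feeding a real export instead of the embedded sample only requires reading the file into `parse_report`; the threshold in `exceeds_threshold` is the place to encode which risk level the team has agreed to block on, and the digest keeps the per-alert `solution` text so the development team gets the remediation hint without the full report.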
Rooshan Naeem - PeerSpot reviewer
Security Engineer at Eon Health
Real User
Top 5
Has a good application scanning feature but reporting needs improvement
Pros and Cons
  • "The application scanning feature is the most valuable feature."
  • "The reporting feature could be more descriptive."

What is our primary use case?

We use it for our security scanning for our applications. 

What is most valuable?

The application scanning feature is the most valuable feature. 

What needs improvement?

The reporting feature could be more descriptive.

For how long have I used the solution?

I have been using OWASP Zap for four years. 

What do I think about the stability of the solution?

It is a stable solution. 

What do I think about the scalability of the solution?

Presently seven people use this solution. It is scalable. 

How was the initial setup?

The initial setup is straightforward. 

What's my experience with pricing, setup cost, and licensing?

It's open source.

What other advice do I have?

Overall, I would rate the solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
EricIgbinosun - PeerSpot reviewer
Information Security Professional at AEDC
Real User
Fast and easy to set up but uses a lot of memory
Pros and Cons
  • "You can run it against multiple targets."
  • "There isn't too much information about it online."

What is our primary use case?

It's running on my system. I use it to scan URLs and can check things if I find something. 

What is most valuable?

There's a way to set up jobs where you can get it to run all the processes against the target to avoid doing so manually. You can run it against multiple targets. 

It is easy to set up.

The solution is stable. 

What needs improvement?

I don't have any notes for improvements.

It should have more visibility. Everybody defaults to Burp. However, this is a free version that deserves more visibility.

There isn't too much information about it online. You need to self-teach in order to really learn how to use it. There isn't a lot of documentation available. 

It takes up a lot of memory and RAM. 

For how long have I used the solution?

I've been using the solution for roughly six months. I've used it on and off. However, I really started using it constantly over the last six months. 

What do I think about the stability of the solution?

The solution is mostly stable. However, it requires a lot of RAM and memory. There are no bugs or glitches. 

What do I think about the scalability of the solution?

It is not very scalable.

I'm the only security engineer. Only I use it in my company. 

How are customer service and support?

I've never used technical support. I'm not sure how helpful or responsive they are. 

Which solution did I use previously and why did I switch?

I used to use PortSwigger Burp. This solution is free and has a lot of what the paid version of Burp offers. I haven't used Burp Professional. I used the community version. I chose this solution as it is faster, at least compared to the community version. My understanding is the paid version of Burp is very fast.

How was the initial setup?

The initial setup was very simple and straightforward. I didn't find any difficulty installing it on my system.

It takes about ten to 15 minutes to deploy. It depends on the machine you have. 

What's my experience with pricing, setup cost, and licensing?

The solution is free to use. I don't pay any licensing fees. 

What other advice do I have?

I'm an end-user. 

I'm not sure which version of the solution I'm using. 

I would rate the solution seven out of ten. While it is free to use, it does take up a lot of memory. I also find Burp easier to use than this product.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
CEO and Founder at Indicrypt Systems
Real User
Offers good web application spidering and vulnerability assessment
Pros and Cons
  • "The automated vulnerability assessments that the application performs needs to be simplified as well as diversified."

What is our primary use case?

We primarily use this application for web application spidering and vulnerability assessment.

What is most valuable?

The most valuable feature is the spidering because, being a security person, it is very important for me to know each and every section of that application, so we cannot afford to miss any single web page or any single link on a particular website. The spidering mechanism is very good.

What needs improvement?

The automatic scans need improvement. The automated vulnerability assessments that the application performs needs to be simplified as well as diversified.

For how long have I used the solution?

I've been using the solution for 5 years.

What do I think about the stability of the solution?

The solution is very stable. Presently there are only around three people including me using this particular solution. I really don't think we would be needing anything more than these as of right now.

What do I think about the scalability of the solution?

I would say that scalability doesn't apply to this particular application.

How are customer service and technical support?

Presently there is only community support available, and we are able to solve a lot of problems using the documentation with community support.

Which solution did I use previously and why did I switch?

Yes, we actually use a couple of different products but there is one specifically that we use, which is the Burp Suite.

How was the initial setup?

The initial setup was very straightforward.

What's my experience with pricing, setup cost, and licensing?

This app is completely free and open source. So there is no question about any pricing.

What other advice do I have?

I would recommend that you should go through the documentation really well. That's it.

I would rate this product 8 out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user