There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.
Sometimes, we get some false positives. The developers understand the context and usually tell me if it's a false positive and why. The reporting was bad in the past, but it has improved. It would be nice if we could have the report output in PDF. The product could automate the reports to email.
Researcher in Cyber Security at Sekolah Tinggi Ilmu Statistik BPS
Real User
Top 10
2024-03-11T08:36:55Z
Mar 11, 2024
There is the point that there may be false positives if we're doing vulnerability scanning. The automated scanning feature is good. But if the website has a web application firewall, it's very difficult to use automated scanning. Because the automated scan sends many requests at the same time, and the WAF will block it as suspicious activity. The results of an automated scan may not be very successful for websites with WAFs because many requests will be blocked. Therefore, improving the algorithm accuracy for finding leaks in OWASP ZAP is important to decrease false positives. The algorithm used for finding leaks needs improvement. During scanning, if we execute exploits to find vulnerabilities, there are many false positives. Additionally, it would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results. In the next improvement for OWASP Zap is to add the ability to integrate with tools like Burp Suite Professional. Also, improving the algorithms to identify leaks is important to decrease false positive discovery. It has a large wordlist. If we could integrate with that feature, it would be helpful. However, if we use OWASP ZAP standalone, we would need to create or find wordlists ourselves, which takes significant time.
Since it is a community-based tool, I am unsure if OWASP Zap is quite up to date with recent weaknesses currently exploitable in work. So, sometimes we have to add to do it manually. How to differentiate between the false positive and the true findings need improvement. In general, the shortcomings in the accuracy of the findings need to be improved. The automation process can help us perform website attacks using the latest exploit techniques and procedures, often used in reverse scenarios. Although other commercial solutions have this feature, I hope OWASP Zap can catch up and offer similar capabilities.
Cyber Security Engineer at a transportation company with 10,001+ employees
Real User
Top 20
2023-03-16T16:40:17Z
Mar 16, 2023
We'd like the solution to continue to add more extensions. They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better. It's not as good as it was.
Automation Engineer at a tech services company with 1,001-5,000 employees
Real User
2022-10-31T18:37:08Z
Oct 31, 2022
We get too many false positives and that should definitely be improved. I'd like to see site scanning included in the solution because it can get into your hidden files and reports.
The product reporting could be improved. It could be changed to authorize reporting to be viewed from different perspectives to get additional regulatory requirements.
I'd like to see more regular updates with new features and I'd like to see resources where users can internally access a learning module from the tool. It would be helpful for any user interested in developing their skills. They have all the built-ins but it's not user-friendly in the sense that the UI is not as easy as you'd find in a solution such as the Burp Suite.
The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more. It should have more reporting options because the reporting options are currently only in HTML, XLS, and so on, but there is nothing in PDF or Word, which makes it a bit less user-friendly. It needs more comprehensive reporting. It already has a reporting system, but it is just not user-friendly.
The disadvantage of Zap is that we're unable to customize reports as it only has a single standard format. The default PDF template has no proper customizations, dashboards, or any sort of widgets that we can maintain. There's a single dashboard and only one type of report that it provides.
The forced browse has been incorporated into the program and it is resource-intensive. It was a copied program named DIR Buster Doorbuster. It needs to be improved, it's too resource-hungry. I found another program that is written in the Go language and it does the same thing, but it is much faster and more efficient. It will crash those proxy programs within Zap if you do more than one, it will take forever. It needs to be rewritten, maybe not in Java.
Software Engineer at a computer software company with 201-500 employees
Real User
2021-07-19T02:17:09Z
Jul 19, 2021
Zap could improve by providing better reports for security and recommendations for the vulnerabilities. Additionally, they should allow more testing other than web applications, such as on the cloud and VMs.
Technical Specialist(DevOps) at a tech services company with 1,001-5,000 employees
Real User
2021-04-06T13:58:13Z
Apr 6, 2021
The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.
Subdirector de Seguridad Informática e Infraestructura at a financial services firm with 201-500 employees
Real User
2021-02-11T05:01:31Z
Feb 11, 2021
The technical support could be improved. It doesn't offer traditional technical support at all. It would be a great improvement if they could include a marketplace to add extra features to the tool. It would make it more customizable and allow users to add more features as they like.
Assistant Vice President at Hexaware Technologies Limited
Vendor
2020-11-12T08:21:07Z
Nov 12, 2020
I can't recall any features that are lacking. In my role as a service provider, I only go up to standards defined by somebody else. So far, this solution has met their standards. So far I've not come across a scenario where we had to do anything that's a major rework due to the fact that we didn't catch something soon enough in the queries that we are using. It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful. Right now, I can't give it off to a team and expect them to give me a report that I'm happy with. I will give it to a team and they will have to have another person sit with them to make sure they have configured it right. Some kind of pre-designed templates, pre-designed guidelines, or patterns to compliment the tool would go a long way in helping us use the solution.
I'd like to be able to explore more and improvements could be made in that area because for now I'm only able to explore the manual testing feature. I'd also like to see an improvement in test reports because we get too many false positives.
The product is somewhat complicated and could be improved by simplifying it because you don't want to have to allocate one person to maintain the solution full time. We'd like to be able to deploy it and have it work. Ideally we'd like to be able to get a pull request analysis and the analysis of repositories. I think they could definitely work on a more simplified deployment. That would improve the product. The issues are not necessarily related to the solution but possibly connected to how it was initially set up.
Senior Manager at a marketing services firm with 10,001+ employees
Real User
2019-06-24T12:13:00Z
Jun 24, 2019
I'm still in the process of exploring. I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help.
The automatic scans need improvement. The automated vulnerability assessments that the application performs needs to be simplified as well as diversified.
There is definitely room for improvement. I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers. I also think it should have an open-source tool. I would also love to see an improvement in visibility.
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Real User
2019-06-19T05:02:00Z
Jun 19, 2019
OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover ZAP Proxy security scans are excellent providing a comprehensive coverage. One area where the tool can be improved is specifically, if there's some more intelligence that can be added on to the reporting feature, it would be great. There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there are additional templates that could be put in place, the reports would come out very well, and we'd be able to edit it along reading the report. That could be good for us to make it through. Because that is an area that we've seen typically, where it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts and then we generate the report. There's the element of documentation that we need to create along with that. If there is a provision to enter inputs like below as part of report generation: * Project information * Client name * Organization name * Platform against which this test has been done If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer. Today it's this is something not easily available in not at that level in the tool. In the reporting presentation format, Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that.
I would like for them to make it easier to understand exactly what has been checked and what has not been checked. We have to trust that it has checked all known vulnerabilities on all parts of the webapp, but it's a bit hard to see that after scanning. I would also like for them to develop graphical reports on the scan. Based on the log, some graphical drawing could show what part of the site has been tested. I would like to see that it has tested everything that we wanted to test.
Security Testing Engineer at a tech services company with 1,001-5,000 employees
Real User
2018-07-09T07:46:00Z
Jul 9, 2018
As security evolves, we would like DevOps built into it. As of now, Zap does not provide this. I would like to have more vulnerabilities added to the scan list, because as of now, it covers around 72 to 80. I need more because we need broader coverage.
OWASP Zap is a free and open-source web application security scanner.
The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.
With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.
There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.
Sometimes, we get some false positives. The developers understand the context and usually tell me if it's a false positive and why. The reporting was bad in the past, but it has improved. It would be nice if we could have the report output in PDF. The product could automate the reports to email.
There is the point that there may be false positives if we're doing vulnerability scanning. The automated scanning feature is good. But if the website has a web application firewall, it's very difficult to use automated scanning. Because the automated scan sends many requests at the same time, and the WAF will block it as suspicious activity. The results of an automated scan may not be very successful for websites with WAFs because many requests will be blocked. Therefore, improving the algorithm accuracy for finding leaks in OWASP ZAP is important to decrease false positives. The algorithm used for finding leaks needs improvement. During scanning, if we execute exploits to find vulnerabilities, there are many false positives. Additionally, it would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results. In the next improvement for OWASP Zap is to add the ability to integrate with tools like Burp Suite Professional. Also, improving the algorithms to identify leaks is important to decrease false positive discovery. It has a large wordlist. If we could integrate with that feature, it would be helpful. However, if we use OWASP ZAP standalone, we would need to create or find wordlists ourselves, which takes significant time.
The reporting feature could be more descriptive.
OWASP Zap needs to extend to mobile application testing.
The technical support team must be proactive. The team must advise users about the available features, how to find them, and how to use them better.
ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline.
Since it is a community-based tool, I am unsure if OWASP Zap is quite up to date with recent weaknesses currently exploitable in work. So, sometimes we have to add to do it manually. How to differentiate between the false positive and the true findings need improvement. In general, the shortcomings in the accuracy of the findings need to be improved. The automation process can help us perform website attacks using the latest exploit techniques and procedures, often used in reverse scenarios. Although other commercial solutions have this feature, I hope OWASP Zap can catch up and offer similar capabilities.
We'd like the solution to continue to add more extensions. They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better. It's not as good as it was.
We get too many false positives and that should definitely be improved. I'd like to see site scanning included in the solution because it can get into your hidden files and reports.
The product reporting could be improved. It could be changed to authorize reporting to be viewed from different perspectives to get additional regulatory requirements.
I'd like to see more regular updates with new features and I'd like to see resources where users can internally access a learning module from the tool. It would be helpful for any user interested in developing their skills. They have all the built-ins but it's not user-friendly in the sense that the UI is not as easy as you'd find in a solution such as the Burp Suite.
The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more. It should have more reporting options because the reporting options are currently only in HTML, XLS, and so on, but there is nothing in PDF or Word, which makes it a bit less user-friendly. It needs more comprehensive reporting. It already has a reporting system, but it is just not user-friendly.
The disadvantage of Zap is that we're unable to customize reports as it only has a single standard format. The default PDF template has no proper customizations, dashboards, or any sort of widgets that we can maintain. There's a single dashboard and only one type of report that it provides.
The forced browse has been incorporated into the program and it is resource-intensive. It was a copied program named DIR Buster Doorbuster. It needs to be improved, it's too resource-hungry. I found another program that is written in the Go language and it does the same thing, but it is much faster and more efficient. It will crash those proxy programs within Zap if you do more than one, it will take forever. It needs to be rewritten, maybe not in Java.
Zap could improve by providing better reports for security and recommendations for the vulnerabilities. Additionally, they should allow more testing other than web applications, such as on the cloud and VMs.
The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed.
The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.
The technical support could be improved. It doesn't offer traditional technical support at all. It would be a great improvement if they could include a marketplace to add extra features to the tool. It would make it more customizable and allow users to add more features as they like.
I can't recall any features that are lacking. In my role as a service provider, I only go up to standards defined by somebody else. So far, this solution has met their standards. So far I've not come across a scenario where we had to do anything that's a major rework due to the fact that we didn't catch something soon enough in the queries that we are using. It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful. Right now, I can't give it off to a team and expect them to give me a report that I'm happy with. I will give it to a team and they will have to have another person sit with them to make sure they have configured it right. Some kind of pre-designed templates, pre-designed guidelines, or patterns to compliment the tool would go a long way in helping us use the solution.
The documentation needs to be improved because I had to learn everything from watching YouTube videos.
I'd like to be able to explore more and improvements could be made in that area because for now I'm only able to explore the manual testing feature. I'd also like to see an improvement in test reports because we get too many false positives.
The product is somewhat complicated and could be improved by simplifying it because you don't want to have to allocate one person to maintain the solution full time. We'd like to be able to deploy it and have it work. Ideally we'd like to be able to get a pull request analysis and the analysis of repositories. I think they could definitely work on a more simplified deployment. That would improve the product. The issues are not necessarily related to the solution but possibly connected to how it was initially set up.
I'm still in the process of exploring. I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help.
The automatic scans need improvement. The automated vulnerability assessments that the application performs needs to be simplified as well as diversified.
There is definitely room for improvement. I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers. I also think it should have an open-source tool. I would also love to see an improvement in visibility.
OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover ZAP Proxy security scans are excellent providing a comprehensive coverage. One area where the tool can be improved is specifically, if there's some more intelligence that can be added on to the reporting feature, it would be great. There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there are additional templates that could be put in place, the reports would come out very well, and we'd be able to edit it along reading the report. That could be good for us to make it through. Because that is an area that we've seen typically, where it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts and then we generate the report. There's the element of documentation that we need to create along with that. If there is a provision to enter inputs like below as part of report generation: * Project information * Client name * Organization name * Platform against which this test has been done If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer. Today it's this is something not easily available in not at that level in the tool. In the reporting presentation format, Acunetix tool has a much better "look and feel" appearance. The clients love it when we do it in that.
I would like for them to make it easier to understand exactly what has been checked and what has not been checked. We have to trust that it has checked all known vulnerabilities on all parts of the webapp, but it's a bit hard to see that after scanning. I would also like for them to develop graphical reports on the scan. Based on the log, some graphical drawing could show what part of the site has been tested. I would like to see that it has tested everything that we wanted to test.
It needs more robust reporting tools that can be in an editable form.
As security evolves, we would like DevOps built into it. As of now, Zap does not provide this. I would like to have more vulnerabilities added to the scan list, because as of now, it covers around 72 to 80. I need more because we need broader coverage.