Difference between OWASP ZAP & BURP SUITE


Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.

In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suitethen acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed. Penetration testers can pause, manipulate and replay individual HTTP requests in order to analyze potential parameters or injection points. Injection points can be specified for manual as well as automated fuzzing attacks to discover potentially unintended application behaviors, crashes and error messages.

What is ZAPP :

OWASP ZAPStable release2.8.0 / 7 June 2019; 32 days agoWritten inJavaOperating systemLinux, Windows, OS XAvailable in25,languagesTypeComputer securityLicenseApache

OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.

It is one of the most active OWASP projects and has been given Flagship status.

When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.

It can also run in a daemon mode which is then controlled via a REST API.

ZAP was added to the ThoughtWorks Technology Radar in May 2015 in the Trial ring.

Difference between OWASP ZAP & BURP SUITE:

1. Security test scanners Burp vs ZAP

2. Security testing process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended

3.Difference between OWASP ZAP & BURP SUITE

4.The OWASP Top 10 vulnerabilities: • A1 Injection • A2 Broken Authentication and Session Management • A3 Cross-Site Scripting (XSS) • A4 Insecure Direct Object References • A5 Security Misconfiguration • A6 Sensitive Data Exposure • A7 Missing Function Level Access Control • A8 Cross-Site Request Forgery (CSRF) • A9 Using Components with Known Vulnerabilities • A10 Unvalidated Redirects and Forwards



7False positive – vulnerability does not exist, but found False negative – vulnerability exists, but not found

7. Burp on DVWA points priority default deep no Int. no Int. MinFalseNeg no Int. MinFalsePos 5 Certain High 16 16 18 17 17 3

Medium 0 0 0 0 0 1

Low 2 2 2 4 4 5

Firm High 9 10 12 13 9 3

Medium 1 0 0 1 1 1

Low 0 0 0 0 0 -5

Tentative High 2 16 13 17 4 -3

Medium 5 8 10 11 9 -1

Low 0 0 0 0 0

summary 105 28 57 39 90

What is most valuable in OWASP ZAP?

The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client for helping them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.

What needs improvement in OWASP ZAP?

OWASP Zap has the award for best token authentication. A lot of applications are getting into this space where there are token barriers. Moreover ZAP Proxy security scans are excellent providing a comprehensive coverage.

One area where the tool can be improved is specifically,  if there's some more intelligence that can be added on to the reporting feature, it would be great. 

There's some element of intelligence that can be built into it as to how reports can be generated. Currently, there are only a few ways, i.e. a couple of templates with which you can generate these reports. If there are additional templates that could be put in place, the reports would come out very well, and we'd be able to edit it along reading the report.

That could be good for us to make it through. Because that is an area that we've seen typically, where it's common in the other tools. We run the test. We run the scans. We do the vulnerability assessment, analyze their impacts and then we generate the report.

There's the element of documentation that we need to create along with that. If there is a provision to enter inputs like below as part of report generation:

Project informationClient nameOrganization namePlatform against which this test has been done

If these small inputs can be handled, at the end of the report, I would have a customized report which I could easily give across to the customer.

Today it's this is something not easily available in not at that level in the tool. In the reporting presentation format, Acunetix tool has a much better "look and feel" appearance.

What is most valuable in Burp Suite?

I like the way the tool has been designed. Once I capture the proxy, I'm able to transfer across, all the requested information that is there. I can send across the request to the 'Repeater' feature. I put in malicious payloads and then see how the application responds to it.

More than that, the Repeater and Intruder are really awesome features on BurpSuite. For example, if I'm going to test for a SQL injection, I have certain payloads that are trying to break into the application. I make use of these predefined payloads which come as part of the tool are really useful for us to use and see how the application behaves. We are able to approximate well to see if the application is breaking through at any point in time.

So the Repeater and the Intruder, are great features that are there. More than that I think the entire community support is really fabulous. As well as of the number of plug-ins that people have written for the tool. Those have been standouts. Community support is really strong. We see a lot of plug-ins that are made available that work along with the tool.

What needs improvement in Burp Suite?

In the earlier versions what we saw was that the REST API was something that needed to be improved upon but I think that has come in the new edition when I was reading through the release offset available. 

There is a certain amount of lead time for the tickets to get resolved. The biggest improvement that I would like to see from PortSwigger is what many people see as a need in their security testing that coudl be priortized and developed as a feature which can be useful. For example, if they're able to take these kinds of requests, group them, prioritize and show this is how the correct code path is going to be in the future, this is what we're going to focus around in building in the next six months or so.

Pricing, setup cost, and licensing?

As far as pricing concerns, for value in the commercial solutions when it comes to security testing tools, it is Burp Suite. Some Burp Suite licenses are available for $300 over a 1-year term, which is pocket-friendly for us. We feel that PortSwigger Burp Suite is the best value for the money that we get. When it comes to clients looking for non-commerical licenses, OWASP Zap tool is the best fit.

Licensing costs are about $450/year for one use. For larger organizations, they're able to test against multiple applications while simultaneously others might have multiple versions of applications which needs to be tested which is why there is an enterprise edition. We might have more than five to six people and then whole organizations doing security testing. You can give full-base access to them and control who uses your licenses.

It depends on the stream of projects, business pipeline that I get, but security is not something that done all throughout the year. We get it in cycles. We pace it in such a way that from our different customers that we work with, we actually have one project running throughout the year. I might do a project for Client X during the month of let's say January to February. Then for another client, I might have something lined up for April to May. So with a single license, I am able to maximize the usage very well.

An Ethical hacker should know the penalties of unauthorized hacking into a system. Read more at: Legality and Ethics