It is a security tool. We use it for application testing.
It can be used effectively for internal auditing. We use it to detect f/p (false positives).
Pros and Cons
- "It can be used effectively for internal auditing."
- "It needs more robust reporting tools."
What is our primary use case?
How has it helped my organization?
It can be used effectively for internal auditing. We use it to detect f/p (false positives).
What needs improvement?
It needs more robust reporting tools that can be in an editable form.
For how long have I used the solution?
Less than one year.
Buyer's Guide
OWASP Zap
June 2025

Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,632 professionals have used our research since 2012.
What do I think about the stability of the solution?
This is a good, stable product.
How are customer service and support?
We have not used technical support.
Which other solutions did I evaluate?
We looked at Arachni and Acunetix.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Testing Engineer at a tech services company with 1,001-5,000 employees
The community edition updates services regularly. They add new vulnerabilities into the scanning list.
Pros and Cons
- "The community edition updates services regularly. They add new vulnerabilities into the scanning list."
- "As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."
What is our primary use case?
The use case was we needed to scan our website to find out what vulnerabilities were present.
We use it to scan the website, then take a report about what vulnerabilities are present on it. Next, we will manually verify those vulnerabilities for false positives.
How has it helped my organization?
Every now and then, there is an update. They add new vulnerabilities to the scan list. That is where they just keep on improving.
What is most valuable?
The community support that ZAP provides me. As an open source, it provides me flexibility and is convenient to use.
What needs improvement?
As security evolves, we would like DevOps built into it. As of now, Zap does not provide this.
I would like to have more vulnerabilities added to the scan list, because as of now, it covers around 72 to 80. I need more because we need broader coverage.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
Stability is good.
What do I think about the scalability of the solution?
We have not scaled yet. Though, we should be able to scale.
How are customer service and technical support?
I have not used any support for this solution yet.
How was the initial setup?
The initial setup is straightforward, because we can integrate it directly into the SDLC.
What other advice do I have?
The community edition updates services regularly. They add new vulnerabilities into the scanning list.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Program Manager at a manufacturing company with 1,001-5,000 employees
The tool's learning curve is smooth and light
Pros and Cons
- "It scans while you navigate, then you can save the requests performed and work with them later."
- "I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."
What is our primary use case?
OWASP ZAP is a very useful, light tool for beginners to learn how to “spider” across websites. It is easy to configure and generate reports. There are other solutions for more mature, experienced security analysts and testers, who are capable of extending the coverage of a security assessment.
It is most frequently used to review HTTP methods, how they are constructed and whether there is sensitive information in the traffic, such as how HTTPS certifications work on the website, scanning open ports visible via the web, and trying to modify HTTP methods to add or delete requests.
I have used OWASP ZAP as part of my portfolio of security tools since 2013.
How has it helped my organization?
Using this tool helps enhance and speed up the process of covering big applications with many functionalities. It scans while you navigate, then you can save the requests performed and work with them later. Also, you can pass these requests to colleagues involved in the same security assessment to increase the monitoring as well as avoid extra work.
What is most valuable?
- Interception of proxy traffic
- Session comparisons
- Port scanner
- Fuzzing
- Brute force
- Cookie management
What needs improvement?
I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
We have had stability issues a few times. You need to do extra configurations on the tool to make it catch traffic with different browsers. Otherwise, it won’t display any requests.
What do I think about the scalability of the solution?
No scalability issues. I found this to be a very flexible tool.
How are customer service and technical support?
OWASP ZAP has a forum to help out customers and analysts, as well as an interaction with other experts for a quick process of “Question-Answer”.
Which solution did I use previously and why did I switch?
OWASP ZAP is one of the solutions that I use. For simple tasks, I use Fiddler. For other advanced techniques, I use the Burp Suite. I would say OWASP ZAP is a really light, useful tool in the middle of the other two mentioned.
How was the initial setup?
Initial setup was pretty straightforward; nothing complex.
What's my experience with pricing, setup cost, and licensing?
OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate.
Which other solutions did I evaluate?
As mentioned, BURP Suite and Fiddler are two other great options. OWASP ZAP excels for what it does and for how smooth and light the tool’s learning curve can be.
What other advice do I have?
This is a very mature tool. It is capable of facilitating the work of many security experts. I highly recommend it for beginners and advanced users when some other tools fail to catch traffic.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Team Lead at a tech services company with 51-200 employees
Fuzzer and Java APIs help customize the solution for our security testing requirements
Pros and Cons
- "Fuzzer and Java APIs help a lot with our custom needs."
- "It would be nice to have a solid SQL injection engine built into Zap."
What is our primary use case?
Security/penetration testing of a Java-based Web application which is served over a SaaS platform.
Zap has been integrated as one of the important tools in our QA cycle. All beta releases of our software go through Zap scanning. Custom reports are generated - they are pretty decent and standardized - and are submitted to upper management for auditing by a third-party.
How has it helped my organization?
We save a significant amount of money on third-party security auditing time.
We are also able to minimize most of the security threats for our software prior to releases, thus saving a lot of time on security fixes and post-release patch builds.
What is most valuable?
Fuzzer and Java APIs help a lot with our custom needs.
What needs improvement?
It would be nice to have a solid SQL injection engine built into Zap.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No stability issues for us, so far.
What do I think about the scalability of the solution?
No major problems in terms of the scalability of the software.
How are customer service and technical support?
Community support and documentation are good.
How was the initial setup?
Setup of Zap is relatively easy and straightforward for any technical person, with good documentation to configure it according to your needs.
What's my experience with pricing, setup cost, and licensing?
As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out.
Which other solutions did I evaluate?
We evaluated several other packages prior to OWASP Zap, such as Burp Suite and Acunetix. We finally moved to Zap as it is open-source and provides almost all the features and the customization that we need.
What other advice do I have?
I would rate it an eight out of 10, based on the usability and variety of features provided. It is highly customizable in terms of usability and reporting, and all of this is available in a free solution.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Works at a computer software company with 1,001-5,000 employees
It makes work easier and creates faster security testing
Pros and Cons
- "It has improved my organization with faster security tests."
- "The port scanner is a little too slow."
What is our primary use case?
I tested this application for a bank and public projects. Now, I am testing products.
How has it helped my organization?
It has improved my organization with faster security tests.
What is most valuable?
- Automatic scanner: It makes work easier.
- I like the new solution, ZAP Browser Launch.
- Automation script
What needs improvement?
The port scanner and Zap could not send a request several times, but this has been corrected.
What other advice do I have?
It is a very good product. Though, the port scanner is a little too slow.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Works at a retailer with 1,001-5,000 employees
Finds Vulnerabilities And Gives The Latest Attacks And How To Protect Against Them
Pros and Cons
- "The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
- "It doesn't run on absolutely every operating system."
What is most valuable?
The vulnerabilities that it finds, because the primary goal is to secure applications and websites.
How has it helped my organization?
When I checked the CVE and MITRE databases, they gave the latest attacks that are out there for particular software and hardware, and how to protect against them.
What needs improvement?
It's possibly just a limitation of the product itself but sometimes it won't scan a particular website so you have to manually go in and make some configuration changes.
Also, it needs to have more feeds, such as from the Darknet, RSS, or intelligence like US-CERT, or some of those like NIST or other standing bodies, because right now it's got some CVEs in there, but there's more to it than just that. So if it could tie into those somehow, so you could do some research, like a "research tab" under tools with some one-click access to those forums and feeds.
In addition, it doesn't run on absolutely every operating system.
For how long have I used the solution?
Five years.
What do I think about the stability of the solution?
As far as stability goes, perhaps if you're running it in a Kali Linux virtual machine, sometimes it doesn't close out right away so I don't know if it takes too much time to flush that RAM out. It won't crash but it will lag. On Windows, it'll just close right away.
What do I think about the scalability of the solution?
Not at this point. Normally I just play with it on Windows but lately I've been using it on Kali.
How are customer service and technical support?
I haven't used it. If I have a question I'll just Google it.
Also, if you go into a forum, while that's kind of like calling a human, you're really not. It's a very well developed and very mature forum with a lot of people from different organizations all over the world, so it's top notch.
Which solution did I use previously and why did I switch?
I use a lot of different tools, the right tool for the job: Burp Suite, IBM Security AppScan, Nmap, Nikto, WPScan. Depending on what you find, you might have to use better tools, so OWASP Zap. I don't know if it's copyright infringement or not, given that it's open source, but it's possible they could build someone else's tools into the GUI of OWASP Zap. As the months and years go by, you'll probably see more features in there.
I'd have to say Burp Suite Pro, which is the licensed, paid-for version, is better but that's just because it's got more funding.
How was the initial setup?
If you're talking about Kali, which is the Linux Pentesting operating system, it comes built in. The only thing you have to do is update it from time to time and you can automate that with like a cron or a script. With Windows you have to download it manually, install it manually and check for updates.
Which other solutions did I evaluate?
Burp Suite. It's part of the pool in terms of the tools that do the job, whether they're free or commercially based. So Burp Suite and Nikto, and WPScan, that's for WordPress. They're all website security checkers per se, but they're not all created equal, some are specialized for certain things.
What other advice do I have?
If you're a company and you've got your own websites, internally and externally, it's great. It's a great free, open source tool to get your security staff and even your web developers to use it. If you already have a mature SDLC framework in place or web development, then maybe you should get even maybe more serious and buy the Burp Suite Professional license or other tools out there like Acunetix.
But overall I think it's a great product. It finds, I'd say, 90% if not more of the things that it needs to and helps you remediate any security findings.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technologist at a tech services company
API Is Exceptional. Documentation needs some love
Pros and Cons
- "The API is exceptional."
- "The documentation is lacking and out-of-date, it really needs more love."
What is most valuable?
The API is exceptional.
How has it helped my organization?
I can provide examples of how OWASP Zed Attack Proxy (ZAP) has been used inside many of my customers' environments. I've set up Security Regression testing using the ZAP API and written about how this is done in my first book.
I've also spoken and run many pieces of training on setting up Security Regression testing with the ZAP API.
What needs improvement?
The documentation is lacking and out-of-date; it really needs more love. This is a common scenario with developers running many open-source projects. The community is trying to help with this. I've done my part by providing details on how to use the ZAP API for Security Regression testing. I think ZAP is now sponsored by the Linux Foundation.
For how long have I used the solution?
I have used this solution for around six to seven years.
What do I think about the stability of the solution?
There were no stability issues; it has been production-ready for a long time.
What do I think about the scalability of the solution?
There were no scalability issues. ZAP is a very fully featured HTTP intercepting proxy with many types of attacks targeting a plethora of known vulnerabilities. The OWASP Top 10 receives good coverage with ZAP. The REST API scales as far as you have resources. ZAP also has a docker image.
How are customer service and technical support?
Technical support is excellent. The maintainers have gone well beyond what would be expected of any open-source project maintainers. They have personally worked with my customer projects to help on some of the issues we had with some legacy HTTP applications that had communications that were difficult to reason about. ZAP was not at fault at all, but the maintainers were very passionate about making sure I got the security regression system working well.
Which solution did I use previously and why did I switch?
I've used many HTTP intercepting proxies; ZAP is one of the few that has an excellent API to program against. Using ZAP manually is also very fully featured.
How was the initial setup?
Using the API was initially difficult to set up, not because the API was difficult, but working out the incantations that needed to be sent. You can see these in my code.
What's my experience with pricing, setup cost, and licensing?
It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is very easy.
Which other solutions did I evaluate?
I've been evaluating all the well-known HTTP intercepting proxies for years; as I have mentioned earlier, ZAP is the only one that has a fully featured REST API. It also has API clients written in many languages.
What other advice do I have?
Don't re-implement it, just use it.
It's an excellent solution, driven by committed and passionate security-focused developers.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Test Automation Project Lead at a tech services company with 1,001-5,000 employees
A useful tool for security testing and penetration testers.
Pros and Cons
- "Simple and easy to learn and master."
- "Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
What is most valuable?
- Very good open source security tool supporting the top 10 vulnerabilities (Injections, Session Management, XSS, Authentication, Authorization, etc.).
- Simple and easy to learn and master.
- Good online product documentation.
- Built-in features include: intercepting proxy, Plug-n-Hack support, automated scanning, passive scan, fuzzer, traditional and Ajax crawling, WebSocket support and so on.
- Detailed reporting mechanism.
- The tool has been translated into 25 different languages.
- Can be executed through GUI, command line and also in Daemon mode with the help of REST API.
- Very good API support for automating security tests.
- Supports multiple platforms like Mac, Linux and Windows.
- It's easy to create add-ons and extensions to scale up the features of the tool.
How has it helped my organization?
We have leveraged our existing functional tests for security testing by integrating web driver scripts with the OWASP ZAP tool.
What needs improvement?
Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation.
For how long have I used the solution?
6 months
What was my experience with deployment of the solution?
Did not encounter any issues. It's easy to install and configure.
What do I think about the stability of the solution?
So far I am very comfortable and did not find any stability related issues.
What do I think about the scalability of the solution?
It is scalable, by creating new extensions and add-ons for the tool. But we faced a couple of challenges initially, which were solved with the help of online documentation.
How are customer service and technical support?
Customer Service: 4/10
Technical Support: 4/10
Which solution did I use previously and why did I switch?
No
How was the initial setup?
It is very simple to install and configure.
What about the implementation team?
We have implemented this with the in-house team support.
What was our ROI?
Instead of creating a new framework for security tests, it helped us to leverage (reuse) our existing functional test automation framework for security tests. This reduces a lot of rework.
What's my experience with pricing, setup cost, and licensing?
It is highly recommended as it is an open source tool.
Which other solutions did I evaluate?
No, we are happy with the features provided with this tool, but if you want to go with static code analysis for security tests, we need to find a different option here.
What other advice do I have?
Very good and useful tool for security testing and penetration testers.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
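Two of the reviews above describe the same pattern: driving ZAP in daemon mode through its REST API so that an existing functional test run doubles as a security regression test (the "Technologist" review on the ZAP API, and the "Test Automation Project Lead" review on daemon mode and reusing the functional test framework). The following is an added example written for this page, not code from either reviewer or from the ZAP project. It calls the ZAP JSON API endpoints for the spider, active scanner and alerts view; the daemon address, API key, target URL, sample alerts and the suppression list are constructed placeholders. The gate logic (de-duplicate, filter by risk and confidence, drop manually verified false positives, fail the build) runs offline on the embedded sample, which is how the reviewers say they handle false positives: scan, then verify by hand, then exclude.

```python
"""Security-regression gate on top of the ZAP REST API (daemon mode).

Added example for this page; not the reviewers' code and not part of ZAP.
Run ZAP first, e.g.:  zap.sh -daemon -port 8090 -config api.key=<key>
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_URL = "http://127.0.0.1:8090"       # assumed daemon address (constructed)
API_KEY = "REPLACE-WITH-ZAP-API-KEY"    # placeholder, never commit a real key
TARGET = "http://staging.example.test"  # constructed target URL

# Risk and confidence labels as returned by ZAP's alerts view, ranked so the
# gate can say "Medium or worse" / "at least Medium confidence".
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE_RANK = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3,
                   "User Confirmed": 4}


def zap_api(component, kind, name, params=None, zap_url=ZAP_URL, api_key=API_KEY):
    """Call one JSON endpoint: <zap_url>/JSON/<component>/<view|action>/<name>/."""
    query = dict(params or {})
    query["apikey"] = api_key
    url = f"{zap_url}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for_scan(component, scan_id, poll_seconds=2.0):
    """Block until the spider or active scan reports 100% progress."""
    while int(zap_api(component, "view", "status", {"scanId": scan_id})["status"]) < 100:
        time.sleep(poll_seconds)


def run_scans(target=TARGET):
    """Spider the target, actively scan it, and return the raw alert list."""
    spider_id = zap_api("spider", "action", "scan", {"url": target})["scan"]
    wait_for_scan("spider", spider_id)
    ascan_id = zap_api("ascan", "action", "scan", {"url": target})["scan"]
    wait_for_scan("ascan", ascan_id)
    return zap_api("core", "view", "alerts", {"baseurl": target})["alerts"]


def alert_key(alert):
    """Identity used for de-duplication and for the false-positive list."""
    return (alert.get("alert"), alert.get("url"), alert.get("param"))


def dedup(alerts):
    """ZAP reports one alert per request; collapse repeats of the same finding."""
    seen, unique = set(), []
    for alert in alerts:
        key = alert_key(alert)
        if key not in seen:
            seen.add(key)
            unique.append(alert)
    return unique


def summarize_alerts(alerts):
    """Count unique alerts per risk level (unknown labels count as Informational)."""
    counts = {level: 0 for level in RISK_RANK}
    for alert in dedup(alerts):
        counts[alert.get("risk") if alert.get("risk") in counts else "Informational"] += 1
    return counts


def gate(alerts, fail_at="Medium", min_confidence="Medium", suppressed=frozenset()):
    """Return (passed, offending). Fails on any unique alert whose risk is at least
    fail_at and whose confidence is at least min_confidence, unless its key is in
    the hand-verified false-positive set `suppressed`."""
    offending = [
        a for a in dedup(alerts)
        if RISK_RANK.get(a.get("risk"), 0) >= RISK_RANK[fail_at]
        and CONFIDENCE_RANK.get(a.get("confidence"), 0) >= CONFIDENCE_RANK[min_confidence]
        and alert_key(a) not in suppressed
    ]
    return (len(offending) == 0, offending)


# Constructed sample mimicking the alerts view; not real scan output.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": f"{TARGET}/login", "param": "user"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": f"{TARGET}/login", "param": "user"},            # duplicate request
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": f"{TARGET}/", "param": "X-Content-Type-Options"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Low", "url": f"{TARGET}/search", "param": "q"},
    {"alert": "Cookie Without Secure Flag", "risk": "Medium", "confidence": "High",
     "url": f"{TARGET}/login", "param": "session"},
]
# Findings a human has already verified as false positives (constructed).
SUPPRESSED = frozenset({("Cookie Without Secure Flag", f"{TARGET}/login", "session")})

if __name__ == "__main__":
    alerts = run_scans()                      # needs a live ZAP daemon
    print(summarize_alerts(alerts))
    passed, offending = gate(alerts, suppressed=SUPPRESSED)
    for a in offending:
        print(f"{a['risk']:<7} {a['confidence']:<7} {a['alert']} at {a['url']} [{a['param']}]")
    raise SystemExit(0 if passed else 1)     # non-zero exit fails the CI job
```

Wire `run_scans()` to run after the functional suite has exercised the application through ZAP as its proxy, so the spider and active scan start from an already-populated site tree; the suppression set should live in version control beside the tests so that each accepted false positive is reviewed like any other change.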

Note that this tool will not cover 100% of (comprehensive) security testing, but it will be beneficial for a basic level of security tests along with functional tests.