ZAP vs Burpsuite in my mind at 2022

Hi :D

I’m going to compare ZAP and Burpsuite after a long time. Of course, it’s extremely subjective, so I hope you enjoy it in that spirit.

## TL;DR

  • ZAP has a powerful scripting engine and strong automation support.
  • Burpsuite has a powerful scanning engine and is an early adopter of new technologies.
  • They’re both really cool tools.

## Compare

(O: supported, X: not supported, 🎖: the side I think is stronger for that row)

| | ZAP | Burpsuite |
|---|---|---|
| Proxy | O, HTTP/1.1 | O🎖, HTTP/1.1, HTTP/2 |
| Passive Scan | O | O |
| Active Scan | O | O |
| Scan Configuration | O🎖, Easy, Detailed control | O |
| Scan Results | O, Mapping more information | O, Detailed results |
| Live Scan | O, ATTACK Mode | O, Live tasks |
| Manage scope | O, Detailed | O, Easy |
| Manage workspace | O | O |
| Spidering | O, Spider, Ajax Spider | O, Powerful Crawler |
| Extensions (Addons) | O, High quality | O🎖, High quality, Many features |
| Scripting | O🎖, Zest 👍, Ruby, Python, JS, Groovy, etc. | O, Python, Ruby |
| Performance | O, Fast, but… Heavy 😫 | O, Faster, but Very heavy 🤯 |
| Automation | O🎖, Automation framework, REST API, CLI flags | O, REST API (Pro), GraphQL API (Enterprise) |
| Friendly CI/CD | O🎖, GitHub Actions, Jenkins extensions, REST API, CLI flags, Automation framework | O, REST API (Pro), GraphQL API (Enterprise) |
| Dark mode | O, IntelliJ theme is possible, but it is not officially supported | O, Supports IntelliJ theme |
| Embedded browser | O, Firefox, Chrome, PhantomJS, Gecko | O, Chrome, but Burpsuite persists the browser session 😍 |
| Manual Testing | O, Manual Request, Requester, Only History | O🎖, Repeater, Inspector, Stepper, Logger, Flow and many history extensions |
| Fuzzing | O🎖, with fuzz script | O🎖, with Turbo Intruder |
| OAST Testing | O🎖, OAST (public/private OAST), Callbacks (system OAST), Interactsh | O🎖, Burp Collaborator (public/private OAST), Interactsh (extension) |
| AAA Testing | O, Access Control, Zest | O, Many extensions |
| DOM Testing | O, Eval Villain | O🎖, DOM Invader 👍, when active scanning the DOM, Burp is powerful |
| Param Mining | O, Only with fuzzer, Powerful but not easy | O🎖, Param Miner 👍, Powerful and easy |
| Smuggling Testing | O, Manual Request, Fuzzer | O🎖, Repeater, Turbo Intruder, HTTP Smuggler |
| Utility for Testing | O, En/Decoder, Compare, Note, etc. | O, En/Decoder, Compare, Note, etc. |
| Statistics | O, Stats, Scanning Graph | X |
| Support WebSocket | O | O |
| Support SSE | O | X |
| Support postMessage | O | O |
| Support JWT | O | O |
| Support GraphQL | O | O🎖, InQL..! |
| New Tech | O | O🎖, Fast to apply |
| Using other applications | O | O |
| Customize | O🎖 | O |
| HotKeys | O | O |
| Settings | O🎖, Very detailed control | O |
| Friendly User | O, Cool documents | O🎖, Most people like Burp, Many articles |
| Dashboard | X | O |
| Use from web | O, Web Swing, HUD | X |

## ⚜️ UI

Choose the UI according to your taste! They are similar yet very different, but I love both :D

Both also let you rearrange the UI layout. It's just a difference in style.

## ⚡️ Power of ZAP

### 🪄 Powerful Scripting

ZAP is built on a powerful scripting engine. Through it, I can configure everything I need for testing, which I think is ZAP's most powerful feature.

The more you script, the more possibilities and power ZAP gives you.

### ⚙️ Configuration

ZAP supports very detailed configuration, which means you can tune the tool precisely to your needs.

Once it is set up well, nothing is more comfortable.

### 🤖 Automation

The direction ZAP is heading in is automation. This makes it really good for CI/CD and automated flows, not just a tool for manual testing.

Imagine a tool you know well running inside your automation. It's really cool, right?
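To make the automation story concrete, here is an added example (not from the original post or the ZAP project) of a ZAP Automation Framework plan that crawls a context, waits for passive scanning, runs an active scan, and writes a report, failing the pipeline if any job errors. The target URL is a placeholder, and the job types and parameter names are taken from the Automation Framework documentation as I remember it, so check them against your ZAP version.

```yaml
# Constructed example plan for the ZAP Automation Framework (added example, not from the post).
# Assumption: job types and parameter names match the ZAP Automation Framework docs; verify
# against the version you run. The target is a placeholder for an app you are authorised to test.
env:
  contexts:
    - name: "staging-app"
      urls:
        - "https://staging.example.test"          # placeholder target
      includePaths:
        - "https://staging.example.test/.*"       # keep the scan inside the app
  parameters:
    failOnError: true        # any job error makes ZAP exit non-zero, so the CI job fails
    failOnWarning: false
    progressToStdout: true   # progress in the CI log instead of only in the GUI

jobs:
  - type: spider             # traditional crawl of the context
    parameters:
      context: "staging-app"
      maxDuration: 5         # minutes; bound the crawl for pipeline use
  - type: passiveScan-wait   # let the passive rules finish on the crawled traffic
    parameters:
      maxDuration: 5
  - type: activeScan
    parameters:
      context: "staging-app"
      policy: "Default Policy"
      maxScanDurationInMins: 10
  - type: report             # artefact the pipeline can archive
    parameters:
      template: "traditional-html"
      reportDir: "/zap/reports"
      reportFile: "zap-staging-scan"
      reportTitle: "ZAP staging scan"
```

Run it headless with `zap.sh -cmd -autorun plan.yaml` (CLI flags as I know them; confirm with `zap.sh -help`), then archive `/zap/reports` as a pipeline artefact.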

## 🟧 Power of Burpsuite

### 🔭 Powerful Scanning

As everyone knows, Burpsuite's scanner is the best scanning engine in existence. Based on PortSwigger's outstanding research, it is very thorough and quick to catch up with new technologies.

However, from my experience with Burpsuite Enterprise, there are still parts that are not good enough to leave all the testing to it.

### 💨 Fast support for new tech

As I said before, Burpsuite is quick to support new technologies! This is a great advantage not only for the scanner but also for manual testing.

### 👥 User friendly

Burpsuite is a tool loved by most security engineers and bug bounty hunters. It has been that way for a long time and will probably stay that way in the future.

A good community and plenty of material are always a great help, for beginners and experts alike. This is a really good weapon to have.

## 🔥 Me

I really like both, but I like ZAP more now :D