# ZAP vs Burpsuite in my mind in 2022
Hi :D
I’m going to compare ZAP and Burpsuite after a long time. Of course, it’s extremely subjective, so I hope you take it lightly and enjoy it.
## TL;DR
- ZAP has a powerful scripting engine and automation.
- Burpsuite has a powerful scanning engine and is an early adopter of new tech.
- They’re both really cool tools.
## Compare
| | ZAP | Burpsuite |
|---|---|---|
| Proxy | O, HTTP/1.1 | O 🎖, HTTP/1.1, HTTP/2 |
| Passive scan | O | O |
| Active scan | O | O |
| Scan configuration | O 🎖, easy, detailed control | O |
| Scan results | O, maps more information | O, detailed results |
| Live scan | O, ATTACK mode | O, Live tasks |
| Manage scope | O, detailed | O, easy |
| Manage workspace | O | O |
| Spidering | O, Spider, AJAX Spider | O, powerful crawler |
| Extensions (add-ons) | O, high quality | O 🎖, high quality, many features |
| Scripting | O 🎖, Zest 👍, Ruby, Python, JS, Groovy, etc. | O, Python, Ruby |
| Performance | O, fast, but heavy 😫 | O, faster, but very heavy 🤯 |
| Automation | O 🎖, Automation Framework, REST API, CLI flags | O, REST API (Pro), GraphQL API (Enterprise) |
| CI/CD friendly | O 🎖, GitHub Actions, Jenkins extensions, REST API, CLI flags, Automation Framework | O, REST API (Pro), GraphQL API (Enterprise) |
| Dark mode | O, IntelliJ theme is possible, but not officially supported | O, supports IntelliJ theme |
| Embedded browser | O, Firefox, Chrome, PhantomJS, Gecko | O, Chrome, but Burpsuite persists the browser session 😍 |
| Manual testing | O, Manual Request, Requester, only History | O 🎖, Repeater, Inspector, Stepper, Logger, Flow and many history extensions |
| Fuzzing | O 🎖, with fuzz scripts | O 🎖, with Turbo Intruder |
| OAST testing | O 🎖, OAST (public/private OAST), Callbacks (system OAST), Interactsh | O 🎖, Burp Collaborator (public/private OAST), Interactsh (extension) |
| AAA testing | O, Access Control, Zest | O, many extensions |
| DOM testing | O, Eval Villain | O 🎖, DOM Invader 👍, Burp is powerful when active scanning the DOM |
| Param mining | O, only with the fuzzer, powerful but not easy | O 🎖, Param Miner 👍, powerful and easy |
| Smuggling testing | O, Manual Request, fuzzer | O 🎖, Repeater, Turbo Intruder, HTTP Smuggler |
| Utilities for testing | O, en/decoder, compare, notes, etc. | O, en/decoder, compare, notes, etc. |
| Statistics | O, statsd, scanning graph | X |
| WebSocket support | O | O |
| SSE support | O | X |
| postMessage support | O | O |
| JWT support | O | O |
| GraphQL support | O | O 🎖, InQL..! |
| New tech | O | O 🎖, adopted fast |
| Using other applications | O | O |
| Customization | O 🎖 | O |
| Hotkeys | O | O |
| Settings | O 🎖, very detailed control | O |
| User friendly | O, good documentation | O 🎖, most people like Burp, many articles |
| Dashboard | X | O |
| Use from web | O, Webswing, HUD | X |
## ⚜️ UI
Choose the UI according to your own taste! They are similar but very different. I love both :D
## ⚡️ Power of ZAP
### 🪄 Powerful Scripting
ZAP is built on a powerful scripting engine. Through it, I can configure everything I need for testing, which I think is the most powerful feature of ZAP.
The more you script, the more possibilities and power ZAP gains.
### ⚙️ Configuration
ZAP supports very detailed configuration. This means you can tune the tool to your needs.
If you set it up well, nothing is more comfortable.
### 🤖 Automation
The direction ZAP is heading is automation. This makes it really good for CI/CD or automated flows, beyond being just a tool for manual testing.
Imagine a tool you know well running in your automation. It’s really cool, right?
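As an added example (not from this post), here is a minimal ZAP Automation Framework plan of the kind a CI job would run: it spiders a target, waits for passive scanning to finish, active-scans it, and writes an HTML report. The target URL, the excluded logout path and the report directory are constructed assumptions.

```yaml
# Added example: a ZAP Automation Framework plan for a CI job.
# Run it headless with:  zap.sh -cmd -autorun zap-plan.yaml
# The target URL and report directory below are constructed placeholders.
env:
  contexts:
    - name: "ci-target"
      urls:
        - "https://staging.example.test"            # assumption: the app under test
      includePaths:
        - "https://staging.example.test/.*"
      excludePaths:
        - "https://staging.example.test/logout.*"   # keep the crawler's session alive
  parameters:
    failOnError: true        # a job error fails the pipeline
    failOnWarning: false
    progressToStdout: true   # progress shows up in the CI log
jobs:
  - type: passiveScan-config
    parameters:
      maxAlertsPerRule: 10
      scanOnlyInScope: true
  - type: spider
    parameters:
      context: "ci-target"
      maxDuration: 5         # minutes
  - type: passiveScan-wait
    parameters:
      maxDuration: 5         # minutes
  - type: activeScan
    parameters:
      context: "ci-target"
      maxScanDurationInMins: 30
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports"   # assumption: collected as a CI artifact
      reportFile: "zap-report"
```

The same plan can be built in the ZAP desktop UI and exported, which is the easiest way to check the available job parameters for your ZAP version.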
## 🟧 Power of Burpsuite
### 🔭 Powerful Scanning
As everyone knows, Burpsuite’s scanner is the best scanning engine in existence. Based on PortSwigger’s outstanding research, it is very thorough and quick to catch new technologies.
However, from how I feel about using Burpsuite Enterprise, there are parts that are not good enough to leave all the testing to it.
### 💨 Fast support for new tech
As I said before, Burpsuite is good at new technologies! This is a great advantage not only for the scanner but also for manual testing.
### 👥 User friendly
Burpsuite is a tool loved by most security engineers and bug bounty hunters. It has been that way for a long time and will probably stay that way in the future.
Good communities and plenty of material are always a great help, from beginners to experts. This is a really good weapon.
## 🔥 Me
I really like both, but I like ZAP more now :D