Burp Suite vs ZAP
Hello Friends,
Both of these tools (Burp Suite & ZAP) are proxy tools. What does that mean?
It means that you run your web traffic through them. That is done by setting the proxy of your browser to point at one of these tools.
In plain English: You're telling your browser "hey, when I type google.com, go to ZAP first (or go to Burp Suite first), and let it take you to google.com".
What this does is allow the tool to see all of your traffic, and from there it lets you do all sorts of cool things, like scanning the site for hidden files and a plethora of other things.
I'm a fan of FoxyProxy, an add-on for Firefox that lets you set up multiple proxies and choose which one you want to use, or none at all; it makes life a lot easier.
Burp Suite has added a built-in Chromium "browser" feature to the tool. That's right. When you open up Burp Suite, navigate to the Proxy > Interceptor section, and there is a button to launch a browser. Once you do that, it's automatically configured to run through Burp.
ZAP ALSO has this feature: when you start ZAP, right on the main toolbar there is a Firefox browser button, which automatically opens the browser configured to run through ZAP.
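To make the "go to the proxy first" idea concrete, here is a small logging HTTP proxy I added as an illustration; it is not code from Burp Suite or ZAP. It listens on 8080 (a port I chose to match the tools' default), logs every request and response it relays, and only handles plain HTTP, since TLS interception is exactly the extra work Burp and ZAP do for you.

```python
"""Minimal logging HTTP forward proxy (added example, not Burp/ZAP code)."""
import http.server
import urllib.error
import urllib.request
from urllib.parse import urlsplit

LISTEN_PORT = 8080  # assumption: same default port Burp and ZAP listen on


def parse_proxy_request(request_line):
    """Split a proxy-style request line into (method, host, path).

    A browser pointed at a proxy sends an absolute URL, for example
    'GET http://example.com/search?q=1 HTTP/1.1', instead of a bare path.
    """
    method, target, _version = request_line.strip().split(" ", 2)
    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.netloc:
        raise ValueError("expected an absolute http:// URL in a proxy request")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return method, parts.netloc, path


class LoggingProxy(http.server.BaseHTTPRequestHandler):
    """Logs each request it relays, then passes request and response through."""

    def do_GET(self):
        method, host, path = parse_proxy_request(self.requestline)
        # This is the "seeing all the traffic" part: the proxy holds the full request.
        print(f"[proxy] -> {method} {host}{path}")
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("proxy-connection", "connection")}
        req = urllib.request.Request(f"http://{host}{path}", headers=headers)
        # Empty ProxyHandler so the relay never loops back through itself via env vars.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        try:
            resp = opener.open(req, timeout=10)
        except urllib.error.HTTPError as err:
            resp = err  # 4xx/5xx replies are still responses; relay them unchanged
        body = resp.read()
        print(f"[proxy] <- {resp.getcode()} {len(body)} bytes from {host}")
        self.send_response(resp.getcode())
        for k, v in resp.info().items():
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Point the browser's HTTP proxy at 127.0.0.1:8080 (e.g. via FoxyProxy) and watch the log.
    http.server.HTTPServer(("127.0.0.1", LISTEN_PORT), LoggingProxy).serve_forever()
```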
// Burp Suite
Burp Suite has 2 versions, Community & Professional.
The Community version is the free version of the tool, and of course the Pro is the paid version.
I've personally noticed 3 main differences between the 2 versions, and they all pertain to the Community (free) version.
1- It is slower to scan (especially with Brute Force attacks).
2- You cannot save your session to be able to come back to it.
3- There are some extensions that you may not be able to install.
As long as you are aware of these limitations, you can still work with the Community version. Most people do. It is still a very formidable tool, and is still feature rich.
// ZAP (Zed Attack Proxy)
I have a soft spot for open source projects, therefore I am a fan of ZAP.
Since it is an open source project, it is completely free and full of great features. This also means that if any upgrades or new features are added, they are automatically available to all users. It's even cross platform (Windows, Mac, Linux). They also encourage people to join the community, and even contribute to the project if you can.
It is quick, and as of the writing of this post it has a cool feature called HUD (Heads Up Display), which brings up some of the tools you may need on the sides of the browser so you can launch things from the browser, which is just super cool. You can easily turn it off, but having it right there for you is pretty neat.
They also have a marketplace to be able to install add-ons.
They have an automated feature as well.
Also, it's automatically installed on Kali Linux if that's what you're using as your hacker OS.
There is a lovely little video series called ZAP in Ten which I would recommend checking out. It was a collaboration between All Day Dev Ops & the project manager of ZAP.
// Conclusion
There you go.
If you're a student or a hacking hobbyist, I would recommend downloading both and trying them out. ZAP is free, and Burp Suite (Community) is also free. As you read earlier, each one has some cool features: Burp now has its internal pre-proxied browser, and ZAP has the HUD for your browser. One thing I started doing is actually scanning the same site with both, and they sometimes find different things, so it can be very helpful to learn the basics of both, then choose one of them and dive deep.
I hope that was helpful.
Go (ethically) Hack The Planet.
[R/F]