🕸️Stop Using Burp Suite, Use ZAP!⚡

Robert Scocca
Published in Geek Culture
Jul 6, 2021

Why use Burp Suite when OWASP ZAP does it all* without the paywall? Everything you do in Burp Community can be done just as well in ZAP.

Nearly every web application pentesting tutorial you’ll find online uses Burp Suite Community for demonstrations, but why is this? Burp Suite is the most popular, but every time I use it, I feel like I’m playing a free-to-play game where all the good stuff is behind a “membership”. There is a persistent feeling of irritation in facing this paywall every time I use Burp.

Burp Suite has its vulnerability scanner and its fuzzing capabilities, among other things, behind a paywall of up to $400 USD per year. This is beyond consideration for someone who is an aspiring security professional doing CTFs and Boot2Root boxes.

Yet, it is important to know how Burp Suite works in case you end up in employment where the firm does have the Pro edition. *Also note that Burp Suite does have features that OWASP ZAP doesn’t have, like Session Token Entropy Analysis, Comparison Feature, and a huge library of extensions. So there are some things Burp has ZAP beat on. However, for an independent web pentester, OWASP ZAP is the overall better alternative to Burp Suite.

I’ll “translate” essential features you’re familiar with in Burp Suite to ZAP like:

Burp Suite -> ZAP

  • Proxy -> Requests/Response Editor
  • Intercept -> Break Points
  • Repeater -> Open/Resend Request Editor
  • Intruder -> Fuzz
  • Vulnerability Scanner -> “Attack”

Proxy -> Requests/Response Editor

Clicking on the “Proxy” tab in Burp Suite brings up all the traffic being captured by Burp’s proxy. Luckily, you don’t have to set up the proxy in your own browser manually anymore (as you may see in a lot of guides and tutorials), thanks to the “Open Browser” feature.

OWASP ZAP shares these nifty features too. Click on “Manual Explore” and “Launch Browser” to start capturing web traffic to the ZAP proxy without any configuration of your own browser.