Hi All, we are looking to get a security testing tool for our ecommerce app, mostly linked with 3p API. I did try to research both, but no strong leaning towards any. Please can someone suggest me, what to go with? Thank you!
What are the differences between Burp and OWASP ZAP? - Information Security Stack Exchange
Burp Suite vs OWASP ZAP comparison part 1
Burp Suite vs Fiddler
Open Source Burp Suite Alternative
Burp has a community edition that may do what you want. Or zap. I prefer zap personally.
More on reddit.comIs Burp Suite better than ZAP?
Can ZAP replace Burp Suite for penetration testing?
How much does Burp Suite cost?
Videos
It is true that both tools are in the same space. Burp is a commercial closed source tool (which can be extended) developed by a commercial company while ZAP is a free open source tool developed by the community.
Both have relative strengths and weaknesses, but as the ZAP project lead I'll let others enumerate those as I'm kind of biased.
Having 2 tools with overlapping functionality is (in my opinion) a good thing, and many security people chain ZAP and burp together to get the advantages of both.
I feel like this might largely be a question of UI preference, as I haven't found something I did in BurpCE that I really can't do in ZAP, and I would say that ZAP is more intuitive. Also, the tabs in Burp are super annoying, and can get unmanageable when you start to have a ton. There are definitely some rough patches in ZAP where doing something looks to be possible, but its just easier in Burp. I do find myself in ZAP more than BurpCE after really getting used to ZAP.
That being said, it seems like Burp's paid feature set is much more of a "Web Application Scanner", which devs can leave running somewhere and just let it scan and flag stuff, as opposed to ZAP, being a tool for web app vuln testing that has to actively be used by the end user.