Burp to ZAP Feature Map

ZAP to Burp

Burp Suite is a popular commercial web app pentesting tool. It provides a free (closed source) Community edition and a paid-for Professional edition. Many people are unaware that ZAP provides most of the features available in both the Professional and Community editions of Burp.

It should be noted that ZAP is not intended to be a Burp clone and as such has a different way of working. ZAP and Burp features may well not provide exactly the same functionality - in some cases Burp may provide more options but in other cases ZAP may exceed Burp’s capabilities.

An ongoing series of blog posts shows how to use ZAP to solve some of the PortSwigger labs.

Feature Map

A mapping from Burp features to their ZAP equivalents. All Burp features are available in the Professional edition, but some features are not available in the Community edition or are throttled, like the Intruder.

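| Burp Feature  | Community | Notes     | ZAP Equivalent(s)                       |
|---------------|-----------|-----------|-----------------------------------------|
| Collaborator  |           |           | OAST Support Add-on                     |
| Comparer      |           |           | Diff                                    |
| Decoder       |           |           | Encoder                                 |
| DOM Invader   |           |           | Eval Villain Add-on                     |
| Extender      |           |           | Marketplace, Scripts                    |
| Intercept     |           |           | Breakpoints                             |
| Intruder      |           | Throttled | Fuzzer                                  |
| Live scan     |           |           | ATTACK Mode                             |
| Project Files |           |           | Session Files                           |
| Proxy         |           |           | Proxy                                   |
| Repeater      |           |           | Manual Request Editor, Requestor Add-on |
| Scanner       |           |           | Active Scanner                          |
| Sequencer     |           |           | Token Generation and Analysis           |
| Target        |           |           | Contexts                                |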

ZAP Missing Features

The following significant features are available in Burp but currently not in ZAP:

  • HTTP Host Header manipulation
    • due to limitations in the current ZAP networking stack it is not possible to manipulate some parts of the HTTP header - this is being worked on so this restriction will be removed
  • HTTP/2 Support
    • the current ZAP networking stack does not support HTTP/2 - this is being worked on so this restriction will be removed

Burp Missing Features

The following significant features are available in ZAP but currently not in Burp: