thomasp001/Web-App-Security-Comparison
Web App Security Tools Comparison

This document compares the four major free web app security tools (the table below currently covers Golismero and OWASP ZAP). It was last updated in June 2017 and was created as a work experience project.

The Test

Each tool was tested against the OWASP NodeGoat project, a deliberately vulnerable Node.js application built to demonstrate the OWASP Top 10.

Table of comparison

| Tool | Licence | Platforms | Pros | Cons | Common vulnerabilities detected |
|---|---|---|---|---|---|
| Golismero | GPL v2.0 | Linux, FreeBSD, macOS, Windows | Golismero runs from the command line, so it's easy to run from an external server. It's simple and easy to use, and is great for scanning websites not behind a login. It has a strong plugin collection and it is easy to build plugins. | Many of Golismero's built-in plugins require a connection to the internet to work properly, so it's difficult to test on an isolated network. Testing applications behind a login page is far harder on Golismero compared to ZAP, as it doesn't work through a proxy in the way ZAP does. ZAP integration is planned for Golismero in the future according to their GitHub page, so they may play well together in the future. | I had issues running Golismero as I had to run it on an isolated network, but it has some helpful features that should help a web developer build secure web apps. |
| OWASP ZAP | Apache v2.0 | Linux, macOS, Windows | ZAP is very feature-packed and very well documented. It has plenty of plugins and is well maintained. It has also been around much longer than Golismero and is still actively maintained. As ZAP works through a proxy, it's very easy to scan password-protected websites. ZAP also works equally well on an isolated network as it does on the internet, which is a big bonus. Recommendations for security improvements are also well presented and easy to understand. | ZAP can be very confusing for a new user: it has lots of options and some things aren't all that obvious. ZAP also doesn't have a safety prompt if you try closing the program, which can be really annoying if you've just scanned a huge website and accidentally pressed the cross in the top right (or left) corner. | A full report of all vulnerabilities detected can be found here. |
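The ZAP row above notes that ZAP works through a proxy and that its findings are well presented. The script below, an added example that is not part of the original comparison and not ZAP's or NodeGoat's own code, shows how the NodeGoat test run can be driven from a script instead of the GUI (which also sidesteps the missing close-prompt problem, since nothing is lost if the GUI is closed): it spiders and actively scans the target through ZAP's JSON REST API using only the standard library, then reduces the raw alert list to counts per risk level and a de-duplicated list of findings. The addresses (ZAP on 127.0.0.1:8080, NodeGoat on 127.0.0.1:4000), the `ZAP_API_KEY` environment variable and the sample alerts are assumptions for illustration.

```python
"""Drive a running OWASP ZAP instance against OWASP NodeGoat and summarise
the alerts it raises.

Added example, not code from the original comparison, ZAP or NodeGoat.
Assumptions (change to match your setup):
  - ZAP is running with its API enabled on http://127.0.0.1:8080
  - NodeGoat is running on http://127.0.0.1:4000
  - ZAP_API_KEY holds the key shown under ZAP's API options (assumed name)
Only ZAP's JSON REST endpoints are used, so no client library is needed.
"""
import json
import os
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP = "http://127.0.0.1:8080"       # assumed ZAP API address
TARGET = "http://127.0.0.1:4000"    # assumed NodeGoat address
API_KEY = os.environ.get("ZAP_API_KEY", "")

# ZAP's risk levels, ordered so findings can be filtered by a threshold.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the shape ZAP's core/view/alerts endpoint returns,
# so summarize_alerts() can be exercised without a running ZAP.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://127.0.0.1:4000/login"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://127.0.0.1:4000/login"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://127.0.0.1:4000/"},
    {"alert": "Cookie Without HttpOnly Flag", "risk": "Low",
     "url": "http://127.0.0.1:4000/"},
]


def zap_api(component, kind, name, **params):
    """Call one ZAP API endpoint, e.g. /JSON/spider/action/scan/?url=..."""
    params["apikey"] = API_KEY
    query = urllib.parse.urlencode(params)
    url = f"{ZAP}/JSON/{component}/{kind}/{name}/?{query}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component, scan_id):
    """Poll a spider or active scan until ZAP reports 100% complete."""
    while True:
        status = zap_api(component, "view", "status", scanId=scan_id)["status"]
        if int(status) >= 100:
            return
        time.sleep(2)


def summarize_alerts(alerts, min_risk="Medium"):
    """Reduce ZAP's raw alert list to (counts per risk level, sorted distinct
    (alert name, URL) pairs at or above min_risk). Pure function, so it also
    works on a saved alert list with no ZAP present."""
    counts = Counter(a["risk"] for a in alerts)
    threshold = RISK_ORDER[min_risk]
    findings = sorted({(a["alert"], a["url"]) for a in alerts
                       if RISK_ORDER.get(a["risk"], 0) >= threshold})
    return dict(counts), findings


def scan(target=TARGET, min_risk="Medium"):
    """Spider, then actively scan, then return the summarised alerts."""
    spider_id = zap_api("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)
    ascan_id = zap_api("ascan", "action", "scan", url=target)["scan"]
    wait_for("ascan", ascan_id)
    alerts = zap_api("core", "view", "alerts", baseurl=target)["alerts"]
    return summarize_alerts(alerts, min_risk)


if __name__ == "__main__":
    counts, findings = scan()
    print("alerts by risk:", counts)
    for name, url in findings:
        print(f"{name}: {url}")
```

Because the scan is unauthenticated, it only reaches the parts of NodeGoat that are visible before login; to cover the pages behind the login page, browse the application through the ZAP proxy while logged in first so the session and the protected URLs are in ZAP's site tree, then run the active scan.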
