Both Burp and ZAP have extension capabilities, so the community of Burp users can develop extensions for everyone to use. Such extensions can, for example, perform specific actions on any captured requests or add new features, like decoding and beautifying code. Burp provides extensibility through its Extender feature and its BApp Store, while ZAP has its ZAP Marketplace for installing new plugins.
BApp Store
To find all available extensions, we can click on the Extender tab within Burp and select the BApp Store sub-tab. Once we do this, we will see a host of extensions. We can sort them by Popularity so that we know which ones users are finding most useful:
| .NET beautifier | J2EEScan | Software Vulnerability Scanner |
| Software Version Reporter | Active Scan++ | Additional Scanner Checks |
| AWS Security Checks | Backslash Powered Scanner | Wsdler |
| Java Deserialization Scanner | C02 | Cloud Storage Tester |
| CMS Scanner | Error Message Checks | Detect Dynamic JS |
| Headers Analyzer | HTML5 Auditor | PHP Object Injection Check |
| JavaScript Security | Retire.JS | CSP Auditor |
| Random IP Address Header | Autorize | CSRF Scanner |
| JS Link Finder | | |
ZAP Marketplace
ZAP also has its own extensibility feature with the Marketplace that allows us to install various types of community-developed add-ons. To access ZAP’s marketplace, we can click on the Manage Add-ons button and then select the Marketplace tab.