// 0x6a_v1.0
Logo
← cd ../notes

Summary Web Proxy Tools: Burp Suite and OWASP ZAP

//web, web-proxy, burpsuite, owaspzap, proxy//Read Original

By 0x6a03448f4d
Published on June 1st, 2025

Burp Suite and OWASP ZAP are powerful web proxy tools used in penetration testing. Both are compatible with Windows, macOS, and Linux, and come pre-installed on security-focused distributions like Kali Linux and Parrot OS.

Burp Suite: Offers a user-friendly interface.

  • Community Edition: Free with limitations (e.g., temporary projects, no saving).
  • Pro/Enterprise Editions: Paid, with advanced features.

ZAP: Fully open-source and unrestricted, with functionality comparable to Burp Suite.

Installation and Configuration

Burp: portswigger.net

ZAP: zaproxy.org

Configure your browser proxy (e.g., using FoxyProxy for Firefox) to use port 8080

Install CA certificates to intercept HTTPS

  • Burp Community supports only temporary projects
  • ZAP allows persistent projects

CLI command to start either Burp or ZAP

java -jar </path/to/burpsuite.jar or zap.jar>

Web Proxies

These tools act as man-in-the-middle (MITM) proxies to intercept and manipulate HTTP/HTTPS traffic.

Common Use Cases

  • Analyze HTTP requests/responses
  • Fuzzing and crawling
  • Application mapping
  • Vulnerability testing (e.g., SQLiXSS)

Key Features

Request Interception

  • Burp: Proxy > Intercept
  • ZAP: HUD or CTRL+B

→ Modify requests before reaching the server.

Automatic Modification

  • Burp: Match and Replace
  • ZAP: Replacer

→ Useful to modify headers (e.g., User-Agent) or request bodies (e.g., type="number" to type="text").

Request Repetition

  • Burp: Repeater (CTRL+R)
  • ZAP: Request Editor

→ Resend and test modified requests.

Encoding / Decoding

Support for various encoding formats:

  • URL
  • HTML
  • Base64
  • And more

Command-line Proxy Support

ProxyChains

ProxyChains GitHub → routes CLI tools through a proxy.

Edit /etc/proxychains.conf:

#socks4 127.0.0.1 9050
http 127.0.0.1 8080

Enable quiet mode:

# Un-comment quiet_mode

Run curl via ProxyChains:

proxychains curl http://SERVER_IP:PORT

Nmap

Use --proxies and other flags:

nmap --proxies http://127.0.0.1:8080 SERVER_IP -pPORT -Pn -sC

Metasploit

Configure proxy and run HTTP modules:

msfconsole
use auxiliary/scanner/http/robots_txt
set PROXIES HTTP:127.0.0.1:8080
set RHOST SERVER_IP
set RPORT PORT
run

Additional Features

Burp: Built-in Chromium browser, modify responses (e.g., re-enable disabled buttons)

ZAP: HUD overlay displays hidden HTML elements and comments

Request history: For detailed analysis

Fuzzing

Burp Intruder

Fuzz pages, directories, subdomains, and parameters

Community version is rate-limited (1 request/sec)

Configuration:

  • Target
  • Payload positions using: §DIRECTORY§
  • Attack types: Sniper, Battering Ram, etc.
  • Load custom wordlists (e.g., SecLists common.txt)
  • Filtering:
  • Use regex like ^\..*$ to skip certain lines
  • Filter by HTTP response codes (e.g., 200 OK)

ZAP Fuzzer

No speed limitations

Built-in payloads (e.g., FuzzDB)

Configure:

  • Fuzzing location
  • Payload (e.g., Dirbuster list)
  • Thread settings
  • Filter results by status code or response size

Scanning

Burp Scanner (Pro only)

Includes:

  • Crawler: Builds a site map
  • Passive Scan: Detects issues in responses (headers, cookies, etc.)
  • Active Scan: Finds exploitable vulnerabilities (e.g., XSS, SQLi)

→ Reports are filterable and exportable with remediation suggestions.

ZAP Scanner

  • Spider (normal and AJAX): Crawls the web app
  • Passive Scan: E.g., missing security headers
  • Active Scan: Probes for vulnerabilities

→ Reports available in HTML, XML, and Markdown.

Extensions

Burp BApp Store

Add-ons for hashing, encoding, automation

Some require Burp Pro or dependencies like Jython

ZAP Marketplace

Add-ons like FuzzDB Files, Offensive Payloads

Supports stable and experimental add-ons (Release / Beta / Alpha)

Conclusion

Burp Suite and OWASP ZAP are essential tools for web application security testing.

They provide:

  • Full HTTP/HTTPS request interception
  • Powerful fuzzing and scanning capabilities
  • Integration with CLI tools (e.g., Nmap, Metasploit, ProxyChains)
  • Extendable architecture for custom needs

This guide is based on my personal notes from Web Proxies Module from HackTheBox. Follow me on Medium for more cybersecurity insights!

Thanks for reading! If you have any tips? Share them in the comments!