Summary Web Proxy Tools: Burp Suite and OWASP ZAP
By 0x6a03448f4d
Published on June 1st, 2025

Burp Suite and OWASP ZAP are powerful web proxy tools used in penetration testing. Both are compatible with Windows, macOS, and Linux, and come pre-installed on security-focused distributions like Kali Linux and Parrot OS.
Burp Suite: Offers a user-friendly interface.
- Community Edition: Free with limitations (e.g., temporary projects, no saving).
- Pro/Enterprise Editions: Paid, with advanced features.
ZAP: Fully open-source and unrestricted, with functionality comparable to Burp Suite.
Installation and Configuration
Burp: portswigger.net
ZAP: zaproxy.org
Configure your browser proxy (e.g., using FoxyProxy for Firefox) to use port 8080
Install CA certificates to intercept HTTPS
- Burp Community supports only temporary projects
- ZAP allows persistent projects
CLI command to start either Burp or ZAP
java -jar </path/to/burpsuite.jar or zap.jar>
Web Proxies
These tools act as man-in-the-middle (MITM) proxies to intercept and manipulate HTTP/HTTPS traffic.
Common Use Cases
- Analyze HTTP requests/responses
- Fuzzing and crawling
- Application mapping
- Vulnerability testing (e.g., SQLi, XSS)
Key Features
Request Interception
- Burp: Proxy > Intercept
- ZAP: HUD or CTRL+B
→ Modify requests before reaching the server.
Automatic Modification
- Burp: Match and Replace
- ZAP: Replacer
→ Useful to modify headers (e.g., User-Agent) or request bodies (e.g., type="number" to type="text").
Request Repetition
- Burp: Repeater (CTRL+R)
- ZAP: Request Editor
→ Resend and test modified requests.
Encoding / Decoding
Support for various encoding formats:
- URL
- HTML
- Base64
- And more
Command-line Proxy Support
ProxyChains
ProxyChains GitHub → routes CLI tools through a proxy.
Edit /etc/proxychains.conf:
#socks4 127.0.0.1 9050
http 127.0.0.1 8080
Enable quiet mode:
# Un-comment quiet_mode
Run curl via ProxyChains:
proxychains curl http://SERVER_IP:PORT
Nmap
Use --proxies and other flags:
nmap --proxies http://127.0.0.1:8080 SERVER_IP -pPORT -Pn -sC
Metasploit
Configure proxy and run HTTP modules:
msfconsole
use auxiliary/scanner/http/robots_txt
set PROXIES HTTP:127.0.0.1:8080
set RHOST SERVER_IP
set RPORT PORT
run
Additional Features
Burp: Built-in Chromium browser, modify responses (e.g., re-enable disabled buttons)
ZAP: HUD overlay displays hidden HTML elements and comments
Request history: For detailed analysis
Fuzzing
Burp Intruder
Fuzz pages, directories, subdomains, and parameters
Community version is rate-limited (1 request/sec)
Configuration:
- Target
- Payload positions using: §DIRECTORY§
- Attack types: Sniper, Battering Ram, etc.
- Load custom wordlists (e.g., SecLists common.txt)
- Filtering:
- Use regex like ^\..*$ to skip certain lines
- Filter by HTTP response codes (e.g., 200 OK)
ZAP Fuzzer
No speed limitations
Built-in payloads (e.g., FuzzDB)
Configure:
- Fuzzing location
- Payload (e.g., Dirbuster list)
- Thread settings
- Filter results by status code or response size
Scanning
Burp Scanner (Pro only)
Includes:
- Crawler: Builds a site map
- Passive Scan: Detects issues in responses (headers, cookies, etc.)
- Active Scan: Finds exploitable vulnerabilities (e.g., XSS, SQLi)
→ Reports are filterable and exportable with remediation suggestions.
ZAP Scanner
- Spider (normal and AJAX): Crawls the web app
- Passive Scan: E.g., missing security headers
- Active Scan: Probes for vulnerabilities
→ Reports available in HTML, XML, and Markdown.
Extensions
Burp BApp Store
Add-ons for hashing, encoding, automation
Some require Burp Pro or dependencies like Jython
ZAP Marketplace
Add-ons like FuzzDB Files, Offensive Payloads
Supports stable and experimental add-ons (Release / Beta / Alpha)
Conclusion
Burp Suite and OWASP ZAP are essential tools for web application security testing.
They provide:
- Full HTTP/HTTPS request interception
- Powerful fuzzing and scanning capabilities
- Integration with CLI tools (e.g., Nmap, Metasploit, ProxyChains)
- Extendable architecture for custom needs
This guide is based on my personal notes from Web Proxies Module from HackTheBox. Follow me on Medium for more cybersecurity insights!

Thanks for reading! If you have any tips? Share them in the comments!
