Day 3! I traveled a little bit today, so I’m realy tired. I might not be able to finish the whole module today, but I’ll try to cover as much as I can.

Web Proxies

Web proxies are specialized tools that can be set up between a browser/mobile application and a back-end server to capture and view all the web requests being sent between both ends, essentially acting as man-in-the-middle (MITM) tools. While other Network Sniffing applications, like Wireshark, operate by analyzing all local traffic to see what is passing through a network, Web Proxies mainly work with web ports such as, but not limited to, HTTP/80 and HTTPS/443.

Intro to Web Proxies

While the primary use of web proxies is to capture and replay HTTP requests, they have many other features that enable different uses for web proxies. The following list shows some of the other tasks we may use web proxies for:

• Web application vulnerability scanning
• Web fuzzing
• Web crawling
• Web application mapping
• Web request analysis
• Web configuration testing
• Code reviews

Burp Suite

I use this all the time

Burp Suite (Burp) -pronounced Burp Sweet- is the most common web proxy for web penetration testing. It has an excellent user interface for its various features and even provides a built-in Chromium browser to test web applications. Certain Burp features are only available in the commercial version Burp Pro/Enterprise, but even the free version is an extremely powerful testing tool to keep in our arsenal.

Some of the paid-only features are:

• Active web app scanner
• Fast Burp Intruder
• The ability to load certain Burp Extensions

I hate the ratelimit on Burp Intruder

OWASP Zed Attack Proxy (ZAP)

I’ve been meaning to try this one for a while

OWASP Zed Attack Proxy (ZAP) is another common web proxy tool for web penetration testing. ZAP is a free and open-source project initiated by the Open Web Application Security Project (OWASP) and maintained by the community, so it has no paid-only features as Burp does. It has grown significantly over the past few years and is quickly gaining market recognition as the leading open-source web proxy tool.

Just like Burp, ZAP provides various basic and advanced features that can be utilized for web pentesting. ZAP also has certain strengths over Burp, which we will cover throughout this module. The main advantage of ZAP over Burp is being a free, open-source project, which means that we will not face any throttling or limitations in our scans that are only lifted with a paid subscription. Furthermore, with a growing community of contributors, ZAP is gaining many of the paid-only Burp features for free.

Setting up

I already have Burp set up, so I’ll just download ZAP

Well I’ve installed ZAP, the next topic is configuring the browser to work with the proxy which I’ve done before so I’ll skip that too

And that’s how much I got done today, I’m really tired. I’ll try to finish the module tomorrow. See you then!