Using Web Proxies

  • Web proxies are tools that can be set up between a browser/mobile application and a back-end server to capture and view all the web requests being sent between both ends, acting as a man-in-the-middle.

  • The two most common web proxies are BurpSuite and OWASP ZAP. BurpSuite has both free and paid versions, while ZAP is fully free.

  • There are three main tools in web proxies:

    • Interceptor/Proxy: Used to intercept both requests and responses live and modify them if needed. It also includes an option to automatically replace specified text in both requests and responses. Additionally, there is a history section that shows all the requests made and their relevant responses, even if they weren't intercepted.

    • Repeater/Request Editor: Used for repetitive testing, such as when trying to find the exact payload for a specific injection vulnerability.

    • Intruder: Used for fuzzing and has various applications (Check "Attacking Web Applications With Ffuf" for a list of applications). It also includes processors that can edit a payload before sending it.

  • While there are other tools/features in both applications, the three mentioned above are the most commonly used. Both applications also have an automated scanner; however, in BurpSuite, this feature is part of the paid version, while in ZAP, it's free.

  • There are also various extensions (plugins) that can be added to both tools; for BurpSuite, some are free while others are paid.
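As an added illustration (my own code, not part of the original notes and not Burp or ZAP code), a small Python model of what the Interceptor does: parse a request, apply match-and-replace rules, keep Content-Length consistent, forward the request, and log every exchange in a history. `echo_upstream`, the host name and the sample request are constructed stand-ins.

```python
class HttpMessage:
    """One HTTP/1.1 request or response: start line, [(name, value)] headers, body."""
    def __init__(self, start_line: str, headers: list, body: bytes):
        self.start_line, self.headers, self.body = start_line, headers, body

def parse_message(raw: bytes) -> HttpMessage:
    """Split raw bytes at the first blank line; header names keep their case."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (line.partition(":") for line in lines[1:])]
    return HttpMessage(lines[0], headers, body)

def apply_rules(msg: HttpMessage, rules) -> HttpMessage:
    """Match-and-replace: each rule is (scope, old, new), scope 'header' or 'body'."""
    for scope, old, new in rules:
        if scope == "header":
            msg.headers = [(n, v.replace(old, new)) for n, v in msg.headers]
        else:
            msg.body = msg.body.replace(old.encode(), new.encode())
    # A body edit changes its length: rewrite Content-Length or the server
    # reads too few or too many bytes (the real proxies do this automatically).
    msg.headers = [(n, str(len(msg.body)) if n.lower() == "content-length" else v)
                   for n, v in msg.headers]
    return msg

def serialize(msg: HttpMessage) -> bytes:
    head = [msg.start_line] + [f"{n}: {v}" for n, v in msg.headers]
    return "\r\n".join(head).encode("iso-8859-1") + b"\r\n\r\n" + msg.body

class Proxy:
    """Applies rules, forwards via `upstream`, logs (original, as sent, response)."""
    def __init__(self, upstream, rules=()):
        self.upstream, self.rules, self.history = upstream, list(rules), []

    def handle(self, raw_request: bytes) -> bytes:
        wire = serialize(apply_rules(parse_message(raw_request), self.rules))
        response = self.upstream(wire)
        self.history.append((raw_request, wire, response))  # logged even if unmodified
        return response

def echo_upstream(wire: bytes) -> bytes:
    """Stand-in for the real server: replies with the body it received."""
    body = wire.partition(b"\r\n\r\n")[2]
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)

# Constructed sample request; the host is a placeholder, not a real target.
SAMPLE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 23\r\n\r\nuser=alice&password=abc")
```

Calling `Proxy(echo_upstream, [("body", "user=alice", "user=bob")]).handle(SAMPLE_REQUEST)` returns the echoed modified body, and the proxy's `history` keeps both the original and the forwarded request.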
