# Introduction - Most modern web and mobile apps work by connecting to back-end servers to send and receive data, then by processing this data on the user's device such as within a web browser - Web proxies are specialized tools that can be set up between a browser/mobile application and a back-end server to capture and view all the web requests being sent between both ends, essentially acting as MITM tools - While the primary use of web proxies is to capture and replay HTTP requests, web proxies can also be used for the following tasks: - Web application vulnerability scanning - Web fuzzing - Web crawling - Web application mapping - Web request analysis - Web configuration testing - Code reviews # Burp Suite - Most common web proxy for pentesting, including a GUI with many features such as a built-in Chromium browser for testing web apps - Paid version includes: active web app scanner, fast Burp intruder, and ability to load certain Burp extension ## Burp Installation - Download from [Burp's Download Page](https://portswigger.net/burp/releases/) and follow installation steps - Relies on the Java Runtime Environment - Alternative install method: ```bash java -jar </path/to/burpsuite.jar> ``` ![[images/Pasted image 20251111105745.png]] # OWASP Zed Attack Proxy (ZAP) - Another common web proxy for pentesting - Free and open-source ## ZAP Installation - Download ZAP from the [download page](https://www.zaproxy.org/download/) - Alternatively can be launched with `java -jar` as above with Burp![[images/Pasted image 20251111105854.png]] # Initializing the Web proxy ## Pre-Configured Browser - Burp ![[images/Pasted image 20251111110025.png]] - ZAP ![[images/Pasted image 20251111110034.png]] ## Proxy Setup - In many cases, we may want to use a real browser for pentesting, like Firefox - To use Firefox with our web proxy tools, we must first configure it to use them as the proxy - We can manually go to Firefox preferences and set up the proxy to use the web proxy listening port. Both Burp and ZAP use port `8080` by default, but we can use any available port - As another option we can utilize a Firefox extension like [Foxy Proxy](https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/) to easily and quickly change the Firefox proxy - `Foxy Proxy` add profile ![[images/Pasted image 20251111110207.png]] - `Foxy Proxy` enable profile ![[images/Pasted image 20251111110222.png]] - We can import a CA cert to properly route HTTPS traffic - Burp: - Once we have `Foxy Proxy` enabled go to http://burp and download the cert ![[images/Pasted image 20251111110417.png]] - ZAP: - Go to Tools>Options>Network>Server Certs and click save ![[images/Pasted image 20251111110452.png]] - Once we have the certs, we can install them within `Firefox` - Browse to [about:preferences#privacy](about:preferences#privacy), scrolling to the bottom, and click View Certificates ![[images/Pasted image 20251111110622.png]] - Then, go to Authorities tab and import the CA certs ![[images/Pasted image 20251111110612.png]]