RatSec

RatSec Blog

The power of chaining ethical hacking tools such as burp suite, zap, SQLmap and wfuzz

- Posted in tools by

Setting Upstream Proxy of ZAP to Burp Suite: Complementing Features for Better Security Testing

Introduction

When it comes to web application security testing, Burp Suite is a popular tool among security professionals. However, the free version, Burp Community Edition, has limited features compared to the paid version. This is where OWASP ZAP (Zed Attack Proxy) comes in. ZAP is a free and open-source web application security scanner that offers a wider range of features than Burp Community Edition. By setting the upstream proxy of ZAP to Burp Suite, we can make use of the full features of both tools and complement each other's weaknesses.

Setting Upstream Proxy of ZAP to Burp Suite

To set the upstream proxy of ZAP to Burp Suite, follow these steps:

  1. Open Burp Suite and go to the "Proxy" tab. Make note of the listening port (default is 8080).
  2. Open ZAP and go to "Tools" > "Network" > "Connection”.
  3. Under "HTTP proxy", enter "localhost" as the hostname and the port number that Burp Suite is listening on (default is 8080).

  4. Click "OK" to save the settings.

Now, ZAP will route all of its traffic through Burp Suite, allowing us to take advantage of both tools' features.

Complementing Features

By setting the upstream proxy of ZAP to Burp Suite, we can complement each other's features and weaknesses. For example:

  • Burp Suite has a powerful intercepting proxy, which allows us to modify requests and responses in real-time. ZAP's intercepting proxy is not as robust, but it has a more extensive set of active and passive scanning options.
  • Burp Suite's Intruder tool is excellent for brute-force attacks and fuzzing, while ZAP's "Attack" mode provides more advanced options, such as SQL injection and XSS attacks.
  • ZAP has a built-in spider that can crawl a website and discover new URLs to test. Burp Suite's spider is not as advanced, but it has a better scanner that can detect more vulnerabilities.

Together, ZAP and Burp Suite offer a more comprehensive set of tools for web application security testing.

Setting Upstream Proxy of SQLmap to Burp Suite

SQLmap is a popular tool for SQL injection testing, and like Burp Suite and ZAP, it can benefit from being paired with Burp Suite. By setting the upstream proxy of SQLmap to Burp Suite, we can take advantage of Burp Suite's intercepting proxy and modify requests and responses in real-time.

To set the upstream proxy of SQLmap to Burp Suite, follow these steps:

  1. Open Burp Suite and go to the "Proxy" tab. Make note of the listening port (default is 8080).
  2. Open SQLmap and use the -proxy flag to specify the hostname and port number that Burp Suite is listening on (e.g., -proxy=http://localhost:8080).

Now, SQLmap will route all of its traffic through Burp Suite, allowing us to modify requests and responses in real-time.

Setting Upstream Proxy of Nuclei to Burp Suite

Nuclei is a relatively new tool for finding vulnerabilities in web applications. Like ZAP, it is free and open-source, and it offers a wide range of templates for detecting vulnerabilities. By setting the upstream proxy of Nuclei to Burp Suite, we can take advantage of Burp Suite's intercepting proxy and modify requests and responses in real-time.

To set the upstream proxy of Nuclei to Burp Suite, follow these steps:

  1. Open Burp Suite and go to the "Proxy" tab. Make note of the listening port (default is 8080).
  2. Open Nuclei and use the -proxy flag to specify the hostname and port number that Burp Suite is listening on (e.g., -proxy http://localhost:8080).

Now, Nuclei will route all of its traffic through Burp Suite, allowing us to modify requests and responses in real-time.

Setting Upstream Proxy of Nikto to Burp Suite

Nikto is a popular web server scanner that can benefit from being paired with Burp Suite. By setting the upstream proxy of Nikto to Burp Suite, we can take advantage of Burp Suite's intercepting proxy and modify requests and responses in real-time.

To set the upstream proxy of Nikto to Burp Suite, follow these steps:

  1. Open Burp Suite and go to the "Proxy" tab. Make note of the listening port (default is 8080).
  2. Open Nikto and use the useproxy flag to specify the hostname and port number that Burp Suite is listening on (e.g., useproxy http://localhost:8080).

Now, Nikto will route all of its traffic through Burp Suite, allowing us to modify requests and responses in real-time.

Setting Upstream Proxy of Dirbuster to Burp Suite

Dirbuster is a popular web application brute-forcing tool that can benefit from being paired with Burp Suite. By setting the upstream proxy of Dirbuster to Burp Suite, we can take advantage of Burp Suite's intercepting proxy and modify requests and responses in real-time.

To set the upstream proxy of Dirbuster to Burp Suite, follow these steps:

  1. Open Burp Suite and go to the "Proxy" tab. Make note of the listening port (default is 8080).
  2. Open Dirbuster and go to "Options" > "Proxy".
  3. Under "Proxy settings", enter "localhost" as the hostname and the port number that Burp Suite is listening on (default is 8080).

Now, Dirbuster will route all of its traffic through Burp Suite, allowing us to modify requests and responses in real-time.

Setting Upstream Proxy of Gobuster to Burp Suite

Gobuster is a popular web application directory and file brute-forcing tool that can benefit from being paired with Burp Suite. By setting the upstream proxy of Gobuster to Burp Suite, we can take advantage of Burp Suite's intercepting proxy and modify requests and responses in real-time.

To set the upstream proxy of Gobuster to Burp Suite, follow these steps:

  1. Open Burp Suite and go to the "Proxy" tab. Make note of the listening port (default is 8080).
  2. Open Gobuster and use the p flag to specify the hostname and port number that Burp Suite is listening on (e.g., p http://localhost:8080).

Now, Gobuster will route all of its traffic through Burp Suite, allowing us to modify requests and responses in real-time.

Other Relevant Tools

The process of setting the upstream proxy of other relevant tools may vary. However, the general idea is the same: set the hostname and port number of Burp Suite as the upstream proxy. By doing so, we can take advantage of Burp Suite's intercepting proxy and modify requests and responses in real-time.

Overall, setting the upstream proxy of relevant tools to Burp Suite is a simple process that can greatly enhance the capabilities of both tools. By complementing each other's features and weaknesses, we can perform more thorough and effective security testing.

Conclusion

Setting the upstream proxy of ZAP to Burp Suite is a simple process that can greatly enhance the capabilities of both tools. By complementing each other's features and weaknesses, we can perform more thorough and effective security testing. Whether you are a seasoned security professional or just starting out, using both ZAP and Burp Suite together can help you find vulnerabilities and secure your web applications.