Burp Suite vs. OWASP ZAP: The most popular tools for web application security assessments

Burp Suite by PortSwigger and OWASP ZAP are both programs that run a proxy server on your local device. With them you can intercept and examine the requests sent to a web application. In this article we show you the main features of both programs and look at the differences between them.

Burp Suite is probably the most popular web application pentesting tool. The free Community Edition contains the most important core functions. There are also the Professional Edition and the Enterprise Edition with additional features. However, in this article we will only cover the free Burp Suite tools (with one exception).

An alternative to Burp Suite is the Zed Attack Proxy (ZAP) from OWASP. This is an open source project that is maintained by volunteers. The tool offers similar capabilities to Burp Suite and can additionally be extended with community-created add-ons via the "ZAP Marketplace".

Burp Suite functions

Spider

This function is a web spider/crawler that maps the content of a web application. The goal is to build a list of endpoints whose functionality you can then examine for potential vulnerabilities. The more endpoints you find, the more attack surface you have to work with during testing.

Proxy

The proxy allows you to inspect and edit requests and responses before they arrive at their destination: a request is intercepted before it reaches the target server, a response before it reaches your browser. You can also forward intercepted requests to the other tools, which saves you from copying everything manually.

Repeater

The Repeater allows you to modify a request and resend it as often as you like. You can use this to test the various parameters that the website and the server accept. Among other things, you can find out what value the server expects for a given header or whether it actually validates the data entered by the user. For example, is it checked whether an e-mail address field really contains an e-mail address?

Decoder

With the Decoder, Burp provides a simple tool for encoding and decoding data. It recognizes the encoding schemes that are commonly used (e.g. HTML entities, Base64 or hex) and lets you chain several transformations. You use it mainly to analyze values from headers or parameters, or to encode a payload before you inject it.
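The "smart decode" idea behind such a tool is easy to reproduce in a script: try each known encoding in turn, keep the result only if it yields something readable, and repeat until no layer applies. The following is an added example written for this article, not code from Burp or PortSwigger; the layered sample value (a JSON string hex-encoded, then Base64-encoded, then fully percent-encoded) is constructed here and the layer order is an assumption of the example.

```python
import base64
import binascii
import html
import re
import urllib.parse

# Constructed sample as it might appear in a cookie or header: a JSON string,
# hex-encoded, then Base64-encoded, then percent-encoded character by character.
INNER = '{"user": "bob"}'
SAMPLE = "".join("%%%02X" % b for b in base64.b64encode(INNER.encode().hex().encode()))


def _printable(data):
    """Return the UTF-8 text of `data` if it is entirely printable, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(ch.isprintable() or ch in "\r\n\t" for ch in text) else None


def try_url(s):
    """Percent-decoding, attempted only if at least one %XX escape is present."""
    return urllib.parse.unquote(s) if re.search(r"%[0-9A-Fa-f]{2}", s) else None


def try_html(s):
    """HTML entity decoding, attempted only if an entity like &amp; or &#x41; is present."""
    if not re.search(r"&(#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);", s):
        return None
    out = html.unescape(s)
    return out if out != s else None


def try_hex(s):
    """Hex decoding, attempted only for an even-length string of hex digits."""
    if len(s) < 4 or not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", s):
        return None
    return _printable(bytes.fromhex(s))


def try_base64(s):
    """Base64 decoding, attempted only for strings with Base64 alphabet and length."""
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return _printable(base64.b64decode(s, validate=True))
    except (binascii.Error, ValueError):
        return None


# Hex is tried before Base64 because every hex string also fits the Base64 alphabet.
LAYERS = [("url", try_url), ("html", try_html), ("hex", try_hex), ("base64", try_base64)]


def smart_decode(value, max_layers=8):
    """Peel encoding layers one at a time; returns [(layer_name, decoded_value), ...]."""
    steps = []
    current = value
    for _ in range(max_layers):
        for name, fn in LAYERS:
            decoded = fn(current)
            if decoded is not None and decoded != current:
                steps.append((name, decoded))
                current = decoded
                break
        else:
            break  # no layer applied: we have reached the innermost value
    return steps


if __name__ == "__main__":
    for name, decoded in smart_decode(SAMPLE):
        print(f"{name:>7}: {decoded}")
```

The guards in each `try_*` function matter more than the decoding itself: without the "only if readable" check, almost any short string decodes as something, and the tool would report layers that were never there.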

Intruder

With the Intruder, Burp offers you a so-called fuzzer. With it you can send a series of predefined, mostly invalid values to an input field and then compare the responses by status code and length. An unusual response often carries a different status code than the rest, for example 200 ("OK") where the others return 403 ("Forbidden"); it can also be noticeably longer or shorter. With Burp Suite and the Intruder you can, for example, perform so-called "brute force attacks" on login pages. Similarly, word-list attacks can be run against input fields that might be susceptible to cross-site scripting or SQL injection. You can also use it to test whether there is a rate limit, i.e. a cap on the number of requests allowed within a certain period of time.
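The rate limit mentioned at the end is the server-side control that makes such brute-force runs against a login form impractical, so it is worth seeing what one looks like. Below is an added example for this article (not code from Burp Suite or any project mentioned on the page): a sliding-window limiter keyed on the account being logged into, run over a constructed list of login attempts. Timestamps are passed in explicitly so the result is deterministic; the limit of 5 attempts per 60 seconds and the sample IP addresses are assumptions of the example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds.

    Timestamps are supplied by the caller so the behaviour is deterministic
    and testable; a real service would pass time.monotonic().
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key, now):
        events = self._events[key]
        # Discard events that have fallen out of the window.
        while events and events[0] <= now - self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


# Constructed sample: login attempts against one account from two client
# addresses, as (timestamp_seconds, client_ip, account) tuples.
ATTEMPTS = [
    (0, "198.51.100.7", "bender@juice-sh.op"),
    (1, "198.51.100.7", "bender@juice-sh.op"),
    (2, "198.51.100.7", "bender@juice-sh.op"),
    (3, "198.51.100.7", "bender@juice-sh.op"),
    (4, "203.0.113.9", "bender@juice-sh.op"),
    (5, "203.0.113.9", "bender@juice-sh.op"),
    (30, "203.0.113.9", "bender@juice-sh.op"),
    (61, "198.51.100.7", "bender@juice-sh.op"),
]


def simulate(attempts, limit=5, window=60):
    """Return [(timestamp, "allow" | "deny"), ...] for the given attempts."""
    by_account = SlidingWindowLimiter(limit, window)
    decisions = []
    for ts, _ip, account in attempts:
        # Key on the account rather than the source address, so attempts spread
        # over several addresses still count against the same account.
        ok = by_account.allow(f"account:{account}", ts)
        decisions.append((ts, "allow" if ok else "deny"))
    return decisions


def denied_count(decisions):
    """Number of attempts the limiter rejected."""
    return sum(1 for _ts, d in decisions if d == "deny")


if __name__ == "__main__":
    for ts, decision in simulate(ATTEMPTS):
        print(f"t={ts:>3}s  {decision}")
```

Keying on the account is what the Intruder test above probes for: a limit that only counts per source address is bypassed by spreading attempts over addresses, while a limit per account is not. In practice both keys are combined, and the denied attempts are logged so they can be alerted on.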

Sequencer

Another tool that Burp offers you is the Sequencer, a so-called "entropy checker". In short, entropy in IT is a value that describes the randomness of a bit string. The lower this value, the easier it is to predict "randomly" generated values and possibly use them to your advantage. With the Sequencer you can check how close a set of tokens comes to truly random values, or whether there is a pattern behind how the tokens are generated. Tokens are access credentials that a web server uses for authentication, for example.
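The core measurement behind an entropy check is the Shannon entropy of the symbols observed at each token position across a sample. The following added example (written for this article, not code from Burp or PortSwigger) computes it for two constructed samples: a counter-based token scheme and tokens from Python's CSPRNG. The `sess0001` naming and the sample size of 64 are assumptions of the example; the ceiling function shows why a small sample under-reports a good generator.

```python
import math
import secrets
from collections import Counter


def shannon_entropy_bits(symbols):
    """Shannon entropy, in bits, of the symbol distribution in `symbols`.

    0.0 means one symbol always occurs; log2(k) means k symbols are equally likely.
    """
    total = len(symbols)
    counts = Counter(symbols)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def per_position_entropy(tokens):
    """Entropy of each character position across a sample of equal-length tokens."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    return [shannon_entropy_bits([t[i] for t in tokens]) for i in range(length)]


def estimate_token_entropy(tokens):
    """Sum of per-position entropies: a rough estimate of the bits of
    unpredictability per token, treating positions as independent."""
    return sum(per_position_entropy(tokens))


def max_measurable_bits_per_position(tokens):
    """With n samples no position can show more than log2(n) bits, so a small
    sample under-reports a good generator; this is why the Sequencer wants
    thousands of tokens before it reports a result."""
    return math.log2(len(tokens))


# Constructed samples: a counter-based token scheme versus a CSPRNG-based one.
PREDICTABLE = [f"sess{n:04d}" for n in range(1, 65)]  # sess0001 .. sess0064
STRONG = [secrets.token_hex(4) for _ in range(64)]     # 8 hex characters each


def compare_samples(predictable=PREDICTABLE, strong=STRONG):
    """Return (estimated bits in the predictable sample, bits in the strong sample)."""
    return estimate_token_entropy(predictable), estimate_token_entropy(strong)


if __name__ == "__main__":
    weak, good = compare_samples()
    print(f"counter tokens: {weak:.2f} bits, random tokens: {good:.2f} bits")
    print(f"per-position ceiling with {len(STRONG)} samples: "
          f"{max_measurable_bits_per_position(STRONG):.2f} bits")
    print("per-position entropy of counter tokens:",
          [round(b, 2) for b in per_position_entropy(PREDICTABLE)])
```

For the counter scheme the first six positions score exactly 0 bits (they never change) and only the last two digits contribute anything, which is the kind of pattern the Sequencer's character-level analysis is meant to expose. Note that a high per-position score does not prove randomness: a token that is an encrypted counter also scores well here, so entropy checks complement, rather than replace, knowing how the generator works.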

Scanner

Unfortunately, the Scanner is not available in the Community Edition. It is still worth mentioning, since ZAP offers a similar function for free. With the Scanner you can automatically scan websites for known vulnerabilities. The scan reports how likely it is that a vulnerability is present and how difficult it would be to exploit. The Scanner is regularly updated to cover new and also lesser-known vulnerabilities.

BApps

In addition, Burp Suite in the Community Edition also lets you integrate external components. These are called "BApps" and work similarly to browser extensions. You can install, view and configure them via the Extender window. However, not everything can be used in the Community Edition; some BApps require the license-based Professional Edition.

Burp Suite in use

Now here is a small example of how a request can be manipulated via the proxy in Burp.

As an example, we will use the OWASP Juice Shop and modify a rating there through the intercepting proxy.

First preparation

First, as a logged-in user (in our case "bender@juice-sh.op"), we enter a review on the Juice Shop website but do not press "Submit" yet.

Juice Shop customer feedback form

Now, before we continue, we need to set the intercept to "On" in Burp's Proxy tab. Burp will then hold the browser's requests before they are sent to the server.

Turning on intercept in the proxy

Procedure with Burp Suite

After we have done this, we simply click "Submit" on the rating we want to submit. Burp now shows us the individual requests it intercepted, and we can forward them to the server one by one with the "Forward" button. We do this until we reach the request that submits our rating. It looks like this:

The rating as a POST request to the website

We can now edit this request. We change the user ID from 3 to 2 (this ID belongs to the user Jim), change the rating from 2 to 4, and change the displayed e-mail address from "***nder@juice-sh.op", which belongs to our user Bender, to "jim@juice-sh.op". The rating is thus displayed as if Jim had submitted it and is also linked to his user ID.

In the highlighted box above we saw our rating as Bender, with a rating of 2 and the comment "Everything is bad"; after the modification it looks like this:

The manipulated rating in the POST request

Now we simply forward the remaining requests with the "Forward" button until everything has been submitted. Then we can view our manipulated rating on the website.

The result

Our manipulated rating

We have now successfully manipulated a rating using the Burp Proxy. The process would be much the same with ZAP; of course the interface looks different and the individual steps may differ.
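What made this possible is that the server took the owner of the rating (user ID and e-mail) from the request body, which the client fully controls. The following added example (written for this article; it is not Juice Shop code and the request handling is simplified) shows that insecure handler next to a hardened one that derives ownership from the server-side session and records any mismatch in an audit log. The `Session` and `FeedbackStore` classes, the valid rating range of 1 to 5 and the comment length cap are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session established at login (constructed for the example)."""
    user_id: int
    email: str


@dataclass
class FeedbackStore:
    """In-memory stand-in for the feedback table plus a security audit log."""
    rows: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def save_feedback_vulnerable(store, session, body):
    """Insecure: the owner of the rating is taken from the request body.

    This is the behaviour exploited in the walkthrough: whoever edits the POST
    request decides which UserId and author the rating is stored under.
    """
    row = {"UserId": body["UserId"], "author": body["author"],
           "rating": body["rating"], "comment": body["comment"]}
    store.rows.append(row)
    return row


def save_feedback_fixed(store, session, body):
    """Hardened: ownership comes from the server-side session, never from the body.

    Client-supplied ownership fields are ignored. A mismatch between them and
    the session is logged, because it is a strong signal of a tampered request.
    """
    rating = int(body.get("rating", 0))
    if not 1 <= rating <= 5:                       # assumed valid range for a rating
        raise ValueError("rating must be between 1 and 5")
    comment = str(body.get("comment", ""))[:500]   # assumed maximum comment length

    tampered = False
    for field_name, expected in (("UserId", session.user_id), ("author", session.email)):
        if field_name in body and body[field_name] != expected:
            tampered = True
            store.audit.append(
                f"ownership mismatch: session user {session.user_id} sent "
                f"{field_name}={body[field_name]!r}"
            )

    row = {"UserId": session.user_id, "author": session.email,
           "rating": rating, "comment": comment, "tampered": tampered}
    store.rows.append(row)
    return row


# Constructed values mirroring the walkthrough: Bender is logged in, but the
# edited request body claims the rating belongs to Jim (user ID 2).
SESSION = Session(user_id=3, email="bender@juice-sh.op")
TAMPERED_BODY = {"UserId": 2, "author": "jim@juice-sh.op",
                 "rating": 4, "comment": "Everything is bad"}


if __name__ == "__main__":
    store = FeedbackStore()
    print("vulnerable:", save_feedback_vulnerable(store, SESSION, dict(TAMPERED_BODY)))
    print("fixed:     ", save_feedback_fixed(store, SESSION, dict(TAMPERED_BODY)))
    print("audit log: ", store.audit)
```

The fix is deliberately boring: every field that expresses identity or ownership is overwritten from the session, and the body is only trusted for the data the user is actually allowed to choose (rating and comment). Keeping the mismatch in an audit log turns a silent failure into something a SOC can alert on.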


OWASP ZAP (Zed Attack Proxy) functions

Now we come to OWASP ZAP, which also provides various tools. OWASP also publishes official documentation of these tools with deeper explanations of their functions as well as examples; it can be downloaded from the official OWASP site. ZAP provides the following tools:

Spider

With the Spider tool you can automatically add URLs of the web application under test to the so-called "Scope", the area to which the tests are limited. The responses are automatically searched for hyperlinks, which are then requested and searched in turn. The process continues as long as new URLs are discovered.

Forced Browse

With the so-called "Forced Browse Scan" you can find URLs or resources that are not linked anywhere in the web application but can still be requested directly (e.g. a hidden folder). ZAP uses preconfigured word lists for this and requests each of the predefined paths.

Active Scan

With the Active Scan you can find potential vulnerabilities in a web application. It does so by trying known and frequently used attack types against the application. Note that an Active Scan therefore already counts as an active attack on the target.

Manual Request Editor

Similar to Burp Suite's "Proxy" module, you can use the Manual Request Editor to manually modify requests and send them to the web server, then evaluate the response.

Extensions

As already mentioned, you can extend OWASP ZAP very easily via the Marketplace, where you can install various add-ons and then configure them locally.

Conclusion: Useful tools whose value depends on the user

Basically, Burp Suite and ZAP can do the same thing: both programs offer you a wide range of tools and add-ons to facilitate general web application pentesting. Both programs allow you to automate some things (e.g. spidering or the possibility to run scans that show you the potential vulnerabilities).

However, it must be said that web application pentesting, especially with regard to broken access control, requires a very high level of technical understanding and a lot of experience. Despite the possibilities for automation, it still involves a lot of manual work, and the tools cannot always provide a sufficient analysis. Much escapes the tools and only comes to light through hands-on testing. It is therefore all the more important to have a web application tested by an experienced pentester who is well versed in web application pentesting.
