Portswigger's Burp Suite and OWASP ZAP are both programs with one Proxy Server, which run on your local device. They allow you to intercept and examine requests sent to a website. In this article we will show you the most important functions of both programs and discuss the differences.
Burp Suite is probably the best-known web application pentesting tool. The free Community Edition includes the most important main functions. There is also the Professional Edition and the Enterprise Edition with additional functions. In this post, however, we will (with one exception) only deal with the free tools of Burp Suite.
An alternative to the Burp Suite is OWASP's Zed Attack Proxy (ZAP). This is an open source project maintained by volunteers. The tool basically offers similar options as Burp Suite, but can also be expanded via the "ZAP Marketplace" with tools created by the community.
This feature is a Web spiders/crawlers, which allows you to browse the content of a web application. Your goal is to create a list of Endpoints to investigate functionality and identify potential vulnerabilities. The more endpoints you discover, the more attack surface you have during testing.
With the proxy you can process inquiries and responsesbefore they arrive at their destination. The request/response is intercepted before it reaches either the target server or you. You can also forward the requests to other tools. This makes your work easier because you don't have to copy everything manually.
The repeater allows you to resend a custom request. You can use this to Website and server parameters zu test. Among other things, you can test which value the server expects for an input in a header or whether it is tested that the data entered by the user is also checked. For example, is it checked whether an e-mail address is actually entered in an e-mail address field?
With the decoder, Burp provides you with a simple tool with which you can create a listing. It shows you which ones encoding methods be used by default (e.g. HTML, Base64 or Hex (hexadecimal)). You mainly use the tool to extract data or values headers to analyze or if you have one inject payload and want to encode it.
With the Intruder, Burp offers you a so-called Fuzzer. With this you can default, mostly invalid values to an input field send. You can then monitor the responses in terms of length and whether they were successful or unsuccessful. An unusual answer usually has a different one response code (e.g. 200, which means "ok"), while a 403 status code means "forbidden". Unusual answers may also be longer or shorter than the rest. With Burp Suite and the Intruder you can e.g. B. so-called "Brute Force Attacks" on login pages carry out. These include word list attacks on input fields, which could be vulnerable to Cross Site Scripting or SQL Injections. You can also use it to test whether a Rate Limit exists, i.e. a limitation of the maximum number of requests allowed in a certain period of time.
Another tool that Burp offers you is the sequencer - a so-called "Entropy checker“. In short, entropy in IT is a value that describes the randomness of the bit string. The lower this value, the easier it is to predict "randomly" generated values and possibly use them to your advantage. With the sequencer you can check how close tokens come to a really randomly generated value or whether there is a certain scheme behind the Generation of the tokens hides. tokens are a type of access method that a web server uses for example authentications uses.
Unfortunately the scanner is not available in the Community Edition. It is still worth mentioning, however, since the ZAP offers a similar function for free. With the scanner you can Automatically scan websites for known vulnerabilities. The scan gives you information about the likelihood that a vulnerability exists and how difficult it would be to exploit it. The scanner is regularly updated to include new and lesser-known vulnerabilities.
In addition, Burp Suite in the Community Edition also offers you the option of integrating external components. These are called "BApps" and work similarly to browser extensions. You can do this via this Extender Window Install, view and adjust if necessary. However, not everything can be used in the Community Edition, some BApps require the license-based Professional Edition.
Here is a small example of how a request can be manipulated via the proxy in Burp.
As an example we will use the OWASP Juice Shop and there a Modify rating via the intruder.
First, as the registered user, in our case we are logged in as "bender@juice-sh.op", we enter a rating on the Juice Shop website, but do not press "Submit" yet.
Before we continue working, we have to den in the proxy at Burp Intercept to "On" place. This intercepts Burp's requests before they are sent to the server.
After we have done this, we simply click on the rating that we want to give.Submit“. Burp now shows us the individual requests that were intercepted and we can forward them to the server manually using the "Forward" button. We do this until we get to the request where our review should be submitted. This then looks like this:
We can now do this request Bearbeiten. Now let's change the user ID from 3 to 2 (this ID belongs to user Jim) change the rating from 2 to 4 and the displayed email address from "***nder@juice-sh.op" which goes to belongs to our user Bender, now to "jim@juice-sh.op". This shows that Jim gave the rating and the rating is also linked to his user ID.
As before, in the highlighted box we see our rating as a bender with a rating of 2 and the comment "Everything is bad", which then looks like this after editing:
Now we can simply use the "Forward“ Forward button until everything is submitted. We can then view our manipulated rating on the website.
We have now successfully manipulated a rating using the Burp Proxy. It should be noted that the process would be roughly the same if we were to use the ZAP, only of course it looks different and the individual steps might differ.
Now we come to the OWASP ZAP, which also provides various tools. OWASP also has one official documentation their tools with deeper explanations of the function as well as examples. You can do this on the OWASP official site just download it. The ZAP offers you the following tools:
With the Spider Tool you can URLs of a web application, which you test, automatically to the so-called "Scope" add to. The scope is the area to which the tests are limited. Here they will Responses are automatically searched for hyperlinks. These are then called up and also searched. The whole thing works as long as new URLs are discovered.
With the so-called "Forced Browse Scan" you can find URLs or resources that are not linked in the web application, but can be queried at any time (e.g. a hidden folder). ZAP uses preconfigured lists for this and then calls up the specified paths.
With Active Scan you can identify potential vulnerabilities in a web application. The Active Scan tries this through known types of attacks, which are used frequently. The active scan is already counted as an active attack.
Similar to Burp Suite's "Proxy" module, you can use the Manual Request Editor Modify requests manually and send it to the web server to then evaluate the response.
As already mentioned, you can easily expand the OWASP ZAP via the Marketplace. There you can install various add-ons and then adjust them locally.
Basically, Burp Suite and ZAP can do the same thing: Both programs offer you a large selection of tools and add-ons to make general web application pentesting easier. Both programs allow you a lot automate (e.g. spidering or the ability to run scans that will show you the potential vulnerabilities).
However, it must be said that web application pentesting is particularly important with regard to broken access control very high technical understanding and requires a lot of experience. Despite the possibilities for automation, it requires a lot manual work and the tools are not always able to provide an adequate analysis. Much can escape the tools and will only come to light through active testing. It is therefore all the more important to have the web application tested by an experienced pentester who is well versed in web application pentesting.
