Web application requests intercepted in Burp Suite

Day 3: Manual Testing with Burp Suite & OWASP ZAP

Burp Suite and ZAP: Web Proxy Interception Mastery

Manual testing is a cornerstone of web application penetration testing: it lets security professionals analyze and manipulate HTTP/HTTPS traffic to identify vulnerabilities that automated tools miss. Parrot OS, a Debian-based Linux distribution optimized for cybersecurity, ships with the proxy tools Burp Suite and OWASP ZAP for this purpose. On Day 3 of this 7-day web application hacking series, we focus on web proxy interception and manual testing techniques. This article covers setting up Burp Suite and OWASP ZAP with Firefox, intercepting and modifying requests, crawling and spidering websites, and using Repeater, Intruder, and passive scans. All commands use example.com as the illustrative target, but testing should be conducted in your local lab (DVWA or OWASP Juice Shop from Day 1). Both graphical user interface (GUI) and command-line interface (CLI) methods are explained where applicable, with additional coverage of Burp Suite extensions and ZAP scripting. By the end you will have precise control over web traffic analysis and vulnerability discovery.

Verifying the Test Lab

Ensure your test lab from Day 1 (DVWA and OWASP Juice Shop) is operational before proceeding with manual testing.

  1. Check LAMP Stack:
    sudo systemctl status apache2
    sudo systemctl status mysql
    Verify that Apache and MySQL are running.
  2. Access DVWA: Navigate to http://localhost/dvwa, log in with admin/password, and set the security level to “Low.”
  3. Access Juice Shop: Navigate to http://localhost:3000 to confirm OWASP Juice Shop is running.

Ethical Note: All commands use example.com for illustrative purposes. Only test on systems you own or have explicit permission to scan, such as your local lab. Unauthorized testing of live systems like example.com is illegal and unethical.

Task: Verify that DVWA and OWASP Juice Shop are accessible in your local lab environment.

Outcome: Your test lab is ready for manual testing with Burp Suite and OWASP ZAP.

Setting Up Burp Suite with Firefox

Burp Suite is a powerful web proxy tool for intercepting, analyzing, and modifying HTTP/HTTPS traffic. It is available in Parrot OS in both Community (free) and Professional editions.

GUI Setup

  1. Launch Burp Suite:
    • Open Burp Suite from the Parrot menu or run:
      burpsuite
    • Select “Temporary Project” and click “Start Burp.”
  2. Configure Firefox Proxy:
    • Open Firefox, go to Preferences > Network Settings > Manual Proxy Configuration.
    • Set HTTP Proxy to 127.0.0.1, Port 8080 (Burp’s default).
    • Enable “Use this proxy for HTTPS.”
  3. Install Burp’s CA Certificate:
    • Navigate to http://burp in Firefox and click “CA Certificate” to download.
    • In Firefox, go to Preferences > Privacy & Security > Certificates > View Certificates > Import, and import the downloaded certificate.
  4. Verify Proxy: Browse to http://example.com or http://localhost/dvwa and confirm requests appear in Burp’s “Proxy > HTTP History” tab.

CLI Interaction (Burp Professional)

Burp Suite Professional supports automation without the GUI through its REST API, which has to be enabled in Burp’s REST API settings first and listens on 127.0.0.1:1337 by default.

  • Start Burp in Headless Mode:
    java -Djava.awt.headless=true -jar burpsuite_pro.jar --project-file=project.burp
    Launches Burp without the GUI via the JVM headless property, saving state to project.burp (burpsuite_pro.jar stands for the path of your Professional jar).
  • Automate Scanning (requires Professional edition):
    curl -X POST -H 'Content-Type: application/json' -d '{"urls":["http://example.com"]}' http://127.0.0.1:1337/v0.1/scan
    Initiates a scan via the REST API; the task id is returned in the Location header, and a GET to /v0.1/scan/<task_id> reports progress and findings (see Burp documentation for API keys and scan configurations).

Task: Set up Burp Suite with Firefox, install the CA certificate, and verify interception of requests to http://example.com and http://localhost/dvwa.

Outcome: You can configure Burp Suite for proxy interception using both GUI and CLI methods.

Setting Up OWASP ZAP with Firefox

OWASP ZAP (Zed Attack Proxy) is an open-source web proxy tool for manual and automated testing, included in Parrot OS.

GUI Setup

  1. Launch OWASP ZAP:
    • Open ZAP from the Parrot menu or run:
      zaproxy
    • Choose “Persist Session” and save to a file (e.g., zap_session).
  2. Configure Firefox Proxy:
    • In Firefox, go to Preferences > Network Settings > Manual Proxy Configuration.
    • Set HTTP Proxy to 127.0.0.1, Port 8080 (ZAP’s default).
    • Enable “Use this proxy for HTTPS.”
  3. Install ZAP’s CA Certificate:
    • In ZAP, go to Tools > Options > Dynamic SSL Certificates, and export the certificate.
    • In Firefox, import the certificate via Preferences > Privacy & Security > Certificates > Import.
  4. Verify Proxy: Browse to http://example.com or http://localhost/juice-shop and confirm requests appear in ZAP’s “History” tab.

CLI Interaction

ZAP supports CLI for automation and scripting.

  • Start ZAP in Daemon Mode:
    zaproxy -daemon -port 8080 -host 127.0.0.1
    Runs ZAP as a background proxy.
  • Run a Quick Scan:
    zaproxy -quickurl http://example.com -quickout zap_report.html
    Performs a quick scan and saves results to zap_report.html.

Task: Set up OWASP ZAP with Firefox, install the CA certificate, and verify interception of requests to http://example.com and http://localhost/juice-shop. Run a CLI quick scan on http://localhost/dvwa.

Outcome: You can configure OWASP ZAP for proxy interception using both GUI and CLI methods.

Intercepting and Modifying Requests

Web proxies allow you to intercept and modify HTTP/HTTPS requests to test for vulnerabilities like insecure input handling.

Burp Suite: Interception

  • GUI:
    • In Burp’s “Proxy” tab, ensure “Intercept is on.”
    • Browse to http://example.com or http://localhost/dvwa.
    • View intercepted requests in the “Intercept” tab.
    • Modify a parameter (e.g., change a form input value) and click “Forward.”
    • Example: In DVWA’s login form, change username=admin to test SQL injection patterns.
  • CLI (Scripting): route scripted requests through Burp’s proxy listener with curl or a short Python requests script; this works in the Community edition too, while the Professional REST API covers scan automation rather than request injection:
    curl -x http://127.0.0.1:8080 http://example.com/
    Sends a request through the proxy; it appears in “Proxy > HTTP History” like a browser request and, with Intercept on, can be edited before it is forwarded. For HTTPS targets pass Burp’s exported CA certificate with --cacert (or use -k inside the lab).

OWASP ZAP: Interception

  • GUI:
    • In ZAP’s “Break” tab, enable the break point for HTTP requests.
    • Browse to http://example.com or http://localhost/juice-shop.
    • Modify intercepted requests (e.g., alter a POST parameter) and click “Continue.”
    • Example: In Juice Shop’s search field, submit a search, then alter the intercepted search parameter and check how the input is reflected in the response (a basic XSS test).
  • CLI:
    zaproxy -script run_script.js
    Runs a custom ZAP script (-script takes one script path; a script of the HTTP Sender type is the one that can modify requests, see ZAP documentation).

Task: Intercept a request to http://localhost/dvwa/vulnerabilities/sqli in Burp Suite and ZAP, modify a parameter, and observe the server’s response.

Outcome: You can intercept and manipulate web traffic to test application behavior.

Crawling and Spidering the Site

Crawling and spidering map a website’s structure, identifying pages, forms, and endpoints for further testing.

Burp Suite: Crawling

  • GUI:
    • In the “Target > Site Map” tab, right-click example.com or localhost/dvwa and select “Add to Scope.”
    • Go to “Crawler” tab, configure settings (e.g., max depth), and start a crawl.
    • Review the site map for discovered pages and endpoints.
  • CLI (Professional):
    curl -X POST -H 'Content-Type: application/json' -d '{"urls":["http://example.com"],"scope":{"include":[{"rule":"http://example.com"}]},"scan_configurations":[{"type":"NamedConfiguration","name":"Crawl strategy - fastest"}]}' http://127.0.0.1:1337/v0.1/scan
    Initiates a scan via the REST API on 127.0.0.1:1337, limiting scope to example.com and selecting a named crawl configuration from Burp’s configuration library; crawling is the first phase of every Burp scan.

OWASP ZAP: Spidering

  • GUI:
    • In the “Sites” pane, right-click example.com or localhost/juice-shop and select “Spider.”
    • Configure options (e.g., max depth, include forms) and start the spider.
    • View results in the “Spider” tab.
  • CLI:
    zaproxy -daemon -port 8080 -host 127.0.0.1 -config api.key=changeme
    curl "http://127.0.0.1:8080/JSON/spider/action/scan/?apikey=changeme&url=http://example.com"
    curl "http://127.0.0.1:8080/JSON/spider/view/status/?apikey=changeme&scanId=0"
    curl "http://127.0.0.1:8080/JSON/spider/view/results/?apikey=changeme&scanId=0"
    Runs the spider through the ZAP API against a daemon-mode instance: the first call starts the spider (its response carries the scan id), the second reports the percentage complete, and the third lists the discovered URLs once the status reaches 100. Replace changeme with a key of your own.

Task: Crawl http://localhost/dvwa and http://example.com (in your lab) using Burp Suite and ZAP, and compare the discovered endpoints.

Outcome: You can map a website’s structure to identify testable endpoints.

Repeater, Intruder, and Passive Scan Usage

These tools allow for targeted testing and automated vulnerability scanning.

Burp Suite: Repeater

  • GUI:
    • In “Proxy > HTTP History,” right-click a request to example.com or localhost/dvwa and select “Send to Repeater.”
    • Modify the request (e.g., change a parameter value) and click “Send.”
    • Example: Test a login form by altering password values repeatedly.
  • CLI: Use scripting with Burp’s REST API for repetitive requests (Professional edition).

Burp Suite: Intruder

  • GUI:
    • Send a request to “Intruder,” set attack positions (e.g., a form parameter like id=§1§).
    • Load a payload list (e.g., /usr/share/wordlists/rockyou.txt) and start the attack.
    • Example: Test parameter values on localhost/dvwa.
  • CLI: Automate Intruder attacks via scripts (Professional edition).

Burp Suite: Passive Scan

  • GUI:
    • Enable passive scanning in “Scanner > Options.”
    • Browse example.com or localhost/dvwa to trigger scans.
    • Review findings in the “Issues” tab (e.g., missing headers, insecure cookies).

OWASP ZAP: Repeater

  • GUI:
    • Right-click a request in the “History” tab and select “Open in Manual Request Editor.”
    • Modify and resend the request to test responses.
  • CLI: Use ZAP scripts for repetitive testing.

OWASP ZAP: Active Scan

  • GUI:
    • Right-click example.com or localhost/juice-shop in the “Sites” pane and select “Active Scan.”
    • Configure scan policies and start the scan.
    • Review vulnerabilities in the “Alerts” tab.
  • CLI:
    zaproxy -quickurl http://example.com -quickout zap_active_scan.html
    Spiders and then actively scans the target, writing the alerts to zap_active_scan.html.

OWASP ZAP: Passive Scan

  • GUI:
    • Enable passive scanning in “Tools > Options > Passive Scan.”
    • Browse the target to generate alerts automatically.
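The kinds of findings a passive scan produces (the missing headers and insecure cookies mentioned under Burp’s passive scan above, and ZAP’s passive alerts here) can be reproduced with a small ZAP passive-rule script. This is an added example, not code from the original post or from ZAP; it uses the ps.newAlert() builder that recent ZAP passive-rule templates provide, and REQUIRED_HEADERS is an assumed baseline chosen for the plain-HTTP lab (so no HSTS check, and the Secure-flag finding is expected there):

```javascript
// ZAP passive scan script: flag responses that lack hardening headers or set
// cookies without the Secure/HttpOnly flags. Passive rules only read traffic ZAP
// has already seen, so this never sends extra requests. Load via
// Scripts > Passive Rules > New Script (engine: JavaScript) and enable it.
// REQUIRED_HEADERS is an assumed baseline for the HTTP-only lab (no HSTS check).
var REQUIRED_HEADERS = ["Content-Security-Policy", "X-Content-Type-Options", "X-Frame-Options"];

// Java lists (Graal/Nashorn interop) and JS arrays expose size and items differently.
function count(list) { return (typeof list.size === "function") ? list.size() : list.length; }
function item(list, i) { return String((typeof list.get === "function") ? list.get(i) : list[i]); }

// Pure check behind scan(): responseHeader needs getHeader(name) (null when absent)
// and getHeaders(name) (list or null), as ZAP's HttpResponseHeader provides.
function findWeaknesses(responseHeader) {
  var findings = [];
  for (var i = 0; i < REQUIRED_HEADERS.length; i++) {
    if (responseHeader.getHeader(REQUIRED_HEADERS[i]) === null) {
      findings.push("missing header: " + REQUIRED_HEADERS[i]);
    }
  }
  var cookies = responseHeader.getHeaders("Set-Cookie") || [];
  for (var j = 0; j < count(cookies); j++) {
    var cookie = item(cookies, j);
    var name = cookie.split("=")[0].trim();
    if (!/;\s*secure\s*(;|$)/i.test(cookie)) { findings.push("cookie without Secure: " + name); }
    if (!/;\s*httponly\s*(;|$)/i.test(cookie)) { findings.push("cookie without HttpOnly: " + name); }
  }
  return findings;
}

// ZAP entry point: ps is the PassiveScriptHelper, msg the HttpMessage, src the
// parsed HTML (unused). Raises one alert per response listing every gap found.
function scan(ps, msg, src) {
  var findings = findWeaknesses(msg.getResponseHeader());
  if (findings.length === 0) { return 0; }
  ps.newAlert()
    .setRisk(1)                       // Low
    .setConfidence(2)                 // Medium
    .setName("Lab: response hardening gaps")
    .setDescription(findings.join("\n"))
    .setEvidence(findings[0])
    .setSolution("Send the missing headers; set Secure and HttpOnly on session cookies.")
    .setMessage(msg)
    .raise();
  return findings.length;
}

// Check every message ZAP records, whatever component produced it.
function appliesToHistoryType(historyType) { return true; }
```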

Task: Use Burp Suite’s Repeater to test a DVWA login form, Intruder to test parameter values, and passive scans in both Burp and ZAP on http://example.com and http://localhost/juice-shop.

Outcome: You can perform targeted manual testing and automated scanning with Burp Suite and ZAP.

Advanced Features: Burp Extensions and ZAP Scripting

Burp Suite and ZAP offer advanced features to enhance testing capabilities.

Burp Suite Extensions

  • GUI:
    • In “Extensions > BApp Store,” install extensions like “Active Scan++” or “Turbo Intruder.”
    • Example: Use “Active Scan++” to enhance vulnerability detection on example.com.
  • CLI: Manage extensions via the Burp REST API (Professional edition).

ZAP Scripting

  • GUI:
    • In “Scripts” tab, create a new script (e.g., JavaScript) to automate tasks like modifying requests.
    • Example: Write a script to test various input validation methods.
  • CLI:
    zaproxy -script myscript.js
    Runs a custom script for automation (one script path per -script option).
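The request-modifying script described under ZAP interception above and the request-logging script this section asks for can be one HTTP Sender script. The following is an added example, not code from the original post or from the ZAP project; LAB_HOST and LAB_TAG_HEADER are assumed values for the Day 1 lab, and the msg methods used (getRequestHeader, getURI, getMethod, setHeader, getResponseHeader, getStatusCode) are those ZAP exposes on its HttpMessage object:

```javascript
// ZAP "HTTP Sender" script: log every request to the lab host and tag it with a
// custom header so the traffic is easy to find later in ZAP's History tab.
// Load via Scripts > HTTP Sender > New Script (engine: JavaScript) and enable it,
// or start ZAP with: zaproxy -script zap_log_requests.js
// LAB_HOST and LAB_TAG_HEADER are assumed values for the Day 1 lab.
var LAB_HOST = "localhost";                 // host running DVWA / Juice Shop
var LAB_TAG_HEADER = "X-Lab-Request-Id";    // hypothetical marker header
var requestCount = 0;

// ZAP's script engine exposes print(); fall back to console.log when the file is
// loaded outside ZAP (e.g. under Node for a quick syntax check).
var out = (typeof print === "function") ? print : console.log;

// Returns "METHOD url" for requests aimed at the lab host, otherwise null.
function describeRequest(msg) {
  var header = msg.getRequestHeader();
  var uri = header.getURI();
  if (String(uri.getHost()) !== LAB_HOST) {
    return null;                            // ignore everything outside the lab
  }
  return header.getMethod() + " " + uri.toString();
}

// ZAP calls this for every request it is about to send (proxy, spider,
// scanner ...); initiator is an int identifying the component that sent it.
// Returns the tag written into the request, or null when the request was skipped.
function sendingRequest(msg, initiator, helper) {
  var line = describeRequest(msg);
  if (line === null) {
    return null;
  }
  requestCount += 1;
  var tag = "lab-" + requestCount;
  msg.getRequestHeader().setHeader(LAB_TAG_HEADER, tag);
  out("[" + tag + "] initiator=" + initiator + " " + line);
  return tag;
}

// ZAP calls this for every response; logs the status code for lab requests only.
function responseReceived(msg, initiator, helper) {
  var line = describeRequest(msg);
  if (line === null) {
    return null;
  }
  var status = msg.getResponseHeader().getStatusCode();
  out("  -> " + status + " for " + line);
  return status;
}
```

Because the tag header is added before the request leaves ZAP, it also reaches the lab server’s access log, which makes correlating proxy history with server-side logs straightforward.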

Task: Install a Burp Suite extension and write a simple ZAP script to log requests for http://example.com.

Outcome: You can extend Burp and ZAP functionality with advanced features.

Practical Exercise

  1. Configure Burp Suite and OWASP ZAP with Firefox, installing CA certificates.
  2. Intercept and modify a request to http://localhost/dvwa/vulnerabilities/sqli in both tools.
  3. Crawl http://example.com and http://localhost/juice-shop using Burp and ZAP.
  4. Use Burp’s Repeater and Intruder to test a DVWA form, and run passive scans in both tools.
  5. Install a Burp extension and create a ZAP script for request logging.

Conclusion

Day 3 of this 7-day web application hacking series has equipped you with manual testing skills using Burp Suite and OWASP ZAP on Parrot OS. By mastering proxy setup, request interception, crawling, and tools like Repeater, Intruder, and passive scans, you can analyze web applications with precision. GUI and CLI methods, along with advanced extensions and scripting, enhance your testing capabilities. Continue practicing in your local lab environment, and prepare for Day 4, where you will explore exploitation techniques like SQL injection and XSS.

Next Steps:

  • Experiment with additional Burp extensions and ZAP scripts.
  • Test more complex DVWA and Juice Shop vulnerabilities.
  • Engage with cybersecurity communities on platforms like X to share insights and learn best practices.
