Kali comes with two great apps dedicated to testing and prodding web apps. BurpSuite is widely seen as the go-to when it comes to playing around on Kali; however, some of its more advanced features are stuck behind the paid Pro version. One particular feature that is limited to the Pro version is the functionality dedicated to brute forcing. There is a hard limit of requests per minute, which can mean that using a large wordlist takes forever. This is not really an option when it comes to time-based exams such as the OSCP.
Zap, a project sponsored by the Open Web Application Security Project (OWASP), does not have a hard limit on such a critical feature.
The great thing is we can have both BurpSuite and Zap set up at the same time, so we can enjoy the benefits and features of both. This guide will show you how to get both BurpSuite and Zap up and running on Kali along with the popular FoxyProxy plugin for Firefox.
We start by adding the popular FoxyProxy plugin to Kali’s in-built Firefox web browser. FoxyProxy allows us to switch ports between the two tools, or turn off the proxy feature altogether. There are two versions; however, we only need the Basic version. Simply add it.
Head to the options section of FoxyProxy, and hit “Add”.
Make your first entry for BurpSuite by adding a title, as well as adding the local address 127.0.0.1 and port 8080.
Hit “Save & Add Another”. Make an entry for Zap, doing the same, however ensure the port is 8081.
You will now notice the dropdown options to select either off, Zap, or BurpSuite.
We now need to set up both BurpSuite and Zap to ensure they are able to send and receive traffic to Firefox on the desired port, depending on what we have FoxyProxy set as.
We also need to install the certificates for both Burp and Zap. This will allow us to navigate HTTPS traffic without giving us the encryption warnings, such as below;
Setup BurpSuite with FoxyProxy
Start up BurpSuite and head to the Proxy tab, and then Options. You should see an entry for your localhost, 127.0.0.1, and port 8080, such as below. These are the default settings for BurpSuite.
If the entry is not there, simply hit Add and add the information as below, and hit OK.
We now need to install the certificates. Ensure you have BurpSuite selected on FoxyProxy, and navigate to the following link;
You will see a splash screen such as below. Click on “CA Certificate”.
Save the Certificate somewhere on your Kali machine. Head to the options menu in Firefox and select preferences.
On the left-hand side, select Privacy & Security
…and then View Certificates.
From the Authorities tab, hit “Import”.
Import the certificate;
Ensure you select “Trust this CA to identify websites”, and hit OK.
We can now test that the certificate is imported correctly by visiting an HTTPS website with BurpSuite running and Burp being selected in FoxyProxy. It should load without errors.
Setup Zap With FoxyProxy
One of the main reasons we set up BurpSuite first was because when we move to Zap, it is smart enough to realize that port 8080 is already in use and offers us another port. Note that this only occurs if and when you still have BurpSuite up and running. If you are presented with the below option, simply select port 8081, which is what we set it up as in FoxyProxy.
If you were not presented with this opportunity to select the port on startup, simply head to Tools and then, Options.
On the left and about two-thirds the way down, select “Local Proxies”. Ensure the address is “localhost” and the port is set to 8081.
Now, like BurpSuite, we need to install the HTTPS certificates for Zap. Still within the options menu, click on the “Dynamic SSL Certificates” section.
A certificate will have already been generated, so simply hit “Save”, to save a local copy.
Once again, open Firefox and head to the Privacy & Security menu options, and then “View Certificates”. On the Authorities tab, select Import.
Once again, select the option to “Trust this CA to identify websites”, and select import.
To test everything was set up correctly, ensure Zap is up and running and FoxyProxy is set to Zap. Simply head to an HTTPS website, such as Google, which should load without error.
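A quick preflight check for the two listeners configured above, as an added example that is not part of the original guide: it reads `ss -ltnH` output and reports whether ports 8080 (BurpSuite) and 8081 (Zap) are listening on loopback only, listening on a network-reachable address, or not listening at all. The function names and the sample `ss` output are constructed for illustration; only the ports and the loopback address come from the guide.

```bash
#!/bin/sh
# Added example: check the local proxy listeners used in this guide.
# Constructed sample of `ss -ltnH` output: Burp bound to loopback,
# Zap (mis)bound to all interfaces, plus an unrelated SSH listener.
SAMPLE_SS='LISTEN 0 50 [::ffff:127.0.0.1]:8080 *:*
LISTEN 0 50 *:8081 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# listener_state PORT: reads `ss -ltnH` lines on stdin and prints one of
#   loopback - only bound to 127.x.x.x or ::1 (what the guide configures)
#   exposed  - bound to a non-loopback address, reachable from the network
#   down     - nothing is listening on that port
listener_state() {
  awk -v port="$1" '
    {
      addr = $4                                  # "Local Address:Port" column
      n = split(addr, parts, ":")
      if (parts[n] != port) next                 # different port, skip
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      gsub(/^\[|\]$/, "", host)                  # strip IPv6 brackets
      sub(/^::ffff:/, "", host)                  # unwrap IPv4-mapped form
      if (host ~ /^127\./ || host == "::1") {
        if (state == "") state = "loopback"
      } else {
        state = "exposed"                        # any wide bind wins
      }
    }
    END { print (state == "" ? "down" : state) }
  '
}

# proxy_report SS_OUTPUT: one line per proxy port from the guide.
proxy_report() {
  for p in 8080 8081; do
    printf '%s %s\n' "$p" "$(printf '%s\n' "$1" | listener_state "$p")"
  done
}

# Runs against the constructed sample; on a live Kali box use:
#   proxy_report "$(ss -ltnH)"
proxy_report "$SAMPLE_SS"
```

If a port reports `exposed`, set that tool's proxy listener address back to 127.0.0.1 or localhost as described in the setup steps.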
We hope you found the guide useful. Whilst there are plenty of guides out there to help you set up either Zap or BurpSuite, we thought it would be useful to show you how to set up both.