I chain HTTP debug proxies.
That way I can use features from all of them, at the same time:
- BurpSuite passive sitemap building
- ZAP's multiple breakpoints
I usually work on Windows, so the first proxy I start is Fiddler. Fiddler hooks into the Windows system seamlessly without any additional config. All other proxies I point at Fiddler as the downstream proxy.
When Fiddler is running, test your setup by pointing your browser through Fiddler.
In the BurpSuite Options tab, under Upstream Proxy Servers, add an entry for Fiddler:
- Destination Host: *
- Proxy Host: localhost
- Proxy Port: 8888
At this point, test your setup again. Don't chain everything together and then try to figure out where the problem is. Point your browser at BurpSuite and check you can see traffic through them all.
If you get stuck, use the Alerts tab in BurpSuite to check for errors.
Hint: Firefox and Opera maintain their proxy settings independently from the Windows settings so test your setup with Firefox or Opera.
Tools > Options > Connection. Then point it at BurpSuite:
- Port: 8082 (or whatever you bound BurpSuite to)
Find the port you have bound ZAP to in Tools > Options > Local Proxy,
and point the browser at this port now.
Voila, you should have it all chained.
If not, just revisit the last step. And don’t panic.
Step by step, check each part of the journey. If it's not working, it will probably just be some stupid error where you had config left over from a previous session.
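The hop-by-hop check can also be scripted. This is an added example, not part of the original post: it walks the chain in setup order and names the first hop that is not listening or not passing traffic. Ports 8888 and 8082 are the ones quoted above; the ZAP port (8080) and the test URL are assumptions.

```python
import socket
import urllib.error
import urllib.request

# Hops in the order they are set up above. 8888 and 8082 come from the post;
# 8080 for ZAP is an assumption, read yours from Tools > Options > Local Proxy.
CHAIN = [("Fiddler", "localhost", 8888),
         ("BurpSuite", "localhost", 8082),
         ("ZAP", "localhost", 8080)]

def is_listening(host, port, timeout=2.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def fetch_via(host, port, url, timeout=10.0):
    """Request url using host:port as the HTTP proxy; return status or None."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": f"http://{host}:{port}"}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # the proxy answered, possibly with its own error page
    except (urllib.error.URLError, OSError):
        return None

def first_broken_hop(chain, url):
    """Test each hop in order; return (name, reason) for the first failure."""
    for name, host, port in chain:
        if not is_listening(host, port):
            return name, "not listening"
        status = fetch_via(host, port, url)
        # A 5xx here usually means this proxy could not reach the next one.
        if status is None or status >= 500:
            return name, f"request failed (status {status})"
    return None

if __name__ == "__main__":
    # Arbitrary plain-HTTP test URL (assumption); any site you may test works.
    broken = first_broken_hop(CHAIN, "http://example.com/")
    print("chain OK" if broken is None else "fix %s: %s" % broken)
```

Because each hop is tested before the one layered on top of it, the first name reported is the proxy whose settings need revisiting.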
Just remember to unwind them when you are done.
I have a video in the Technical Web Testing 101 course that shows this in more detail.