Tooling

Web App Testing — Burp, ZAP, Caido

Intercepting proxies and web app pentest platforms.

The intercepting proxy is the bread and butter of web app testing. Spider, intercept, modify, replay. For automated DAST / template scanning see Vulnerability Scanners (Nuclei) and Security Scanning. For defensive WAF-side coverage see WAF (ModSec, Coraza) and Bot Protection.

The big three

  • ★ ★ Burp Suite (PortSwigger) — the industry reference. Community Edition free (manual proxy + basic Repeater/Intruder). Pro paid (~$475/yr) unlocks the active scanner, Intruder rate, BApp store, Collaborator. Pro is what 90% of pro pentesters and bug-bounty hunters run.
  • OWASP ZAP — the FOSS counterpart. Full active scanner, scripting, automation framework, Docker images for CI. No license cost, ever. Default for org-wide DAST in CI.
  • Caido — modern Burp alternative; Rust + web UI; explosive growth 2024–26. Free core; Pro paid ($60/yr individual) adds workflows, projects, AI assist. Many bug-bounty hunters now run Burp + Caido side-by-side.

Burp vs ZAP vs Caido in 2026

  • Burp Pro still has the best Intruder, the deepest extension store, and Collaborator (out-of-band testing).
  • ZAP is the best free option if you want a true active scanner with no strings.
  • Caido has the cleanest UI, native HTTP/2, project-based workflows, and is winning new bug-bounty hunters.

Burp / ZAP / Caido extensions worth installing

Burp BApps:

  • Autorize — auth/authz testing (replay as user B).
  • Logger++, Hackvertor, JWT Editor, Param Miner, Turbo Intruder, Active Scan++, Backslash Powered Scanner.
  • Burp AI (Pro 2024.6+) — AI-assisted recon and vuln explanation.

ZAP add-ons: Active Scan Rules - Alpha, Advanced SQLi scanner, GraphQL, OpenAPI support.

Caido plugins: ShiftCrops, Convert, AuthMatrix-style workflows.

Other intercepting tools

  • mitmproxy — Python; CLI/TUI/web UI; programmable; brilliant for automation, mobile testing, scripted MitM. Free.
  • HTTP Toolkit — friendly UI; one-click Android / iOS / Docker / browser interception. Free core, Pro paid for advanced rule scripting.
  • Postman + Newman — API client + CLI runner; not a pentest tool, but invaluable for API recon. See API Clients.
  • Insomnia — Postman alternative; nicer for OAuth/GraphQL.
  • Charles Proxy — Mac classic; paid; mobile-friendly.
  • Fiddler Classic / Fiddler Everywhere — Telerik; Windows-friendly; freemium.

Browser-side helpers

  • FoxyProxy — quick proxy switching in Firefox / Chrome.
  • Wappalyzer / WhatWeb — tech-stack fingerprinting.
  • Cookie-Editor — auth-cookie management mid-test.
  • Hack-Tools — quick payloads (XSS, SQLi, file-include) in a sidebar.

SSL / cert handling

  • Trust Burp/ZAP/Caido CA in browser AND in your OS keychain (especially macOS / mobile).
  • For Android 7+ you need a system-level cert (rooted) or a Frida hook — see Mobile Pentesting.
  • Modern apps with cert pinning need Frida / objection to bypass.

CI integration

  • ZAP Baseline / Full Scan Action — GitHub Action; runs ZAP against a URL on every PR.
  • ZAP Automation Framework (YAML) — replaces older zap-cli; declarative scans.
  • Burp Enterprise — paid; CI-friendly Burp Pro at scale.
  • Caido CLI — headless runs (paid plan).

Pick this if…

  • Default for a pro pentester / bug-bounty hunter: Burp Pro (+ Caido as second seat).
  • Free / open-source full active scanner: OWASP ZAP.
  • Modern UX, free, bug-bounty workflows: Caido (free) + bump to Pro if it sticks.
  • Scriptable / mobile / automation: mitmproxy.
  • Onboarding friendly mobile MitM: HTTP Toolkit.
  • CI-side DAST in PR pipelines: OWASP ZAP Action.

On this page