Web App Testing — Burp, ZAP, Caido
Intercepting proxies and web app pentest platforms.
The intercepting proxy is the bread and butter of web app testing. Spider, intercept, modify, replay. For automated DAST / template scanning see Vulnerability Scanners (Nuclei) and Security Scanning. For defensive WAF-side coverage see WAF (ModSec, Coraza) and Bot Protection.
The big three
- ★ ★ Burp Suite (PortSwigger) — the industry reference. Community Edition free (manual proxy + basic Repeater/Intruder). Pro paid (~$475/yr) unlocks the active scanner, Intruder rate, BApp store, Collaborator. Pro is what 90% of pro pentesters and bug-bounty hunters run.
- ★ OWASP ZAP — the FOSS counterpart. Full active scanner, scripting, automation framework, Docker images for CI. No license cost, ever. Default for org-wide DAST in CI.
- ★ Caido — modern Burp alternative; Rust + web UI; explosive growth 2024–26. Free core; Pro paid ($60/yr individual) adds workflows, projects, AI assist. Many bug-bounty hunters now run Burp + Caido side-by-side.
Burp vs ZAP vs Caido in 2026
- Burp Pro still has the best Intruder, the deepest extension store, and Collaborator (out-of-band testing).
- ZAP is the best free option if you want a true active scanner with no strings.
- Caido has the cleanest UI, native HTTP/2, project-based workflows, and is winning new bug-bounty hunters.
Burp / ZAP / Caido extensions worth installing
Burp BApps:
- Autorize — auth/authz testing (replay as user B).
- Logger++, Hackvertor, JWT Editor, Param Miner, Turbo Intruder, Active Scan++, Backslash Powered Scanner.
- Burp AI (Pro 2024.6+) — AI-assisted recon and vuln explanation.
ZAP add-ons: Active Scan Rules - Alpha, Advanced SQLi scanner, GraphQL, OpenAPI support.
Caido plugins: ShiftCrops, Convert, AuthMatrix-style workflows.
Other intercepting tools
- ★ mitmproxy — Python; CLI/TUI/web UI; programmable; brilliant for automation, mobile testing, scripted MitM. Free.
- ★ HTTP Toolkit — friendly UI; one-click Android / iOS / Docker / browser interception. Free core, Pro paid for advanced rule scripting.
- Postman + Newman — API client + CLI runner; not a pentest tool, but invaluable for API recon. See API Clients.
- Insomnia — Postman alternative; nicer for OAuth/GraphQL.
- Charles Proxy — Mac classic; paid; mobile-friendly.
- Fiddler Classic / Fiddler Everywhere — Telerik; Windows-friendly; freemium.
Browser-side helpers
- FoxyProxy — quick proxy switching in Firefox / Chrome.
- Wappalyzer / WhatWeb — tech-stack fingerprinting.
- Cookie-Editor — auth-cookie management mid-test.
- Hack-Tools — quick payloads (XSS, SQLi, file-include) in a sidebar.
SSL / cert handling
- Trust Burp/ZAP/Caido CA in browser AND in your OS keychain (especially macOS / mobile).
- For Android 7+ you need a system-level cert (rooted) or a Frida hook — see Mobile Pentesting.
- Modern apps with cert pinning need Frida / objection to bypass.
CI integration
- ZAP Baseline / Full Scan Action — GitHub Action; runs ZAP against a URL on every PR.
- ZAP Automation Framework (YAML) — replaces older zap-cli; declarative scans.
- Burp Enterprise — paid; CI-friendly Burp Pro at scale.
- Caido CLI — headless runs (paid plan).
Pick this if…
- Default for a pro pentester / bug-bounty hunter: Burp Pro (+ Caido as second seat).
- Free / open-source full active scanner: OWASP ZAP.
- Modern UX, free, bug-bounty workflows: Caido (free) + bump to Pro if it sticks.
- Scriptable / mobile / automation: mitmproxy.
- Onboarding friendly mobile MitM: HTTP Toolkit.
- CI-side DAST in PR pipelines: OWASP ZAP Action.