The power of chaining ethical hacking tools such as Burp Suite, OWASP ZAP, sqlmap and others

May 23, 2023

Setting Upstream Proxy of ZAP to Burp Suite: Complementing Features for Better Security Testing


When it comes to web application security testing, Burp Suite is a popular tool among security professionals. However, the free version, Burp Community Edition, has limited features compared to the paid version. This is where OWASP ZAP (Zed Attack Proxy) comes in. ZAP is a free and open-source web application security scanner that offers a wider range of features than Burp Community Edition. By setting ZAP's upstream proxy to Burp Suite, we can use the features of both tools together, so that each covers the other’s weaknesses.

Setting Upstream Proxy of ZAP to Burp Suite

To set the upstream proxy of ZAP to Burp Suite, follow these steps:

  1. Open Burp Suite and go to the “Proxy” tab. Make note of the listening port (default is 8080).
  2. Open ZAP and go to “Tools” > “Network” > “Connection”.
  3. Under “HTTP proxy”, enter “localhost” as the hostname and the port number that Burp Suite is listening on (default is 8080).
  4. Click “OK” to save the settings.

Now, ZAP will route all of its traffic through Burp Suite, allowing us to take advantage of both tools’ features.
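A preflight check for the chain configured in the steps above, as an added example that is not part of the original post. It assumes ZAP's own listener has been moved to port 8081 (an assumption: ZAP and Burp both default to 8080, so one of them has to change); the function names are hypothetical.

```python
"""Preflight check for a ZAP -> Burp upstream-proxy chain (added example)."""
import socket
import sys


def listening(host, port, timeout=1.0):
    """Return True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(zap_port, burp_port, host="localhost", probe=listening):
    """Return a list of problems that would break the chain; empty means OK."""
    if zap_port == burp_port:
        # Two listeners cannot share a port, and pointing ZAP's upstream
        # proxy at its own listener would loop requests back into ZAP.
        return [f"ZAP and Burp are both set to port {burp_port}; move one listener"]
    problems = []
    if not probe(host, burp_port):
        problems.append(f"no Burp listener on {host}:{burp_port}; "
                        "ZAP's outbound requests will fail")
    if not probe(host, zap_port):
        problems.append(f"no ZAP listener on {host}:{zap_port}; "
                        "the browser has nothing to connect to")
    return problems


if __name__ == "__main__":
    zap = int(sys.argv[1]) if len(sys.argv) > 1 else 8081   # assumed ZAP port
    burp = int(sys.argv[2]) if len(sys.argv) > 2 else 8080  # Burp default from step 1
    issues = preflight(zap, burp)
    for issue in issues:
        print("FAIL:", issue)
    print("fix the above before testing" if issues else "chain looks ready")
    sys.exit(1 if issues else 0)
```

An empty result only shows that both listeners are reachable; confirm the chain itself by sending one request through ZAP and checking that it also appears in Burp's HTTP history.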

Complementing Features

By setting the upstream proxy of ZAP to Burp Suite, each tool’s features can cover for the other’s weaknesses. For example:

  • Burp Suite has a powerful intercepting proxy, which allows us to modify requests and responses in real time. ZAP’s intercepting proxy is not as robust, but it has a more extensive set of active and passive scanning options.
  • Burp Suite’s Intruder tool is excellent for brute-force attacks and fuzzing, while ZAP’s “Attack” mode provides more advanced options, such as SQL injection and XSS attacks.
  • ZAP has a built-in spider that can crawl a website and discover new URLs to test. Burp Suite’s spider is not as advanced, but it has a…



