[WEB SECURITY] Experience with using HTTP proxy tools for QA testers

psiinon psiinon at gmail.com
Sat Feb 26 05:08:48 EST 2011

Hi Rohit,

Not too surprisingly I'd recommend the OWASP Zed Attack Proxy:
http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project (I'm the
project lead).
It is specifically designed to be used by people with a wide range of
security experience and as such is ideal for developers and functional
testers who are new to penetration testing.
Its free, open source, cross platform, and is a fork of the open
source Paros Proxy.
Ease of use is a priority, and it has a significant amount of help
pages, both included with the tool and online.
I run courses in the company I work for in which I teach pen testing
techniques to QA testers, and on those courses ZAP has proved to be
very effective.

Let me know if you would like any more info about it, or any advice
and guidance for using it in training courses.
And if you have any suggestions as to how we could make ZAP more
suitable then please let me know - I want ZAP to be the most effective
tool for QA testers.

Many thanks,


On Fri, Feb 25, 2011 at 5:29 PM, Rohit Sethi <rklists at gmail.com> wrote:
> Does anyone have experience rolling out an HTTP Proxy tool for QA testers?
> What proxy tools have you seen successfully used by QA? We're looking for
> free tools in particular. While many security testers are comfortable with
> burp-suite, webscarab, fiddler, etc., some (but certainly not all) QA shops
> are looking for simpler-to-use tools with fewer features that work with IE
> 7+.
> Thanks,
> --
> Rohit Sethi
> Security Compass
> http://www.securitycompass.com
> twitter: rksethi
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

More information about the websecurity mailing list