When testing with a MiTM proxy such as Burp Suite or OWASP ZAP, we have to option to add a proxy or edit it. This is very useful if you want to change your proxies port number or interface (network card). We can add more than one proxy, however, have you seen this before? Every wonder why this is possible? They would not let you do this if there was no reason so let’s explore this magnificent feature.
To know why this feature is so useful, we first need to talk about how some hackers actually perform their trade. Sometimes they will simply hack a website and in that case, they usually only need 1 proxy but sometimes they can be hacking with multiple devices at the same time. An example we can think of is when hackers are doing mobile testing. They can test with several devices at the same time and of course, we can send all this traffic to one proxy, but that might make it harder to identify which call originates from which device.
One way to deal with this would be to start up multiple burp suite or ZAP instances, but them being java programs, they can demand quite a lot of resources so it would be like opening 50 chrome tabs at the same time per device that we are testing on. We could also choose to add multiple proxies at the same time, within one instance of our application.
OWASP ZAP leaves us the option to add, modify, delete, disable or enable several proxies in the “Tools > Options > Local proxies” window.
Currently, there is no option to filter in ZAP yet but imagine the following scenario:
You are the leader of a security testing team and your team goes over mobile security as well. You have 25 mobile devices in a device farm with some devices connected to network card X, some connected to card Y and some to Z. You do not want to start up 3 instances of your MiTM proxy so you can easily add multiple local proxies, making all your traffic appear in 1 spot.
Under “Proxy > Options” we can find the option to add, edit, remove, enable or disable as many proxies as we’d like just as in OWASP ZAP. We can imagine the same scenario of a lead managing a device farm here but we can add another good thing on top of that, we can even filter based on the proxy (port)
We can conclude that this option to add multiple proxies can be very helpful and increase productivity but we must also be realistic and recognize this is situational. That being said, I am sure the people who work with multiple devices and a MiTM proxy can sometimes be grateful these features exist.
Thank you all for reading, my name is Wesley but you may know me as “The XSS Rat” or “Uncle rat”. You can find me on youtube, Twitter, and Medium where I attempt to post regularly. If you can’t get enough of me, you can grab my courses on thexssrat.com. I hope you have an amazing period ahead of you and that I can see you in my next blog, video, vlog, or Twitter post. Join my discord: https://discord.gg/vBg2RM3ZgC