We've now learned how to conduct full vulnerability scans using Nessus, find web server misconfigurations using Nikto, and identify sensitive files and directories using DirBuster. However, none of these tools show us how a web application may actually be communicating with a potential client browser. In order to see this level of communication, we need to use what's called an intercepting proxy.
You've probably heard of a proxy before—something you can bounce your web traffic off, in order to have a different source IP address or to avoid certain types of firewalls—but an intercepting proxy is something different altogether. While you're still bouncing your traffic somewhere else, in the case of an intercepting proxy, you're proxying to yourself and then using a piece of software to potentially modify that request.
One of the most common intercepting proxies in the security industry is Burp Suite, which has a "community" edition (free) and a "professional...