loading
Loading content
loading
Also known as HTTP proxy, Web proxy
An intercepting proxy routes a client's HTTP and HTTPS traffic through a tool the tester controls, pausing each request and response so it can be read or changed before it continues. By installing the proxy's certificate, the tester also decrypts TLS traffic and sees the cleartext exchange. Burp Suite and OWASP ZAP are the tools most people reach for.
The proxy is the central workbench for web application security testing. It lets you tamper with parameters the front end would normally lock down, replay a captured request with a different session token, and watch exactly what the server returns. That visibility is what makes manual testing of access control, input handling, and business logic possible at all.
Most proxies bundle more than interception. A repeater resends and tweaks a single request, an intruder-style module drives fuzzing across payload positions, and a passive scanner watches traffic for issues. These features also make a proxy the engine behind much dynamic application security testing.
In a Trickest workflow, the same idea runs headless: a programmatic proxy captures and mutates requests at scale, which is well suited to probing API security across many endpoints without a human clicking through each one.
Related terms