I don't see why your poll has the same question twice (would've been better with a yes or no poll), but yes, you can use Burp or Paros, as they won't automatically give you root like Metasploit with e.g., Armitage can do :)
Sometimes, you have to use an intercepting proxy to perform specific types of web application attacks, and the spider function is just to help you find available files to perhaps play with.
(You still have to use other tools or do it manually afterward, and don't rely 100% on the tools in case they fail, because they can do that a lot when it comes to filters and e.g., unusual SQL Injection.)
Tamper Data in Firefox is much like an intercepting proxy too, except that it doesn't have a spider function as far as I know, but you can definitely use that.
An intercepting proxy is not really cheating, as it allows you to intercept and modify requests before they're sent, which is useful for e.g., modifying headers. If you didn't use an intercepting proxy of some sort, you would have to e.g., capture the traffic in Wireshark and write scripts in perhaps Python with custom headers, in case a header was an injection point.
About the actual exam, it'll most likely be like a blackbox pentest just as described on the website. You will get more info about this when you do the actual exam.
Last edited by MaXe on Sat Feb 25, 2012 8:18 am, edited 1 time in total.
I'm an InterN0T'er