
Quick Testing Tips Your daily feed of short software testing tips…

16 Jun 2009

Interception proxies and tampering with HTTP requests

The following tip comes from OWASP: it is a small collection of tools for interception proxies and tampering with HTTP requests. The list is taken from the OWASP Testing Guide 3.0, and each tool description has been taken from its respective website.

WebScarab: WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms.

Burp Proxy: Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications. It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.

Paros Proxy: Through Paros's proxy, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

TamperIE: TamperIE is a useful tool for security testing your web applications, in order to ensure you don't make foolish assumptions about the data sent by client browsers. Since the tool exposes and allows tampering with otherwise inconvenient input, many user-input security flaws immediately become apparent.

Tamper Data: Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters. Trace and time HTTP requests and responses. Security-test web applications by modifying POST parameters.

The only one I've used (and I highly recommend) is WebScarab. While writing this, I did play around a bit with Tamper Data, and I suspect I'll find a use for that tool as well in future testing efforts.

Comments (3)
  1. I was wondering… What is your method for testing products on multiple operating systems and test environments?

    We do it with virtual machines.

  2. Hi Mike – I’ve used Burp Proxy for years, and it is a great little utility.

    It comes in handy for checking the values that are being passed to the web server to diagnose bugs or just to get a better picture of what is going on with the application. I also use it to test the system by replacing values that are derived from dropdowns with ones that are much bigger or smaller than a user could enter via the web form. Sometimes this is useful for testing convenience (for instance, creating an enormous list that has everything you want for retrieval and analysis without having to page), or for security testing against threats from anyone with a proxy tool like this who could use it to try to hack the system.

    I’m sure I’ve only scratched the surface of its capabilities.
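The point of the TamperIE description above and of the dropdown test in the previous comment is that a proxy can rewrite any POST parameter after the browser has "constrained" it, so the server must re-check every value against its own definition of the form. The following added example (not code from the post, its comments, or any of the listed tools) does that for a hypothetical form whose field names and option lists are assumptions; the sample bodies are constructed.

```python
"""Server-side validation for fields the browser renders as dropdowns.

Whatever the dropdown offered, the value that arrives may have been edited
in an interception proxy, so every field is checked against the server's
own list of options.
"""
from __future__ import annotations
from urllib.parse import parse_qs

# Server-side definition of the form: the only values the dropdowns offer.
# The field names and options are assumptions made for this example.
FORM_SPEC = {
    "page_size": {"10", "25", "50"},
    "sort_by": {"name", "date", "size"},
    "region": {"us", "eu", "apac"},
}


def validate_form(body: str) -> tuple[dict, list[str]]:
    """Parse an application/x-www-form-urlencoded body and check every field
    against FORM_SPEC. Returns (clean_values, errors); the request is
    acceptable only when errors is empty."""
    params = parse_qs(body, keep_blank_values=True)
    clean, errors = {}, []
    for field, allowed in FORM_SPEC.items():
        values = params.get(field, [])
        if len(values) != 1:          # missing, or sent twice to confuse parsing
            errors.append(f"{field}: expected exactly one value, got {len(values)}")
            continue
        if values[0] not in allowed:  # a value the dropdown never offered
            errors.append(f"{field}: {values[0]!r} is not an allowed option")
            continue
        clean[field] = values[0]
    for field in sorted(params.keys() - FORM_SPEC.keys()):  # fields the form never had
        errors.append(f"{field}: unexpected parameter")
    return clean, errors


# Constructed sample bodies: what the browser sends, and the same request
# after two values were rewritten and a field was added in a proxy.
UNTAMPERED = "page_size=25&sort_by=name&region=eu"
TAMPERED = "page_size=100000&sort_by=id&region=eu&debug=1"

if __name__ == "__main__":
    for label, body in (("browser", UNTAMPERED), ("proxy-modified", TAMPERED)):
        clean, errors = validate_form(body)
        print(label, "accepted" if not errors else "rejected", clean or errors)
```

The same check applies to hidden fields and to any other "read-only" input: the browser's constraint is a convenience for the user, not an enforcement point.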

  3. At our company, we’ve also used RESTTest Firefox addon to send custom HTTP requests. You can find it here: https://addons.mozilla.org/en-US/firefox/addon/5946
