How to Manipulate Web Requests
A tool to add to your Software arsenal whether you’re a Software Developer or Cyber Enthusiast.
Purpose of this article:
- Demonstrate the ability to capture HTTP data as it is communicated between your browser and the server it is communicating with.
- Demonstrate the ability to modify this captured traffic before sending it to destination web servers.
Why? There are multiple reasons that a person would want to manipulate a web request: To itch a computer enthusiast’s curiosity, to help a developer test website input, or to give cyber professionals insight into a website’s security. Leave a comment if you can think of additional reasons, lets begin!
Also feel free to watch the video below if you would like to see these techniques used in action!
Where to Start
An old friend once told me that this technique is like ‘laying siege’ to a website. Although it won’t actually be a 6 month long battle, the phrase always excited me when we got to perform this kind of exploit at a CTF (Capture the Flag) event or in front of fellow colleagues.
Now we are going to start this adventure by opening up a random website on your browser of choice. (Hopefully your webpage has a form on it to better demonstrate the following steps).
- You’ll then use some sort of ‘man-in-the-middle’ proxy software to launch a proxy on your local machine. (I’ll be using
BurpeSuitebut other software exist likeMitmproxyand more). - Configure your browser settings to route traffic to this proxy temporarily.
Once these steps are complete, our ‘siege’ equipment is set up and ready to be used!
Viewing the Captured Request
You’ll know when your proxy is successfully configured when your web traffic starts to hang. This is because well… all web traffic is being routed to the proxy and stored in the proxies intercept-queue. We can forward the queued non relevant requests until we find the request that matters (Seen Below):
As we can see, this packet has metadata headers as well as the information payload at the bottom, with a payload being:
username=santa&password=password&submit=LoginManipulating Request
In BurpeSuite we can edit the request in the exact window that was previously displaying:
Simple as that, sweet, request manipulated! However, there are some additional features that come with BurpeSuite that I would like to go over when it comes to the packet manipulation:
- Intruder: used for automating custom attacks on a web application. It works by taking a base HTTP request and modifying the data in a systematic way. This systematic way involves defining ‘payload markers’ denoted by the § character, and then inserting a ‘payload’ in its place.
- Repeater: used for sending a web request a ‘repeated’ amount of times and analyzing the applications response.
- Sequencer: used for analyzing the quality of randomness in a sample of data items. You can use it to test an application’s session tokens or other important data items that are intended to be unpredictable, such as anti-CSRF tokens, password reset tokens, etc.
- Decoder: used for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognizing several encoding formats using heuristic techniques.
Conclusion
Whether you a tech enthusiast, Software developer, or cyber security professional I hope you discovered a new tool in ‘web proxy’ software. By using this ‘man-in-the-middle’ approach we can manually throttle our web traffic to analyze the communication our machines are making to one another. Depending on the use case, we can also modify and experiment with sending different request data. Hope you enjoyed the quick walkthrough.
P.S. Don’t forget to reconfigure your browser’s proxy settings to ‘No Proxy’ after doing this exercise!
