
Are there any free tools available that let me intercept and modify HTTP requests for testing?

I am looking for tools which allow me to send custom HTTP headers.

M'vy
James T

13 Answers

I personally am partial to Fiddler, a free download from MS.
There are many other decent interactive http proxies, but that one serves me the best.

AviD

As mentioned above, there are a number of HTTP proxies that allow intercepting and modifying requests and responses.

Here is a list of the ones I know about:

  • WebScarab (disclaimer: I wrote it)
  • Paros
  • Burp
  • ZAP (Z Attack Proxy - an updated version of Paros)
  • Fiddler/Fiddler2
  • Achilles
  • HTTPush
  • Exodus (disclaimer: I wrote it, and it is really old)

If you wish to write your own intercepting proxy, you might like to take a look at OWASP Proxy, a Java library that implements all the necessary HTTP protocol functionality so you don't have to.

Rogan Dawes

A while ago I used the Tamper Data Firefox Add-on and found it to be quite effective. It has some good features like being able to choose what requests you wish to tamper with and also has some predefined exploits that you can use to populate field values with.


Mark Davidson

Burp now rocks. Portswigger has made some excellent developments in the last 2 years. From the website, Burp can:

  • Intercept and modify all HTTP/S traffic passing in both directions.
  • Easily analyze all kinds of content, with automatic colorizing of request and response syntax, rendering of web content, and parsing of serialization schemes like AMF.
  • Apply fine-grained rules to determine which requests and responses are intercepted for manual testing.
  • View all traffic in the detailed proxy history, with advanced filters and search functions.
  • Send interesting items to other Burp Suite tools with a single click.
  • Save all of your work, and resume working later.
  • Quickly search and highlight interesting content within HTTP messages.
  • Work with custom SSL certificates and non-proxy-aware clients.
  • Define rules to automatically modify requests and responses without manual intervention.

And I would definitely recommend the entire burp suite!

Rory Alsop

You can use the Firefox add-on Live HTTP Headers so you can view and replay them.

James T

The Fiddler HTTP debugging proxy has been around for years and is actively maintained. It allows for interception and modification of traffic, crafting custom requests, replaying requests, and is fully scriptable and extendable. It's a Windows-only tool.

It also has extensions for passive and active security testing. Disclaimer - I co-authored those.

Weber
  • Ah thanks for the props, feature requests, bugs, and new ideas for security checks are always welcome! – Weber Dec 06 '10 at 20:57

Paros and Burp are the 2 most common open-source options. There is a commercial version of Burp available as well. They are both written in Java.

chs

Paros Proxy and Burp both function as proxies, allowing you to intercept and modify HTTP requests and responses.

Crunge

Owasp has released a tool called Web Scarab

Lareau

I've used Paros, webscarab and burp extensively and burp wins hands down. There is a free version, but the full version is also very good value at £150/year.


I like MITM Proxy: http://mitmproxy.org/

(Careful, there's another project with the same name.)

It has a really lean interface (looks like ncurses), if you like that sort of thing. It has the same capture/view/edit/replay capabilities as many others, but it's very keyboard-friendly. It can also proxy SSL connections!

Mark E. Haase

Just to add (as it seems to have been missed so far) that if you're using Firefox, there's a collection called "Samurai Web Testing Framework" created by Raul Siles that comes with all cool webapp-sec related plugins included in the collection - https://addons.mozilla.org/en-US/firefox/collections/rsiles/samurai/.

Mark Hillick

On rare occasions, I've had to use wfetch (another free download from MS), to handle raw bytage over the HTTP stream. The specific problem being that almost all other tools, especially proxies and browser plugins, necessarily URL-encode any non-printable characters... and sometimes, you just really want to send that chr(9)....

AviD
  • Burp Suite will let you turn off the auto-encoding of those metacharacters – atdre Nov 15 '10 at 05:47
  • @atdre, really? You can send e.g. raw NULL bytes? Hadn't seen that... Might go back to Burp sometime, it's been a while... Thanks for that – AviD Nov 15 '10 at 07:05
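Two points in this thread invite a worked example: Rogan Dawes' remark that you can write your own intercepting proxy, and the AviD/atdre exchange about tools that URL-encode non-printable bytes you actually want to send. The following is an added example written for this page; it is not code from OWASP Proxy, Burp, Fiddler, wfetch or any other tool named above. It is a minimal plain-HTTP intercepting proxy in Python that you point a browser at (the listener address 127.0.0.1:8080 and the header rules in `RULES` are assumed sample values). Every request passes through `rewrite_request`, which adds or overwrites custom headers, strips unwanted ones, and rewrites the proxy-form request line into origin form. Header values and the body are handled as raw bytes and appended verbatim, so a tab or a NUL in a header value or body reaches the server unencoded.

```python
"""Minimal intercepting HTTP proxy with a header-rewrite hook (added example)."""
import socket
import threading

LISTEN = ("127.0.0.1", 8080)  # assumed listener; point the browser's HTTP proxy here

# Interception rules applied to every request (constructed sample values):
# headers to add or overwrite, and headers to strip before forwarding.
RULES = {
    "add": {b"X-Custom": b"tab\there"},   # raw tab inside the value, sent as-is
    "drop": [b"Accept-Encoding"],         # so the relayed response comes back uncompressed
}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, [(name, value)], body).
    Only one optional space after the colon is removed from a header value; every
    other byte (tabs, NULs, high bytes) is kept exactly as the client sent it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name, value[1:] if value.startswith(b" ") else value))
    return lines[0], headers, body

def serialize_request(request_line: bytes, headers, body: bytes) -> bytes:
    """Inverse of parse_request; the body is appended verbatim, never percent-encoded."""
    head = b"".join(name + b": " + value + b"\r\n" for name, value in headers)
    return request_line + b"\r\n" + head + b"\r\n" + body

def rewrite_request(raw: bytes, add=None, drop=()):
    """Apply interception rules to one request. Returns (host, port, bytes_to_send).
    `add` maps header name -> value; an existing header of that name is replaced.
    `drop` lists header names to remove (case-insensitive)."""
    request_line, headers, body = parse_request(raw)
    method, target, version = request_line.split(b" ", 2)
    # A browser talking to a proxy sends the absolute form: GET http://host:port/path HTTP/1.1
    # The upstream server expects the origin form, so split the authority out of the target.
    if target.startswith(b"http://"):
        hostport, _, path = target[len(b"http://"):].partition(b"/")
        target = b"/" + path
    else:  # already origin form; route on the Host header instead
        hostport = dict((n.lower(), v) for n, v in headers).get(b"host", b"")
    host, _, port = hostport.partition(b":")
    add = dict(add or {})
    remove = {d.lower() for d in drop} | {k.lower() for k in add}
    remove |= {b"proxy-connection", b"connection"}  # hop-by-hop headers are ours to set
    headers = [(n, v) for n, v in headers if n.lower() not in remove]
    headers += list(add.items())
    headers.append((b"Connection", b"close"))  # one upstream socket per request keeps the relay simple
    new_line = b" ".join((method, target, version))
    return host.decode("ascii"), int(port or 80), serialize_request(new_line, headers, body)

def read_request(sock: socket.socket) -> bytes:
    """Read one request: the header block, then Content-Length bytes of body
    (no chunked transfer-encoding support in this toy)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        if line.lower().startswith(b"content-length:"):
            length = int(line.split(b":", 1)[1].strip())
    while len(rest) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        rest += chunk
    return head + b"\r\n\r\n" + rest[:length]

def handle_client(client: socket.socket) -> None:
    with client:
        raw = read_request(client)
        if not raw:
            return
        host, port, outbound = rewrite_request(raw, RULES["add"], RULES["drop"])
        print(outbound.decode("latin-1"), end="")  # what actually leaves for the server
        with socket.create_connection((host, port), timeout=10) as upstream:
            upstream.sendall(outbound)
            while True:  # relay the response unmodified until the server closes
                data = upstream.recv(65536)
                if not data:
                    break
                client.sendall(data)

def serve() -> None:
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(LISTEN)
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    serve()
```

Run it, set the browser's HTTP proxy to 127.0.0.1:8080, and each outgoing request is printed after rewriting. What this deliberately leaves out is exactly the work the real tools do for you: CONNECT/TLS interception with generated certificates, chunked request bodies, keep-alive, and an interactive pause-and-edit step (you would insert that between `read_request` and `rewrite_request`).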