Twelve Days of ZAPmas - Day 2 - The Edge of Tomorrow

Author: Mic Whitehorn

Day 2 - The Edge of Tomorrow - Replaying and Tampering with Requests

Fuzzing and tampering are the primitives on which we build tests to evaluate functionality and find flaws. Here’s how I’m using these terms:

  • Tampering is taking a request, modifying it manually, and then issuing the modified version to the server. The initial (unmodified) request is most commonly one that ZAP captured while I was using the application normally. Tampering can also be iterative: I might modify and send the request, and then, based on the result, modify it further.

  • Fuzzing is taking a request, and using a tool (in this case, a tool that’s built into ZAP) to issue many modified versions of the request, based on a list of values. A simple example would be this: imagine I’m a QA person, and I have a list of 30 special characters that I try one at a time in every form input, to make sure they’re gracefully handled. That would be a pretty labor-intensive process. With my interception proxy and its fuzzing tool, I can submit the input once normally, and then have the tool do the work of issuing 30 more requests, each with a value from my list substituted into the field.

For now, we’re only looking at the replaying and tampering of requests, while we’ll look at fuzzing a little bit later in the series. If you happen to be looking at Burp Suite for these same tasks, check out the Tactical Burp Suite 2.0 video on our YouTube channel, or our blog post on using Burp Repeater.

Request Tampering with the ZAP Request Editor

List of requests in ZAP's history tab with the POST to the /authenticate route highlighted.

Once you have some request traffic in your proxy, you can pick an interesting request to explore further. If you right-click it in the history list, you’ll get a context menu with an entry for Open/Resend with Request Editor.

ZAP's right-click context menu with Open/Resend with Request Editor highlighted.

Selecting this will open up a dialog where you can freely modify the request, and then send it again with the Send button.

Request in the ZAP Manual Request Editor with the Send button highlighted.

Sending the request will switch you to the Response tab so you can see the result of your action.

Response in the ZAP Manual Request Editor with the Request and Response tabs highlighted.

If you want to edit and resend again, just switch back to the Request tab and modify it some more. The modified requests you’ve sent will appear in the History tab, with the source column indicating it was a Manual request.

History pane in ZAP with the source column highlighted on one particular request, showing the value is Manual while the others listed have a value of Proxy.
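The tampering primitive described above, as an added example (not code from the original post or from the ZAP project): it parses a captured raw HTTP/1.1 request like the POST to /authenticate, substitutes one form field in the body, and recomputes Content-Length so the replayed request stays well-formed. The hostname and field names are assumptions.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample request: a POST to the /authenticate route as seen in the
# History tab. Hostname and field names are assumptions, not from the post.
CAPTURED_REQUEST = (
    "POST /authenticate HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "username=alice&password=s3cret"
)


def parse_request(raw: str):
    """Split a raw request into (request line, ordered headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers, body


def serialize_request(request_line: str, headers: dict, body: str) -> str:
    """Rebuild the raw request, fixing Content-Length to match the new body."""
    key = next((k for k in headers if k.lower() == "content-length"), "Content-Length")
    headers[key] = str(len(body.encode("utf-8")))
    head = "\r\n".join([request_line, *(f"{k}: {v}" for k, v in headers.items())])
    return head + "\r\n\r\n" + body


def tamper_form_field(raw: str, field: str, new_value: str) -> str:
    """Return a copy of the request with one urlencoded form field replaced."""
    request_line, headers, body = parse_request(raw)
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        raise ValueError("only urlencoded form bodies are handled here")
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if field not in fields:
        raise KeyError(f"field {field!r} is not in the request body")
    fields[field] = new_value  # urlencode re-escapes the value for us
    return serialize_request(request_line, headers, urlencode(fields))


if __name__ == "__main__":
    print(tamper_form_field(CAPTURED_REQUEST, "username", "bob"))
```

When you edit a body by hand in the Request Editor, check that Content-Length still matches the bytes you send; a mismatch is a common reason a tampered request hangs or is rejected before the server ever evaluates the change you made.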

One more option…

The green plus-sign next to the Request and Response tabs in ZAP’s main window has an option to add Requester, shown below.

ZAP window with highlights showing the Add button on the Quickstart/Request/Response toolbar and the numbered tabs below. The Requester tool is in focus, showing a Request and Response side-by-side with replay controls.

Requester works essentially the same way as the Request Editor, but it persists multiple requests in a tabbed interface. Double-clicking the tab number will open a dialog to rename the tab as well.

In Summary…

This is an essential tool for manually testing app functionality. As I said, these are primitives to build on. Request tampering, combined with your knowledge of applications, is a powerful tool for designing and conducting tests to prove whether security controls are in place, and if they’re working correctly.

Check out Day 3 for an introduction to validating that your auth controls are doing what you expect.
