Day 2 - The Edge of Tomorrow - Replaying and Tampering with Requests
Fuzzing and tampering are like the primitives upon which we design tests to evaluate functionality and flaws. Here’s how I’m using these terms:
Tampering is taking a request and modifying it manually, and then issuing the modified version against the server. The initial (unmodified) request is most commonly one that ZAP captured while I was using the application normally. Tampering can also be iterative, in that I might modify and send the request, and then, based on the result, modify it further.
Fuzzing is taking a request, and using a tool (in this case, a tool that’s built into ZAP) to issue many modified versions of the request, based on a list of values. A simple example would be this: imagine I’m a QA person, and I have a list of 30 special characters that I try one at a time in every form input, to make sure they’re gracefully handled. That would be a pretty labor-intensive process. With my interception proxy and its fuzzing tool, I can submit the input once normally, and then have the tool do the work of issuing 30 more requests, each with a value from my list substituted into the field.
For now, we’re only looking at the replaying and tampering of requests, while we’ll look at fuzzing a little bit later in the series. If you happen to be looking at Burp Suite for these same tasks, check out the Tactical Burp Suite 2.0 video on our YouTube channel, or our blog post on using Burp Repeater.
Request Tampering with the ZAP Request Editor
Once you have some request traffic in your proxy, you can pick an interesting request to explore further. If you right-click it in the history list, you’ll get a context menu with an entry for Open/Resend with Request Editor.
Selecting this will open up a dialog where you can freely modify the request, and then send it again with the Send button.
Sending the request will switch you to the Response tab so you can see the result of your action.
If you want to edit and resend again, just switch back to the Request tab and modify it some more. The modified requests you’ve sent will appear in the History tab, with the source column indicating it was a Manual request.
One more option…
The green plus-sign next to the Request and Response tabs in ZAP’s main window has an option to add Requester, shown below.
Requester works essentially the same way as the Request Editor, but it persists multiple requests in a tabbed interface. Double-clicking the tab number will open a dialog to rename the tab as well.
This is an essential tool for manually testing app functionality. As I said, these are primitives to build on. Request tampering, combined with your knowledge of applications, is a powerful tool for designing and conducting tests to prove whether security controls are in place, and if they’re working correctly.
Check out Day 3 for an introduction to validating that your auth controls are doing what you expect.