Security DevCenter
Assessing Web App Security with Mozilla

You can observe both HTTP GET and POST requests travelling to and from the browser. Keep browsing and you will be able to view every request that the utility generates and captures. From this traffic you can discover many pieces of security-related information:

  • Session- and application-level cookies going back and forth between the web browser and the web application.
  • Hidden variables passed from the web browser to the web application via forms. These appear only in HTTP POST requests.
  • The actual HTTP response code and any redirect information.
  • Any Referer header sent from the web browser to the web application, and any decision the application takes on the basis of it.
  • Complete HTTP communication tracing between browser and server, with or without SSL.

This is a great wealth of information! With this data about HTTP in place, the next step is to manipulate HTTP requests and observe the response from the web application.
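As an added example (not part of the original article and not LiveHTTPHeaders' own code), the following script reviews a captured request/response pair in the style of a LiveHTTPHeaders trace and extracts the items listed above: the fields sent in the POST body, the Referer, the response code and redirect target, and Set-Cookie headers missing the Secure or HttpOnly attribute. The trace, hostname and values are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample in the layout LiveHTTPHeaders shows: URL, request headers,
# POST body, then response headers, separated by blank lines. Not a real capture.
TRACE = """http://app.example.test/login

POST /login HTTP/1.1
Host: app.example.test
Referer: http://app.example.test/login?next=/admin
Cookie: JSESSIONID=abc123
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

user=alice&pass=secret&role=user&next=%2Fadmin

HTTP/1.x 302 Found
Set-Cookie: JSESSIONID=def456; Path=/
Set-Cookie: auth=1; Path=/; Secure; HttpOnly
Location: http://app.example.test/admin
"""

def parse_trace(trace):
    """Split a trace into request header lines, body text and response header lines."""
    blocks = [b.strip("\n") for b in trace.strip("\n").split("\n\n")]
    request, response = blocks[1].splitlines(), blocks[-1].splitlines()
    body = blocks[2] if len(blocks) == 4 else ""   # GET requests carry no body block
    return request, body, response

def headers(lines):
    """Turn 'Name: value' lines (after the request/status line) into (name, value) pairs."""
    pairs = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def review(trace):
    """Collect the security-relevant facts a reviewer would note from one exchange."""
    request, body, response = parse_trace(trace)
    req_h, resp_h = headers(request), headers(response)
    findings = {
        "method": request[0].split()[0],
        "status": response[0].split()[1],
        "location": next((v for k, v in resp_h if k == "location"), None),
        "referer": next((v for k, v in req_h if k == "referer"), None),
        "form_fields": sorted(parse_qs(body).keys()) if body else [],
        "weak_cookies": [],
    }
    # A Set-Cookie without Secure or HttpOnly is exposed to sniffing or script access
    for k, v in resp_h:
        if k == "set-cookie":
            attrs = {a.strip().lower() for a in v.split(";")[1:]}
            missing = [f for f in ("secure", "httponly") if f not in attrs]
            if missing:
                findings["weak_cookies"].append((v.split("=", 1)[0], missing))
    return findings
```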

HTTP protocol manipulation with LiveHTTPHeaders

LiveHTTPHeaders has added an interesting new feature that replays HTTP requests the browser has already sent. This feature is useful for manipulating HTTP requests and evaluating the web application's response. Figure 5 shows the list of captured requests from which you select.

Figure 5. Selecting from an HTTP request list

Select a request that the browser has already sent to the application, then click on Replay. A window will open, as shown in Figure 6.

Figure 6. Replaying a previous HTTP request

Edit the request in the text block, then click Replay: LiveHTTPHeaders sends the modified request to the server, and the server's response appears in the browser. POST requests can be edited and replayed in the same way.
