Landing The Enhanced HTTP Request Editor

Wed Aug 13 2014 10:22:50 GMT+0100 (BST)

When we develop tools, we build them with simplicity in mind first. For a long time, for example, we were reluctant to extend the HTTP request editor with tables, buttons and fields, which we thought were unnecessary for the most part. Although UI features can be helpful, they can also get in the way of doing the simplest things. However, working with HTTP can be frustrating, especially for inexperienced users. All those encodings and format specifiers are just painful. Now we have a solution you will love.

[Image: websecurify rest in action]

Working with text has one indisputable advantage over UI controls: it is easily manipulated. You can copy and paste it. You can easily share it anywhere. We thought that HTTP is hard to work with because of the many encodings you need to keep in mind, but if we could transform HTTP into another, much easier format, we could present the user with an interface that makes everything so much simpler and more comfortable.

So, this is what we did. Now you can enable what we call "Request Friendly View". It is conveniently available via an escapemode command. Simply press the ESC key and type request_friendly_view. In an instant, a complex request like this one:

POST http://target/?a=b&c=d HTTP/1.1
Content-Type: application/x-www-form-urlencoded

field1=This%20is%20field%201!&field2=This%20is%20field%202!&field3=This%20is%20field%203!&field4=This%20is%20field%204!&field5=This%20is%20field%205!&field6=This%20is%20field%206!&field7=This%20is%20field%207!&field8=This%20is%20field%208!&field9=This%20is%20field%209!

...will be transformed into something much more convenient like this:

General:
  method: POST
  protocol: "http:"
  host: target
  port: null
  path: /
Query:
  a: b
  c: d
Body:
  field1: "This is field 1!"
  field2: "This is field 2!"
  field3: "This is field 3!"
  field4: "This is field 4!"
  field5: "This is field 5!"
  field6: "This is field 6!"
  field7: "This is field 7!"
  field8: "This is field 8!"
  field9: "This is field 9!"
Headers:
  content-type: application/x-www-form-urlencoded

Now this makes sense. We can easily edit the request without thinking much about how the data is encoded in the end. We do not need to know the exact format for multipart or mixed content. We do not need to think about URL encoding. We can still do that if we want to, by switching back to the normal view, but we do not have to deal with it unless we really want to. I personally believe this is going to make manual penetration testing of complex apps a much more pleasant experience. I like this kind of innovative solution.
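To make the transformation concrete, here is an added example (not Websecurify's own code) that round-trips a raw request through a friendly-view structure like the one above and back. The section names General/Query/Body/Headers follow the listing; the function names, the quoting rule used when rendering, and the extra "version" entry are assumptions of this example. It also shows the point that matters for a tester: once you edit a decoded value that contains "&" or "=", re-encoding has to happen on the way back, or the edit silently splits into extra fields.

```javascript
// Added example, not part of Websecurify: raw HTTP request <-> friendly view.
// Assumed names: parseRequest, renderFriendly, buildRequest.

// Constructed sample: the request from the post, shortened to two body fields.
const RAW_REQUEST = [
  "POST http://target/?a=b&c=d HTTP/1.1",
  "Content-Type: application/x-www-form-urlencoded",
  "",
  "field1=This%20is%20field%201!&field2=This%20is%20field%202!",
].join("\r\n");

// Parse a raw request (absolute-form target, as in the listing) into sections.
function parseRequest(raw) {
  const text = raw.replace(/\r\n/g, "\n");
  const sep = text.indexOf("\n\n");
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? "" : text.slice(sep + 2);
  const lines = head.split("\n");
  const [method, target, version] = lines[0].split(" ");
  const url = new URL(target);

  // Header names are case-insensitive, so normalise them to lower case.
  const headers = {};
  for (const line of lines.slice(1)) {
    if (!line) continue;
    const i = line.indexOf(":");
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }

  // URLSearchParams percent-decodes and maps "+" to space for us.
  // Caveat: repeated keys collapse to the last value in this simple view.
  const query = {};
  for (const [k, v] of url.searchParams) query[k] = v;
  const fields = {};
  if ((headers["content-type"] || "").startsWith("application/x-www-form-urlencoded")) {
    for (const [k, v] of new URLSearchParams(body)) fields[k] = v;
  }

  return {
    General: {
      method,
      protocol: url.protocol,
      host: url.hostname,
      port: url.port === "" ? null : Number(url.port),  // null = default port
      path: url.pathname,
      version,
    },
    Query: query,
    Body: fields,
    Headers: headers,
  };
}

// Render the sections as indented "key: value" text like the post's listing.
// Assumed quoting rule: values with whitespace, ':' , '!' or '"' are JSON-quoted.
function renderFriendly(view) {
  const out = [];
  for (const [section, entries] of Object.entries(view)) {
    out.push(section + ":");
    for (const [k, v] of Object.entries(entries)) {
      const shown = v === null ? "null" : /[\s:!"]/.test(v) ? JSON.stringify(v) : v;
      out.push("  " + k + ": " + shown);
    }
  }
  return out.join("\n");
}

// Rebuild a wire-format request from the (possibly edited) friendly view.
// Every query and body value is re-encoded, so separators in a value stay data.
function buildRequest(view) {
  const g = view.General;
  const query = new URLSearchParams(view.Query).toString();
  const body = new URLSearchParams(view.Body).toString();
  const authority = g.port === null ? g.host : `${g.host}:${g.port}`;
  const target = `${g.protocol}//${authority}${g.path}${query ? "?" + query : ""}`;
  const headers = { ...view.Headers };
  // The friendly view hides Content-Length; recompute it from the encoded bytes
  // rather than sending a stale value after the body was edited.
  if (body) headers["content-length"] = String(new TextEncoder().encode(body).length);
  const lines = [`${g.method} ${target} ${g.version}`];
  for (const [k, v] of Object.entries(headers)) lines.push(`${k}: ${v}`);
  return lines.join("\r\n") + "\r\n\r\n" + body;
}
```

Note that the rebuilt body is normalised (URLSearchParams writes spaces as "+" and "!" as "%21"), so the bytes differ from the original request even though the decoded values are identical; that is exactly the trade-off the friendly view makes, and it is why the normal view is still there when the exact encoding matters.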

On another note, you can also change the editor theme via two escapemode commands: list_editor_themes and editor_theme. Just type ?, while in escapemode, to get the complete list of commands available. This feature used to be available in older versions of the toolkit but was removed when we wrote the apps at the beginning of the year.

I hope you love this feature as much as we do. Let us know what you think.
