The Awesome HTTPView

Hacking Without HTTP Proxies

Fri Feb 03 2017 09:22:13 GMT+0000 (GMT)

One the most fundamental tools you learn first when starting with web application security is the almighty proxy - and there is a good reason for this. HTTP proxies has been around for ages and paved the way to many information security researchers over the years. Proxies are indispensable tools which provide a low level look at how things are actually working and from security point of view this is exactly the thing we need in order to discover some pretty awesome vulnerabilities.

HTTP Proxies are not dead (look we even built our own in recent years) but we would like to show you an alternative, which offers the same features you will find in common proxies but without all the drawbacks such as dealing with SSL issues, maintaining sessions stores, slow (because buffered) responses, streaming issues, proxy switching, etc.

The Advanced HTTP Interception Tool

HTTPView is an advanced HTTP interception tool part of our online Suite of tools. It requires no installation and no configuration. It works straight from your own browser and it is perfect for penetration testing.

Let's explore some of the features, shall we? OK, let's go!

Filter -> Filter -> Filter

HTTPView supports filters and you can chain them for maximum flexibility. For example you can filter GET requests which are also parametarized. These are two different filters which are combined with the and operator as shown bellow.

This is pretty good but we can do better. For example, often when you do a penetration test you do not want to see the entire history of your hacking session. In fact, in many cases, you are just concerned what happened in the last 10 minutes and perhaps you are only looking at requests that are parametarized which you can play with. This is easily achieved by chaining the Requests in the last 10 minutes filter with the Parametarized Requests filter like the screenshot bellow. And just like that magic happens.

Code Generators

When hacking, sometimes it is required to take your investigation to a whole new level and get down and dirty with the task. We offer many tools to help you avoid doing this but it will be silly to say that we cover all angles as there are plenty of use cases we are not even aware of. This is where the code generators come into play.

With a single click you can convert the current request into a raw HTTP, curl and CSRF attack payload with more code generators coming in the upcoming weeks that will help you do Python, Perl, Ruby and many more compiled and scripting languages. Now scripting is simple to help you tackle even the most daunting tasks that may require hours of research on StackOverflow and the web in general.

Oh Pretty Me

This week we discussed all the prettification features part of our Rest client. Well, these features are not isolated from the rest of the toolkit and HTTPView has prettification built into it by default.

The builtin prettifier can handle it all. From re-formatting JSON, XML, CSS, JavaScript and HTML input to breaking down urlencoded and even multi-part requests to tables of fields - you know how difficult and nasty multi-part requests are - especially those that are nested. No longer because we have you covered.

HTTP Recording

To start recording HTTP session all you need is to press the blue dot in your toolbar - it should immediately turn into red, meaning it is recording anything you do in other tabs in your browser. That is all it takes.

So there you go - 4 awesome features you can start using today and get your hacking to another level.

Comments Powered ByDisqus