When you test an API, you usually look at the response body and decide whether the API call is the one you need. That works especially well for JSON APIs: our prettification option makes the structure of the object immediately apparent, which in turn helps you determine whether that call is what you need. But what if you are testing a website for a security vulnerability? Your average web page has hundreds of lines of code; will you be able to spot whether the attack has succeeded? Most likely not. Fortunately, we have a new feature that can help.
Introducing HTML Preview
HTML Preview is like a browser within the browser. It lets you preview the server's response with the exact look and feel you would get if you executed the request straight from your browser, giving you a visual sense of what your request has achieved. Here is a quick demo of its capabilities:
Say you want to check if a certain field is vulnerable to HTML injection. You craft your request carefully and decide it is time to check if it works. How do you know if it worked? Well, one way is to compare the server's responses before and after your request and analyse them to spot the differences. Can you easily spot from the screenshot if it worked?
A smarter approach would be to find these differences with a diff checker and closely examine what the tool has found. This is a very powerful technique, but it might be overkill for the simple cases. What works well for both simple and complex cases, however, is the HTML Preview feature. More often than not, what you are trying to do has some visual implications, so it makes sense to inspect it visually. Can you now spot whether the attack has succeeded?
Did you notice the secapps.com hyperlink that says "Hover Me!"? Yes, we have managed to inject an <a> tag into this dummy website that will redirect everyone who places their mouse over it to secapps.com. And we confirmed that we had succeeded simply by previewing the website.
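The before/after comparison described above can also be automated in a structure-aware way. The script below is an added example written for this article, not part of HTML Preview or any SecApps tool: it parses two responses with Python's standard-library HTML parser, reports the elements that exist only in the "after" response, and flags the ones a reviewer should look at first (inline event-handler attributes and links that point off-site). The two HTML documents, the host name `example.test`, and the reflected "Hover Me!" link are constructed sample data.

```python
"""Structure-aware diff of two HTML responses to spot injected markup.

Added example for this article; not part of the HTML Preview tool.
Instead of a raw text diff, it compares the element structure of a
'before' and an 'after' response, so a single injected tag stands out
even when the page has hundreds of lines of surrounding markup.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class ElementCollector(HTMLParser):
    """Records every start tag as (tag, tuple(sorted attrs))."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        # Normalise attribute order so identical elements compare equal.
        self.elements.append((tag, tuple(sorted((k, v or "") for k, v in attrs))))

    # Self-closing tags (<br/>, <img/>) are recorded the same way.
    handle_startendtag = handle_starttag


def collect_elements(html):
    parser = ElementCollector()
    parser.feed(html)
    parser.close()
    return parser.elements


def new_elements(before_html, after_html):
    """Elements present in 'after' but not (as many times) in 'before'."""
    before = Counter(collect_elements(before_html))
    after = Counter(collect_elements(after_html))
    surplus = after - before  # multiset difference keeps only the extra elements
    return sorted(surplus.elements())


def is_suspicious(element, site_host):
    """True for inline event handlers or references to a foreign host."""
    _tag, attrs = element
    for name, value in attrs:
        if name.startswith("on"):  # onmouseover, onclick, ...
            return True
        if name in ("href", "src", "action"):
            host = urlparse(value).hostname
            if host and host != site_host:  # relative URLs have no host
                return True
    return False


def report(before_html, after_html, site_host):
    """List of (element, suspicious) pairs for every newly added element."""
    return [(el, is_suspicious(el, site_host)) for el in new_elements(before_html, after_html)]


# Constructed sample responses: the search term is reflected into the page.
BEFORE = """<html><body>
<h1>Search</h1>
<form action="/search"><input name="q"><a href="/help">Help</a></form>
<p>You searched for: hello</p>
</body></html>"""

AFTER = """<html><body>
<h1>Search</h1>
<form action="/search"><input name="q"><a href="/help">Help</a></form>
<p>You searched for: <a href="https://secapps.com" onmouseover="window.location=this.href">Hover Me!</a></p>
<span class="results">1 result</span>
</body></html>"""

if __name__ == "__main__":
    for element, flagged in report(BEFORE, AFTER, "example.test"):
        print("SUSPICIOUS" if flagged else "new      ", element)
```

Only the surplus elements are reported, so the legitimately added `<span class="results">` shows up as new but unflagged, while the reflected `<a>` is flagged twice over: it carries an `onmouseover` handler and its `href` points at a host other than the site under test. Comparing element multisets rather than raw lines also keeps the report stable when the server reorders attributes or reflows whitespace between requests.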
Conclusion
All the techniques mentioned (as well as others) have their place when it comes to analysing a server's responses. However, the visual preview is what I believe to be a great starting point: it is not guaranteed to succeed every time, but when it does, and it does quite often, it saves time and effort!