The HTTP Editor tool allows you to create, analyze and edit client HTTP requests and server responses. This lets you fine-tune attacks and verify that vulnerabilities have been fixed.
You can start the HTTP Editor from the ‘Tools’ node within the Tools Explorer window pane.
The top pane in the HTTP Editor displays the HTTP request data and headers. The bottom pane displays the HTTP response headers and data.
Editing an HTTP Request
1. From a scan or crawl, right-click a file and select ‘Edit with HTTP Editor’.
2. From the HTTP Editor Toolbar, the following options can be edited:
- Method – Select one of the standard HTTP methods such as GET, POST and HEAD. You can also specify a custom method by typing it in the ‘Method’ input field, such as OPTIONS, TRACE or DELETE.
- Protocol – Select the HTTP protocol version (HTTP/1.0 or HTTP/1.1) to be used for the request.
- URL – Specify the URL, including the hostname, of the target object that you want to request (e.g. http://192.168.0.28/). You can also specify a relative URL without a hostname and supply the hostname via the request headers.
3. The Request tab shows the headers of the HTTP request. You can edit any of the headers by specifying the Header name e.g. Cookie or User-Agent and assigning the header value associated to it, e.g. ID=1.
4. To craft an HTTP request with request data apart from the headers (e.g. a POST request with variables), enter the data in the ‘Request Data’ window. Variable data can also be edited with the Variable Editor.
The Variable Editor can be launched by clicking on the ‘Edit query Variables’ button. Query variables are separated from the URL by a “?” and are URL-encoded. With the Variable Editor you can edit query variables, cookies and other request data. You can add, remove, URL-encode and URL-decode variables using the buttons in the small toolbar at the bottom of the Variable Editor window. Click ‘OK’ to store the changes and close the Variable Editor.
You can supply data other than URL-encoded variables, such as an XML document for a PROPFIND request. Specify the content length and the content type through the appropriate (‘content length’ and ‘content type’) headers. If no content length or type is specified, the HTTP Editor will use “application/x-www-form-urlencoded” as the default content type, whilst the content length is automatically calculated.
5. Use the toolbar at the top of the request page to add and remove request headers, add cookie variables, open the encoder-decoder tool and to toggle between HTTP and HTTPS.
6. Click the ‘Encoder Tool’ button to encode or decode any text data that you want to send with an HTTP request or that you got back in a response. This tool uses Base64 and URL-encoding to convert plain text data to send in a request. Click ‘Start’ to request the URL.
Note: For websites with AcuSensor Technology enabled, you can manually add AcuSensor Technology headers to the HTTP request. To do this, right-click the ‘Request Headers’ window pane and select ‘Add AcuSensor headers’. If AcuSensor Technology is enabled, you can view specific AcuSensor Technology related data in the response tab ‘AcuSensor Data’.
Text Only Tab
This tab displays the request in plain text. You can make changes to the request by editing the displayed text directly.
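The plain-text request that results from the rules described above (relative URL plus hostname header, URL-encoded variables, default content type, calculated content length) can be reproduced outside the tool. The following is an added example, not Acunetix code: `build_request` is a hypothetical helper, `/login.php` and the variable values are constructed, and rejecting CR/LF in headers and counting the length in bytes are assumptions of this sketch.

```python
from urllib.parse import urlencode, urlsplit

DEFAULT_TYPE = "application/x-www-form-urlencoded"  # default named on this page

def build_request(method, url, headers=None, variables=None, body="",
                  protocol="HTTP/1.1"):
    """Hypothetical helper: return the raw bytes of one HTTP request."""
    headers = dict(headers or {})
    for name, value in headers.items():
        # Refuse CR/LF so a pasted value cannot smuggle in extra header lines.
        if any(c in name + str(value) for c in "\r\n"):
            raise ValueError(f"CR/LF in header {name!r}")
    given = {name.lower() for name in headers}
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    if "host" not in given:
        if parts.netloc:                 # absolute URL: hostname comes from the URL
            headers["Host"] = parts.netloc
        elif protocol == "HTTP/1.1":     # relative URL: hostname must be a header
            raise ValueError("relative URL needs a Host header")
    if variables is not None:
        body = urlencode(variables)      # URL-encode names and values, join with '&'
    payload = body.encode("utf-8")
    if payload:
        if "content-type" not in given:
            headers["Content-Type"] = DEFAULT_TYPE
        if "content-length" not in given:
            # Length is counted in bytes on the wire, not in characters.
            headers["Content-Length"] = str(len(payload))
    lines = [f"{method} {target} {protocol}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + payload

if __name__ == "__main__":
    # Constructed sample input; /login.php is an assumed path.
    raw = build_request("POST", "http://192.168.0.28/login.php",
                        variables={"user": "a b", "id": "1&2"})
    print(raw.decode())
```

Comparing this output with the Text Only tab is a quick way to confirm which headers were set by hand and which were filled in by default.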
Analyzing HTTP Responses
After the HTTP request is sent to the web server, the server response in the bottom pane of the HTTP Editor can be analyzed. The server response is shown in the tabs ‘Response headers’, ‘Response data’, ‘View Page’, and ‘HTML structure analysis’.
Once an HTTP response is received from the target server, you can analyze the details using the response tabs below:
- Response Headers – Displays HTTP response headers.
- Response Data – Displays the HTTP response data received from the web server (similar to a web browser’s ‘view source’ option).
- View Page – Displays the web page without relevant images or CSS. Clicking on any of the links will display the request of that link in the ‘Request Headers’ tab and will update the URL in the HTTP Editor toolbar.
- HTML Structure Analysis – Displays a list of links, comments, client scripts, web forms and META tags found in the HTTP response.
- AcuSensor Data – Displays a list of AcuSensor Technology parameters if AcuSensor headers are added in the HTTP request and AcuSensor is enabled.