The HTTP Editor is one of the most flexible and widely used tools among the Acunetix Manual Tools suite (available to download for free). The HTTP Editor allows you to create, analyze, and edit client HTTP requests; as well as inspect server responses. It also includes an encoding and decoding tool to encode/decode text and URL’s to MD5 hashes, UTF-7 and other formats.
You can start using the HTTP Editor by launching the Acunetix Tools application, and selecting the HTTP Editor from the Tools Explorer.
The top pane in the HTTP Editor is where you can edit the HTTP request data and headers. The bottom pane displays the HTTP response headers and data received from the server.
Crafting an HTTP Request
The HTTP Editor allows you to create and edit HTTP requests, both through a graphical interface by clicking the Request tab; as well as the raw HTTP request by clicking the Text Only tab.
When the Request tab is active, the HTTP Editor displays a toolbar, with the following options.
- Add/Remove HTTP Header – Add or remove HTTP headers from the request
- Cookies – Specify the Cookie values to be included in the HTTP request
- Toggle HTTPS – Switch between HTTP and HTTPS
- Method – Select common HTTP methods such as GET, POST and HEAD. You can also specify a custom method by typing it in the ‘Method’ input field, such as OPTIONS, TRACE or DELETE
- Protocol – Select the HTTP Protocol (HTTP/1.0 or HTTP/1.1) version to be used for the request
- URL – Specify the URL, including the hostname of target object that you want to request (e.g. http://testphp.vulnweb.com). You can specify a relative URL without a hostname as long as you include a Host header in the Request Headers section
- Edit Request Variables – Edit query string (for GET requests) or request body (for POST requests)
The Request Headers tab shows the headers of the HTTP request. You can add, remove and edit any of the HTTP headers in the request by specifying the HTTP header name and corresponding value. In the following example a custom User-Agent header is set.
To send the HTTP Request click the Start button above the main toolbar.
To craft an HTTP request with request data, for example for use in a POST request, either enter the data directly in the ‘Request Data’ window.
Alternatively, if the HTTP request body you want to send is URL encoded (therefore the request body is not JSON or XML for example), you may use the Edit Request Variables button to edit either GET or POST variables (therefore, either variables in the URL’s query string, or inside of the HTTP response body).
This will launch the Variable Editor. Query variables are separated from the URL by a
? and are URL encoded. The Variable Editor can be used to edit query variables, cookies and other request data. You can add, remove, URL-encode and URL-decode variables using the toolbar at the bottom of the Variable Editor window. Click OK to store the changes and close the Variable Editor.
Of course, you are not limited to URL encoded data. If you wish to make an HTTP request with a JSON or XML body, you can use the data format you need by entering it directly into Request Data.
Specify the content length and the content type through the appropriate
Content-Type headers. In the case that no content length or type is specified, the HTTP Editor will use
application/x-www-form-urlencoded as the default content type and automatically calculate the content length.
The HTTP Editor also offers a built-in Encoder Tool which allows you to encode and decode any plain text data that you want to send in an HTTP request, or that has been returned in an HTTP response.
The HTTP Editor Encoder Tool supports the following encoding or hashing formats.
- URL encoding/decoding
- HTML encoding/decoding
- Base64 encoding/decoding
- C-style encoding/decoding
- MD5 hashing
- MD4 hashing
- SHA1 hashing
- UTF-7 encoding/decoding
Analyzing HTTP Responses
After the HTTP request is sent to the web server, the server response in the bottom pane of the HTTP Editor can be analyzed. The server response is shown in the tabs Response Headers, Response Data, View Page, and HTML Structure Analysis.
Upon receiving an HTTP response from the target server, you can analyze the request details using the Response Headers and Response Data tabs, as well as inspect the contents of the web page using the View Page and HTML Structural Analysis tabs as detailed below.
- Response Headers – Displays HTTP response headers
- Response Data – Displays the HTTP response data received from the web server
- View Page – Displays the web page stripped of images and styling. Clicking on any of the links and submitting any forms, will populate the HTTP Editor with the relevant request
- HTML Structure Analysis – Displays a list of links, comments, scripts, forms and meta tags found in the HTTP response
Acunetix is an automated web application security scanner and vulnerability management platform. In addition, Acunetix also provides a suite of manual pentesting tools that allow users to quickly and easily confirm vulnerabilities and take take automated testing further.