Reputation: 3
Replace/remap server response body while preserving most of original header fields served to browser
How can I replace particular file body returned to browser by remote server but leave the original respond header mostly unchanged/intact/unaffected/unaltered/untouched? (I don't know which English word is best in this context so please: fix my question!)
This probably may be done using penetration testing proxy (Burp, OWASP ZAP, Charles, Fiddler, Paros etc.) but I don't find suitable option to mapping respond body to local file body without dropping important header fields (Set-Cookie, Content-Type etc.). There is not problem with rewriting only part of body using regular expression pattern. There is also not problem with remapping whole file (based on URL), however, it generates a new header instead of duplicating the original returned by server. I know that my local file may be differ in size from that on the server so Content-Length field should be altered by proxy. There are probably other fields in header that should be modified by penetration testing tool but fields such as Set-Cookie, Content-Type and some other selected and as well all customized fields (as the ones prefixed by X-) should be preserved.
Should I write an extension or some kind of script to any of these tools? If so, then I can search for API reference of chosen tool but which penetration testing tool should I chose to write in my favorite language which is Python? Any help in pointing to particular API needed for this purpose will be appreciated. This script should:
- intercept HTTP response by setting break point on particular URL
- read and remember header returned by server
- load local file associated with requested URL
- check file size and modify
Content-Lengthheader field - send modified header
- send loaded file
The above list suggests which elements of API are needed to point me to. Ideally it would be if there is embedded option for described task in any tool but if such option does not exist then API of which tool should I learn to code in Python and on which API parts should I pay special attention? Because of portability, chosen tool should not be dependent on .NET (so using Fiddler will be a problem in this situation). Java-dependent tools are OK because there is no problem with using portable Java runtime environment.
Upvotes: 0
Views: 1050
Answers (1)
Reputation: 6226
Yes, you can do this with OWASP ZAP.
ZAP supports lots of scripting languages including python (actually jython;). You can change anything to do with requests and responses using proxy scripts. You have full access to all of the information about the requests and responses, all of the ZAP functionality and your local filestore.
We have some examples here: https://github.com/zaproxy/community-scripts/tree/master/proxy None of those examples actually use python, but there is an example python script in https://github.com/zaproxy/community-scripts/tree/master/payloadgenerator You will need to install the python scripting add-on which includes the necessary templates: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsJythonJython
If you have specific questions about ZAP scripting then we have a group just for that purpose: http://groups.google.com/group/zaproxy-scripts
Upvotes: 0
Related Questions
- How to modify JSON response body with mitmproxy
- Replace server name with fake server name in response header in fastapi
- How to send back a fake response(header and body) from an intercepted request via mitmproxy
- Is there any way to intercept and "change" a python request response body?
- Stripping headers response - Python
- Python proxy - Need help to send HTTP header to the browser
- Python SimpleHTTPServer: change response header
- Access original raw headers with WSGI
- Using Python to Manipulate HTTP Headers
- Full control over HTTP headers in Python?