The challenge for Day Eight is – Use a proxy tool to observe web traffic in a web or mobile application.
For this challenge I could look back at using Burp Suite as that has a Proxy function, but another couple I’ve used are Fiddler and Charles Proxy.
I’m more familiar with Charles and have used it on various test cycles in uTest where they give a pretty decent tutorial on how to set up the service and record logs.
A proxy allows you to view and record the requests between a user's browser and the web application server.
It can highlight GET, POST and other useful information that identifies how the application works, and how data is sent/stored.
As demonstrated with Burp, it is possible to intercept and modify requests between a client and a server. This makes it possible to do some pretty hairy stuff such as changing quantities in orders, or to copy a user’s cookie and impersonate them at a later stage.
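To show what a recording proxy like Charles or Burp actually sees, here is an added example (not code from the post or from either tool) that parses the raw request a browser sends through a forward proxy and records the details a tester would note: method, URL, cookies and form fields. The two sample requests and the host shop.example are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed samples of what a forward proxy receives from a browser.
# A browser talking to a proxy uses an absolute URL on the request line.
SAMPLE_GET = (
    b"GET http://shop.example/cart?item=42 HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)
SAMPLE_POST = (
    b"POST http://shop.example/cart/update HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 18\r\n"
    b"\r\n"
    b"item=42&quantity=1"
)


def parse_request(raw: bytes) -> dict:
    """Split one proxied HTTP request into the parts a proxy log shows."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", "0"))
        form = parse_qs(body[:length].decode("iso-8859-1"))
    return {"method": method, "version": version, "scheme": url.scheme,
            "host": url.netloc, "path": url.path, "query": parse_qs(url.query),
            "headers": headers, "form": form}


def observations(req: dict) -> list:
    """Notes a tester would record about how the app sends and stores data."""
    notes = ["%s %s%s" % (req["method"], req["host"], req["path"])]
    if req["query"]:
        notes.append("query parameters: " + ", ".join(req["query"]))
    if req["form"]:
        notes.append("form fields: " + ", ".join(req["form"]))
    if "cookie" in req["headers"] and req["scheme"] == "http":
        # A session cookie visible in plaintext is exactly what an observer on the path sees.
        notes.append("cookie sent over plaintext http: " + req["headers"]["cookie"])
    return notes
```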
Thanks for reading my post and following my progress through the 30 Days of Security Testing.
Feel like joining in? Sign into the WeTest Slack group and get involved!