The Request Builder tool in Netsparker Desktop allows you to create your own HTTP requests or modify imported ones, send the requests to the target, and analyze the HTTP response the target sends back.
You can open the Netsparker HTTP Request Builder by clicking the Request Builder tab highlighted in the screenshot below.
You can use the HTTP Request Builder to build your own HTTP request when doing a manual vulnerability assessment, for example when troubleshooting a particular problem or when trying to identify logical web vulnerabilities.
You can also use it to further analyze and exploit a vulnerability that the web vulnerability scanner identified during a scan, and analyze the HTTP response that the target web application is sending back.
To export an HTTP request from a scan to the Request Builder, such as the HTTP request that was used to identify a cross-site scripting vulnerability, find the vulnerability in the Sitemap and select Send to Request Builder from the right-click menu.
You can also click the Send to Request Builder button in the toolbar when viewing the details of a vulnerability.
Once exported, you can use the builder to easily modify the HTTP request. For example, you can modify either the value or the name of an existing header, and add or remove an HTTP header. The same applies to GET and POST parameters in the HTTP request.
You can also manually edit the HTTP request by clicking the RAW tab, in which you can see the raw HTTP request (in plain text format).
To build an HTTP request you need to specify the URL, the protocol and the HTTP method, plus HTTP headers (not mandatory) and, if needed, parameters. The following section explains how to build a simple HTTP request that is typically used to buy the Netsparker Desktop Professional edition:
Below is a screenshot of our first part of the HTTP request, in which we configure the HTTP Method (also known as HTTP verb), the protocol, FQDN and the path.
Below is an explanation of what every configurable parameter means:
GET: This is the HTTP method. GET means that we want information from the target web application. Set the HTTP method to POST to post information to the target web application, HEAD to get the header information only, and so on. Refer to the list of HTTP methods for more information.
HTTPS: This is the protocol. It can be either HTTP or HTTPS.
www.netsparker.com: This is the FQDN (fully qualified domain name) of the web application we want to send the request to.
443: This is the port number on which to contact the web application. This will be automatically populated but if your web application is running on a non-default port, you have to enter it manually here.
/pricing/: This is the path which we would like to access. Therefore so far we have this part of the request built up: https://www.netsparker.com/pricing/.
HTTP/1.1: This is the protocol version. In most cases HTTP/1.1 is used; if you need to use the earlier version of the protocol, switch this to HTTP/1.0.
Below is a screenshot of the second part of the HTTP request, the HTTP Headers and parameters.
Let’s take a look at what all of the above means.
To add an HTTP header select Header from the Type column and specify its value in the Value column.
Accept: This header is used to specify which content-types are acceptable for the response (what type of content can the client sending the request understand).
User-Agent: This header is used to identify the type of software that is used by the client. For example every web browser has a unique user agent string.
Host: The Host header specifies which web application the client would like to access, in case the web server hosts multiple web applications. This is the only mandatory header.
Note: HTTP headers are typically used to send the cookie with the request, to specify what type of compression the client supports and much more. The above is just an example of the most basic HTTP request. Refer to the HTTP Headers article on Wikipedia for more detailed information.
To add a parameter select GET Parameter or Post Parameter from the Type drop down menu and specify the parameter’s value in the Value column.
edition: This is the parameter and its value that we will be appending to the HTTP request (https://www.netsparker.com/pricing/?edition=pro)
If the checkbox in the Encoding column is checked for a header or parameter, the value you entered is treated as already encoded and is sent as it is. If it is not checked, the value you specified is treated as not encoded and is encoded when being sent to the target.
If you need to add additional data in the HTTP request body, enable the option Enable Raw Request Body underneath the HTTP headers and parameters section and enter the data.
The HTTP request is complete. Click the RAW tab to see the raw HTTP request, i.e. the format in which it is actually sent to the target:
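As an added example (not Netsparker's code or output), the Python below assembles the raw request from the components configured above and shows what the Encoding checkbox changes. The Accept and User-Agent values are constructed placeholders, and percent-encoding with urllib's quote() is an assumption about the encoding the tool applies.

```python
from urllib.parse import quote

DEFAULT_PORTS = {"http": 80, "https": 443}

def encode_param(name, value, already_encoded):
    """Checked Encoding box: send the value as entered. Unchecked: encode it.
    Percent-encoding via quote() is an assumption about the encoding applied."""
    sent = value if already_encoded else quote(value, safe="")
    return f"{quote(name, safe='')}={sent}"

def build_raw_request(method, scheme, host, port, path, version, rows):
    """rows are (type, name, value, already_encoded) tuples mirroring the
    Type / Value / Encoding columns; the flag is applied to parameters only."""
    query, headers = [], []
    for row_type, name, value, already_encoded in rows:
        if row_type == "GET Parameter":
            query.append(encode_param(name, value, already_encoded))
        elif row_type == "Header":
            if "\r" in value or "\n" in value:
                raise ValueError(f"line break in header {name!r}")
            headers.append((name, value))
    # Host is mandatory: derive it when absent, adding the port only if non-default.
    if not any(n.lower() == "host" for n, _ in headers):
        default = DEFAULT_PORTS[scheme.lower()]
        headers.insert(0, ("Host", host if port == default else f"{host}:{port}"))
    target = path + ("?" + "&".join(query) if query else "")
    lines = [f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed rows: Accept and User-Agent values are placeholders, the rest
# are the values used in the walkthrough.
ROWS = [
    ("Header", "Accept", "text/html", False),
    ("Header", "User-Agent", "ExampleClient/1.0", False),
    ("Header", "Host", "www.netsparker.com", False),
    ("GET Parameter", "edition", "pro", False),
]

if __name__ == "__main__":
    print(build_raw_request("GET", "https", "www.netsparker.com", 443,
                            "/pricing/", "HTTP/1.1", ROWS))
    # Same kind of input, three outcomes depending on the Encoding box:
    print(encode_param("q", "a b", False))      # encoded on send
    print(encode_param("q", "a%20b", True))     # sent as entered
    print(encode_param("q", "a%20b", False))    # encoded a second time
```

A value that is already percent-encoded but entered with the box unchecked reaches the target encoded twice, so the application decodes a different string than the one intended.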
Click Send Request to make the HTTP request and receive the HTTP response. Once you receive a response, you can see it in raw format (the actual HTTP headers and HTML code) in the RAW tab. Note that you can also search for specific text in the response when viewing it in raw format.
Click the Headers tab to see the HTTP headers and the Browser View to see how the response is seen in a browser. Note that when in browser mode, all sorts of scripts are disabled, which is why you can only see the structure of the response.
You can also keep a record of all the HTTP requests you have built, or imported and sent to the target by checking the option Log Requests. Upon doing so all the HTTP requests are kept in the History window.
Once stored in the History window you can easily reload an HTTP request by double clicking it. You can also modify the loaded HTTP request and send it again. The modified version of the HTTP request will also be recorded in the History window as another different HTTP request, i.e. the old version of that HTTP request won't be overwritten.
Note that the history of the sent HTTP requests is only kept for the existing session. Therefore upon shutting down or restarting the Netsparker Desktop web application security scanner the HTTP Request Builder history is lost. Also, the option Log Requests is disabled by default, hence should you wish to store the HTTP requests make sure you enable it before you start working on them.