Support
Scans

HTTP Request Builder

This document is for:
Invicti Standard

The Request Builder tool allows you to work with HTTP requests, including:

  • Sending requests to the target
  • Modifying imported HTTP requests
  • Creating your own HTTP requests, when doing a manual vulnerability assessment, troubleshooting a particular problem or trying to identify logical web vulnerabilities
  • Further analyze and exploit a vulnerability that the web vulnerability scanner identified during a scan
  • Analyzing the HTTP response the target web application sends back

The HTTP Request Builder is available only in Invicti Standard.

Working with HTTP Requests and the Request Builder

The Request Builder is a handy tool that allows you to create your own HTTP requests. You can even modify imported HTTP requests and send them to the target. Because the tool is very user friendly, it is also easy to analyze the HTTP response the target sends back.

The HTTP Method, Protocol, FQDN and Path

This screenshot shows an example of the first part of the HTTP request, in which we configure the HTTP Method (also known as HTTP verb), the protocol, FQDN, port number, path and protocol version.

This table lists and explains every configurable parameter.

Parameter

Description

HTTP Method

This is the HTTP method:

  • GET means that you want information from the target web application
  • POST means you want to post information to the target web application
  • HEAD means you want to get the header information only

For further information, see HTTP methods.

Protocol

This is the protocol. It can be either HTTP or HTTPS.

Fully Qualified Domain Name (FQDN)

This is the FQDN of the web application to which you want to send the request (e.g. www.netsparker.com).

Port Number

This is the port number on which to contact the web application. It will be automatically populated, unless your web application is running on a non-default port, in which case you'll have to enter it manually here.

Path

This is the path you'd like to access.

Protocol Version

This is the protocol version of HTTP. In most cases HTTP/1.1 is used. In case you need to use the earlier version of the protocol, you can switch this to HTTP/1.0.

HTTP Headers and Parameters

This is the second part of the HTTP request: the HTTP headers and parameters.

HTTP Headers

  • From the Type column, select Header, and specify its value in the Value column.

This table lists and explains each header.

Header

Description

Accept

This header is used to specify which content-types are acceptable for the response (what type of content can the client sending the request understand).

User-Agent

This header is used to identify the type of software that is used by the client. For example, every web browser has a unique user agent string.

Host

The host header is used to request the web application that the client would like to access, in case the web server hosts multiple web applications. This is the only mandatory header.

Note: HTTP headers are typically used to send the cookie with the request, to specify what type of compression the client supports and much more. The above is just an example of the most basic HTTP request. See HTTP Headers article on Wikipedia for further information.

GET/POST Parameters

  • To add a parameter select GET Parameter or POST Parameter from the Type drop down menu and specify the parameter's value in the Value column.
  • GET parameters will be appended to the query string.
  • For POST parameters, a request body will be generated. The Content-Type will be application/x-www-form-urlencoded by default.

File Parameters

  • File parameters can be used to simulate file upload requests. To add a File parameter, select File Parameter from Type drop down menu and click the ellipsis icon () that will open up a dialog for selecting a file.

Encoding the Headers and Parameters Values

  • If the checkbox in the Encoding column is checked for a header or parameter, it means that the value you entered is encoded and will be sent as it is
  • If it is not checked then it means that the value you specified is not encoded, and it will be encoded when it is sent to the target

How to Export an HTTP Request to the Request Builder

  1. First run a scan and display its results.

  1. In the Sitemap panel, locate the relevant vulnerability (e.g. Password Transmitted over HTTP), right click and select Send to Request Builder.

  1. The Central Panel now displays the Request Builder tab.
  2. Once exported, you can use the Request Builder to modify the HTTP request. For example, you can modify either the Value or the Name of an existing header, and add or remove an HTTP header. The same applies for GET and POST methods (for example) in the HTTP request. You can also manually edit the HTTP request by clicking the RAW tab, which displays the raw HTTP request (in plain text format).

Optional: Add a Request Body in the HTTP Request

If you need to add further data into the HTTP request body, select Enable Raw Request Body underneath the HTTP headers and parameters section, and enter the data.

If you do not enabled raw request body, a request body with the added POST parameters will be automatically generated.

How to Send the HTTP Request and Analyze the HTTP Response

  1. With a scan open and complete, when an HTTP request is complete in Invicti Standard, click the RAW tab. This displays the raw HTTP request (the format in which it is actually sent to the target).

  1. Click Send Request to send the HTTP request and receive the HTTP response.

  1. Once you receive a response, you can view the response in raw format (the actual HTTP headers and HTML code) in the RAW tab. Note that you can also search for a specific text in the response when viewing it in this format.

  1. Click on the Headers tab to see the HTTP headers and the Browser View to see how the response is displayed in a browser. Note that when in browser mode, all sorts of scripts are disabled, which is why you can only see the structure of the response.

Log Requests Option

You can also keep a record of all the HTTP requests you have built, or imported and sent to the target by enabling the Log Requests option.

This means that all HTTP requests are kept in the History window:

  • From there, you can easily reload an HTTP request by double clicking it.
  • You can also modify the loaded HTTP request and resend it. This modified version will also be recorded in the History window as a different HTTP request (and the old version of that HTTP request won't be overwritten).
  • The history of the sent HTTP requests is only kept for the existing session. Once you shut down or restart Invicti Standard, the HTTP Request Builder history is lost. Also, the Log Requests option is disabled by default. So, if you want to store HTTP requests, enable it before you start working on them.