Using ModHeader for HTTP authorization

Overview

Most websites accept either an Authorization request header or some form of cookie for authentication. The value is usually an internal session ID or a JSON Web Token (JWT). By passing in a different Authorization request header (or cookie), one can turn the logged-in state on or off, switch users, change a user's role, and so on.

Benefits of testing authorization

Changing the authorization header during web development can have several benefits:

  1. User Role Testing: Modifying the authorization header allows developers to test different user roles and permissions within the application. This helps in verifying that the appropriate access and restrictions are enforced based on user roles.
  2. Security Testing: Changing the authorization header can be useful for testing the security of an application. It allows developers to simulate different authorization scenarios, such as testing for unauthorized access or attempting to bypass authentication mechanisms.
  3. Integration Testing: When integrating multiple services or APIs, changing the authorization header enables developers to test different authentication methods and validate the integration points. This ensures smooth communication between different components of the system.
  4. Error Handling: Manipulating the authorization header allows developers to test how the application handles invalid or missing authentication credentials. This helps identify vulnerabilities and improve error handling mechanisms.
  5. Performance Testing: By changing the authorization header, developers can simulate different user profiles and test the performance of the application under varying levels of authorization. This helps ensure that the application can handle different user loads efficiently.
  6. Compliance Testing: Changing the authorization header can assist in compliance testing, such as verifying that sensitive information is properly protected and access controls are implemented as required by regulatory standards.

Overall, changing the authorization header in web development offers developers the flexibility to test various authorization scenarios, enhance security measures, validate integrations, improve error handling, optimize performance, and meet compliance requirements.

Changing Authorization header

Using ModHeader, you can quickly change the authorization header using the following steps:

  • Click on , and select Request header
  • Add Authorization header with the desired value.
  • Now visit your web server. It should have the Authorization header passed to it.
  • Going one step further, you can click on , and select URL filter to enable the Authorization header override only on your domains. This way, you will not accidentally leak your authorization header to other third-party websites.
  • To turn off the feature, simply uncheck the Authorization request header row.
  • You can also add additional Authorization header rows so you can easily switch between different users.
  • Alternatively, you can right-click on the profile badge on the left-hand side, and select Clone profile, then update the Authorization header value in the new profile. You can quickly switch between different Authorization headers by switching profiles. You can click on , then select Keyboard shortcuts to assign custom shortcut keys to each profile.

Changing Cookie value

If you are using cookie-based authentication, you can also use ModHeader to quickly change its value using the following steps:

  • Click on , and select Cookie header
  • Add the desired cookie name and value.
  • Now visit your web server. It should have the cookie passed to it.
  • Going one step further, you can click on , and select URL filter to enable the cookie header override only on your domains. This way, you will not accidentally leak your cookie to other third-party websites.
  • Similar to the Authorization header approach above, you can easily turn the modification on/off with the checkbox on the left-hand side, and use multiple profiles to quickly toggle between different cookie values.
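As an added example (not ModHeader's own code), the following models the override-plus-URL-filter behaviour described in both the Authorization header and Cookie sections above, showing why a host-based filter keeps the credential off requests to third-party sites. The profile shape, function names and sample values are assumptions.

```javascript
// Added example, not ModHeader's code: a minimal model of a header-override
// profile with a URL filter. Names and values below are assumptions.

// A profile: header/cookie overrides plus the hosts they may be sent to.
// Constructed sample values; the token is a placeholder, not a real credential.
const profile = {
  headers: { Authorization: "Bearer PLACEHOLDER_TOKEN_FOR_TEST_USER" },
  cookies: { session: "PLACEHOLDER_SESSION_ID" },
  allowedHosts: ["app.example.com", "api.example.com"],
};

// True only when the request host is an allowed host or a subdomain of one.
// Matching whole labels means "app.example.com.evil.net" does not match "example.com".
function hostAllowed(url, allowedHosts) {
  const host = new URL(url).hostname.toLowerCase();
  return allowedHosts.some((allowed) => {
    const a = allowed.toLowerCase();
    return host === a || host.endsWith("." + a);
  });
}

// Merge a Cookie header with overrides: replace same-named cookies, keep the rest.
function mergeCookies(existing, overrides) {
  const jar = new Map();
  for (const part of (existing || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) jar.set(name, rest.join("="));
  }
  for (const [name, value] of Object.entries(overrides)) jar.set(name, value);
  return [...jar].map(([n, v]) => `${n}=${v}`).join("; ");
}

// Apply the profile to an outgoing request. Requests to other hosts are returned
// untouched, which is what stops the credential reaching third-party sites.
function applyProfile(url, requestHeaders, profile) {
  const out = { ...requestHeaders };
  if (!hostAllowed(url, profile.allowedHosts)) return out;
  Object.assign(out, profile.headers);
  if (Object.keys(profile.cookies).length > 0) {
    out.Cookie = mergeCookies(out.Cookie, profile.cookies);
  }
  return out;
}
```

Swapping `profile.headers.Authorization` (or `profile.cookies.session`) is the equivalent of switching ModHeader profiles to change users or roles.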