Using ModHeader for HTTP authorization
Overview
Most websites accept either the Authorization request header or some form of cookie for authentication. The value is usually an internal ID or a JSON web token (JWT). By passing in a different Authorization request header (or cookie), you can turn the logged-in state on or off, switch users, change a user's role, and so on.
Benefits of testing authorization
Changing the authorization header during web development can have several benefits:
- User Role Testing: Modifying the authorization header allows developers to test different user roles and permissions within the application. This helps in verifying that the appropriate access and restrictions are enforced based on user roles.
- Security Testing: Changing the authorization header can be useful for testing the security of an application. It allows developers to simulate different authorization scenarios, such as testing for unauthorized access or attempting to bypass authentication mechanisms.
- Integration Testing: When integrating multiple services or APIs, changing the authorization header enables developers to test different authentication methods and validate the integration points. This ensures smooth communication between different components of the system.
- Error Handling: Manipulating the authorization header allows developers to test how the application handles invalid or missing authentication credentials. This helps identify vulnerabilities and improve error handling mechanisms.
- Performance Testing: By changing the authorization header, developers can simulate different user profiles and test the performance of the application under varying levels of authorization. This helps ensure that the application can handle different user loads efficiently.
- Compliance Testing: Changing the authorization header can assist in compliance testing, such as verifying that sensitive information is properly protected and access controls are implemented as required by regulatory standards.
Overall, changing the authorization header in web development offers developers the flexibility to test various authorization scenarios, enhance security measures, validate integrations, improve error handling, optimize performance, and meet compliance requirements.
Changing Authorization header
Using ModHeader, you can quickly change the authorization header using the following steps:
- Click on , and select Request header
- Add an Authorization header with the desired value.
- Now visit your web server. It should have the Authorization header passed to it.
- Going one step further, you can click on , and select URL filter to enable the Authorization header override only on your domains. This way, you will not accidentally leak your authorization header to other third-party websites.
- To turn off the feature, simply uncheck the Authorization request header row.
- You can also add additional Authorization header rows so you can easily switch between different users.
- Alternatively, you can right-click on the profile badge on the left hand side, and select Clone profile, then update the Authorization header value in the new profile. You can quickly switch between different Authorization headers by switching profile. You can click on , then select Keyboard shortcuts to assign custom shortcut keys to each profile.
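To make the states you toggle from ModHeader concrete from the server's point of view, here is an added example (not ModHeader's code, and not from the original page) of a minimal HS256 JWT checker with a small role-based route policy, plus a matrix that exercises the scenarios listed above: logged out, a different user, a different role, a token forged with the wrong secret, and an alg=none downgrade. The signing secret, the routes and the users and roles are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret for this example only; a real service keeps this out of source.
SECRET = b"example-dev-secret"

# Constructed sample policy: which roles may reach which route.
ROUTE_ROLES = {
    "/profile": {"user", "admin"},
    "/admin": {"admin"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT: this is the kind of value you would paste into the header row."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET):
    """Return the claims if the token is well formed and its signature checks out, else None."""
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm: a token claiming alg=none must never be accepted.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except ValueError:  # covers bad base64, bad JSON and a wrong number of segments
        return None


def handle_request(path: str, headers: dict) -> int:
    """Server-side decision: 401 for missing/invalid credentials, 403 for wrong role, 200 otherwise."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return 401
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return 404
    return 200 if claims.get("role") in allowed else 403


def run_matrix() -> dict:
    """Each entry corresponds to one header row (or profile) you would toggle in ModHeader."""
    user_token = make_token({"sub": "alice", "role": "user"})
    admin_token = make_token({"sub": "bob", "role": "admin"})
    forged = make_token({"sub": "alice", "role": "admin"}, b"wrong-secret")
    none_alg = _b64url(b'{"alg":"none"}') + "." + _b64url(b'{"role":"admin"}') + "."
    return {
        "logged_out": handle_request("/profile", {}),
        "user_profile": handle_request("/profile", {"Authorization": "Bearer " + user_token}),
        "user_admin": handle_request("/admin", {"Authorization": "Bearer " + user_token}),
        "admin_admin": handle_request("/admin", {"Authorization": "Bearer " + admin_token}),
        "forged": handle_request("/admin", {"Authorization": "Bearer " + forged}),
        "alg_none": handle_request("/admin", {"Authorization": "Bearer " + none_alg}),
        "wrong_scheme": handle_request("/profile", {"Authorization": "Basic abc"}),
    }


if __name__ == "__main__":
    for scenario, status in run_matrix().items():
        print(f"{scenario:>13}: {status}")
```

The matrix is the list of header rows you would keep in ModHeader for this application: one per scenario, each checked or unchecked as needed. The two negative cases at the end are the ones worth keeping permanently; if either ever returns 200, the server's token verification has regressed.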
Changing Cookie value
If you are using cookie-based authentication, you can also use ModHeader to quickly change its value using the following steps:
- Click on , and select Cookie header
- Add the desired cookie name and value.
- Now visit your web server. It should have the cookie passed to it.
- Going one step further, you can click on , and select URL filter to enable the cookie header override only on your domains. This way, you will not accidentally leak your cookie to other third-party websites.
- Similar to the Authorization header approach above, you can easily turn the modification on/off with the checkbox on the left hand side, and use multiple profiles to quickly toggle between different cookie values.