Testing for HTTP Incoming requests (OTG-INPVAL-017)
This section describes how to monitor all incoming and outgoing HTTP requests on either the client or the web server side. The purpose of this test is to verify whether unnecessary or suspicious HTTP requests are being sent in the background.
Most web security testing tools (e.g. AppScan, Burp Suite, ZAP) act as an HTTP proxy, which requires changing the proxy settings of the client-side application or browser. The testing techniques listed below focus primarily on how to monitor HTTP requests without changing the client side, which is closer to the production usage scenario.
1. Monitor all incoming and outgoing HTTP requests to the web server to inspect any suspicious requests.
2. Monitor HTTP traffic without changing the end user's browser proxy or client-side application.
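Once traffic has been captured at the TCP level (for example with tcpdump or Wireshark, with no proxy configured on the client), the captured stream still has to be split into individual HTTP requests before background or unexpected requests can be spotted. The following is an added example, not part of the original guide: it parses a reassembled client-to-server TCP payload into requests and flags any whose Host header is outside an expected allow-list. The sample stream and the host names in it are constructed for this example.

```python
"""Split a captured client->server TCP byte stream into HTTP/1.x requests
and flag requests to hosts that are not on an expected allow-list."""
import re
from typing import Dict, List, Set

# Constructed sample (not a real capture): three requests as they would
# appear in a reassembled TCP stream, including one short POST body and
# one "beacon" request to a host the application is not expected to use.
SAMPLE_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    b"POST /api/login HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Length: 20\r\n\r\nuser=alice&pw=secret"
    b"GET /beacon.gif?id=42 HTTP/1.1\r\nHost: tracker.example.net\r\n\r\n"
)

REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]$"
)


def parse_requests(stream: bytes) -> List[Dict[str, str]]:
    """Walk the stream request by request, skipping each body by its
    Content-Length. Stops (rather than guessing) at an incomplete tail,
    at a non-request boundary, or at a chunked body."""
    requests: List[Dict[str, str]] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # truncated request at the end of the capture
        head = stream[pos:end].split(b"\r\n")
        match = REQUEST_LINE.match(head[0])
        if not match:
            break  # lost synchronisation with request boundaries
        headers: Dict[str, str] = {}
        for line in head[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        if "transfer-encoding" in headers:
            break  # chunked bodies are not handled by this example
        body_len = int(headers.get("content-length", "0"))
        pos = end + 4 + body_len  # advance past CRLFCRLF and the body
        requests.append({
            "method": match.group(1).decode(),
            "path": match.group(2).decode(),
            "host": headers.get("host", ""),
        })
    return requests


def flag_unexpected(requests: List[Dict[str, str]],
                    allowed_hosts: Set[str]) -> List[Dict[str, str]]:
    """Return the requests sent to hosts outside the allow-list."""
    return [r for r in requests if r["host"] not in allowed_hosts]
```

Running `flag_unexpected(parse_requests(SAMPLE_STREAM), {"www.example.com"})` on the sample isolates the request to tracker.example.net, which is the kind of background request this test is meant to surface.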
How to Test
TCP-level Network Traffic Capture
- Charles Web Debugging Proxy