Intercepting and Modifying Requests

Break points represent ZAP's most powerful manual testing feature, allowing real-time request and response modification. Enable break points through the toolbar button or by pressing Ctrl+B. When active, ZAP pauses each request before sending it to the server, displaying it in the Break tab for modification. This capability enables testing scenarios impossible through normal browsing.

The Break tab interface provides comprehensive request editing capabilities. Modify any aspect of the request: URLs, parameters, headers, cookies, or body content. Common modifications include changing user IDs to test authorization, injecting special characters to test input validation, or removing security tokens to verify enforcement. The syntax highlighting helps identify different request components quickly.

Request modification techniques vary with the vulnerability type being tested. For authorization testing, change user identifiers or role parameters to check whether the server enforces access on its own session state rather than on the supplied value. SQL injection testing adds quotes and SQL keywords to parameters. Path traversal testing uses "../" sequences to check whether file access is confined to the intended directory. Each modification exercises a specific server-side control, and the responses together build a picture of the application's security posture.
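To make clear what the modifications above are probing for on the server side, here is an added example (not ZAP code or documentation): a minimal handler for a hypothetical `POST /files/remove` endpoint that rejects a swapped `user_id`, a removed anti-CSRF token, and a `../` file name, replayed against the untouched request and the three Break-tab edits. The `Request` class, `FILES_ROOT` and the sample values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
import hmac
import posixpath

FILES_ROOT = "/srv/app/files"      # constructed location of per-user files

@dataclass
class Request:
    params: dict
    headers: dict = field(default_factory=dict)
    session_user: Optional[str] = None   # resolved server-side from the session cookie
    session_csrf: Optional[str] = None   # anti-CSRF token bound to that session

def handle_file_delete(req: Request) -> tuple:
    """POST /files/remove?user_id=..&file=..  ->  (status, message)"""
    # 1. Authorization: the acting user comes from the session, never from a parameter,
    #    so editing user_id in the Break tab must not change whose file is touched.
    if req.session_user is None:
        return 401, "login required"
    if req.params.get("user_id") != req.session_user:
        return 403, "user_id does not belong to this session"
    # 2. Token enforcement: a removed or altered token is rejected (constant-time compare).
    token = req.headers.get("X-CSRF-Token", "")
    if not req.session_csrf or not hmac.compare_digest(token, req.session_csrf):
        return 403, "missing or invalid CSRF token"
    # 3. Path traversal: normalise the joined path and require it to stay under FILES_ROOT.
    target = posixpath.normpath(posixpath.join(FILES_ROOT, req.params.get("file", "")))
    if not target.startswith(FILES_ROOT + "/"):
        return 400, "file must be inside the user file area"
    return 200, f"removed {target}"

def run_scenarios() -> dict:
    """Replay the original request and three edits a tester would make while paused in Break."""
    base = dict(params={"user_id": "42", "file": "report.pdf"},
                headers={"X-CSRF-Token": "tok-42"},
                session_user="42", session_csrf="tok-42")
    scenarios = {
        "original": Request(**base),
        "other_user_id": Request(**{**base, "params": {"user_id": "43", "file": "report.pdf"}}),
        "token_removed": Request(**{**base, "headers": {}}),
        "traversal": Request(**{**base, "params": {"user_id": "42", "file": "../../etc/passwd"}}),
    }
    return {name: handle_file_delete(req)[0] for name, req in scenarios.items()}

if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:14} -> {status}")
```

If any of the three edited requests comes back 200 instead of 4xx, the corresponding control is missing, which is exactly the finding the Break tab exercise is designed to surface.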