Proxy Scripts for Request/Response Manipulation

Proxy scripts run on every request and response that passes through the ZAP proxy and can modify it in flight: they can inject or strip headers, rewrite parameters, or transform response bodies. Common uses include adding authentication tokens, bypassing client-side validation, or simulating specific test conditions. The script below is written in Ruby for ZAP's JRuby script engine and defines the two entry points ZAP calls, proxyRequest and proxyResponse, each receiving the HttpMessage being proxied:

# Proxy script to add custom authentication headers (ZAP proxy script, JRuby engine)
def proxyRequest(msg)
    # Add authentication header to all requests (the token value is a placeholder)
    msg.getRequestHeader().setHeader("X-Custom-Auth", "Bearer test-token-12345")

    # Modify User-Agent for specific testing
    if msg.getRequestHeader().getURI().toString().include?("/api/")
        msg.getRequestHeader().setHeader("User-Agent", "ZAP-Security-Tester/1.0")
    end

    # Log modified requests for debugging
    puts "Modified request to: " + msg.getRequestHeader().getURI().toString()

    return true  # Continue processing (returning false drops the request)
end

def proxyResponse(msg)
    # Remove browser-enforced security headers so the page is delivered as if the
    # server never sent them; setHeader(name, nil) deletes the header in ZAP
    msg.getResponseHeader().setHeader("X-Frame-Options", nil)
    msg.getResponseHeader().setHeader("Content-Security-Policy", nil)

    # Inject testing markers into HTML responses. getHeader returns nil when the
    # header is absent, so guard before calling include? on it
    content_type = msg.getResponseHeader().getHeader("Content-Type")
    if content_type && content_type.downcase.include?("text/html")
        body = msg.getResponseBody().toString()
        body = body.gsub("</body>", "<!-- ZAP-TESTED --></body>")
        msg.setResponseBody(body)
        # The body changed size, so keep Content-Length in step with it
        msg.getResponseHeader().setContentLength(msg.getResponseBody().length())
    end

    return true  # Continue processing (returning false drops the response)
end

Proxy scripts execute for every request and response, so their cost is paid on all proxied traffic. Filter early so the script only touches relevant messages (by host, path or content type), use cheap string operations, and avoid blocking calls such as network or file I/O. A script like the one above strips security headers from every response it sees, including out-of-scope sites browsed through the same proxy, so restrict it to the target's scope. Used this way, proxy scripts prove invaluable for complex testing scenarios that require consistent traffic modification.
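The following is an added example, not code from the page or from the ZAP project, showing the scope filtering and nil-safe response rewriting described above factored into plain Ruby functions that can be run and tested outside ZAP. The hostnames, path prefix and sample HTML are constructed values for illustration; the two ZAP entry points at the bottom only wire the helpers onto the HttpMessage API used in the script above and are exercised inside ZAP, not here.

```ruby
# Added example (not from the page): a scope-filtered ZAP proxy script whose
# decision logic is plain Ruby. Inside ZAP the JRuby engine calls
# proxyRequest/proxyResponse with an HttpMessage `msg`; the helpers below only
# see strings, so they run offline with constructed input.
require 'uri'

# Assumed engagement scope (constructed values, not from the page).
IN_SCOPE_HOSTS = ['app.example.test', 'api.example.test'].freeze
IN_SCOPE_PATH  = '/api/'
TEST_MARKER    = '<!-- ZAP-TESTED -->'
# Headers whose absence we want to simulate; removed only for in-scope responses.
STRIPPED_HEADERS = ['X-Frame-Options', 'Content-Security-Policy'].freeze

# True when the URL is on an in-scope host and under the tested path prefix.
# Unparseable or relative URLs count as out of scope so they are never touched.
def in_scope?(url)
  uri = URI.parse(url)
  return false unless uri.host
  IN_SCOPE_HOSTS.include?(uri.host.downcase) && uri.path.start_with?(IN_SCOPE_PATH)
rescue URI::InvalidURIError
  false
end

# True for an HTML media type, tolerant of parameters ("text/html; charset=utf-8"),
# case, and a missing header (nil => false rather than NoMethodError).
def html_content_type?(content_type)
  return false if content_type.nil?
  content_type.split(';').first.strip.casecmp?('text/html')
end

# Insert the marker before the last closing </body> tag (case-insensitive).
# Returns [new_body, changed]; bodies without </body> are returned untouched.
def inject_marker(body, marker = TEST_MARKER)
  idx = body.rindex(%r{</body\s*>}i)
  return [body, false] if idx.nil?
  [body[0...idx] + marker + body[idx..-1], true]
end

# Decide what to do with one response without touching ZAP objects.
# Returns nil for out-of-scope traffic, otherwise a plan the entry point applies.
def plan_response_rewrite(url, content_type, body)
  return nil unless in_scope?(url)
  new_body, changed = html_content_type?(content_type) ? inject_marker(body) : [body, false]
  { strip: STRIPPED_HEADERS, body: new_body, body_changed: changed }
end

# ZAP entry points: thin glue over the helpers, using the HttpMessage calls
# already shown on this page (getRequestHeader, getResponseHeader, setResponseBody).
def proxyRequest(msg)
  return true unless in_scope?(msg.getRequestHeader().getURI().toString())
  msg.getRequestHeader().setHeader('X-Custom-Auth', 'Bearer test-token-12345')
  true
end

def proxyResponse(msg)
  plan = plan_response_rewrite(msg.getRequestHeader().getURI().toString(),
                               msg.getResponseHeader().getHeader('Content-Type'),
                               msg.getResponseBody().toString())
  return true if plan.nil?
  plan[:strip].each { |h| msg.getResponseHeader().setHeader(h, nil) }
  if plan[:body_changed]
    msg.setResponseBody(plan[:body])
    # Body length changed, so keep Content-Length consistent with it.
    msg.getResponseHeader().setContentLength(msg.getResponseBody().length())
  end
  true
end

# Constructed sample response for running the decision logic offline.
SAMPLE_HTML = '<html><head><title>t</title></head><body><p>hi</p></body></html>'

if __FILE__ == $0
  p plan_response_rewrite('https://app.example.test/api/home', 'text/html; charset=utf-8', SAMPLE_HTML)
  p plan_response_rewrite('https://cdn.example.org/lib.js', 'text/javascript', 'x=1')
end
```

Keeping the scope and content-type decisions in functions that never see `msg` is what makes the script cheap to test and cheap to run: the out-of-scope path returns before any header or body is read, and the HTML check never raises on a response with no Content-Type.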