Introduction
Web debugging from a security perspective goes beyond watching network requests in DevTools. It involves understanding the full request/response cycle, intercepting and modifying traffic, and identifying where application logic can be manipulated.
This guide covers the tools and techniques used in day-to-day security research and penetration testing.
Browser DevTools — The Starting Point
Every security test starts here. The Network tab is your primary window into what an application is doing.
Key DevTools Techniques
Preserve logs across navigations:
Network tab → ✅ Preserve logEssential for capturing redirects and auth flows that clear the history.
Filter by request type:
Network tab → XHR/Fetch → See all API callsReplay and modify requests:
- Right-click any request → “Copy as curl”
- Modify and replay in terminal
- Or use DevTools → Network → Right-click → “Edit and Resend” (Firefox)
Override responses:
Sources tab → Overrides → Enable local overrides
Select a JS file → Make edits → Changes persist across reloadsThis is useful for patching client-side validation or modifying JavaScript logic.
Intercepting HTTPS with Burp Suite
Burp Suite is the industry standard for web security testing. Setting it up correctly is critical.
Setup
-
Install Burp Certificate Authority:
- Start Burp → Proxy → Options → Export CA Certificate
- Add to system/browser trust store
- Or visit
http://burpin a proxied browser
-
Configure Browser Proxy:
- Browser → Network Settings → Manual proxy
- Host:
127.0.0.1, Port:8080
-
Intercept traffic:
- Proxy → Intercept → Intercept is on
- Browse the target application
- Requests appear for inspection and modification
Essential Burp Workflows
Intruder for parameter fuzzing:
Right-click request → Send to Intruder
Mark injection points with §
Attack type: Sniper for single parameter, Cluster bomb for multipleRepeater for manual testing:
Right-click request → Send to Repeater
Modify and resend to test individual changes
Compare responses systematicallyScanner for automated discovery:
Right-click target → Scan
Configure audit checks → Run
Review findings in Dashboardmitmproxy — Scriptable Interception
mitmproxy is a powerful open-source HTTPS proxy with a Python scripting API. It’s ideal for automation and custom manipulation.
Installation
pip install mitmproxy
# or
brew install mitmproxy # macOSBasic Usage
# Interactive terminal UI
mitmproxy --listen-port 8080
# Dump all requests to terminal
mitmdump --listen-port 8080
# With upstream proxy (for corporate environments)
mitmproxy --mode upstream:http://corporate-proxy:8080Custom Addon Scripts
The real power of mitmproxy is scripting. Save as addon.py:
from mitmproxy import http
class ModifyRequests:
def request(self, flow: http.HTTPFlow) -> None:
# Log all API calls
if "api." in flow.request.pretty_host:
print(f"API: {flow.request.method} {flow.request.url}")
# Modify Authorization headers
if "Authorization" in flow.request.headers:
print(f"Token: {flow.request.headers['Authorization'][:50]}...")
def response(self, flow: http.HTTPFlow) -> None:
# Capture and log JSON responses
if "application/json" in flow.response.headers.get("content-type", ""):
print(f"Response: {flow.response.text[:200]}")
# Remove security headers for testing
flow.response.headers.pop("Content-Security-Policy", None)
flow.response.headers.pop("X-Frame-Options", None)
addons = [ModifyRequests()]Run with:
mitmproxy --listen-port 8080 -s addon.pyUseful One-Liners
# Save all requests to a HAR file
mitmdump --listen-port 8080 --save-stream-file capture.mitm
# Filter only specific domains
mitmdump --listen-port 8080 --flow-detail 3 "~d target.com"
# Modify a specific parameter in all POST bodies
mitmdump -s <(echo '
from mitmproxy import http
import json
def request(flow):
if flow.request.method == "POST":
try:
body = json.loads(flow.request.text)
if "role" in body:
body["role"] = "admin"
flow.request.text = json.dumps(body)
except:
pass
')Debugging Authentication Flows
Security testing often involves understanding complex auth flows (OAuth, SAML, JWT). Here’s a systematic approach:
JWT Analysis
# Decode JWT without verification (for analysis only)
echo "eyJhbGciOiJIUzI1NiJ9..." | cut -d. -f2 | base64 -d | python3 -m json.tool
# Check for weak signing key
hashcat -a 0 -m 16500 jwt.txt wordlist.txtIn Burp, the JWT Editor extension automatically detects and highlights JWTs, and provides modification/attack capabilities.
OAuth Flow Interception
- Enable Burp intercept
- Trigger OAuth login flow
- Capture the
codeexchange at the callback - Analyse state parameter for CSRF vulnerabilities
- Test for open redirect in the
redirect_uri
Automated Request Modification
For complex scenarios, combine tools:
#!/bin/bash
# Capture API calls, extract tokens, and test with modified parameters
# Step 1: Use mitmdump to capture a session token
mitmdump --listen-port 8080 --save-stream-file session.mitm &
MITM_PID=$!
# Step 2: Let the user authenticate (manual step)
echo "Authenticate in your browser (proxied through 8080)..."
sleep 30
# Step 3: Extract token from captured traffic
TOKEN=$(python3 -c "
import mitmproxy.io
with open('session.mitm', 'rb') as f:
reader = mitmproxy.io.FlowReader(f)
for flow in reader:
auth = flow.request.headers.get('Authorization', '')
if auth.startswith('Bearer '):
print(auth[7:])
break
")
kill $MITM_PID
echo "Captured token: ${TOKEN:0:20}..."Common Findings from Web Debugging
Through systematic web debugging, you’ll commonly find:
- Sensitive data in URL parameters — tokens, IDs, user data in GET parameters that end up in logs
- Insecure direct object references (IDOR) — change a numeric ID in a request to access other users’ data
- Missing authorization on API endpoints — endpoints that work without authentication
- Client-side security controls — disabled by modifying JavaScript or DOM
- Verbose error messages — stack traces, database errors in API responses
- Weak CORS configuration —
Access-Control-Allow-Origin: *on authenticated endpoints - JWT algorithm confusion —
alg: noneaccepted or RS256 confused with HS256
Recommended Toolchain
| Task | Tool |
|---|---|
| Day-to-day web testing | Burp Suite Community/Pro |
| Scripted automation | mitmproxy + Python |
| Quick browser inspection | Chrome DevTools |
| API testing | Bruno or Postman |
| JWT analysis | jwt.io + Burp JWT Editor |
| Traffic recording | Burp Enterprise / HAR export |
| Mobile app traffic | Burp + Android emulator or iOS simulator |