What Is an Intercepting Proxy?
That’s a great question.
An intercepting proxy is commonly used by security professionals in order to understand how an application communicates with a server, and to attempt to find security vulnerabilities by manipulating that traffic. Intercepting proxies are tools we frequently use in penetration testing, but they are also used by developers.
Fundamentally, an intercepting proxy is designed to allow somebody to intercept and manipulate network traffic in transit from a client to a server. Typically, they are talked about in the context of web-based traffic (HTTP). It’s worth noting that technically any proxy will intercept the traffic, but when talking about intercepting proxies, people often mean tools for security professionals.
Most intercepting proxies support the following features:
- View all requests and responses made between a client and a server.
- The ability to trap requests/responses in transit and modify them.
- Support for HTTP/1.1, HTTP/2, and WebSockets.
- Decryption of encrypted traffic (assuming the encryption keys are loaded into the client)
- Taking a request and making further manual requests based on it.
- A level of automation, for example the ability to make requests with enumerating numbers (1-100) to find direct object reference vulnerabilities, or the ability to take a payload list and inject that into a part of the request - for example to carry out password brute forcing.
It’s also really important that they can record a history of requests, so that if you need to go back and check something weeks after you’ve filed a bug report, you can do so.
In addition to the standard features, a proxy may also contain other features, such as:
- Decoding parts of requests which have been encoded.
- The ability to write arbitrary scripts to carry out specific exploits.
- Built-in scans to help find issues.
- Automatically replacing parts of requests.
- Defining a project’s scope and providing warnings if the user is about to go out of scope.
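As an added illustration of the scope feature in the last item (example code written for this page, not taken from any particular proxy), the check below decides whether a URL falls inside an engagement's scope before a request is sent. The `ScopeRule` type, the `check_scope` function and the `example.test` hosts are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

@dataclass(frozen=True)
class ScopeRule:
    host: str                      # exact host, or "*.example.test" for subdomains only
    schemes: tuple = ("https",)
    ports: tuple = (443,)
    path_prefix: str = "/"         # compared as sent; dot segments are not resolved

    def matches(self, scheme, host, port, path):
        if scheme not in self.schemes or port not in self.ports:
            return False
        if self.host.startswith("*."):
            # Match on a label boundary so "evil-example.test" never
            # satisfies "*.example.test".
            if not host.endswith(self.host[1:]):
                return False
        elif host != self.host:
            return False
        prefix = self.path_prefix.rstrip("/")
        return path == prefix or path.startswith(prefix + "/")

def check_scope(url, rules):
    """Return (in_scope, reason) for a URL the proxy is about to request."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    # .hostname drops any "user@" prefix, so the real destination is compared.
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme not in DEFAULT_PORTS or not host:
        return False, "unsupported scheme or missing host"
    if port is None:
        port = DEFAULT_PORTS[scheme]
    for rule in rules:
        if rule.matches(scheme, host, port, parts.path or "/"):
            return True, f"in scope: matched rule {rule.host}"
    return False, f"out of scope: {host}:{port} matches no rule"

# Constructed scope for a hypothetical engagement.
RULES = [ScopeRule("app.example.test"),
         ScopeRule("*.api.example.test", path_prefix="/v1")]

if __name__ == "__main__":
    for u in ("https://app.example.test/login",
              "https://app.example.test@other.test/login"):
        print(u, "->", check_scope(u, RULES)[1])
```

The check fails closed: a URL that cannot be parsed, or that matches no rule, is reported as out of scope so the warning is shown.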
Summary
An intercepting proxy is an essential tool to help security professionals find vulnerabilities. While it is technically possible to use tools built into modern web browsers, or built-in system tools, using a proxy makes the job significantly easier. This allows consultants to find more vulnerabilities in a shorter amount of time. While we’re biased, and obviously we like Pākiki Proxy, there are plenty of other options available as well.