
Aug 1, 2021 - 2 minute read - API Testing API Challenges Evil Tester

Mirror Mode

This post and video show how to use the Mirror Mode in API Challenges.

What are the API Challenges?

Our API Challenges Application has a fully functional cloud hosted API, and a set of challenges to work through.

Mirror Mode

The API has a mirror mode, which lets you experiment with different verbs, headers and configurations: whatever you send, the server echoes back.

In your API tool you will see a response describing the request exactly as the server received it.

e.g.

GET https://apichallenges.herokuapp.com/mirror/request

returns 200. Almost everything sent to the mirror endpoint returns a 200, so you can try any verb without the server rejecting it.

The text response looks like this (this one was captured from a local run, hence the localhost Host header and the loopback IP):

GET http://apichallenges.herokuapp.com/mirror/request

Query Params
============

IP
=======
0:0:0:0:0:0:0:1

Headers
=======
Accept: */*
Content-Length: 0
Host: localhost:4567
User-Agent: insomnia/2021.2.2

Body
====


Only OPTIONS and HEAD respond differently, because HTTP gives them different semantics: OPTIONS reports the methods the endpoint accepts, and HEAD returns the headers with no body.

This is useful for getting started and getting used to your tooling: you can confirm exactly what the tool puts on the wire before you rely on it for a real test.

If you want the response in XML or JSON rather than text, add the relevant Accept header (e.g. Accept: application/json or Accept: application/xml).

Try the Mirror Mode Here

Mirror Mode Reflections

The mirror mode is another way of seeing the ‘true’ request the server received.

You can configure most API tools to send through a proxy like Burp Suite or OWASP ZAP, and the proxy will show you the actual request that the tool sends.

You can also use the Insomnia Timeline to see the request.

In Postman you can use the Postman Console to see the requests.

The Mirror Mode shows you the request received by the server. When run on localhost there are no intermediate systems, so what you see is exactly what the tooling sends.

When run on apichallenges.herokuapp.com you see that the Heroku environment adds additional headers into the request before it reaches the application.

Very often we are not aware that requests are amended on the way to the server, so we never test for it.

The Mirror Mode makes it clear that multiple systems are involved in delivering a request, and each of them can pose a risk to the system under test: anything an intermediary adds to (or strips from) the request reaches the application as if the client had sent it.
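One way to put the reflection above to work is to parse the text-format mirror response shown earlier and diff what the client believes it sent against what the server actually received, so that headers injected by a routing layer stand out. The following is an added example, not code from the API Challenges project or from the post. The first sample is the page's own local capture; the second is a constructed version of the same request as it might look after passing through a hosting platform's router, and the X-Forwarded-*, Via and X-Request-Id headers and the router IP in it are assumptions for illustration, not values taken from the page. The "key: value" layout of the Query Params section is also assumed, since the page shows that section empty.

```python
from typing import Dict, List

# Constructed sample: the text-format mirror response exactly as the page shows it,
# captured from a local run (Host: localhost:4567, loopback IPv6 address).
LOCAL_MIRROR = """GET http://apichallenges.herokuapp.com/mirror/request

Query Params
============

IP
=======
0:0:0:0:0:0:0:1

Headers
=======
Accept: */*
Content-Length: 0
Host: localhost:4567
User-Agent: insomnia/2021.2.2

Body
====
"""

# Constructed sample (assumed, not from the page): the same request as it might arrive
# behind a platform router. The extra headers and the private IP are illustrative.
PROXIED_MIRROR = """GET http://apichallenges.herokuapp.com/mirror/request

Query Params
============

IP
=======
10.1.2.3

Headers
=======
Accept: */*
Content-Length: 0
Host: apichallenges.herokuapp.com
User-Agent: insomnia/2021.2.2
Via: 1.1 vegur
X-Forwarded-For: 203.0.113.7
X-Forwarded-Proto: https
X-Request-Id: req-0001

Body
====
"""


def parse_mirror(text: str) -> Dict[str, object]:
    """Parse the text-format mirror response into method, url, query, ip, headers, body.

    A section starts with a title line followed by a line made only of '=' characters.
    """
    lines = text.splitlines()
    method, url = lines[0].split(" ", 1)
    sections: Dict[str, List[str]] = {}
    current = None
    i = 1
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"="}:  # title line followed by an '=' underline
            current = line.strip()
            sections[current] = []
            i += 2
            continue
        if current is not None and line.strip():
            sections[current].append(line)
        i += 1

    def kv(section: str) -> Dict[str, str]:
        # Split "Name: value" on the first colon only (values such as localhost:4567
        # contain colons); header names are case-insensitive, so lower-case the keys.
        out: Dict[str, str] = {}
        for entry in sections.get(section, []):
            name, _, value = entry.partition(":")
            out[name.strip().lower()] = value.strip()
        return out

    return {
        "method": method,
        "url": url,
        "query": kv("Query Params"),
        "ip": "".join(sections.get("IP", [])).strip(),
        "headers": kv("Headers"),
        "body": "\n".join(sections.get("Body", [])),
    }


def diff_requests(sent: Dict[str, object], received: Dict[str, object]) -> Dict[str, object]:
    """Report what an intermediary added, dropped or rewrote between client and server."""
    sh, rh = sent["headers"], received["headers"]
    return {
        "added": sorted(k for k in rh if k not in sh),
        "dropped": sorted(k for k in sh if k not in rh),
        "changed": sorted(k for k in sh if k in rh and sh[k] != rh[k]),
        "ip_changed": sent["ip"] != received["ip"],
    }


if __name__ == "__main__":
    import json
    report = diff_requests(parse_mirror(LOCAL_MIRROR), parse_mirror(PROXIED_MIRROR))
    print(json.dumps(report, indent=2))
```

Run it with the two samples and the report lists four added headers, a rewritten Host, and a changed IP. The IP the application sees is the router's, not the client's; the client address only survives in X-Forwarded-For, which any client can also set itself, so an application that trusts it for rate limiting or access control is trusting the intermediary chain, which is exactly the risk the mirror makes visible.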

Overview Video

Watch on YouTube

Patreon ad free version

Learn More and Start Testing


You will need a Github account to comment. Or you can contact me with your comment.

I reserve the right to delete spam comments e.g. if your comment adds no value and its purpose is simply to create a backlink to another site offering training, or courses, etc.