# Match and Replace

Match and Replace allows you to modify HTTP requests before they are sent during active scanning. This is useful for changing request methods, modifying headers, or transforming request content.

## 📡 HTTP Method Change

The `changeHttpRequest` and `changeHttpRequestType` fields control HTTP method transformation:

```json
{
  "changeHttpRequest": true,
  "changeHttpRequestType": 1
}
```

| changeHttpRequestType | Behavior                                         |
| --------------------- | ------------------------------------------------ |
| 1                     | 🔄 **POST → GET** — Convert POST requests to GET |
| 2                     | 🔄 **GET → POST** — Convert GET requests to POST |
| 3                     | 🔁 **Toggle** — Switch between GET and POST      |

### 🎯 Use Cases

* 🔓 **Testing for method-based access control bypasses** — Some endpoints enforce different authorization on GET vs POST
* 🔍 **Testing parameter handling** — Check if parameters are processed the same way in different methods
* 🛡️ **Bypassing WAF rules** — Some WAF rules only apply to specific HTTP methods

## 📋 Header Match and Replace

The `Header` field defines find/replace rules that are applied before the request is sent. Depending on `type`, a rule targets the request headers or the payload content:

```json
{
  "Header": [
    {
      "type": "Request",
      "match": "Content-Type: application/x-www-form-urlencoded",
      "replace": "Content-Type: application/json",
      "regex": "String"
    }
  ]
}
```

### ⚙️ Header Object Fields

| Field     | Description                       | Values                                                   |
| --------- | --------------------------------- | -------------------------------------------------------- |
| `type`    | 📍 Where to apply the replacement | `Request` (request headers), `Payload` (payload content) |
| `match`   | 🔍 The pattern to find            | String or regex pattern                                  |
| `replace` | 🔄 The replacement value          | Replacement string                                       |
| `regex`   | ⚙️ Matching mode                  | `String` (literal match) or `Regex` (regular expression match) |

### 📚 Examples

**📄 Change Content-Type:**

```json
{
  "type": "Request",
  "match": "Content-Type: application/x-www-form-urlencoded",
  "replace": "Content-Type: application/json",
  "regex": "String"
}
```

**➕ Add a custom header:**

```json
{
  "type": "Request",
  "match": "\r\n\r\n",
  "replace": "\r\nX-Custom-Header: value\r\n\r\n",
  "regex": "String"
}
```

**🗑️ Remove a header:**

```json
{
  "type": "Request",
  "match": "X-Unwanted-Header: .*\r\n",
  "replace": "",
  "regex": "Regex"
}
```

**💉 Modify payload content:**

```json
{
  "type": "Payload",
  "match": "PLACEHOLDER",
  "replace": "actual_value",
  "regex": "String"
}
```
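A pre-flight check for the fields documented above, as an added example (not code from the extension or its documentation): the hypothetical `lint_profile` helper flags an out-of-range `changeHttpRequestType`, unknown `type` or `regex` values, patterns that do not compile, and regex-looking patterns left in `String` mode, where they would be compared literally. It assumes Python's `re` is close enough to the tool's regex engine for a syntax check; the sample profile is constructed.

```python
import re

METHOD_TYPES = {1, 2, 3}             # POST->GET, GET->POST, toggle
RULE_TYPES = {"Request", "Payload"}
MODES = {"String", "Regex"}
FIELDS = ("type", "match", "replace", "regex")
# Sequences that suggest the author meant a regex, not a literal string.
REGEX_HINT = re.compile(r"\.[*+]|\\[dsw]")

def lint_profile(profile):
    """Return a list of findings for one profile fragment (empty if clean)."""
    findings = []
    if profile.get("changeHttpRequest") and \
            profile.get("changeHttpRequestType") not in METHOD_TYPES:
        findings.append("changeHttpRequestType must be 1, 2 or 3")
    for i, rule in enumerate(profile.get("Header", [])):
        where = f"Header[{i}]"
        missing = [f for f in FIELDS if f not in rule]
        if missing:
            findings.append(f"{where}: missing {', '.join(missing)}")
            continue
        if rule["type"] not in RULE_TYPES:
            findings.append(f"{where}: unknown type {rule['type']!r}")
        if rule["regex"] not in MODES:
            findings.append(f"{where}: unknown mode {rule['regex']!r}")
        elif rule["regex"] == "Regex":
            try:  # assumption: Python's re stands in for the tool's engine
                re.compile(rule["match"])
            except re.error as exc:
                findings.append(f"{where}: match is not a valid regex ({exc})")
        elif REGEX_HINT.search(rule["match"]):
            findings.append(f"{where}: regex-like match is compared literally in String mode")
    return findings

# Constructed sample: one mistake per entry, except the last rule, which is clean.
SAMPLE = {
    "changeHttpRequest": True,
    "changeHttpRequestType": 4,
    "Header": [
        {"type": "Request", "match": "Referer: .*", "replace": "Referer: https://example.test", "regex": "String"},
        {"type": "Request", "match": "X-Unwanted-Header: (.*\r\n", "replace": "", "regex": "Regex"},
        {"type": "Response", "match": "PLACEHOLDER", "replace": "actual_value", "regex": "String"},
        {"type": "Payload", "match": "PLACEHOLDER", "replace": "actual_value", "regex": "String"},
    ],
}

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE)))
```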

## 🔗 Combining with Other Features

### 🔄 Method Change + Header Modification

```json
{
  "changeHttpRequest": true,
  "changeHttpRequestType": 1,
  "Header": [
    {
      "type": "Request",
      "match": "Content-Type: application/x-www-form-urlencoded",
      "replace": "Content-Type: text/plain",
      "regex": "String"
    }
  ]
}
```

This converts POST to GET and changes the Content-Type header.

### 📋 Header Modification + New Headers

```json
{
  "isHeaderValue": true,
  "NewHeaders": ["Origin"],
  "Header": [
    {
      "type": "Request",
      "match": "Referer: .*",
      "replace": "Referer: https://evil.com",
      "regex": "Regex"
    }
  ]
}
```

This adds the payload as the Origin header value while also modifying the Referer header.

## ⚡ Application Order

Match and Replace rules are applied in this order:

1. 🔄 HTTP method change (if `changeHttpRequest: true`)
2. 📋 Header match/replace rules (from `Header` array)
3. 💉 Payload injection into insertion points
4. 🔧 Variable replacement
5. 📡 Request is sent

