# Match and Replace

Match and Replace allows you to modify HTTP requests before they are sent during active scanning. This is useful for changing request methods, modifying headers, or transforming request content.

## 📡 HTTP Method Change

The `changeHttpRequest` and `changeHttpRequestType` fields control HTTP method transformation:

```json
{
  "changeHttpRequest": true,
  "changeHttpRequestType": 1
}
```

| changeHttpRequestType | Behavior                                         |
| --------------------- | ------------------------------------------------ |
| 1                     | 🔄 **POST → GET** — Convert POST requests to GET |
| 2                     | 🔄 **GET → POST** — Convert GET requests to POST |
| 3                     | 🔁 **Toggle** — Switch between GET and POST      |

### 🎯 Use Cases

* 🔓 **Testing for method-based access control bypasses** — Some endpoints enforce different authorization on GET vs POST
* 🔍 **Testing parameter handling** — Check if parameters are processed the same way in different methods
* 🛡️ **Bypassing WAF rules** — Some WAF rules only apply to specific HTTP methods

## 📋 Header Match and Replace

The `Header` field defines find/replace rules applied before the request is sent. Each rule targets either the request headers (`type: Request`) or the payload content (`type: Payload`):

```json
{
  "Header": [
    {
      "type": "Request",
      "match": "Content-Type: application/x-www-form-urlencoded",
      "replace": "Content-Type: application/json",
      "regex": "String"
    }
  ]
}
```

### ⚙️ Header Object Fields

| Field     | Description                       | Values                                                   |
| --------- | --------------------------------- | -------------------------------------------------------- |
| `type`    | 📍 Where to apply the replacement | `Request` (request headers), `Payload` (payload content) |
| `match`   | 🔍 The pattern to find            | String or regex pattern                                  |
| `replace` | 🔄 The replacement value          | Replacement string                                       |
| `regex`   | ⚙️ Matching mode                  | `String` (literal match) or `Regex` (regular expression) |

### 📚 Examples

**📄 Change Content-Type:**

```json
{
  "type": "Request",
  "match": "Content-Type: application/x-www-form-urlencoded",
  "replace": "Content-Type: application/json",
  "regex": "String"
}
```

**➕ Add a custom header:**

```json
{
  "type": "Request",
  "match": "\r\n\r\n",
  "replace": "\r\nX-Custom-Header: value\r\n\r\n",
  "regex": "String"
}
```

**🗑️ Remove a header:**

```json
{
  "type": "Request",
  "match": "X-Unwanted-Header: .*\r\n",
  "replace": "",
  "regex": "Regex"
}
```

**💉 Modify payload content:**

```json
{
  "type": "Payload",
  "match": "PLACEHOLDER",
  "replace": "actual_value",
  "regex": "String"
}
```

## 🔗 Combining with Other Features

### 🔄 Method Change + Header Modification

```json
{
  "changeHttpRequest": true,
  "changeHttpRequestType": 1,
  "Header": [
    {
      "type": "Request",
      "match": "Content-Type: application/x-www-form-urlencoded",
      "replace": "Content-Type: text/plain",
      "regex": "String"
    }
  ]
}
```

This converts POST to GET and changes the Content-Type header from `application/x-www-form-urlencoded` to `text/plain`.

### 📋 Header Modification + New Headers

```json
{
  "isHeaderValue": true,
  "NewHeaders": ["Origin"],
  "Header": [
    {
      "type": "Request",
      "match": "Referer: .*",
      "replace": "Referer: https://evil.com",
      "regex": "Regex"
    }
  ]
}
```

This adds the payload as the Origin header value while also modifying the Referer header.

## ⚡ Application Order

Match and Replace rules are applied in this order:

1. 🔄 HTTP method change (if `changeHttpRequest: true`)
2. 📋 Header match/replace rules (from `Header` array)
3. 💉 Payload injection into insertion points
4. 🔧 Variable replacement
5. 📡 Request is sent
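
A pre-flight check for the profile fields described on this page, as an added example (not part of the original documentation or the scanner's own code). `lint_profile` and the sample profile are constructed for illustration; Python's `re` stands in for the scanner's regex engine, and the String-mode warning is a heuristic.

```python
import json
import re

VALID_TYPES = {"Request", "Payload"}   # `type` values from the field table
VALID_MODES = {"String", "Regex"}      # `regex` values used in the page's examples
# Heuristic (an assumption of this example): tokens that suggest a regex was intended.
REGEX_HINT = re.compile(r"\.[*+]|\\[dsw]|\[[^\]]+\]")


def lint_profile(profile):
    """Return a list of problems found in a profile dict (empty list = clean)."""
    problems = []
    kind = profile.get("changeHttpRequestType")
    if profile.get("changeHttpRequest") and kind not in (1, 2, 3):
        problems.append(f"changeHttpRequestType must be 1, 2 or 3, got {kind!r}")
    for i, rule in enumerate(profile.get("Header", [])):
        tag = f"Header[{i}]"
        missing = [k for k in ("type", "match", "replace", "regex")
                   if not isinstance(rule.get(k), str)]
        if missing:
            problems.append(f"{tag}: missing or non-string field(s) {missing}")
            continue
        if rule["type"] not in VALID_TYPES:
            problems.append(f"{tag}: type {rule['type']!r} is not Request or Payload")
        if rule["regex"] not in VALID_MODES:
            problems.append(f"{tag}: regex mode {rule['regex']!r} is not String or Regex")
        elif rule["regex"] == "Regex":
            try:
                re.compile(rule["match"])  # Python `re` stands in for the scanner's engine
            except re.error as exc:
                problems.append(f"{tag}: pattern does not compile: {exc}")
        elif REGEX_HINT.search(rule["match"]):
            problems.append(f"{tag}: String mode matches {rule['match']!r} literally")
    return problems


# Constructed sample profile with deliberate mistakes (not from the original page).
SAMPLE = json.loads(r"""
{"changeHttpRequest": true, "changeHttpRequestType": 4, "Header": [
  {"type": "Request", "match": "Referer: .*", "replace": "Referer: https://example.test", "regex": "String"},
  {"type": "Request", "match": "X-Unwanted-Header: (.*\r\n", "replace": "", "regex": "Regex"},
  {"type": "Response", "match": "PLACEHOLDER", "replace": "actual_value", "regex": "String"},
  {"type": "Request", "match": "\r\n\r\n", "replace": "\r\nX-Custom-Header: value\r\n\r\n", "regex": "String"}
]}""")

if __name__ == "__main__":
    for problem in lint_profile(SAMPLE):
        print(problem)
```

The last sample rule (the `\r\n\r\n` header-append rule in `String` mode) passes cleanly, while the `Referer: .*` rule is flagged because in `String` mode the `.*` would be matched as literal characters.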
