This post and video show how to use the Mirror Mode in API Challenges.
What are the API Challenges?
Our API Challenges Application has a fully functional cloud hosted API, and a set of challenges to work through.
Mirror Mode
The API has a mirror mode; this allows you to experiment with different verbs and configurations.
You will see, in your API tool, a response showing you the details of the request that you sent.
e.g.
GET https://apichallenges.herokuapp.com/mirror/request
Will return 200… everything (almost) returns a 200.
And…
GET http://apichallenges.herokuapp.com/mirror/request
Query Params
============
IP
=======
0:0:0:0:0:0:0:1
Headers
=======
Accept: */*
Content-Length: 0
Host: localhost:4567
User-Agent: insomnia/2021.2.2
Body
====
Only OPTIONS and HEAD respond differently… because OPTIONS and HEAD should respond differently.
Useful for getting started and getting used to your tooling.
If you want the response in XML or JSON then add the relevant Accept
header.
Mirror Mode Reflections
The mirror mode is another way of seeing the 'true' request received.
You can configure most API tools to use a proxy like Burp Suite or OWASP ZAP, and you will then see the actual request that the tool sends.
You can also use the Insomnia Timeline to see the request.
In Postman you can use the Postman Console to see the requests.
The Mirror Mode shows you the request as received by the server. When run on localhost there are no intermediate systems, so you see exactly what the tooling sends.
When run on apichallenges.herokuapp.com you see that the Heroku environment adds additional headers into the request.
Very often we are not aware of this level of amendment when testing, and so we may not test for it.
The mirror mode makes it clear that multiple systems are involved in issuing a request, and each of them can pose a risk to the system.
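One way to make that amendment visible in a test, as an added example that is not code from the API Challenges project: parse the text form of a mirror response (the layout shown above) and diff its Headers section against the headers the client believes it sent, so anything injected or altered in transit is reported. The sample mirror output is constructed; its X-Forwarded-For line is a stand-in for a platform-injected header, not a claim about which headers Heroku really adds.

```python
"""Parse an API Challenges mirror response (text form) and diff its Headers section
against what the client sent. Added example, not API Challenges project code."""
import re

def parse_mirror(text):
    """Split mirror output into its titled sections (Query Params, IP, Headers, Body)."""
    matches = list(re.finditer(r"^([A-Za-z ]+)\n=+$", text, re.MULTILINE))
    sections = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        chunk = text[m.end():end].strip()
        sections[m.group(1).strip()] = chunk.splitlines() if chunk else []
    return sections

def parse_headers(lines):
    """'Name: value' lines -> dict keyed by lower-cased header name."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def header_diff(sent, mirrored):
    """Headers the server saw but the client never sent, and headers whose value changed."""
    sent = {k.lower(): v for k, v in sent.items()}
    added = {k: v for k, v in mirrored.items() if k not in sent}
    changed = {k: v for k, v in mirrored.items() if k in sent and sent[k] != v}
    return {"added": added, "changed": changed}
# Constructed hosted-run mirror output. The X-Forwarded-For line is a stand-in for a
# platform-injected header; it is not a claim about which headers Heroku really adds.
SAMPLE_MIRROR = """GET http://apichallenges.herokuapp.com/mirror/request
Query Params
============
IP
=======
10.0.0.1
Headers
=======
Accept: */*
Host: apichallenges.herokuapp.com
User-Agent: insomnia/2021.2.2
X-Forwarded-For: 203.0.113.7
Body
====
"""
SENT_HEADERS = {"Accept": "*/*", "Host": "apichallenges.herokuapp.com", "User-Agent": "insomnia/2021.2.2"}

def demo():
    mirrored = parse_headers(parse_mirror(SAMPLE_MIRROR)["Headers"])
    return header_diff(SENT_HEADERS, mirrored)
```

Running the same diff against a localhost mirror and a hosted one shows which headers each layer of infrastructure contributes, which is exactly the difference the tooling alone hides.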