Chapter 40. Leverage Data-Flow Analysis in Your Security Practices

Manuel Walder

In penetration testing, it is standard practice to record and analyze an application's HTTP data flow in order to understand the application and how its functions work. This is usually done with an intercepting proxy such as the open source Zed Attack Proxy (ZAP): the browser's traffic is routed through the proxy, stored there, and can then be inspected visually. The same method is rarely applied in other security practices, although it can add significant value with little effort.

Recording and visualizing the HTTP data flow across all functions of a web application has proven valuable for us in many practices. A record of the data flow between the browser and the backend creates transparency: it shows how a function is actually used, in a form that is easy to understand. Let me share some examples.

In threat modeling sessions for existing functions, the implementation may diverge significantly from the developer's description or from the function's documentation. Opening the session with a recording of the data flow gives participants a shared overview. The recording can serve as the basis for a data flow diagram that shows the real implementation of a function and also shows the ...
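A proxy recording becomes useful outside pen testing once it is reduced to an inventory of flows: which endpoints the browser talks to, with which parameters and credentials, and across which hosts. The following is an added example, not code from this chapter: it reads a HAR 1.2 export (the interchange format that intercepting proxies such as ZAP can produce; that your proxy offers such an export is an assumption here) and summarizes it as flows keyed by host, method and path, which is the raw material for a data flow diagram. The sample HAR, its hosts, paths and values are constructed for the example.

```python
"""Reduce a recorded HTTP data flow (HAR 1.2 export) to a flow inventory
that can be turned into a data flow diagram for threat modeling."""
import json
from urllib.parse import urlsplit

# Constructed sample of a HAR 1.2 log, the shape an intercepting proxy exports
# after a browser session. Hosts, paths, headers and values are hypothetical.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://app.example.test/login",
                 "headers": [], "queryString": [], "cookies": []},
     "response": {"status": 200, "cookies": [{"name": "session"}]}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/login",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "queryString": [], "cookies": [{"name": "session"}],
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"user": "alice", "password": "x"})}},
     "response": {"status": 200, "cookies": []}},
    {"request": {"method": "GET", "url": "https://app.example.test/api/orders?page=2",
                 "headers": [{"name": "Authorization", "value": "Bearer eyJ..."}],
                 "queryString": [{"name": "page", "value": "2"}], "cookies": []},
     "response": {"status": 200, "cookies": []}},
    {"request": {"method": "POST", "url": "https://analytics.example.test/collect",
                 "headers": [], "queryString": [], "cookies": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "uid", "value": "42"}]}},
     "response": {"status": 204, "cookies": []}},
]}})


def _param_names(request):
    """Names (never values) of the parameters a request carries: query string,
    form fields, or the top-level keys of a JSON body."""
    names = {q["name"] for q in request.get("queryString", [])}
    post = request.get("postData") or {}
    names |= {p["name"] for p in post.get("params", [])}
    if "json" in post.get("mimeType", "") and post.get("text"):
        try:
            body = json.loads(post["text"])
            if isinstance(body, dict):
                names |= set(body.keys())
        except ValueError:
            pass  # declared JSON but not parseable; record nothing rather than guess
    return names


def _auth_evidence(request):
    """What the request presents as identity: the Authorization scheme and cookie names."""
    evidence = set()
    for h in request.get("headers", []):
        if h["name"].lower() == "authorization":
            evidence.add("Authorization: " + h["value"].split(" ")[0])
    for c in request.get("cookies", []):
        evidence.add("cookie:" + c["name"])
    return evidence


def build_flow_inventory(har_text):
    """Group the recorded requests into flows keyed by (host, method, path)."""
    flows = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        key = (parts.netloc, req["method"].upper(), parts.path)
        flow = flows.setdefault(key, {"count": 0, "params": set(),
                                      "auth": set(), "sets_cookies": set()})
        flow["count"] += 1
        flow["params"] |= _param_names(req)
        flow["auth"] |= _auth_evidence(req)
        flow["sets_cookies"] |= {c["name"] for c in entry.get("response", {}).get("cookies", [])}
    return flows


def cross_boundary_flows(flows, primary_host):
    """Flows that leave the application's own host: each one crosses a trust boundary
    and deserves its own arrow in the data flow diagram."""
    return sorted(k for k in flows if k[0] != primary_host)


def render(flows):
    """One line per flow, in the form a threat modeling session can read aloud."""
    return [f"{m} {h}{p}  x{f['count']}  params={sorted(f['params'])}  "
            f"auth={sorted(f['auth'])}  sets_cookies={sorted(f['sets_cookies'])}"
            for (h, m, p), f in sorted(flows.items())]


if __name__ == "__main__":
    inventory = build_flow_inventory(SAMPLE_HAR)
    print("\n".join(render(inventory)))
    print("trust boundary crossings:", cross_boundary_flows(inventory, "app.example.test"))
```

Only parameter names and cookie names are kept, not their values, so the inventory can be shared with a threat modeling group without circulating captured credentials. In the sample, the last flow carries a user identifier to a second host, which is exactly the kind of boundary crossing that documentation tends to omit and a recording makes visible.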
