How can I replace particular file body returned to browser by remote server but leave the original respond header mostly unchanged/intact/unaffected/unaltered/untouched? (I don't know which English word is best in this context so please: fix my question!)
This probably may be done using penetration testing proxy (Burp, OWASP ZAP, Charles, Fiddler, Paros etc.) but I don't find suitable option to mapping respond body to local file body without dropping important header fields (Set-Cookie, Content-Type etc.). There is not problem with rewriting only part of body using regular expression pattern. There is also not problem with remapping whole file (based on URL), however, it generates a new header instead of duplicating the original returned by server. I know that my local file may be differ in size from that on the server so Content-Length field should be altered by proxy. There are probably other fields in header that should be modified by penetration testing tool but fields such as Set-Cookie, Content-Type and some other selected and as well all customized fields (as the ones prefixed by X-) should be preserved.
Should I write an extension or some kind of script to any of these tools? If so, then I can search for API reference of chosen tool but which penetration testing tool should I chose to write in my favorite language which is Python? Any help in pointing to particular API needed for this purpose will be appreciated. This script should:
Content-Length header fieldThe above list suggests which elements of API are needed to point me to. Ideally it would be if there is embedded option for described task in any tool but if such option does not exist then API of which tool should I learn to code in Python and on which API parts should I pay special attention? Because of portability, chosen tool should not be dependent on .NET (so using Fiddler will be a problem in this situation). Java-dependent tools are OK because there is no problem with using portable Java runtime environment.
Yes, you can do this with OWASP ZAP.
ZAP supports lots of scripting languages including python (actually jython;). You can change anything to do with requests and responses using proxy scripts. You have full access to all of the information about the requests and responses, all of the ZAP functionality and your local filestore.
We have some examples here: https://github.com/zaproxy/community-scripts/tree/master/proxy None of those examples actually use python, but there is an example python script in https://github.com/zaproxy/community-scripts/tree/master/payloadgenerator You will need to install the python scripting add-on which includes the necessary templates: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsJythonJython
If you have specific questions about ZAP scripting then we have a group just for that purpose: http://groups.google.com/group/zaproxy-scripts