Capture POST Requests on Webserver / Website

Sometimes you just want to see what someone is sending to your website. But how? Access logs by themselves can be pretty vanilla, you can see that a user made a POST request, but what exactly did they send?

Caution: This could include sensitive information like log in credentials, credit card information, and other sensitive data. Oh yeah, it will create massive log files that could create Disk I/O issues as well. Recommend doing this in a testing, troubleshooting, capacity only.

DumpIO Module for Apache

You can see what's in the POST request by using the dumpio module for Apache

# a2enmod dump_io
Note: Fedora, CentOS and Red Hat enable this module by default.

Restart Apache after enabling the module.

#systemctl restart apache2

Configure DumpIO Module

Now enable the module on the domain you are interested in by updating the vhosts file:

DumpIOInput On
DumpIOOutput On
LogLevel dumpio:trace7

It will sit inside your <virtualhost> directive, so something like this:

<VirtualHost *:443>
    ServerAdmin  ...
    DocumentRoot ...
    ErrorLog ...
    CustomLog ...

    DumpIOInput On
    DumpIOOutput On
    LogLevel dumpio:trace7

Restart apache

#systemctl restart apache2

Confirm Module is Working

Test it by sending a post request to your site. You can do this using something like curl:

# curl -d "user=user1&pass=abcd" -X POST

Now parse your error log to find the output:

# cat /var/log/apache2/defragged.error.log | grep "user1"

Should see something like this:

[Tue May 11 20:14:17.972056 2021] [dumpio:trace7] [pid 10215] mod_dumpio.c(103): [client 
[ip-address]:56886] mod_dumpio: dumpio_in (data-TRANSIENT): user=user1&pass=abcd
This serves as a great administration tool for network / site / security administrators 
trying to understand what users are doing on their website.

Posted in   Networking_Tips   Troubleshooting   Linux   Apache     by noc_team

Improve Your Websites Speed and Security