How to capture POST Requests on Webserver / Website

Sometimes you just want to see what someone is sending to your website. But how? Access logs by themselves can be pretty vanilla: you can see that a user made a POST request, but what exactly did they send?

Caution: This could capture sensitive data such as login credentials and credit card information. It will also create massive log files that could cause disk I/O issues. I recommend doing this in a testing or troubleshooting capacity only.

You can see what's in the POST request by using the dumpio module for Apache:

# a2enmod dump_io

Note: Fedora, CentOS and Red Hat enable this module by default.

Restart Apache after enabling the module.

# systemctl restart apache2

Now enable the module on the domain you are interested in by updating the vhosts file:

DumpIOInput On
DumpIOOutput On
LogLevel dumpio:trace7

These directives sit inside your <VirtualHost> block, so something like this:

<VirtualHost *:443>
    ServerAdmin  ...
    DocumentRoot ...
    ErrorLog ...
    CustomLog ...

    DumpIOInput On
    DumpIOOutput On
    LogLevel dumpio:trace7
</VirtualHost>

Restart Apache:

# systemctl restart apache2

Test it by sending a POST request to your site. You can do this using something like curl (replace the placeholder URL with your own site):

# curl -d "user=user1&pass=abcd" -X POST https://<your-site>/

Now parse your error log to find the output:

# cat /var/log/apache2/defragged.error.log | grep "user1"

You should see something like this:

[Tue May 11 20:14:17.972056 2021] [dumpio:trace7] [pid 10215] mod_dumpio.c(103): [client [ip-address]:56886] mod_dumpio: dumpio_in (data-TRANSIENT): user=user1&pass=abcd
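Because these lines hold credentials in clear text (see the caution above), one way to review them is to pull the form bodies out of the error log and mask sensitive fields before the output goes anywhere else. This is an added example, not part of the original post; the field names in SENSITIVE and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumed list of sensitive form field names; adjust for your application.
SENSITIVE = {"pass", "password", "passwd", "pwd", "token", "card", "cvv"}

# Input-side mod_dumpio data lines, following the log line shown above.
DUMPIO_IN = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?\[client (?P<client>[^\]]+)\] "
    r"mod_dumpio:\s+dumpio_in \(data-[A-Z]+\): (?P<data>.*)$"
)
# A urlencoded body: key=value pairs joined by '&', no whitespace.
FORM_BODY = re.compile(r"^[^\s=&]+=[^\s&]*(?:&[^\s=&]+=[^\s&]*)*$")


def redact_body(body):
    """Mask values of sensitive fields, leaving other pairs untouched."""
    pairs = []
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key).lower() in SENSITIVE:
            value = "[REDACTED]"
        pairs.append(f"{key}={value}")
    return "&".join(pairs)


def extract_posts(lines):
    """Return (timestamp, client, redacted_body) for each captured form body."""
    found = []
    for line in lines:
        m = DUMPIO_IN.match(line.rstrip("\n"))
        if m and FORM_BODY.match(m["data"]):
            found.append((m["ts"], m["client"], redact_body(m["data"])))
    return found


# Constructed sample lines (documentation IP), modelled on the output above.
SAMPLE = [
    "[Tue May 11 20:14:17.972001 2021] [dumpio:trace7] [pid 10215] mod_dumpio.c(103): "
    "[client 192.0.2.10:56886] mod_dumpio: dumpio_in (data-HEAP): Host: example.test\\r\\n",
    "[Tue May 11 20:14:17.972056 2021] [dumpio:trace7] [pid 10215] mod_dumpio.c(103): "
    "[client 192.0.2.10:56886] mod_dumpio: dumpio_in (data-TRANSIENT): user=user1&pass=abcd",
    "[Tue May 11 20:14:18.000100 2021] [core:info] [pid 10215] unrelated message",
]

if __name__ == "__main__":
    for ts, client, body in extract_posts(SAMPLE):
        print(ts, client, body)
```

To run it against a real log, pass an open file handle for the error log to `extract_posts` instead of `SAMPLE`.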

Besides being cool, this also serves as a great administration tool for network, site, and security administrators trying to understand what users are doing on their website.
