Interceptor Guide - PhantomYerra Help

What the Interceptor Does

The Interceptor operates as a local man-in-the-middle proxy. All traffic from your browser flows through PhantomYerra before reaching the target. You can pause any request, inspect it, modify it, and then forward or drop it. This is the foundation of manual web application testing — it gives you full visibility and control over every byte that leaves the browser.

Full request/response capture — Every HTTP/HTTPS request and response is logged with headers, body, timing, and TLS details.
Live modification — Edit any part of a request (method, URL, headers, cookies, body) before it reaches the server.
WebSocket interception — Capture and modify WebSocket frames in both directions (client-to-server and server-to-client).
Breakpoints — Pause requests matching specific criteria (URL pattern, method, header value, body content) for manual inspection.
TLS interception — Transparent HTTPS decryption with PhantomYerra's CA certificate installed in the browser.
Evidence-grade logging — Every intercepted request/response pair is SHA-256 hashed and timestamped for forensic-quality evidence.
Scope filtering — Only intercept traffic to in-scope targets. Out-of-scope requests pass through untouched.

Step 1: Proxy Setup

PhantomYerra runs a local proxy on 127.0.0.1:8080 by default. You need to configure your browser to route traffic through this proxy.

Default Proxy Settings

Setting	Value
Proxy Address	`127.0.0.1`
HTTP Port	`8080`
SOCKS Port	`8081` (optional)
Protocol	HTTP/HTTPS/WebSocket

Custom Port: If port 8080 is already in use, change the proxy port in Settings → Interceptor → Proxy Port. PhantomYerra will validate the port is available before binding.

Browser Configuration

Option A: Use PhantomYerra's Built-in Browser

PhantomYerra includes an embedded Chromium browser pre-configured with the proxy and CA certificate. Click Interceptor → Open Browser to launch it. No manual configuration needed.

Option B: Configure Firefox

1

Open Network Settings

Navigate to Settings → General → Network Settings → Settings...
2

Set Manual Proxy

Select Manual proxy configuration. Set HTTP Proxy to 127.0.0.1, Port 8080. Check Also use this proxy for HTTPS.
3

Set No Proxy For

Leave the "No proxy for" field empty, or add addresses you want to exclude from interception (e.g., localhost, 127.0.0.1 if testing a local app).

Option C: Configure Chrome

1

Launch with Proxy Flag

Close all Chrome windows. Launch Chrome from the command line:

chrome.exe --proxy-server="http://127.0.0.1:8080"

Or use PhantomYerra's Launch Chrome with Proxy button, which does this automatically.
2

System Proxy (Alternative)

On Windows: Settings → Network & Internet → Proxy → Manual proxy setup. Set address 127.0.0.1, port 8080.

Step 2: CA Certificate Installation

To intercept HTTPS traffic, your browser must trust PhantomYerra's Certificate Authority (CA). Without this, the browser will show certificate warnings for every HTTPS site.

Export the Certificate

Click Interceptor → Export CA Certificate. PhantomYerra saves the CA certificate as phantomyerra-ca.pem to your chosen directory.

Install in Firefox

1

Import Certificate

Go to Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import. Select the exported phantomyerra-ca.pem file.
2

Trust Settings

Check Trust this CA to identify websites. Click OK.

Install in Chrome / Edge (Windows)

1

Open Certificate Manager

Press Win+R, type certmgr.msc, press Enter.
2

Import to Trusted Root

Navigate to Trusted Root Certification Authorities → Certificates. Right-click → All Tasks → Import. Select the phantomyerra-ca.pem file and complete the wizard.

Install on Linux

sudo cp phantomyerra-ca.pem /usr/local/share/ca-certificates/phantomyerra-ca.crt sudo update-ca-certificates

Auto-Install: Click Interceptor → Install CA Certificate and PhantomYerra will attempt to install the certificate automatically on your operating system. You may need to approve an administrator prompt.

Step 3: Intercepting and Modifying Requests

Enabling Interception

Toggle the Intercept switch to ON. When enabled, requests matching your scope and breakpoint rules will pause and appear in the Interceptor panel for manual review.

The Interceptor Panel

When a request is intercepted, you see:

Request tab — Full HTTP request: method, URL, headers, cookies, and body. All fields are editable.
Response tab — After forwarding, the server response appears here. Also editable before the browser receives it.
Hex tab — Raw hex view of the request/response body. Useful for binary protocols.
WebSocket tab — WebSocket frames displayed in a sequential message log.

Actions on an Intercepted Request

Action	Shortcut	Description
Forward	`F`	Send the (possibly modified) request to the server.
Drop	`D`	Discard the request. The browser receives no response (connection reset).
Forward All	`Shift+F`	Forward this and all currently queued requests without pausing.
Send to Repeater	`Ctrl+R`	Copy the request to the Repeater for manual testing.
Send to Intruder	`Ctrl+I`	Copy the request to the Intruder for fuzzing.
Capture Evidence	`Ctrl+E`	Hash and timestamp the request/response pair as evidence.

Modifying a Request

With a request paused in the Interceptor, you can edit any field:

# Original intercepted request POST /api/transfer HTTP/1.1 Host: banking-app.com Cookie: session=eyJhbGciOi... Content-Type: application/json {"from_account": "12345", "to_account": "67890", "amount": 100} # Modified before forwarding — testing IDOR {"from_account": "99999", "to_account": "67890", "amount": 100} # Changed from_account to another user's account ID

Breakpoints

Breakpoints let you selectively intercept only the requests you care about, rather than pausing on every single request. Configure breakpoints from Interceptor → Breakpoints.

Breakpoint Types

Type	Match On	Example
URL Pattern	Request URL (regex)	`/api/admin.*` — intercept all admin API calls
Method	HTTP method	`POST, PUT, DELETE` — intercept all state-changing requests
Header Match	Header name:value	`Authorization: Bearer.*` — intercept requests with auth tokens
Body Contains	Request body content	`password` — intercept any request containing "password" in the body
Status Code	Response status (response breakpoint)	`401, 403` — pause when server returns unauthorized/forbidden
MIME Type	Response content type	`application/json` — only intercept JSON responses

Combining Breakpoints

Multiple breakpoints combine with AND/OR logic. For example: intercept only POST requests to /api/transfer that contain amount in the body.

WebSocket Interception

Modern web applications often use WebSockets for real-time communication. PhantomYerra intercepts WebSocket connections and displays individual frames.

Frame log — Every WebSocket frame is displayed with direction (client/server), timestamp, opcode (text, binary, ping, pong), and payload.
Frame editing — Pause outgoing frames, modify the payload, and forward. Test for injection in WebSocket-based APIs.
Auto-detect JSON — JSON payloads in WebSocket frames are automatically pretty-printed and syntax-highlighted.
Match & Replace — Define rules to automatically modify WebSocket frames matching a pattern, without manual interception.

# WebSocket frame log example [14:32:01] CLIENT → {"action":"getBalance","accountId":"12345"} [14:32:01] SERVER ← {"balance":5000.00,"currency":"USD"} [14:32:05] CLIENT → {"action":"getBalance","accountId":"99999"} <— MODIFIED (IDOR test) [14:32:05] SERVER ← {"balance":125000.00,"currency":"USD"} <— DIFFERENT USER'S DATA

HTTP History

All traffic flowing through the Interceptor is logged in the HTTP History panel, whether or not interception is enabled. This gives you a complete record of every request and response.

History Features

Searchable — Filter by URL, method, status code, MIME type, response size, or response time.
Color-coded — Requests are highlighted by type: blue for API calls, orange for authentication, red for errors, green for static resources.
Tagging — Tag interesting requests for later review. Tags are searchable and persist across sessions.
Export — Export history to HAR format for sharing or analysis in other tools.
Compare — Select two requests and compare them side-by-side, highlighting differences in headers and body.

Match & Replace Rules

Define persistent rules that automatically modify requests or responses flowing through the proxy. Useful for session manipulation, header injection, and response tampering tests.

Target	Match	Replace	Use Case
Request Header	`X-Forwarded-For: .*`	`X-Forwarded-For: 127.0.0.1`	IP restriction bypass testing
Request Body	`"role":"user"`	`"role":"admin"`	Privilege escalation testing
Response Header	`X-Frame-Options: DENY`	(remove)	Clickjacking testing with header removed
Response Body	`isAdmin":false`	`isAdmin":true`	Client-side authorization bypass

Scope Configuration

Define which hosts and paths are in scope for interception. Out-of-scope traffic passes through the proxy without being logged or intercepted.

Scope Rules

Include — Only intercept traffic matching these patterns. Example: *.target.com
Exclude — Never intercept traffic matching these patterns, even if it matches an include rule. Example: *.google.com, *.cdn.cloudflare.com
Protocol filter — Limit scope to HTTP, HTTPS, or both.
Port filter — Only intercept traffic on specific ports (e.g., 443, 8443).

Project scope sync: If you defined a target scope in the Scan Wizard, the Interceptor automatically inherits that scope. You can refine it further in the Interceptor settings.

Keyboard Shortcuts

Shortcut	Action
`F`	Forward intercepted request
`D`	Drop intercepted request
`Shift+F`	Forward all queued requests
`Ctrl+R`	Send to Repeater
`Ctrl+I`	Send to Intruder
`Ctrl+E`	Capture as evidence
`Ctrl+T`	Toggle interception on/off
`Ctrl+L`	Clear HTTP history
`Ctrl+F`	Search in current request/response
`Ctrl+B`	Add breakpoint from current request

Tip: Use Ctrl+T to quickly toggle interception. When you only need to observe traffic without modifying it, turn interception off — all traffic still appears in the HTTP History.

Interceptor — HTTP/WebSocket Proxy