Changed the order of explanation of setting up ZAP/Burp a bit (feedback from workshop). This makes the necessary steps more explicit by moving all extra configuration for https etc. to the back. So when you follow the lesson you will only set up the minimal and not get confused about things which are only necessary in certain cases.

Nanne Baars 2020-04-13 15:16:45 +02:00 committed by Nanne Baars
parent 9509993a8f
commit 122cc323f2
10 changed files with 141 additions and 158 deletions


@ -18,10 +18,6 @@
<div class="adoc-content" th:replace="doc:3browsersetup.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:4checksetup.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:5configurefilterandbreakpoints.adoc"></div>
</div>
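Review bot: if, as the -10/+6 header suggests, the `4checksetup.adoc` wrapper is what this hunk drops, every lesson page after it moves up by one, so the `link:start.mvc#lesson/HttpProxies.lesson/N` indices on the intro page need re-checking. The intro hunk in this commit only changes the Burp link from 9 to 8 and leaves Filtering (5), the assignment (6) and Replaying with ZAP (7) untouched, even though `5configurefilterandbreakpoints.adoc` sits directly after the removed page here. Suggest deriving the indices from the wrapper order and clicking through each link in a running instance before merging.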
@ -50,6 +46,9 @@
<div class="adoc-content" th:replace="doc:8httpsproxy.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:9burp.adoc"></div>
<div class="adoc-content" th:replace="doc:9manual.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:10burp.adoc"></div>
</div>
</html>
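Review bot: `10burp.adoc` is placed one wrapper after `9manual.adoc`, yet this commit points both the intro's "Replaying requests with Burp" link and the Burp page's own "follow the steps described here first" link at `HttpProxies.lesson/8`. Both cannot be right: if the manual page is 8, the Burp link in the intro should be 9 (or the other way round). Pick one numbering and update the other reference in the same commit.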


@ -1,5 +1,5 @@
== What's an HTTP Proxy
== What's a HTTP Proxy
A proxy is some forwarder application that connects your http client to backend resources. HTTP clients can be browsers, or applications like curl, SOAP UI, Postman, etc. Usually these proxies are used for routing and getting access to internet when there is no direct connection to internet from the client itself.
HTTP proxies are therefore also ideal when you are testing your application. You can always use the proxy log records to see what was actually sent from client to server. So you can check the request and response headers and the XML, JSON or other payload.
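Review bot: the heading change from "What's an HTTP Proxy" to "What's a HTTP Proxy" introduces a grammatical error; HTTP is read "aitch-tee-tee-pee", so "an HTTP proxy" is the correct article. Suggest reverting that line. While this paragraph is in the hunk anyway, "some forwarder application" reads better as "a forwarding application" and "getting access to internet" as "getting access to the internet".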
@ -19,4 +19,4 @@ You can go through all lesson pages or click on these links to skip some pages.
* link:start.mvc#lesson/HttpProxies.lesson/5[Filtering] requests with ZAP
* link:start.mvc#lesson/HttpProxies.lesson/6[A proxy assignment] with ZAP
* link:start.mvc#lesson/HttpProxies.lesson/7[Replaying requests] with ZAP
* link:start.mvc#lesson/HttpProxies.lesson/9[Replaying requests] with Burp
* link:start.mvc#lesson/HttpProxies.lesson/8[Replaying requests] with Burp
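Review bot: the skip-link list gains nothing for the two pages this commit moves "to the back" (the HTTPS proxy page and the new manual proxy configuration page). Since the whole point of the reorder is that those pages are only needed in certain cases, a reader who does hit a certificate warning or a localhost-not-proxied problem has no direct way to jump there from the overview. Suggest adding one link each, e.g. "* link:start.mvc#lesson/HttpProxies.lesson/<index>[Manual proxy configuration] for Burp or when the ZAP browser button does not work", with the index taken from the wrapper order in the HTML.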


@ -1,35 +1,36 @@
== Burp
Another proxy that is used a lot is Burp. One of the exercises in WebGoat can only be resolved with Burp and not yet with OWAP ZAP.
Burp community edition can be downloaded as a plain jar file https://portswigger.net/burp/communitydownload[Burp download,window=_blank]
java -jar burpsuite_community_v2.1.04.jar
Ignore the warning on using JDK11.
Choose `temporary project`, followed by `use burp defaults`.
Go to the proxy options and change it to use port 8090
image::images/burpproxy.png[Burp proxy options,style="lesson-image"]
On this page you can also export the Burp certificate and import it into your browser. Similar as in the instructions in previous pages.
Go to the proxy intercept page and click on the toggle so that intercept is switched off. (By default nd in the picture below it is switched on)
image::images/burpintercept.png[Burp intercept,style="lesson-image"]
The start a browser connected to the proxy and start using WebGoat.
Now adjust the intercept request setting by extending the rule on what not to intercept:
image::images/burpfilterclient.png[Burp client request filter,style="lesson-image"]
Use e.g.: (\^mvc$|^txt$|\^woff$|^lesson$|\^gif$|^jpg$|\^png$|^css$|\^js$|^ico$)
Then enable the intercept by click on the earlier mentioned toggle.
An intercept will look like:
image::images/burpintercepted.png[Burp client request filter,style="lesson-image"]
Finally you can look at the history and add filters for the history and replay requests, from this screen:
image::images/burpfilter.png[Burp history,style="lesson-image"]
== Burp
Another proxy that is used a lot is Burp. One of the exercises in WebGoat can only be resolved with Burp and not yet with OWAP ZAP.
Burp can only be configured manually, please follow the steps described link:start.mvc#lesson/HttpProxies.lesson/8[here] first.
Burp community edition can be downloaded as a plain jar file https://portswigger.net/burp/communitydownload[Burp download,window=_blank]
java -jar burpsuite_community_v2.1.04.jar
Ignore the warning on using JDK11.
Choose `temporary project`, followed by `use burp defaults`.
Go to the proxy options and change it to use port 8090
image::images/burpproxy.png[Burp proxy options,style="lesson-image"]
On this page you can also export the Burp certificate and import it into your browser. Similar as in the instructions in previous pages.
Go to the proxy intercept page and click on the toggle so that intercept is switched off. (By default nd in the picture below it is switched on)
image::images/burpintercept.png[Burp intercept,style="lesson-image"]
The start a browser connected to the proxy and start using WebGoat.
Now adjust the intercept request setting by extending the rule on what not to intercept:
image::images/burpfilterclient.png[Burp client request filter,style="lesson-image"]
Use e.g.: (\^mvc$|^txt$|\^woff$|^lesson$|\^gif$|^jpg$|\^png$|^css$|\^js$|^ico$)
Then enable the intercept by click on the earlier mentioned toggle.
An intercept will look like:
image::images/burpintercepted.png[Burp client request filter,style="lesson-image"]
Finally you can look at the history and add filters for the history and replay requests, from this screen:
image::images/burpfilter.png[Burp history,style="lesson-image"]
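Review bot: the added sentence "Burp can only be configured manually, please follow the steps described ... first" is ambiguous about what gets configured. Burp itself is configured in the steps that follow; what has to be done by hand is pointing the browser at Burp, whereas the ZAP pages use ZAP's browser button for that. Suggest: "Unlike ZAP, this lesson does not start a pre-configured browser for Burp, so first set up your browser manually as described here." Since the page is rewritten wholesale in this hunk, this is also the moment to fix the typos it carries: "OWAP ZAP", "(By default nd in the picture below", "The start a browser", "by click on the earlier mentioned toggle", "Similar as in the instructions". Finally, "export the Burp certificate and import it into your browser. Similar as in the instructions in previous pages" now refers to instructions that, after this commit, live on the HTTPS page and describe ZAP's CA; say explicitly that the same import steps apply with the CA exported from Burp.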


@ -8,31 +8,6 @@ Since this is an OWASP project, we'll be using OWASP ZAP. If you are comfortable
* First download and install ZAP 2.8.0 for your operating system
* Start ZAP
* Configure the proxy to use a free port, e.g. 8090
* Export the ZAP root certificate
=== link:start.mvc#lesson/HttpProxies.lesson/3[Configuring your browser to use the ZAP proxy]
The example is for Firefox. It should work similarly for other browsers.
* Make sure you can change the certificate store and network proxy settings, use a portable browser version if necessary
* Import the ZAP root certificate in your trusted certificates
* Change the network proxy settings
=== Additional config when running locally
If you run the WebGoat application on localhost, Firefox and ZAP behave differently than when it's on a remote IP address.
* Adjust your hostfile and use a fake hostname, otherwise Firefox will not forward to the proxy
* For ZAP do not use the exclude from proxy option as it will drop the requests entirely
* Start the brower directly from ZAP
If you use the latest ZAP version (>= 2.8.0) you only need to start ZAP and click the browser button to be able to
proxy, see image below:
image::images/zap-browser-button.png[ZAP Start,style="lesson-image"]
{nbsp}+
To setup a different browser continue to the next page and read how to set it up in section: 'Configure the browser'.
In all other cases you can skip the next page and continue to the page titled 'Confirm it's working' to check whether it is working.
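Review bot: the closing guidance "continue to the page titled 'Confirm it's working'" names a page this commit deletes (the 19-line removal further down) and folds into the browser-setup page. If that sentence survives the -31/+6 trim, reword it to point at the check at the end of the browser-setup page; if the sentence is among the removed lines, nothing to do. Same applies to "brower" and "To setup" (should be "browser", "To set up") if those lines remain.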


@ -4,7 +4,6 @@
. First download and install ZAP 2.8.0 for your operating system
. Start ZAP
. Configure the proxy to use a free port, e.g. 8090
. Export the ZAP root certificate
=== Start ZAP
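Review bot: dropping ". Export the ZAP root certificate" from the step list leaves no hint where certificate handling went. Because this list is meant to be the minimal path, one line after ". Configure the proxy to use a free port, e.g. 8090" such as "Exporting and importing the ZAP certificate is only needed for https and is described on the HTTPS proxy page" would stop readers from hunting for it when the browser shows a certificate warning.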
@ -21,9 +20,3 @@ image::images/zap-local-proxy-8090.png[ZAP local proxy,style="lesson-image"]
In the options menu, you can also change the language. By default it is set with the language setting of your operating system. The examples are shown in English.
=== Export the certificate
Depending on the local installation of tools, ZAP can start a browser directly with some adjusted options like network settings and certificate adjustments. However, this step should be done if you want to start your browser independently of ZAP. To be able to use the browser, the browser needs the certificate, which can be exported here:
image::images/rootca.png[ZAP root CA,style="lesson-image"]
image::images/savecerts.png[ZAP save CA,style="lesson-image"]


@ -1,67 +1,27 @@
== Setting up browser
. Make sure you can change the certificate store and network proxy settings, use a portable browser version if necessary
. Import the ZAP root certificate in your trusted certificates
. Change the network proxy settings
. Use www.webgoat.local in stead of 127.0.0.1
.. adjust your host file and use www.webgoat.local
If you use the latest ZAP version (>= 2.8.0) you only need to start ZAP and click the browser button to be able to
proxy, see image below:
image::images/zap-browser-button.png[ZAP Start,style="lesson-image"]
{nbsp}+
In the browser type: http://localhost:8080/WebGoat you should see WebGoat and the OWASP ZAP Heads On Display (if you use OWASP ZAP as the proxy):
image::images/loginscreen.png[Browser with HUD,style="lesson-image"]
You might notice that this is the dutch login screen. This is determined from the language settings from your browser. For some of the pages there will be some local translations. You can contribute to WebGoat and add more for your preferred language.
You can disable the Heads On Display by clicking on the highlighted button.
You can learn about the OWASP ZAP HUD on their website. For now it is recommended to disable it as it kind of blocks the menu items.
You should see the following in OWASP ZAP on the history panel:
image::images/zap-history.png[ZAP History,style="lesson-image"]
On the next page we will show how you can filter these requests to see only relevant requests and how to configure the interceptor.
=== Import the OWASP ZAP root certificate
. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
. Search for _certificates_
. Click _View certificates_
. Import the ZAP root certificate that was saved (see previous page)
image::images/firefoxsettingscerts.png[Firefox Certificates,width="75%",style="lesson-image"]
image::images/importcerts.png[Firefox Cetificate import,width="75%",style="lesson-image"]
=== Firefox Proxy Config
. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
. Select _Advanced_ on the left
. Select _Network_ in the in Advanced Pane
. Click _Settings_
. Select _Manual proxy configuration_
.. input *127.0.0.1* as the Proxy
.. input *8090* as the port if running WebGoat locally and you updated ZAP to 8090 (otherwise, use *8080*)
.. check the _Use this proxy server for all protocols_ checkbox
image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
=== Use www.webgoat.local
*It is important to note that the latest versions of Firefox and Chrome no longer proxy traffic from localhost by default.*
The are a couple of options to bypass this restriction:
- Use the host name of your machine instead of `localhost`, you can find or add a host name in `/etc/hosts` on Linux and MacOSX and `C:\Windows\System32\drivers\etc` on Windows
image::images/newlocalhost.png[Hosts file,style="lesson-image"]
- To proxy localhost (and related addresses) with newer Firefox versions (>= 67) the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.
- To proxy localhost (and related addresses) with newer Chrome versions (>= 72) the command line argument --proxy-bypass-list=<-loopback> must be provided.
=== Chrome Proxy Config
. Bring up Chrome's settings form the menu
. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
. Click the _Change proxy settings_ button
. Select the _proxies_ tab
. Select Web Proxy (HTTP)
. Input 127.0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 if running WebGoat locally, otherwise 8080) in the second box (to the right)
. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
image::images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
(Mac config image above)
image::images/chrome-manual-proxy-win.png[Chrome Proxy, 394,346,style="lesson-image"]
(Win config image above)
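Review bot: the new "Setting up browser" list contradicts the paragraph that follows it. Steps 1 to 4 (certificate import, proxy settings, hosts-file entry, "Use www.webgoat.local in stead of 127.0.0.1") are exactly the manual configuration this commit moves to the manual page, while the next paragraph says that with ZAP >= 2.8.0 "you only need to start ZAP and click the browser button". Either drop the list here or prefix it with "Only if you are not using ZAP's browser button:". The check below then says "In the browser type: http://localhost:8080/WebGoat", which conflicts with step 4's www.webgoat.local; state that the browser started from ZAP needs neither the hostname trick nor the manual proxy settings. Spelling: "in stead" should be "instead", "dutch" should be "Dutch", and ZAP's HUD is the "Heads Up Display", not "Heads On Display" (three occurrences).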


@ -1,19 +0,0 @@
=== Confirm Proxy, Host and Browser are ok
Now use the browser that has the ZAP certificate and proxy settings with the special local host address and confirm that your requests show up in the proxy.
Browse to: http://www.webgoat.local:8080/WebGoat (or https://www.webgoat.local:8443/WebGoat or similar)
You should see WebGoat and the OWASP ZAP Heads On Display (if you use OWASP ZAP as the proxy):
image::images/loginscreen.png[Browser with HUD,style="lesson-image"]
You might notice that this is the dutch login screen. This is determined from the language settings from your browser. For some of the pages there will be some local translations. You can contribute to WebGoat and add more for your preferred language.
You can disable the Heads On Display by clicking on the highlighted button.
You can learn about the OWASP ZAP HUD on their website. For now it is recommended to disable it as it kind of blocks the menu items.
You should see the following in OWASP ZAP on the history panel:
image::images/zap-history.png[ZAP History,style="lesson-image"]
On the next page we will show how you can filter these requests to see only relevant requests and how to configure the interceptor.
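Review bot: deleting this page is consistent with folding the check into the browser-setup page, but two details got lost in the move. The URL here is http://www.webgoat.local:8080/WebGoat and it mentions the https://www.webgoat.local:8443/WebGoat variant, while the copy now on the browser-setup page says http://localhost:8080/WebGoat and says nothing about https; and the setup page's "continue to the page titled 'Confirm it's working'" still names this page. Reconcile both before the page disappears.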


@ -4,9 +4,6 @@ Before we start diving into intercepting requests with ZAP we need to exclude th
framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat.
Basically a breakpoint is configured that will intercept requests when the request header contains a POST. Which are the most interesting ones. You can add other rules as long as the polling .mvc messages will be excluded. As this would be annoying.
*This differs from the previous ZAP versions where you choose "exclude from proxy" and used the green/red intercept button*
The exclude from proxy blocks the entire request when the IP address is the same as localhost. Using the breakpoint filter solves this issue.
Set the breakpoint as follows:
image::images/breakpoint.png[Set breakpoint,style="lesson-image"]
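Review bot: the breakpoint rule only exists inside breakpoint.png; please state it in text as well (for example: break on requests whose method is POST, and keep the polling `.mvc` requests excluded), so readers can copy it and text search or screen readers can find it. The surrounding sentences are fragments and read better merged: "Basically a breakpoint is configured that will intercept requests when the request header contains a POST. Which are the most interesting ones." becomes "A breakpoint is configured that intercepts POST requests, which are the most interesting ones."; "as long as the polling .mvc messages will be excluded. As this would be annoying." becomes "as long as the polling .mvc messages stay excluded, since breaking on those is annoying." If the bold "This differs from the previous ZAP versions..." note and "The exclude from proxy blocks the entire request..." line are the ones being removed, consider keeping one sentence on why "exclude from proxy" is not used, since readers coming from older guides will look for it.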


@ -3,4 +3,25 @@
The OWASP ZAP proxy can also be configured to proxy *https* requests. It will terminate the https connection in OWASP Zap and then proxy it to the target using its own keystore. You can even proxy to sites with mutual TLS. In that case you configure OWASP ZAP with the keystore and key to use for the connection.
Go to Tools/Options/Client Certificate if you want to proxy to a mutual TLS https site.
Go to Tools/Options/Connection if you want to set timeouts and want to force the use of TLSv1.2 e.g.
Go to Tools/Options/Connection if you want to set timeouts and want to force the use of TLSv1.2 e.g.
=== Export the certificate
Depending on the local installation of tools, ZAP can start a browser directly with some adjusted options like network settings and certificate adjustments. However, this step should be done if you want to start your browser independently of ZAP. To be able to use the browser, the browser needs the certificate, which can be exported here:
image::images/rootca.png[ZAP root CA,style="lesson-image"]
image::images/savecerts.png[ZAP save CA,style="lesson-image"]
=== Import the OWASP ZAP root certificate
. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
. Search for _certificates_
. Click _View certificates_
. Import the ZAP root certificate that was saved (see previous page)
image::images/firefoxsettingscerts.png[Firefox Certificates,width="75%",style="lesson-image"]
image::images/importcerts.png[Firefox Cetificate import,width="75%",style="lesson-image"]
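Review bot: in the moved "Import the OWASP ZAP root certificate" list, step 4 still says "Import the ZAP root certificate that was saved (see previous page)", but the export section is now directly above on the same page; change it to "see above". "Go to Tools/Options/Connection if you want to set timeouts..." appears twice in this hunk; if one of them is a genuine addition it is a duplicate. Also the stray backtick at the end of "from the menu.`" and "Cetificate" in the image alt text. One sentence of motivation would help readers decide whether they need this section: because ZAP terminates the TLS connection and re-signs it with its own CA (as the first paragraph says), the browser only accepts the proxied https pages once that CA is trusted; for the same reason, import it into the portable or dedicated browser profile the setup page suggests rather than the system store, and remove it when the lesson is done.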


@ -0,0 +1,56 @@
== Manually setting the proxy
This section is only necessary if you want to use Burp or running the browser through ZAP is not working in both
cases we need to do some extra configuration.
In the latest release of Chrome and Firefox no longer proxy traffic from localhost by default.
=== Option 1: Change settings of your browser
- To proxy localhost (and related addresses) with newer Firefox versions (>= 67) the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.
- To proxy localhost (and related addresses) with newer Chrome versions (>= 72) the command line argument --proxy-bypass-list=<-loopback> must be provided.
=== Option 2: Use www.webgoat.local
- Use the host name of your machine instead of `localhost`, you can find or add a host name in `/etc/hosts` on Linux and MacOSX and `C:\Windows\System32\drivers\etc` on Windows
image::images/newlocalhost.png[Hosts file,style="lesson-image"]
Then in your browser use http://www.webgoat.local:8080/WebGoat as the address.
=== Configure browser to use proxy
To manually configure a proxy in the browser follow one of the configuration below:
==== Firefox Proxy Config
. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
. Select _Advanced_ on the left
. Select _Network_ in the in Advanced Pane
. Click _Settings_
. Select _Manual proxy configuration_
.. input *127.0.0.1* as the Proxy (or www.webgoat.local depending on the choice you made above)
.. input *8090* as the port if running WebGoat locally and you updated ZAP to 8090 (otherwise, use *8080*)
.. check the _Use this proxy server for all protocols_ checkbox
image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
==== Chrome Proxy Config
. Bring up Chrome's settings form the menu
. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
. Click the _Change proxy settings_ button
. Select the _proxies_ tab
. Select Web Proxy (HTTP)
. Input 127.0.0.1 (or www.webgoatl.local depending on the choice you made) in the first box under _Web Proxy Server_ and your port # (8090 if running WebGoat locally, otherwise 8080) in the second box (to the right)
. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
image::images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
(Mac config image above)
image::images/chrome-manual-proxy-win.png[Chrome Proxy, 394,346,style="lesson-image"]
(Win config image above)
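Review bot: the Firefox step "input *127.0.0.1* as the Proxy (or www.webgoat.local depending on the choice you made above)" and the Chrome step "Input 127.0.0.1 (or www.webgoatl.local depending on the choice you made)" put the hostname in the wrong field. The proxy address is where ZAP or Burp listens, which is 127.0.0.1 on port 8090 under both options; www.webgoat.local is what goes in the address bar, as the page itself says under Option 2 ("Then in your browser use http://www.webgoat.local:8080/WebGoat as the address"). With the hosts entry in place the hostname happens to resolve to the same listener, but it conflates the proxy with the target host and will mislead anyone who later maps the hostname elsewhere; drop the parenthetical in both steps. Smaller fixes: the opening sentence is a run-on ("...is not working in both cases we need..."); "In the latest release of Chrome and Firefox no longer proxy traffic" is missing its subject ("the latest releases of Chrome and Firefox no longer proxy..."); the Windows path should name the file (`C:\Windows\System32\drivers\etc\hosts`); "www.webgoatl.local" is a typo; and "form the menu" should be "from the menu".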