diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html index 7af1444ae..59113e121 100644 --- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html @@ -2,7 +2,14 @@ -
+
+ + +
+
+ +
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html deleted file mode 100644 index a41ca8309..000000000 --- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html +++ /dev/null @@ -1,29 +0,0 @@ -
-

Lehrplan: Http Basics

-
- -

Lehrinhalt:

- Diese Lektion stellt die Verständnis-Grundlagen für den Datentransport zwischen Browser und Webapplikation dar.
-
-

-So funktioniert HTTP: -

-Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem Kφrper. -Der Client initiiert eine Transaktion wie folgt:
-
- Der Client kontaktiert den Server und sendet eine Dokumentenanfrage
-
-
- - Als nächstes sendet der Client optionale Kopfzeilen (Header) um den Server über die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.
-
- -Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet. -
-

Grundsätzliche(s) Ziel(e):

- -Geben Sie Ihren Namen in das Eingabefeld ein und drόcken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zurόckschicken. Dies stellt eine vollständige HTTP Transaktion dar! -

-Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Knφpfe für Hinweise (Hints), für das Anzeigen von Parametern(Parameters) oder Cookies und für das Anzeigen von Java-Quellcode ausprobiert werden. -Auίerdem, können Sie hier WebScarab gut ausprobieren. - \ No newline at end of file diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc new file mode 100644 index 000000000..6344750d7 --- /dev/null +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc 
@@ -0,0 +1,20 @@ + +== HTTP Proxy Overview + +Many times proxies are used as a way of accessing otehrwise blocked content. A user might connect to server A, which relays content from server B + ... Because Server B is blocked wihtin the user's network. That's not the use case we will be dealing with here, but the concept is the same. +HTTP Proxies receive requesets from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to +use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in +relationship to proxies. + +=== Proxy Capabilities + +Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses. You can also use the proxy to +modify (tamper) the requests and responses. Proxies also have automated or semi-automated functions that allow you to gain efficiency in testing and +analyzing the security of a website. + +=== Other Uses for Proxies + +ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment. This lesson does +not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a +CI/CD with Jenkins, maven or other build processes. \ No newline at end of file diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc index f61485bd3..7502cf15b 100644 --- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc 
@@ -1,9 +1,7 @@ -= HTTP Basics : Proxy - + == HTTP Proxy Setup -HTTP Proxies are tools that allow an attacker, developer or researcher to act as a man-in-the-middle on requests and responses. Since this is an -OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise, +Since this is an OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise, this will show you how to set up ZAP to act as a proxy on your localhost. === Setting up ZAP @@ -27,4 +25,3 @@ image::plugin_lessons/plugin/HttpProxies/images/zap-start.png[ZAP Start,548,256, . Click OK image::plugin_lessons/plugin/HttpProxies/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"] - diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc index cf200141d..a0f127e69 100644 --- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc @@ -1,11 +1,9 @@ == HTTP Proxy Setup: The Browser -=== Point Browser at Proxy - There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome. This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now: -==== Firefox Proxy Config +=== Firefox Proxy Config . Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu. . Select _Advanced_ on the left 
@@ -18,7 +16,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"] -==== Chrome Proxy Config +=== Chrome Proxy Config . Bring up Chrome's settings form the menu . In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button. @@ -28,4 +26,14 @@ image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox . Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right) . You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to -image::plugin_lessons/plugin/HttpProxies/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"] \ No newline at end of file +image::plugin_lessons/plugin/HttpProxies/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"] + +=== Other Proxy Configuration Options + +If you don't want to manage the proxy manually, there are extensions or plugins that can help you to do so without digging through as much config, +or based on URL patterns. Examples include: + +* FoxyProxy for Firefox +* Proxy Switcher for Firefox +* Toggle Proxy for Firefox +* Still looking for suggestions for Chrome ... \ No newline at end of file diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html deleted file mode 100644 index ec21ec7ed..000000000 --- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html +++ /dev/null @@ -1,33 +0,0 @@ -
-

НазваниС ΡƒΡ€ΠΎΠΊΠ°: ΠžΡΠ½ΠΎΠ²Ρ‹ Http

-
- -

Π’Π΅ΠΌΠ° изучСния:

-Π’ Π΄Π°Π½Π½ΠΎΠΌ ΡƒΡ€ΠΎΠΊΠ΅ прСдставлСны основы Π½Π΅ΠΎΠ±Ρ…ΠΎΠ΄ΠΈΠΌΡ‹Π΅ для понимания процСсса ΠΏΠ΅Ρ€Π΅Π΄Π°Ρ‡ΠΈ Π΄Π°Π½Π½Ρ‹Ρ… ΠΌΠ΅ΠΆΠ΄Ρƒ Π±Ρ€Π°ΡƒΠ·Π΅Ρ€ΠΎΠΌ ΠΈ Π²Π΅Π±-ΠΏΡ€ΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΠ΅ΠΌ.
-
-

-Как Ρ€Π°Π±ΠΎΡ‚Π°Π΅Ρ‚ HTTP: -

-ВсС обращСния ΠΏΠΎ ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Ρƒ HTTP ΠΈΠΌΠ΅ΡŽΡ‚ ΠΎΠ΄ΠΈΠ½ основной Ρ„ΠΎΡ€ΠΌΠ°Ρ‚. ΠšΠ°ΠΆΠ½Ρ‹ΠΉ запрос ΠΊΠ»ΠΈΠ΅Π½Ρ‚Π° ΠΈΠ»ΠΈ ΠΎΡ‚Π²Π΅Ρ‚ сСрвСра состоит ΠΈΠ· Ρ‚Ρ€Ρ‘Ρ… частСй: -строка запроса ΠΈΠ»ΠΈ ΠΎΡ‚Π²Π΅Ρ‚Π°, Π·Π°Π³ΠΎΠ»ΠΎΠ²ΠΎΠΊ ΠΈ Ρ‚Π΅Π»ΠΎ. ΠšΠ»ΠΈΠ΅Π½Ρ‚ Π½Π°Ρ‡ΠΈΠ½Π°Π΅Ρ‚ ΠΏΡ€Π΅Π΄Π°Ρ‡Ρƒ Π΄Π°Π½Π½Ρ‹Ρ… ΡΠ»Π΅Π΄ΡƒΡŽΡ‰ΠΈΠΌ ΠΎΠ±Ρ€Π°Π·ΠΎΠΌ:
-
- Он соСдиняСтся с сСрвСром ΠΈ отправляСт запрос для получСния Π΄ΠΎΠΊΡƒΠΌΠ΅Π½Ρ‚Π°
-
-
- -Π”Π°Π»Π΅Π΅ ΠΎΠ½ ΡˆΠ»Ρ‘Ρ‚ Ρ€Π°Π·Π»ΠΈΡ‡Π½ΡƒΡŽ ΠΈΠ½Ρ„ΠΎΡ€ΠΌΠ°Ρ†ΠΈΡŽ Π² Ρ€Π°Π·Π΄Π΅Π»Π΅ Π·Π°Π³ΠΎΠ»ΠΎΠ²ΠΊΠ° Ρ‡Ρ‚ΠΎΠ± ΡƒΠ²Π΅Π΄ΠΎΠΌΠΈΡ‚ΡŒ сСрвСр ΠΎ своСй ΠΊΠΎΠ½Ρ„ΠΈΠ³ΡƒΡ€Π°Ρ†ΠΈΠΈ ΠΈ возмоТностях -(Π½Π°ΠΏΡ€ΠΈΠΌΠ΅Ρ€ ΠΊΠ°ΠΊΠΈΠ΅ ΠΊΠΎΠ΄ΠΈΡ€ΠΎΠ²ΠΊΠΈ ΠΈ Ρ‚ΠΈΠΏΡ‹ Π΄ΠΎΠΊΡƒΠΌΠ΅Π½Ρ‚ΠΎΠ² ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΈΠ²Π°ΡŽΡ‚ΡΡ ΠΊΠ»ΠΈΠ΅Π½Ρ‚ΠΎΠΌ).
-
- -ПослС ΠΎΡ‚ΠΏΡ€Π°Π²ΠΊΠΈ запроса ΠΈ Π·Π°Π³ΠΎΠ»ΠΎΠ²ΠΊΠΎΠ² ΠΊΠ»ΠΈΠ΅Π½Ρ‚ ΠΌΠΎΠΆΠ΅Ρ‚ ΠΎΡ‚ΠΏΡ€Π°Π²ΠΈΡ‚ΡŒ Π΄ΠΎΠΏΠΎΠ»Π½ΠΈΡ‚Π΅Π»ΡŒΠ½Ρ‹Π΅ Π΄Π°Π½Π½Ρ‹Π΅. Они Π² Π±ΠΎΠ»ΡŒΡˆΠΈΠ½ΡΡ‚Π²Π΅ случаСв -ΠΏΡ€Π΅Π΄Π½Π°Π·Π½Π°Ρ‡Π°ΡŽΡ‚ΡΡ для CGI-ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΡŽΡ‰ΠΈΡ… ΠΌΠ΅Ρ‚ΠΎΠ΄ POST для принятия ΠΈΠ½Ρ„ΠΎΡ€ΠΌΠ°Ρ†ΠΈΠΈ.
-

ΠžΡΠ½ΠΎΠ²Π½Ρ‹Π΅ Ρ†Π΅Π»ΠΈ ΠΈ Π·Π°Π΄Π°Ρ‡ΠΈ:

- -Π’Π²Π΅Π΄ΠΈΡ‚Π΅ вашС имя Π² ΠΏΠΎΠ»Π΅ располоТСнноС Π½ΠΈΠΆΠ΅ ΠΈ Π½Π°ΠΆΠΌΠΈΡ‚Π΅ "Π’ΠΏΠ΅Ρ€Ρ‘Π΄!" для ΠΎΡ‚ΠΏΡ€Π°Π²ΠΊΠΈ Ρ„ΠΎΡ€ΠΌΡ‹. Π‘Π΅Ρ€Π²Π΅Ρ€ ΠΏΡ€ΠΈΠΌΠ΅Ρ‚ ваш запрос, выстроит -ΠΏΠΎΠ»ΡƒΡ‡Π΅Π½Π½ΡƒΡŽ строку Π² ΠΎΠ±Ρ€Π°Ρ‚Π½ΠΎΠΌ порядкС ΠΈ Π²Ρ‹Π²Π΅Π΄Π΅Ρ‚ Ρ€Π΅Π·ΡƒΠ»ΡŒΡ‚Π°Ρ‚ Π½Π° экран. Π”Π°Π½Π½Ρ‹ΠΉ ΠΏΡ€ΠΈΠΌΠ΅Ρ€ ΠΈΠ»Π»ΡŽΡΡ‚Ρ€ΠΈΡ€ΡƒΠ΅Ρ‚ основы ΠΎΠ±Ρ€Π°Π±ΠΎΡ‚ΠΊΠΈ Π΄Π°Π½Π½Ρ‹Ρ… -ΠΏΠΎΠ»ΡƒΡ‡Π΅Π½Π½Ρ‹Ρ… ΠΈΠ· HTTP-запроса. -

-ΠŸΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚Π΅Π»ΡŽ Π½Π΅ΠΎΠ±Ρ…ΠΎΠ΄ΠΈΠΌΠΎ ознакомится с использованиСм Ρ„ΡƒΠ½ΠΊΡ†ΠΈΠΉ WebGoat, Ρ‚Π°ΠΊΠΈΡ… ΠΊΠ°ΠΊ просмотр подсказок, ΠΎΡ‚ΠΎΠ±Ρ€Π°ΠΆΠ΅Π½ΠΈΠ΅ ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€ΠΎΠ² HTTP-запроса, -ΠΎΡ‚ΠΎΠ±Ρ€Π°ΠΆΠ΅Π½ΠΈΠ΅ Cookies ΠΈ исходных ΠΊΠΎΠ΄ΠΎΠ² Java. ΠŸΠ΅Ρ€Π²ΠΎΠ΅ врСмя, Π² качСствС ΠΏΡ€Π°ΠΊΡ‚ΠΈΠΊΠΈ, для просмотра ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€ΠΎΠ² ΠΈ Cookies -запросов Π²Ρ‹ ΠΌΠΎΠΆΠ΅Ρ‚Π΅ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚ΡŒ WebScarab. - \ No newline at end of file diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc deleted file mode 100644 index a6293919c..000000000 --- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc +++ /dev/null @@ -1,5 +0,0 @@ -= HTTP Basics - -== Solution - -Solution goes here \ No newline at end of file diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html deleted file mode 100644 index 42219764e..000000000 --- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - -
- - -
-
- - - \ No newline at end of file
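Review bot: the deletions of lessonPlans/de/HttpBasics.html and lessonPlans/ru/HttpBasics.html remove the only non-English lesson plans for this plugin without replacements, so verify that nothing in the lesson loader still resolves lessonPlans/de or lessonPlans/ru for HttpProxies before merging. Dropping rather than translating them is defensible: both files describe the old HttpBasics exercise (reverse the submitted name, inspect parameters and cookies, try WebScarab), not the new ZAP proxy lesson, and the German file is mis-encoded in the deleted lines ("Kφrper", "drόcken", "Auίerdem"), so a learner would have seen mojibake anyway. Worth stating that rationale in the commit message.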
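Review bot: the new HttpBasics_ProxyIntro0.adoc ships with typos in the first paragraph ("otehrwise", "wihtin", "requesets") and its man-in-the-middle warning is weaker than the point deserves. The text already says proxies "act as a man-in-the-middle" and "typically record" requests; say the consequence outright, since the same sentence invites readers to use a proxy to reach "otherwise blocked" systems: whoever operates the proxy can read and alter every request and response that passes through it, credentials and session cookies included, and can do so for HTTPS only if the client trusts the proxy's certificate, which is the "trusted cert" step that HttpBasics_ProxyIntro2.adoc defers. Suggested wording: "Proxies act as a man-in-the-middle: whoever runs the proxy can read and modify every request and response, including credentials. Keep that in mind before routing traffic through a proxy you do not control." Also add the missing newline at end of file (the hunk ends with "\ No newline at end of file").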
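Review bot: in HttpBasics_ProxyIntro1.adoc the hunk removes both the document title "= HTTP Basics : Proxy" and the only sentence that defined what an HTTP proxy is, so this page now opens at "== HTTP Proxy Setup" and relies on HttpBasics_ProxyIntro0.adoc for the definition. That is fine only if Intro0 is rendered before Intro1; the ordering is set by the HttpProxies.html change, whose content is not readable in this diff, so confirm it. While editing the "set up ZAP to act as a proxy on your localhost" sentence, consider telling the reader to keep the ZAP listener bound to 127.0.0.1 rather than all interfaces, since anything that can reach the listener can relay requests through it and read the recorded history.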
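Review bot: HttpBasics_ProxyIntro2.adoc has an address typo that will break the Chrome step when copied literally: "Input 127..0.0.1 in the first box" should read "127.0.0.1". Same hunk: "Bring up Chrome's settings form the menu" should be "from the menu", and "(8090 is what used earlier)" should be "(8090 is what we used earlier)". The advice "You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to" is the wrong emphasis for this lesson: browsers commonly exclude localhost and 127.0.0.1 from proxying by default, and WebGoat itself runs on localhost, so if that entry remains the WebGoat traffic never reaches ZAP. Tell the reader to check and remove localhost from the bypass list in both the Firefox and the Chrome steps. Finally, "* Still looking for suggestions for Chrome ..." is a TODO, not lesson content; drop the bullet or replace it with an actual option, and add the trailing newline the hunk notes is missing.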
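Review bot: deleting lessonSolutions/en/HttpBasics_solution.adoc and lessonSolutions/html/HttpBasics.html leaves the HttpProxies plugin with no solution file at all. Nothing of substance is lost (the .adoc body was the placeholder "Solution goes here"), but confirm that the lesson framework tolerates a missing lessonSolutions entry for this lesson rather than failing at render time; if it does not, add a stub named for the new proxy lesson instead of the old HttpBasics name.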