- Introduced user registration

- Now using Spring Boot for classloading, this way local development does not need to restart the complete server
- Fixed all kinds of dependencies on the names of the lessons necessary to keep in mind during the creation of a lesson.
- Simplied loading of resources, by adding resource mappings in MvcConfig.
- Refactored plugin loading, now only one class is left for loading the lessons.
This commit is contained in:
Nanne Baars
2017-02-25 12:15:07 +01:00
parent 9b86aaba05
commit 259fd19c1b
221 changed files with 1179 additions and 1083 deletions

View File

@ -0,0 +1,25 @@
=== Use the intercept
To intercept a request, you start by clicking the green button. This will set a break point for the next request.
image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
NOTE: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
That's part of what hackers do ... explore!
Once you are intercepting requests and a request is made, it should look something like this:
image::images/proxy-intercept-details.png[ZAP history tab,1269,337,style="lesson-image"]
=== Intercept and modify a request
Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
modify it as follows.
* Change the Method to GET
* Add a header 'x-request-intercepted:true'
* Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes)
Then let the request continue through (by hitting the play button).
NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.

View File

@ -0,0 +1,20 @@
== HTTP Proxy Overview
Many times proxies are used as a way of accessing otehrwise blocked content. A user might connect to server A, which relays content from server B
... Because Server B is blocked wihtin the user's network. That's not the use case we will be dealing with here, but the concept is the same.
HTTP Proxies receive requesets from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
relationship to proxies.
=== Proxy Capabilities
Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses. You can also use the proxy to
modify (tamper) the requests and responses. Proxies also have automated or semi-automated functions that allow you to gain efficiency in testing and
analyzing the security of a website.
=== Other Uses for Proxies
ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment. This lesson does
not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
CI/CD with Jenkins, maven or other build processes.

View File

@ -0,0 +1,27 @@
== HTTP Proxy Setup
Since this is an OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
this will show you how to set up ZAP to act as a proxy on your localhost.
=== Setting up ZAP
Once you have 'installed' ZAP (you don't really install it, just unpack it and run it locally), we will need to:
* Start ZAP
* Configure the local proxy port
* Point the browser at the proxy
=== Start ZAP
When ZAP starts, you will be presented with a dialog such as the one below ...
image::images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
=== Configure Proxy's Port
. Select Tools > Options from the menu
. Select Local Proxy on the left
. Choose an available port ... Since WebGoat is using port 8080, use something different like 8090
. Click OK
image::images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]

View File

@ -0,0 +1,39 @@
== HTTP Proxy Setup: The Browser
There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
=== Firefox Proxy Config
. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.
. Select _Advanced_ on the left
. Select _Network_ in the in Advanced Pane
. Click _Settings_
. Select _Manual proxy configuration_
.. input *127.0.0.1* as the Proxy
.. input *8090* as the port
.. check the _Use this proxy server for all protocols_ checkbox
image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
=== Chrome Proxy Config
. Bring up Chrome's settings form the menu
. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
. Click the _Change proxy settings_ button
. Select the _proxies_ tab
. Select Web Proxy (HTTP)
. Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
image::images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
=== Other Proxy Configuration Options
If you don't want to manage the proxy manually, there are extensions or plugins that can help you to do so without digging through as much config,
or based on URL patterns. Examples include:
* FoxyProxy for Firefox
* Proxy Switcher for Firefox
* Toggle Proxy for Firefox
* Still looking for suggestions for Chrome ...

View File

@ -0,0 +1,6 @@
=== Confirm it's working
You should now be able to browse somewhere. We suggest starting with a plain http host.
If it's working, ZAP's history tab will start to look something like this.
image::images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]