- Introduced user registration
- Now using Spring Boot for classloading, this way local development does not need to restart the complete server - Fixed all kinds of dependencies on the names of the lessons necessary to keep in mind during the creation of a lesson. - Simplified loading of resources, by adding resource mappings in MvcConfig. - Refactored plugin loading, now only one class is left for loading the lessons.
@ -0,0 +1,25 @@
|
||||
=== Use the intercept
|
||||
|
||||
To intercept a request, you start by clicking the green button. This will set a break point for the next request.
|
||||
|
||||
image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
|
||||
|
||||
NOTE: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
|
||||
That's part of what hackers do ... explore!
|
||||
|
||||
Once you are intercepting requests and a request is made, it should look something like this:
|
||||
|
||||
image::images/proxy-intercept-details.png[ZAP history tab,1269,337,style="lesson-image"]
|
||||
|
||||
=== Intercept and modify a request
|
||||
|
||||
Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
|
||||
modify it as follows.
|
||||
|
||||
* Change the Method to GET
|
||||
* Add a header 'x-request-intercepted:true'
|
||||
* Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes)
|
||||
|
||||
Then let the request continue through (by hitting the play button).
|
||||
|
||||
NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.
|
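Review bot: The three tamper steps ("Change the Method to GET", "Add a header 'x-request-intercepted:true'", "Change the input value 'changeMe' to 'Requests are tampered easily'") are presumably what the server-side check compares against, so the text should say that the header name, header value and input value must match exactly (case, no surrounding spaces, no quotes); otherwise a learner whose attempt fails has no way to tell which of the three was wrong. Also fix "When you request is intercepted" to "When your request is intercepted" and "It is also possible set breakpoints" to "It is also possible to set breakpoints".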
@ -0,0 +1,20 @@
|
||||
|
||||
== HTTP Proxy Overview
|
||||
|
||||
Many times proxies are used as a way of accessing otehrwise blocked content. A user might connect to server A, which relays content from server B
|
||||
... Because Server B is blocked wihtin the user's network. That's not the use case we will be dealing with here, but the concept is the same.
|
||||
HTTP Proxies receive requesets from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
|
||||
use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
|
||||
relationship to proxies.
|
||||
|
||||
=== Proxy Capabilities
|
||||
|
||||
Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses. You can also use the proxy to
|
||||
modify (tamper) the requests and responses. Proxies also have automated or semi-automated functions that allow you to gain efficiency in testing and
|
||||
analyzing the security of a website.
|
||||
|
||||
=== Other Uses for Proxies
|
||||
|
||||
ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment. This lesson does
|
||||
not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
|
||||
CI/CD with Jenkins, maven or other build processes.
|
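Review bot: The man-in-the-middle remark ("keep that in mind if you decide to use a proxy server to connect to some other system that is otherwise blocked") needs one concrete sentence to land: an intercepting proxy sees and records every request body, cookie and credential that passes through it, which is also why the browser-setup page later warns about HTTPS and the trusted certificate. Spelling: "otehrwise" -> "otherwise", "wihtin" -> "within", "requesets" -> "requests"; capitalise "Maven" in the last line.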
@ -0,0 +1,27 @@
|
||||
|
||||
== HTTP Proxy Setup
|
||||
|
||||
Since this is an OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
|
||||
this will show you how to set up ZAP to act as a proxy on your localhost.
|
||||
|
||||
=== Setting up ZAP
|
||||
|
||||
Once you have 'installed' ZAP (you don't really install it, just unpack it and run it locally), we will need to:
|
||||
|
||||
* Start ZAP
|
||||
* Configure the local proxy port
|
||||
* Point the browser at the proxy
|
||||
|
||||
=== Start ZAP
|
||||
When ZAP starts, you will be presented with a dialog such as the one below ...
|
||||
|
||||
image::images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
|
||||
|
||||
=== Configure Proxy's Port
|
||||
|
||||
. Select Tools > Options from the menu
|
||||
. Select Local Proxy on the left
|
||||
. Choose an available port ... Since WebGoat is using port 8080, use something different like 8090
|
||||
. Click OK
|
||||
|
||||
image::images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
|
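Review bot: The Local Proxy steps only choose a port; the same dialog also has an address field, and since the page promises "a proxy on your localhost" it should tell the learner to leave that address at localhost/127.0.0.1 so the listener is not reachable from other machines on the network. Minor: "Configure Proxy's Port" -> "Configure the Proxy Port", and the ellipsis in "Choose an available port ... Since WebGoat is using port 8080" should be a period.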
@ -0,0 +1,39 @@
|
||||
== HTTP Proxy Setup: The Browser
|
||||
|
||||
There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
|
||||
This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
|
||||
|
||||
=== Firefox Proxy Config
|
||||
|
||||
. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.
|
||||
. Select _Advanced_ on the left
|
||||
. Select _Network_ in the in Advanced Pane
|
||||
. Click _Settings_
|
||||
. Select _Manual proxy configuration_
|
||||
.. input *127.0.0.1* as the Proxy
|
||||
.. input *8090* as the port
|
||||
.. check the _Use this proxy server for all protocols_ checkbox
|
||||
|
||||
image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
|
||||
|
||||
=== Chrome Proxy Config
|
||||
|
||||
. Bring up Chrome's settings form the menu
|
||||
. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
|
||||
. Click the _Change proxy settings_ button
|
||||
. Select the _proxies_ tab
|
||||
. Select Web Proxy (HTTP)
|
||||
. Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
|
||||
. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
|
||||
|
||||
image::images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
|
||||
|
||||
=== Other Proxy Configuration Options
|
||||
|
||||
If you don't want to manage the proxy manually, there are extensions or plugins that can help you to do so without digging through as much config,
|
||||
or based on URL patterns. Examples include:
|
||||
|
||||
* FoxyProxy for Firefox
|
||||
* Proxy Switcher for Firefox
|
||||
* Toggle Proxy for Firefox
|
||||
* Still looking for suggestions for Chrome ...
|
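Review bot: "127..0.0.1" in the Chrome step has a doubled dot and will be copied verbatim by learners; use "127.0.0.1". The Chrome steps ("Select the _proxies_ tab", "Bypass proxy settings for these Hosts & Domains") describe the macOS system network dialog that Chrome opens, so say so, because Windows and Linux open a different dialog. Since _Use this proxy server for all protocols_ routes the whole browser's traffic through ZAP ("This will send all of your traffic to the proxy"), the introductory paragraph should suggest a separate browser profile for testing so unrelated sessions and their cookies are not recorded. Also fix "form the menu" -> "from the menu", "in the in Advanced Pane" -> "in the Advanced pane", and "8090 is what used earlier" -> "8090 is what we used earlier".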
@ -0,0 +1,6 @@
|
||||
=== Confirm it's working
|
||||
|
||||
You should now be able to browse somewhere. We suggest starting with a plain http host.
|
||||
If it's working, ZAP's history tab will start to look something like this.
|
||||
|
||||
image::images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]
|
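Review bot: The image macro reuses the alt text and dimensions of proxy-intercept-details.png from the intercept page ("ZAP history tab,1269,337"), which looks like a copy-paste; check that zap-history.png actually has those dimensions and give the intercept image its own alt text. "browse somewhere" is vague: name the target (WebGoat itself on port 8080 is the obvious plain-HTTP host given the setup page) so the learner knows what entries should appear in the history tab.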