dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adding ZAP content for HTTP Basics

Browse Source
This commit is contained in:
Jason White
2016-12-22 16:37:57 -05:00
parent 35055eeb3c
commit 282073ed2d
10 changed files with 122 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html
View File

@ -85,4 +85,25 @@
</div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
</div>
</html>

BIN
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/chrome-manual-proxy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 279 KiB

BIN
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/firefox-proxy-config.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 200 KiB

BIN
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/zap-history.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 406 KiB

BIN
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/zap-local-proxy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 210 KiB

BIN
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/zap-start.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 79 KiB

30
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro1.adoc Normal file
View File

@ -0,0 +1,30 @@
= HTTP Basics : Proxy
== HTTP Proxy Setup
HTTP Proxies are tools that allow an attacker, developer or researcher to act as a man-in-the-middle on requests and responses. Since this is an
OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
this will show you how to set up ZAP to act as a proxy on your localhost.
=== Setting up ZAP
Once you have 'installed' ZAP (you don't really install it, just unpack it and run it locally), we will need to:
* Start ZAP
* Configure the local proxy port
* Point the browser at the proxy
=== Start ZAP
When ZAP starts, you will be presented with a dialog such as the one below ...
image::plugin_lessons/plugin/HttpBasics/images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
=== Configure Proxy's Port
. Select Tools > Options from the menu
. Select Local Proxy on the left
. Choose an available port ... Since WebGoat is using port 8080, use something different like 8090
. Click OK
image::plugin_lessons/plugin/HttpBasics/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]

31
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro2.adoc Normal file
View File

@ -0,0 +1,31 @@
== HTTP Proxy Setup: The Browser
=== Point Browser at Proxy
There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
==== Firefox Proxy Config
. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.
. Select _Advanced_ on the left
. Select _Network_ in the in Advanced Pane
. Click _Settings_
. Select _Manual proxy configuration_
.. input *127.0.0.1* as the Proxy
.. input *8090* as the port
.. check the _Use this proxy server for all protocols_ checkbox
image::plugin_lessons/plugin/HttpBasics/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
==== Chrome Proxy Config
. Bring up Chrome's settings form the menu
. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
. Click the _Change proxy settings_ button
. Select the _proxies_ tab
. Select Web Proxy (HTTP)
. Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
image::plugin_lessons/plugin/HttpBasics/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]

6
webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro3.adoc Normal file
View File

@ -0,0 +1,6 @@
=== Confirm it's working
You should now be able to browse somewhere. We suggest starting with a plain http host.
If it's working, ZAP's history tab will start to look something like this.
image::plugin_lessons/plugin/HttpBasics/images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]