From 2b31a19143fc7dae1128547e2b2ae8b7f000f76c Mon Sep 17 00:00:00 2001 
From: Jason White Date: Fri, 27 Jan 2017 15:39:31 -0500 Subject: [PATCH] #319 --- .../plugin/HttpBasics/html/HttpBasics.html | 39 ----------- webgoat-lessons/http-proxies/pom.xml | 12 ++++ .../plugin/HttpBasicsInterceptRequest.java | 59 ++++++++++++++++ .../org/owasp/webgoat/plugin/HttpProxies.java | 63 ++++++++++++++++++ .../plugin/HttpProxies/html/HttpProxies.html | 44 ++++++++++++ .../images/chrome-manual-proxy.png | Bin .../images/firefox-proxy-config.png | Bin .../images/proxy-intercept-button.png | Bin .../images/proxy-intercept-details.png | Bin .../HttpProxies}/images/zap-history.png | Bin .../HttpProxies}/images/zap-local-proxy.png | Bin .../plugin/HttpProxies}/images/zap-start.png | Bin .../lessonPlans/de/HttpBasics.html | 29 ++++++++ .../en/HttpBasics_ProxyIntercept.adoc | 4 +- .../en/HttpBasics_ProxyIntro1.adoc | 4 +- .../en/HttpBasics_ProxyIntro2.adoc | 4 +- .../en/HttpBasics_ProxyIntro3.adoc | 2 +- .../lessonPlans/ru/HttpBasics.html | 33 +++++++++ .../en/HttpBasics_solution.adoc | 5 ++ .../lessonSolutions/html/HttpBasics.html | 14 ++++ .../plugin/i18n/WebGoatLabels.properties | 15 +++++ webgoat-lessons/pom.xml | 1 + 22 files changed, 282 insertions(+), 46 deletions(-) create mode 100644 webgoat-lessons/http-proxies/pom.xml create mode 100644 webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java create mode 100644 webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpProxies.java create mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => http-proxies/src/main/resources/plugin/HttpProxies}/images/chrome-manual-proxy.png (100%) rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => http-proxies/src/main/resources/plugin/HttpProxies}/images/firefox-proxy-config.png (100%) rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => 
http-proxies/src/main/resources/plugin/HttpProxies}/images/proxy-intercept-button.png (100%) rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => http-proxies/src/main/resources/plugin/HttpProxies}/images/proxy-intercept-details.png (100%) rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => http-proxies/src/main/resources/plugin/HttpProxies}/images/zap-history.png (100%) rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => http-proxies/src/main/resources/plugin/HttpProxies}/images/zap-local-proxy.png (100%) rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => http-proxies/src/main/resources/plugin/HttpProxies}/images/zap-start.png (100%) create mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => http-proxies/src/main/resources/plugin/HttpProxies}/lessonPlans/en/HttpBasics_ProxyIntercept.adoc (80%) rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => http-proxies/src/main/resources/plugin/HttpProxies}/lessonPlans/en/HttpBasics_ProxyIntro1.adoc (80%) rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => http-proxies/src/main/resources/plugin/HttpProxies}/lessonPlans/en/HttpBasics_ProxyIntro2.adoc (84%) rename webgoat-lessons/{http-basics/src/main/resources/plugin/HttpBasics => http-proxies/src/main/resources/plugin/HttpProxies}/lessonPlans/en/HttpBasics_ProxyIntro3.adoc (63%) create mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html create mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc create mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html create mode 100644 
webgoat-lessons/http-proxies/src/main/resources/plugin/i18n/WebGoatLabels.properties diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html b/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html index c432070d5..d57a81e3a 100644 --- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html +++ b/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html @@ -85,43 +85,4 @@ -
- - -
-
- -
- - -
-
- -
- - -
-
- -
- -
-
-
-
- - - - -
-
-
-
-
\ No newline at end of file diff --git a/webgoat-lessons/http-proxies/pom.xml b/webgoat-lessons/http-proxies/pom.xml new file mode 100644 index 000000000..f11096287 --- /dev/null +++ b/webgoat-lessons/http-proxies/pom.xml @@ -0,0 +1,12 @@ + + 4.0.0 + http-proxies + jar + + org.owasp.webgoat.lesson + webgoat-lessons-parent + 8.0-SNAPSHOT + + + diff --git a/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java b/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java new file mode 100644 index 000000000..36c764821 --- /dev/null +++ b/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java 
@@ -0,0 +1,59 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.endpoints.AssignmentHints;
+import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.lessons.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
+ */
+@AssignmentPath("/HttpProxies/intercept-request")
+public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
+
+ @RequestMapping(method = RequestMethod.GET)
+ public @ResponseBody AttackResult completed(HttpServletRequest request) throws IOException {
+ if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
+ return trackProgress(AttackResult.success("Well done, you tampered the request as expected"));
+ } else {
+ return trackProgress(AttackResult.failed("Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!"));
+ }
+ }
+}
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpProxies.java b/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpProxies.java
new file mode 100644
index 000000000..ad87c7c20
--- /dev/null
+++ b/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpProxies.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
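Review bot: `completed` dereferences both `request.getHeader("x-request-intercepted")` and `request.getParameter("changeMe")` without a null check, so a request that lacks the header or the parameter — the normal state before the learner has modified anything — ends in a NullPointerException instead of the "Please try again" result. Putting the literal on the left fails closed on absent input: `if ("true".equalsIgnoreCase(request.getHeader("x-request-intercepted")) && "Requests are tampered easily".equals(request.getParameter("changeMe"))) {`, which also drops the locale-dependent `toLowerCase()`. Whether the surrounding framework already maps the exception to a failed attempt is not visible from this hunk. The `AssignmentHints` and `RequestParam` imports and the `throws IOException` clause are unused and can be removed.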

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class HttpProxies extends NewLesson {
+ @Override
+ public Category getDefaultCategory() {
+ return Category.GENERAL;
+ }
+
+ @Override
+ public List getHints() {
+ return Lists.newArrayList();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 2;
+ }
+
+ @Override
+ public String getTitle() {
+ return "http-proxies.title";
+ }
+
+ @Override
+ public String getId() {
+ return "HttpProxies";
+ }
+}
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html
new file mode 100644
index 000000000..7af1444ae
--- /dev/null
+++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html
@@ -0,0 +1,44 @@ + + + + +
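Review bot: `getHints()` is declared with the raw type `List` and builds its result through `com.beust.jcommander.internal.Lists`, an internal package of a command-line parsing library pulled in for a one-line helper; `return new ArrayList<>();` from `java.util` (or `Collections.emptyList()` if callers never add to the list) gives the same empty list without the foreign dependency, and the signature should carry whatever element type `NewLesson` declares. The `WebGoatLabels.properties` added later in this commit defines `http-basics.hints.*` keys, including one about intercepting the request with ZAP, while this lesson returns no hints at all, so those labels may never be shown — worth checking against how `getHints` is consumed. The header's `Copyright (c) 2002 - 20014` year looks like a typo for 2014.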

+ + +
+
+ +
+ + +
+
+ +
+ + +
+
+ +
+ +
+
+
+
+ + + + +
+
+
+
+
+ \ No newline at end of file diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/chrome-manual-proxy.png b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/chrome-manual-proxy.png similarity index 100% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/chrome-manual-proxy.png rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/chrome-manual-proxy.png diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/firefox-proxy-config.png b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/firefox-proxy-config.png similarity index 100% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/firefox-proxy-config.png rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/firefox-proxy-config.png diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/proxy-intercept-button.png b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/proxy-intercept-button.png similarity index 100% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/proxy-intercept-button.png rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/proxy-intercept-button.png diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/proxy-intercept-details.png b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/proxy-intercept-details.png similarity index 100% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/proxy-intercept-details.png rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/proxy-intercept-details.png 
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/zap-history.png b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-history.png similarity index 100% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/zap-history.png rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-history.png diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/zap-local-proxy.png b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-local-proxy.png similarity index 100% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/zap-local-proxy.png rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-local-proxy.png diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/zap-start.png b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-start.png similarity index 100% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/zap-start.png rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/images/zap-start.png diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html new file mode 100644 index 000000000..a41ca8309 --- /dev/null +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html @@ -0,0 +1,29 @@ +
+

Lehrplan: Http Basics

+
+ +

Lehrinhalt:

+ Diese Lektion stellt die Verständnis-Grundlagen für den Datentransport zwischen Browser und Webapplikation dar.
+
+

+So funktioniert HTTP: +

+Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem Kφrper. +Der Client initiiert eine Transaktion wie folgt:
+
+ Der Client kontaktiert den Server und sendet eine Dokumentenanfrage
+
+
+ + Als nächstes sendet der Client optionale Kopfzeilen (Header) um den Server über die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.
+
+ +Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet. +
+

Grundsätzliche(s) Ziel(e):

+ +Geben Sie Ihren Namen in das Eingabefeld ein und drόcken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zurόckschicken. Dies stellt eine vollständige HTTP Transaktion dar! +

+Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Knφpfe für Hinweise (Hints), für das Anzeigen von Parametern(Parameters) oder Cookies und für das Anzeigen von Java-Quellcode ausprobiert werden. +Auίerdem, können Sie hier WebScarab gut ausprobieren. + \ No newline at end of file diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntercept.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntercept.adoc similarity index 80% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntercept.adoc rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntercept.adoc index 37f362c77..8f66cc0fb 100644 --- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntercept.adoc +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntercept.adoc 
@@ -2,14 +2,14 @@ To incercept a request, you start by clicking the green button. This will set a break point for the next request. -image::plugin_lessons/plugin/HttpBasics/images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"] +image::plugin_lessons/plugin/HttpProxies/images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"] NOTE: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore. That's part of what hackers do ... explore! Once you are interecepting requests and a request is made, it should look something like this: -image::plugin_lessons/plugin/HttpBasics/images/proxy-intercept-details.png[ZAP history tab,1269,337,style="lesson-image"] +image::plugin_lessons/plugin/HttpProxies/images/proxy-intercept-details.png[ZAP history tab,1269,337,style="lesson-image"] === Intercept and modify a request diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro1.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc similarity index 80% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro1.adoc rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc index bf67238b4..f61485bd3 100644 --- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro1.adoc +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc 
@@ -17,7 +17,7 @@ Once you have 'installed' ZAP (you don't really install it, just unpack it and r === Start ZAP When ZAP starts, you will be presented with a dialog such as the one below ... -image::plugin_lessons/plugin/HttpBasics/images/zap-start.png[ZAP Start,548,256,style="lesson-image"] +image::plugin_lessons/plugin/HttpProxies/images/zap-start.png[ZAP Start,548,256,style="lesson-image"] === Configure Proxy's Port @@ -26,5 +26,5 @@ image::plugin_lessons/plugin/HttpBasics/images/zap-start.png[ZAP Start,548,256,s . Choose an available port ... Since WebGoat is using port 8080, use something different like 8090 . Click OK -image::plugin_lessons/plugin/HttpBasics/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"] +image::plugin_lessons/plugin/HttpProxies/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"] diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro2.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc similarity index 84% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro2.adoc rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc index 4104b0280..cf200141d 100644 --- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro2.adoc +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc 
@@ -16,7 +16,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust .. input *8090* as the port .. check the _Use this proxy server for all protocols_ checkbox -image::plugin_lessons/plugin/HttpBasics/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"] +image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"] ==== Chrome Proxy Config @@ -28,4 +28,4 @@ image::plugin_lessons/plugin/HttpBasics/images/firefox-proxy-config.png[Firefox . Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right) . You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to -image::plugin_lessons/plugin/HttpBasics/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"] \ No newline at end of file +image::plugin_lessons/plugin/HttpProxies/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"] \ No newline at end of file diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro3.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro3.adoc similarity index 63% rename from webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro3.adoc rename to webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro3.adoc index 036411d10..06667d532 100644 --- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntro3.adoc +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro3.adoc 
@@ -3,4 +3,4 @@ You should now be able to browse somewhere. We suggest starting with a plain http host. If it's working, ZAP's history tab will start to look something like this. -image::plugin_lessons/plugin/HttpBasics/images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"] \ No newline at end of file +image::plugin_lessons/plugin/HttpProxies/images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"] \ No newline at end of file diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html new file mode 100644 index 000000000..ec21ec7ed --- /dev/null +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html @@ -0,0 +1,33 @@ +
+

НазваниС ΡƒΡ€ΠΎΠΊΠ°: ΠžΡΠ½ΠΎΠ²Ρ‹ Http

+
+ +

Π’Π΅ΠΌΠ° изучСния:

+Π’ Π΄Π°Π½Π½ΠΎΠΌ ΡƒΡ€ΠΎΠΊΠ΅ прСдставлСны основы Π½Π΅ΠΎΠ±Ρ…ΠΎΠ΄ΠΈΠΌΡ‹Π΅ для понимания процСсса ΠΏΠ΅Ρ€Π΅Π΄Π°Ρ‡ΠΈ Π΄Π°Π½Π½Ρ‹Ρ… ΠΌΠ΅ΠΆΠ΄Ρƒ Π±Ρ€Π°ΡƒΠ·Π΅Ρ€ΠΎΠΌ ΠΈ Π²Π΅Π±-ΠΏΡ€ΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΠ΅ΠΌ.
+
+

+Как Ρ€Π°Π±ΠΎΡ‚Π°Π΅Ρ‚ HTTP: +

+ВсС обращСния ΠΏΠΎ ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Ρƒ HTTP ΠΈΠΌΠ΅ΡŽΡ‚ ΠΎΠ΄ΠΈΠ½ основной Ρ„ΠΎΡ€ΠΌΠ°Ρ‚. ΠšΠ°ΠΆΠ½Ρ‹ΠΉ запрос ΠΊΠ»ΠΈΠ΅Π½Ρ‚Π° ΠΈΠ»ΠΈ ΠΎΡ‚Π²Π΅Ρ‚ сСрвСра состоит ΠΈΠ· Ρ‚Ρ€Ρ‘Ρ… частСй: +строка запроса ΠΈΠ»ΠΈ ΠΎΡ‚Π²Π΅Ρ‚Π°, Π·Π°Π³ΠΎΠ»ΠΎΠ²ΠΎΠΊ ΠΈ Ρ‚Π΅Π»ΠΎ. ΠšΠ»ΠΈΠ΅Π½Ρ‚ Π½Π°Ρ‡ΠΈΠ½Π°Π΅Ρ‚ ΠΏΡ€Π΅Π΄Π°Ρ‡Ρƒ Π΄Π°Π½Π½Ρ‹Ρ… ΡΠ»Π΅Π΄ΡƒΡŽΡ‰ΠΈΠΌ ΠΎΠ±Ρ€Π°Π·ΠΎΠΌ:
+
+ Он соСдиняСтся с сСрвСром ΠΈ отправляСт запрос для получСния Π΄ΠΎΠΊΡƒΠΌΠ΅Π½Ρ‚Π°
+
+
+ +Π”Π°Π»Π΅Π΅ ΠΎΠ½ ΡˆΠ»Ρ‘Ρ‚ Ρ€Π°Π·Π»ΠΈΡ‡Π½ΡƒΡŽ ΠΈΠ½Ρ„ΠΎΡ€ΠΌΠ°Ρ†ΠΈΡŽ Π² Ρ€Π°Π·Π΄Π΅Π»Π΅ Π·Π°Π³ΠΎΠ»ΠΎΠ²ΠΊΠ° Ρ‡Ρ‚ΠΎΠ± ΡƒΠ²Π΅Π΄ΠΎΠΌΠΈΡ‚ΡŒ сСрвСр ΠΎ своСй ΠΊΠΎΠ½Ρ„ΠΈΠ³ΡƒΡ€Π°Ρ†ΠΈΠΈ ΠΈ возмоТностях +(Π½Π°ΠΏΡ€ΠΈΠΌΠ΅Ρ€ ΠΊΠ°ΠΊΠΈΠ΅ ΠΊΠΎΠ΄ΠΈΡ€ΠΎΠ²ΠΊΠΈ ΠΈ Ρ‚ΠΈΠΏΡ‹ Π΄ΠΎΠΊΡƒΠΌΠ΅Π½Ρ‚ΠΎΠ² ΠΏΠΎΠ΄Π΄Π΅Ρ€ΠΆΠΈΠ²Π°ΡŽΡ‚ΡΡ ΠΊΠ»ΠΈΠ΅Π½Ρ‚ΠΎΠΌ).
+
+ +ПослС ΠΎΡ‚ΠΏΡ€Π°Π²ΠΊΠΈ запроса ΠΈ Π·Π°Π³ΠΎΠ»ΠΎΠ²ΠΊΠΎΠ² ΠΊΠ»ΠΈΠ΅Π½Ρ‚ ΠΌΠΎΠΆΠ΅Ρ‚ ΠΎΡ‚ΠΏΡ€Π°Π²ΠΈΡ‚ΡŒ Π΄ΠΎΠΏΠΎΠ»Π½ΠΈΡ‚Π΅Π»ΡŒΠ½Ρ‹Π΅ Π΄Π°Π½Π½Ρ‹Π΅. Они Π² Π±ΠΎΠ»ΡŒΡˆΠΈΠ½ΡΡ‚Π²Π΅ случаСв +ΠΏΡ€Π΅Π΄Π½Π°Π·Π½Π°Ρ‡Π°ΡŽΡ‚ΡΡ для CGI-ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΡŽΡ‰ΠΈΡ… ΠΌΠ΅Ρ‚ΠΎΠ΄ POST для принятия ΠΈΠ½Ρ„ΠΎΡ€ΠΌΠ°Ρ†ΠΈΠΈ.
+

ΠžΡΠ½ΠΎΠ²Π½Ρ‹Π΅ Ρ†Π΅Π»ΠΈ ΠΈ Π·Π°Π΄Π°Ρ‡ΠΈ:

+ +Π’Π²Π΅Π΄ΠΈΡ‚Π΅ вашС имя Π² ΠΏΠΎΠ»Π΅ располоТСнноС Π½ΠΈΠΆΠ΅ ΠΈ Π½Π°ΠΆΠΌΠΈΡ‚Π΅ "Π’ΠΏΠ΅Ρ€Ρ‘Π΄!" для ΠΎΡ‚ΠΏΡ€Π°Π²ΠΊΠΈ Ρ„ΠΎΡ€ΠΌΡ‹. Π‘Π΅Ρ€Π²Π΅Ρ€ ΠΏΡ€ΠΈΠΌΠ΅Ρ‚ ваш запрос, выстроит +ΠΏΠΎΠ»ΡƒΡ‡Π΅Π½Π½ΡƒΡŽ строку Π² ΠΎΠ±Ρ€Π°Ρ‚Π½ΠΎΠΌ порядкС ΠΈ Π²Ρ‹Π²Π΅Π΄Π΅Ρ‚ Ρ€Π΅Π·ΡƒΠ»ΡŒΡ‚Π°Ρ‚ Π½Π° экран. Π”Π°Π½Π½Ρ‹ΠΉ ΠΏΡ€ΠΈΠΌΠ΅Ρ€ ΠΈΠ»Π»ΡŽΡΡ‚Ρ€ΠΈΡ€ΡƒΠ΅Ρ‚ основы ΠΎΠ±Ρ€Π°Π±ΠΎΡ‚ΠΊΠΈ Π΄Π°Π½Π½Ρ‹Ρ… +ΠΏΠΎΠ»ΡƒΡ‡Π΅Π½Π½Ρ‹Ρ… ΠΈΠ· HTTP-запроса. +

+ΠŸΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚Π΅Π»ΡŽ Π½Π΅ΠΎΠ±Ρ…ΠΎΠ΄ΠΈΠΌΠΎ ознакомится с использованиСм Ρ„ΡƒΠ½ΠΊΡ†ΠΈΠΉ WebGoat, Ρ‚Π°ΠΊΠΈΡ… ΠΊΠ°ΠΊ просмотр подсказок, ΠΎΡ‚ΠΎΠ±Ρ€Π°ΠΆΠ΅Π½ΠΈΠ΅ ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€ΠΎΠ² HTTP-запроса, +ΠΎΡ‚ΠΎΠ±Ρ€Π°ΠΆΠ΅Π½ΠΈΠ΅ Cookies ΠΈ исходных ΠΊΠΎΠ΄ΠΎΠ² Java. ΠŸΠ΅Ρ€Π²ΠΎΠ΅ врСмя, Π² качСствС ΠΏΡ€Π°ΠΊΡ‚ΠΈΠΊΠΈ, для просмотра ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€ΠΎΠ² ΠΈ Cookies +запросов Π²Ρ‹ ΠΌΠΎΠΆΠ΅Ρ‚Π΅ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚ΡŒ WebScarab. + \ No newline at end of file diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc new file mode 100644 index 000000000..a6293919c --- /dev/null +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc @@ -0,0 +1,5 @@ += HTTP Basics + +== Solution + +Solution goes here \ No newline at end of file diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html new file mode 100644 index 000000000..42219764e --- /dev/null +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html @@ -0,0 +1,14 @@ + + + + + + +
+ + +
+
+ + + \ No newline at end of file diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/http-proxies/src/main/resources/plugin/i18n/WebGoatLabels.properties new file mode 100644 index 000000000..c640e4e79 --- /dev/null +++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/i18n/WebGoatLabels.properties @@ -0,0 +1,15 @@ +http-basics.EnterYourName=Enter your Name +http-basics.Go!=Go! +http-proxies.title=HTTP Proxies + + +http-basics.hints.http_basics_lesson.1=Type in your name and press 'go' +http-basics.hints.http_basic_quiz.1=Turn on Show Parameters or other features +http-basics.hints.http_basic_quiz.2=Try to intercept the request with OWASP ZAP + + +http-basics.reversed=The server has reversed your name: {0} + +http-basics.close=You are close, try again: {0} +http-basics.incorrect=the HTTP Command is incorrect. +http-basics.magic=the magic number is incorrect. \ No newline at end of file diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index 4a53dfd52..190ae2f84 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -17,6 +17,7 @@ client-side-filtering cross-site-scripting http-basics + http-proxies sql-injection xxe idor