@ -85,43 +85,4 @@
</div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
method="POST"
action="/WebGoat/HttpBasics/intercept-request"
enctype="application/json;charset=UTF-8">
<input type="text" value="doesn't matter really" name="changeMe" />
<input type="submit" value="Submit" />
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>
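Review bot: the removed form posts to `action="/WebGoat/HttpBasics/intercept-request"`; if the server-side assignment behind that path is not deleted or moved in the same change it becomes a dangling endpoint that still accepts submissions but is no longer reachable from any lesson page. The comment on the removed block also says the referenced content lives under `src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc`, so check that `HttpBasics_ProxyIntro1.adoc` through `HttpBasics_ProxyIntro3.adoc` and `HttpBasics_ProxyIntercept.adoc` are removed for every `{lang}` directory, not only the one whose deletions appear below. If the form is being relocated rather than retired, drop `accept-charset="UNKNOWN"` and `enctype="application/json;charset=UTF-8"` on the way: neither is a value the browser itself honours for a form submission (a plain submit goes out as `application/x-www-form-urlencoded` regardless), so the attributes only mislead readers of the lesson source.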
(seven binary image files removed: 279 KiB, 200 KiB, 56 KiB, 205 KiB, 406 KiB, 210 KiB, 79 KiB)
@ -1,25 +0,0 @@
=== Use the intercept
To incercept a request, you start by clicking the green button. This will set a break point for the next request.
image::plugin_lessons/plugin/HttpBasics/images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
NOTE: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
That's part of what hackers do ... explore!
Once you are interecepting requests and a request is made, it should look something like this:
image::plugin_lessons/plugin/HttpBasics/images/proxy-intercept-details.png[ZAP history tab,1269,337,style="lesson-image"]
=== Intercept and modify a request
Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
modify it as follows.
* Change the Method to GET
* Add a header 'x-request-intercepted:true'
* Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes)
Then let the request continue through (by hitting the play button).
NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.
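Review bot: this page is the only place that spells out what the `intercept-request` assignment checks for (method changed to GET, header `x-request-intercepted:true`, `changeMe` set to `Requests are tampered easily`), so if that assignment survives anywhere else these instructions have to move with it or the check becomes unsolvable from the UI. Only relevant if the text is being migrated rather than dropped: `incercept`, `interecepting` and `When you request is intercepted` are typos, and the second screenshot reuses the `ZAP history tab` alt text and `1269,337` dimensions of the history screenshot although it shows the intercepted request details.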
@ -1,30 +0,0 @@
= HTTP Basics : Proxy
== HTTP Proxy Setup
HTTP Proxies are tools that allow an attacker, developer or researcher to act as a man-in-the-middle on requests and responses. Since this is an
OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
this will show you how to set up ZAP to act as a proxy on your localhost.
=== Setting up ZAP
Once you have 'installed' ZAP (you don't really install it, just unpack it and run it locally), we will need to:
* Start ZAP
* Configure the local proxy port
* Point the browser at the proxy
=== Start ZAP
When ZAP starts, you will be presented with a dialog such as the one below ...
image::plugin_lessons/plugin/HttpBasics/images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
=== Configure Proxy's Port
. Select Tools > Options from the menu
. Select Local Proxy on the left
. Choose an available port ... Since WebGoat is using port 8080, use something different like 8090
. Click OK
image::plugin_lessons/plugin/HttpBasics/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
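Review bot: dropping this page removes the only lesson text that tells learners to put the proxy on a port other than WebGoat's own 8080 (`use something different like 8090`), and the browser configuration page that follows hard-codes `8090` on that basis; if the proxy setup is moving to a shared lesson, carry the port caveat over so the browser instructions stay consistent. The two screenshots referenced here, `zap-start.png` and `zap-local-proxy.png` under `plugin_lessons/plugin/HttpBasics/images/`, should be removed in the same change so no orphaned assets remain.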
@ -1,31 +0,0 @@
== HTTP Proxy Setup: The Browser
=== Point Browser at Proxy
There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
==== Firefox Proxy Config
. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.
. Select _Advanced_ on the left
. Select _Network_ in the in Advanced Pane
. Click _Settings_
. Select _Manual proxy configuration_
.. input *127.0.0.1* as the Proxy
.. input *8090* as the port
.. check the _Use this proxy server for all protocols_ checkbox
image::plugin_lessons/plugin/HttpBasics/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
==== Chrome Proxy Config
. Bring up Chrome's settings form the menu
. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
. Click the _Change proxy settings_ button
. Select the _proxies_ tab
. Select Web Proxy (HTTP)
. Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
image::plugin_lessons/plugin/HttpBasics/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
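Review bot: the deleted text promises the HTTPS problem will be covered later (`Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though`) but no remaining page of this lesson does; the confirmation page only advises starting with a plain http host. If this material is being relocated, either add the step that makes the browser trust the proxy's CA certificate or cut the promise. Also fix `127..0.0.1` (double dot) in the Chrome step, `form the menu`, and `in the in Advanced Pane` before reuse.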
@ -1,6 +0,0 @@
=== Confirm it's working
You should now be able to browse somewhere. We suggest starting with a plain http host.
If it's working, ZAP's history tab will start to look something like this.
image::plugin_lessons/plugin/HttpBasics/images/zap-history.png[ZAP history tab,1269,337,style="lesson-image"]
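Review bot: `We suggest starting with a plain http host` is given without its reason, which the browser page only hints at: until the browser trusts the proxy's certificate, https requests through the proxy fail or warn, so a failing https request at this point is expected rather than a sign of a broken setup. If the confirmation step is kept elsewhere, state that in one sentence next to the suggestion, and reference the page that covers trusting the certificate so learners are not left with an unexplained failure.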