Integrate ZAP 2.8.0 (no HUB), as the setup is different; also update the filtering, as the usual ZAP exclusion is again broken

This commit is contained in:
Nanne Baars 2019-11-11 16:42:47 +01:00 committed by Nanne Baars
parent d8844216cc
commit 7d48427d4f
7 changed files with 40 additions and 50 deletions


@ -11,7 +11,7 @@
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1-old-way.adoc"></div>
</div>
<div class="lesson-page-wrapper">
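Review bot: confirm that `doc:HttpBasics_ProxyIntro1-old-way.adoc` exists under the lesson's doc directory and that nothing else still references the replaced `doc:HttpBasics_ProxyIntro2.adoc`; the visible diff shows neither a rename nor a deletion of the old file, and a dangling `th:replace` target fails at render time rather than at build time, so the lesson page would break only when a user opens it.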

Binary file not shown (image added, 88 KiB).

Binary file not shown (image added, 302 KiB).


@ -1,21 +1,20 @@
== HTTP Proxy Setup: The Browser
== Setting up other HTTP Proxy Tools
*Important: Firefox no longer proxies traffic for localhost (127.0.0.1) due to security reasons*.
The are two options to bypass this restriction:
=== Configure the proxy tool
Configure the proxy tool to listen on a free port on your localhost.
=== Configure the browser
*It is important to note that the latest versions of Firefox and Chrome no longer proxy traffic from localhost by default.*
The are a couple of options to bypass this restriction:
- Use the host name of your machine instead of `localhost`, you can find or add a host name in `/etc/hosts` on Linux and MacOSX and `C:\Windows\System32\drivers\etc` on Windows
- Set the preference `network.proxy.allow_hijacking_localhost` (accessible through the `about:config` page) must be set to `true.
The first option is the preferred one, but it might be that for some reason you are unable to use this option you can fallback to the second one.
{nbsp} +
- To proxy localhost (and related addresses) with newer Firefox versions (>= 67) the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.
- To proxy localhost (and related addresses) with newer Chrome versions (>= 72) the command line argument --proxy-bypass-list=<-loopback> must be provided.
There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
=== Firefox Proxy Config
==== Firefox Proxy Config
. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
. Select _Advanced_ on the left
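Review bot: the new text in this hunk carries several wording defects: `The are a couple of options` should read `There are a couple of options`; the bullet `Set the preference ... must be set to `true.` both doubles the verb and leaves the backtick unclosed (suggest `Set the preference `network.proxy.allow_hijacking_localhost` (accessible through the `about:config` page) to `true``); the Windows path `C:\Windows\System32\drivers\etc` stops at the directory while the Linux/macOS path names the `hosts` file; and `The first option is the preferred one, but it might be that for some reason you are unable to use this option you can fallback to the second one` needs restructuring (e.g. `..., but if for some reason you cannot use it, fall back to the second one`). Also note that the removed bullets covered Chrome (`--proxy-bypass-list=<-loopback>`) as well as Firefox, whereas the replacement lists only the Firefox preference, so Chrome users proxying localhost lose that guidance.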
@ -28,7 +27,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust
image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
=== Chrome Proxy Config
==== Chrome Proxy Config
. Bring up Chrome's settings form the menu
. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
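Review bot: `Bring up Chrome's settings form the menu` should read `from the menu`; the line is carried over unchanged, so this is a good moment to fix it while the heading is being demoted to `====`.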
@ -59,4 +58,4 @@ or based on URL patterns. Examples include:
* FoxyProxy for Firefox
* Proxy Switcher for Firefox
* Toggle Proxy for Firefox
* Still looking for suggestions for Chrome ...
* Still looking for suggestions for Chrome ..
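Review bot: the only change here is `...` to `..` on the `Still looking for suggestions for Chrome` bullet, which looks accidental; either revert it or use the same ellipsis as the rest of the page.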


@ -4,32 +4,15 @@
Since this is an OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
this will show you how to set up ZAP to act as a proxy on your localhost.
=== Setting up ZAP
=== Setting up ZAP >= 2.8.0
Once you have 'installed' ZAP (you don't really install it, just unpack it and run it locally), we will need to:
If you use the latest ZAP version (>= 2.8.0) you only need to start ZAP and click the browser button to be able to
proxy, see image below:
* Start ZAP
* Configure the local proxy port
* Point the browser at the proxy
image::images/zap-browser-button.png[ZAP Start,style="lesson-image"]
=== Start ZAP
When ZAP starts, you will be presented with a dialog such as the one below ...
{nbsp}+
image::images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
=== Set ZAP's port (if running WebGoat locally)
*NOTE*: The following proxy set up is only needed if you are running WebGoat locally. If it's on a remote server, or you are running on
WebGoat (or any application) that is not using port 8080 locally, you can leave ZAP at it's default. and use 8080, instead of
8090 when setting up your browser to proxy (next page).
If you are setting up ZAP while running WebGoat locally ...
* Open ZAP
* Go to Tools >> Options in the menu
* Select 'Local Proxy' on the left
* Input 8090 for the 'Port'
*Remember*: If you are not running WebGoat locally, leave this setting alone, skip to the next page and use 8080 instead of 8090
image::images/zap-local-proxy-8090.png[ZAP Proxy Config,750,587,style="lesson-image"]
To setup a different browser continue to the next page and read how to set it up in section: 'Configure the browser'.
In all other cases you can skip the next page and continue to the page titled 'Confirm it's working' to check whether it is working.
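Review bot: the removed text explained that ZAP's default proxy port collides with a locally running WebGoat on 8080 and how to move ZAP to 8090; the replacement says only to start ZAP and `click the browser button` and drops the port guidance entirely, so the 8080 conflict the old text warned about is no longer mentioned anywhere on the page. Keep a short note about the Local Proxy port for readers who run WebGoat on 8080. Also: the alt text `ZAP Start` is reused for `zap-browser-button.png` and should describe the browser button instead, and `proxy, see image below:` breaks the sentence across lines.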


@ -1,24 +1,32 @@
=== Exclude WebGoat internal requests
=== Exclude WebGoat internal requests (ZAP >= 2.8.0)
Before we start diving into intercepting requests with ZAP we need to exclude the internal requests from the WebGoat
framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat.
Right click on one of the links in history tab and select: `Exclude from -> Proxy`, see image below:
In the main ZAP window click on Filter, see image below
image::images/zap_exclude.png[Select URL from history,style="lesson-image"]
image::images/zap-exclude.png[Exclude internal APIs from WebGoat,style="lesson-image"]
{nbsp}
{nbsp}
A new window will open and add the following entries:
Then in the `URL Inc Regex` box type:
```
./WebGoat/service/..mvc
```
[source]
----
http://localhost:8080/WebGoat/.*
----
Click Ok to close the window, ZAP will now no longer proxy internal WebGoat requests.
And in the `URL Exc Regex` box type:
[source]
----
.*/WebGoat/service/.*mvc
----
Click 'Apply to close the window, ZAP will now no longer show internal WebGoat requests.
image::images/zap_exclude_url.png[Exclude internal APIs from WebGoat,style="lesson-image"]
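Review bot: the `URL Inc Regex` value `http://localhost:8080/WebGoat/.*` hardcodes scheme, host and port, so the filter silently matches nothing for readers who run WebGoat on another port, on a remote host, or who address it by the machine host name as the browser-setup page now recommends; a host-agnostic pattern such as `.*/WebGoat/.*`, the same shape as the exclude regex `.*/WebGoat/service/.*mvc`, avoids that. Minor: `Click 'Apply to close the window` has an unclosed quote, and `click on Filter, see image below` is missing its full stop.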


@ -40,7 +40,7 @@ var html = '<tr class="STATUS">' +
'</tr>';
function getServers(column) {
$.get("SqlInjection/servers?column=" + column, function (result, status) {
$.get("SqlInjectionMitigations/servers?column=" + column, function (result, status) {
$("#servers").empty();
for (var i = 0; i < result.length; i++) {
var server = html.replace('ID', result[i].id);
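Review bot: the endpoint moves from `SqlInjection/servers` to `SqlInjectionMitigations/servers`, so the server-side mapping (and any test hitting the old path) must be renamed in the same change; otherwise the `$.get` returns 404 and `#servers` is emptied and never refilled. The controller side is not in the visible diff. While touching this function, note that `html.replace('ID', result[i].id)` builds markup by string substitution: it replaces only the first `ID` occurrence and inserts the response value into the HTML without escaping, so for a lesson that deliberately returns injected query results, rendering the fields as text (for example `$('<td>').text(result[i].id)`) would keep an injected value from becoming DOM XSS in the lesson page itself.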