Integrate ZAP 2.8.0 (no HUB) as the setup is different also update the filtering as usual ZAP exclusion is again broken

2019-11-11 16:42:47 +01:00 · 2019-11-11 16:42:47 +01:00 · 7d48427d4f
commit 7d48427d4f
parent d8844216cc
7 changed files with 40 additions and 50 deletions
--- a/webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html
+++ b/webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html
@ -11,7 +11,7 @@
 	</div>
    <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1-old-way.adoc"></div>
    </div>
    <div class="lesson-page-wrapper">
--- a/webgoat-lessons/http-proxies/src/main/resources/images/zap-browser-button.png
+++ b/webgoat-lessons/http-proxies/src/main/resources/images/zap-browser-button.png
--- a/webgoat-lessons/http-proxies/src/main/resources/images/zap-exclude.png
+++ b/webgoat-lessons/http-proxies/src/main/resources/images/zap-exclude.png
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1-old-way.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1-old-way.adoc
@ -1,21 +1,20 @@
-== HTTP Proxy Setup: The Browser
+== Setting up other HTTP Proxy Tools
-*Important: Firefox no longer proxies traffic for localhost (127.0.0.1) due to security reasons*.
+=== Configure the proxy tool
-The are two options to bypass this restriction:
+
 Configure the proxy tool to listen on a free port on your localhost.
 === Configure the browser
 *It is important to note that the latest versions of Firefox and Chrome no longer proxy traffic from localhost by default.*
 The are a couple of options to bypass this restriction:
 - Use the host name of your machine instead of `localhost`, you can find or add a host name in `/etc/hosts` on Linux and MacOSX and `C:\Windows\System32\drivers\etc` on Windows
- Set the preference `network.proxy.allow_hijacking_localhost` (accessible through the `about:config` page) must be set to `true.
+- To proxy localhost (and related addresses) with newer Firefox versions (>= 67) the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.
-
+- To proxy localhost (and related addresses) with newer Chrome versions (>= 72) the command line argument --proxy-bypass-list=<-loopback> must be provided.
 The first option is the preferred one, but it might be that for some reason you are unable to use this option you can fallback to the second one.
 {nbsp} +
-There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
+==== Firefox Proxy Config
 This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
 === Firefox Proxy Config
 . Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
 . Select _Advanced_ on the left
@ -28,7 +27,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust
 image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
-=== Chrome Proxy Config
+==== Chrome Proxy Config
 . Bring up Chrome's settings form the menu
 . In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
@ -59,4 +58,4 @@ or based on URL patterns. Examples include:
 * FoxyProxy for Firefox
 * Proxy Switcher for Firefox
 * Toggle Proxy for Firefox
-* Still looking for suggestions for Chrome ...
+* Still looking for suggestions for Chrome ..
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
@ -4,32 +4,15 @@
 Since this is an OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
 this will show you how to set up ZAP to act as a proxy on your localhost.
-=== Setting up ZAP
+=== Setting up ZAP >= 2.8.0
-Once you have 'installed' ZAP (you don't really install it, just unpack it and run it locally), we will need to:
+If you use the latest ZAP version (>= 2.8.0) you only need to start ZAP and click the browser button to be able to
 proxy, see image below:
-* Start ZAP
+image::images/zap-browser-button.png[ZAP Start,style="lesson-image"]
 * Configure the local proxy port
 * Point the browser at the proxy
-=== Start ZAP
+{nbsp}+
 When ZAP starts, you will be presented with a dialog such as the one below ...
 image::images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
-=== Set ZAP's port (if running WebGoat locally)
+To setup a different browser continue to the next page and read how to set it up in section: 'Configure the browser'.
-
+In all other cases you can skip the next page and continue to the page titled 'Confirm it's working' to check whether it is working.
 *NOTE*: The following proxy set up is only needed if you are running WebGoat locally. If it's on a remote server, or you are running on
 WebGoat (or any application) that is not using port 8080 locally, you can leave ZAP at it's default. and use 8080, instead of
 8090 when setting up your browser to proxy (next page).
 If you are setting up ZAP while running WebGoat locally ...
 * Open ZAP
 * Go to Tools >> Options in the menu
 * Select 'Local Proxy' on the left
 * Input 8090 for the 'Port'
 *Remember*: If you are not running WebGoat locally, leave this setting alone, skip to the next page and use 8080 instead of 8090
 image::images/zap-local-proxy-8090.png[ZAP Proxy Config,750,587,style="lesson-image"]
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro4.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro4.adoc
@ -1,24 +1,32 @@
-=== Exclude WebGoat internal requests
+=== Exclude WebGoat internal requests (ZAP >= 2.8.0)
 Before we start diving into intercepting requests with ZAP we need to exclude the internal requests from the WebGoat
 framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat.
-Right click on one of the links in history tab and select: `Exclude from -> Proxy`, see image below:
+In the main ZAP window click on Filter, see image below
-image::images/zap_exclude.png[Select URL from history,style="lesson-image"]
+image::images/zap-exclude.png[Exclude internal APIs from WebGoat,style="lesson-image"]
 {nbsp}
 {nbsp}
-A new window will open and add the following entries:
+Then in the `URL Inc Regex` box type:
-```
+[source]
-./WebGoat/service/..mvc
+----
-```
+http://localhost:8080/WebGoat/.*
 ----
-Click Ok to close the window, ZAP will now no longer proxy internal WebGoat requests.
+And in the `URL Exc Regex` box type:
 [source]
 ----
 .*/WebGoat/service/.*mvc
 ----
 Click 'Apply to close the window, ZAP will now no longer show internal WebGoat requests.
 image::images/zap_exclude_url.png[Exclude internal APIs from WebGoat,style="lesson-image"]
--- a/webgoat-lessons/sql-injection/src/main/resources/js/assignment12.js
+++ b/webgoat-lessons/sql-injection/src/main/resources/js/assignment12.js
@ -40,7 +40,7 @@ var html = '<tr class="STATUS">' +
    '</tr>';
 function getServers(column) {
-    $.get("SqlInjection/servers?column=" + column, function (result, status) {
+    $.get("SqlInjectionMitigations/servers?column=" + column, function (result, status) {
        $("#servers").empty();
        for (var i = 0; i < result.length; i++) {
            var server = html.replace('ID', result[i].id);