Integrate ZAP 2.8.0 (no HUB), as the setup is different; also update the filtering, as usual the ZAP exclusion is again broken
		| @ -11,7 +11,7 @@ | ||||
| 	</div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div> | ||||
|         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1-old-way.adoc"></div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|  | ||||
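Review bot: the page now includes `HttpBasics_ProxyIntro1-old-way.adoc` where it previously included `HttpBasics_ProxyIntro2.adoc`, but nothing in this commit says what happens to `HttpBasics_ProxyIntro2.adoc` or why the replacement is labelled `-old-way`; add a line to the commit message stating whether ProxyIntro2 is retired and whether the lesson order (new ZAP 2.8.0 flow first, old flow second) is the intent, so readers of the history do not have to infer it from the file name.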
Binary file not shown. | After Width: | Height: | Size: 88 KiB |
Binary file not shown. | After Width: | Height: | Size: 302 KiB |
| @ -1,21 +1,20 @@ | ||||
| == HTTP Proxy Setup: The Browser | ||||
| == Setting up other HTTP Proxy Tools | ||||
| 
 | ||||
| *Important: Firefox no longer proxies traffic for localhost (127.0.0.1) due to security reasons*. | ||||
| The are two options to bypass this restriction: | ||||
| === Configure the proxy tool | ||||
| 
 | ||||
| Configure the proxy tool to listen on a free port on your localhost. | ||||
| 
 | ||||
| === Configure the browser | ||||
| 
 | ||||
| *It is important to note that the latest versions of Firefox and Chrome no longer proxy traffic from localhost by default.* | ||||
| The are a couple of options to bypass this restriction: | ||||
| 
 | ||||
| - Use the host name of your machine instead of `localhost`, you can find or add a host name in `/etc/hosts` on Linux and MacOSX and `C:\Windows\System32\drivers\etc` on Windows | ||||
| - Set the preference `network.proxy.allow_hijacking_localhost` (accessible through the `about:config` page) must be set to `true. | ||||
| 
 | ||||
| The first option is the preferred one, but it might be that for some reason you are unable to use this option you can fallback to the second one. | ||||
| 
 | ||||
| {nbsp} + | ||||
| - To proxy localhost (and related addresses) with newer Firefox versions (>= 67) the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true. | ||||
| - To proxy localhost (and related addresses) with newer Chrome versions (>= 72) the command line argument --proxy-bypass-list=<-loopback> must be provided. | ||||
| 
 | ||||
| 
 | ||||
| There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome. | ||||
| This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now: | ||||
| 
 | ||||
| 
 | ||||
| === Firefox Proxy Config | ||||
| ==== Firefox Proxy Config | ||||
| 
 | ||||
| . Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.` | ||||
| . Select _Advanced_ on the left | ||||
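Review bot: the new 'Configure the browser' text carries markup and wording defects on the lines it introduces: `The are a couple of options` should read `There are`; the preference bullet `Set the preference ... must be set to \`true.` has an unclosed backtick and a doubled verb (suggest `Set the preference \`network.proxy.allow_hijacking_localhost\` (accessible through the \`about:config\` page) to \`true\``); the Windows path `C:\Windows\System32\drivers\etc` omits the `hosts` file name; and the first Firefox step ends with a stray backtick after `menu.`. Also, the old bullet giving Chrome `--proxy-bypass-list=<-loopback>` disappears while the section still promises both Firefox and Chrome, leaving Chrome users without the loopback bypass, and since the text itself says browsers stopped proxying localhost for security reasons, it should tell readers to set `network.proxy.allow_hijacking_localhost` back to `false` once the lesson is done.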
| @ -28,7 +27,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust | ||||
| 
 | ||||
| image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"] | ||||
| 
 | ||||
| === Chrome Proxy Config | ||||
| ==== Chrome Proxy Config | ||||
| 
 | ||||
| . Bring up Chrome's settings form the menu | ||||
| . In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button. | ||||
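Review bot: the heading level change to `==== Chrome Proxy Config` matches the new `=== Configure the browser` parent, but the step directly beneath it still reads `Bring up Chrome's settings form the menu`; since this hunk is touched anyway, fix `form` to `from`.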
| @ -59,4 +58,4 @@ or based on URL patterns. Examples include: | ||||
| * FoxyProxy for Firefox | ||||
| * Proxy Switcher for Firefox | ||||
| * Toggle Proxy for Firefox | ||||
| * Still looking for suggestions for Chrome ... | ||||
| * Still looking for suggestions for Chrome .. | ||||
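Review bot: changing `Still looking for suggestions for Chrome ...` to `..` looks accidental rather than intended; either keep the three-dot ellipsis or drop it entirely, a two-dot ending reads as a typo.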
| @ -4,32 +4,15 @@ | ||||
| Since this is an OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise, | ||||
| this will show you how to set up ZAP to act as a proxy on your localhost. | ||||
|  | ||||
| === Setting up ZAP | ||||
| === Setting up ZAP >= 2.8.0 | ||||
|  | ||||
| Once you have 'installed' ZAP (you don't really install it, just unpack it and run it locally), we will need to: | ||||
| If you use the latest ZAP version (>= 2.8.0) you only need to start ZAP and click the browser button to be able to | ||||
| proxy, see image below: | ||||
|  | ||||
| * Start ZAP | ||||
| * Configure the local proxy port | ||||
| * Point the browser at the proxy | ||||
| image::images/zap-browser-button.png[ZAP Start,style="lesson-image"] | ||||
|  | ||||
| === Start ZAP | ||||
| When ZAP starts, you will be presented with a dialog such as the one below ... | ||||
| {nbsp}+ | ||||
|  | ||||
| image::images/zap-start.png[ZAP Start,548,256,style="lesson-image"] | ||||
|  | ||||
| === Set ZAP's port (if running WebGoat locally) | ||||
|  | ||||
| *NOTE*: The following proxy set up is only needed if you are running WebGoat locally. If it's on a remote server, or you are running on | ||||
| WebGoat (or any application) that is not using port 8080 locally, you can leave ZAP at it's default. and use 8080, instead of | ||||
| 8090 when setting up your browser to proxy (next page). | ||||
|  | ||||
| If you are setting up ZAP while running WebGoat locally ... | ||||
|  | ||||
| * Open ZAP | ||||
| * Go to Tools >> Options in the menu | ||||
| * Select 'Local Proxy' on the left | ||||
| * Input 8090 for the 'Port' | ||||
|  | ||||
| *Remember*: If you are not running WebGoat locally, leave this setting alone, skip to the next page and use 8080 instead of 8090 | ||||
|  | ||||
| image::images/zap-local-proxy-8090.png[ZAP Proxy Config,750,587,style="lesson-image"] | ||||
| To setup a different browser continue to the next page and read how to set it up in section: 'Configure the browser'. | ||||
| In all other cases you can skip the next page and continue to the page titled 'Confirm it's working' to check whether it is working. | ||||
|  | ||||
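Review bot: removing the 'Set ZAP's port' section drops the only place that told readers what to do when WebGoat and ZAP both want port 8080 on the same machine; the replacement says to start ZAP and click the browser button but never states which port ZAP listens on, so a reader running WebGoat locally on 8080 gets a port conflict with no guidance. Keep a short note that ZAP's local proxy port must differ from WebGoat's (the old 8090 advice) and say where in ZAP it is changed, and replace the vague `see image below` with a sentence naming the browser button so the text survives without the screenshot.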
| @ -1,24 +1,32 @@ | ||||
| === Exclude WebGoat internal requests | ||||
| === Exclude WebGoat internal requests (ZAP >= 2.8.0) | ||||
|  | ||||
| Before we start diving into intercepting requests with ZAP we need to exclude the internal requests from the WebGoat | ||||
| framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat. | ||||
|  | ||||
| Right click on one of the links in history tab and select: `Exclude from -> Proxy`, see image below: | ||||
| In the main ZAP window click on Filter, see image below | ||||
|  | ||||
| image::images/zap_exclude.png[Select URL from history,style="lesson-image"] | ||||
| image::images/zap-exclude.png[Exclude internal APIs from WebGoat,style="lesson-image"] | ||||
|  | ||||
| {nbsp} | ||||
| {nbsp} | ||||
|  | ||||
| A new window will open and add the following entries: | ||||
| Then in the `URL Inc Regex` box type: | ||||
|  | ||||
| ``` | ||||
| ./WebGoat/service/..mvc | ||||
| ``` | ||||
| [source] | ||||
| ---- | ||||
| http://localhost:8080/WebGoat/.* | ||||
| ---- | ||||
|  | ||||
| Click Ok to close the window, ZAP will now no longer proxy internal WebGoat requests. | ||||
| And in the `URL Exc Regex` box type: | ||||
|  | ||||
| [source] | ||||
| ---- | ||||
| .*/WebGoat/service/.*mvc | ||||
| ---- | ||||
|  | ||||
| Click 'Apply to close the window, ZAP will now no longer show internal WebGoat requests. | ||||
|  | ||||
|  | ||||
| image::images/zap_exclude_url.png[Exclude internal APIs from WebGoat,style="lesson-image"] | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
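Review bot: the include pattern `http://localhost:8080/WebGoat/.*` hard-codes scheme, host and port, but the previous page tells readers to use the machine host name instead of `localhost` because Firefox and Chrome no longer proxy localhost; with that setup the include matches nothing and the History tab shows no WebGoat traffic at all. Suggest a host-agnostic include such as `.*/WebGoat/.*`, or drop the include regex and rely on the exclude alone. Separately, the intro still says ZAP 'will also stop at' internal requests, yet a History filter only changes what the tab displays (the new closing line correctly says 'no longer show'), so breakpoints will still trip on those requests; either reword the intro or document a real proxy exclusion. Also close the quote in `Click 'Apply to close the window`, and check whether `zap_exclude_url.png` is still referenced now that the screenshot is `zap-exclude.png`.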
| @ -40,7 +40,7 @@ var html = '<tr class="STATUS">' + | ||||
|     '</tr>'; | ||||
|  | ||||
| function getServers(column) { | ||||
|     $.get("SqlInjection/servers?column=" + column, function (result, status) { | ||||
|     $.get("SqlInjectionMitigations/servers?column=" + column, function (result, status) { | ||||
|         $("#servers").empty(); | ||||
|         for (var i = 0; i < result.length; i++) { | ||||
|             var server = html.replace('ID', result[i].id); | ||||
|  | ||||
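Review bot: the endpoint rename `SqlInjection/servers` to `SqlInjectionMitigations/servers` has nothing to do with the ZAP documentation change this commit describes and belongs in its own commit. While here: `html.replace('ID', result[i].id)` builds table rows by substituting response fields into an HTML string with no escaping, so whatever the `servers` endpoint returns is inserted into the DOM as markup; set the cell contents with text-node assignment (jQuery `.text()`) or escape each field before substitution, and note that `String.prototype.replace` with a string pattern replaces only the first `ID` occurrence in the template.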