XSS Lesson Modifications (#367)

* initial cut on XSS, need to add some tests still

* initial unit tests for assignment endpoints

* updating header comment license thingy

* comment, clean up

* Stubs for security unit test

* Additional Unit Testing

* isEncoded and isNotEncoded Unit Tests added

* http-proxies updates

* update for XXE solutions

* Work-around to handle special chars in action ... currently to be able to match {userId} in hint creation/assignment for IDOR

* IDOR hints updated

* mitigation content update

* mitigation content update ... 2

* Lesson Overview updates

* including restart lesson fix for lesson overview
This commit is contained in:
misfir3
2017-07-10 08:33:10 -04:00
committed by GitHub
parent 3ec5b8708e
commit 82ef171a50
59 changed files with 1349 additions and 628 deletions


@ -17,3 +17,19 @@ When ZAP starts, you will be presented with a dialog such as the one below ...
image::images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
=== Set ZAP's port (if running WebGoat locally)
*NOTE*: The following proxy set up is only needed if you are running WebGoat locally. If it's on a remote server, or you are running on
WebGoat (or any application) that is not using port 8080 locally, you can leave ZAP at it's default. and use 8080, instead of
8090 when setting up your browser to proxy (next page).
If you are setting up ZAP while running WebGoat locally ...
* Open ZAP
* Go to Tools >> Options in the menu
* Select 'Local Proxy' on the left
* Input 8090 for the 'Port'
*Remember*: If you are not running WebGoat locally, leave this setting along, skip to the next page and use 8080 instead of 8090
image::images/zap-local-proxy-8090.png[ZAP Proxy Config,750,587,style="lesson-image"]
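Review bot: the new `*NOTE*` paragraph and the `*Remember*` line carry several typos that will ship straight into user-facing lesson text: `leave ZAP at it's default. and use 8080` should read `leave ZAP at its default, and use 8080`; `leave this setting along` should be `leave this setting alone`; and `proxy set up` used as a noun should be `proxy setup`. The clause `running on WebGoat (or any application) that is not using port 8080 locally` also reads awkwardly; something like `running WebGoat (or any other application) locally on a port other than 8080` says the same thing more clearly. Worth one more proofreading pass on this section before merge.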


@ -11,7 +11,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust
. Click _Settings_
. Select _Manual proxy configuration_
.. input *127.0.0.1* as the Proxy
.. input *8080* as the port
.. input *8090* as the port if running WebGoat locally and you updated ZAP to 8090 (otherwise, use *8080*)
.. check the _Use this proxy server for all protocols_ checkbox
image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
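Review bot: the replacement step `.. input *8090* as the port if running WebGoat locally and you updated ZAP to 8090 (otherwise, use *8080*)` states the same condition that the Mac steps later in this file phrase as `(8090 if running WebGoat locally, otherwise 8080)`; pick one wording and use it in both places so readers who skipped the optional ZAP-port section are told the default case the same way each time. Style only, no functional concern.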
@ -23,7 +23,7 @@ image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesso
. Click the _Change proxy settings_ button
. Select the _proxies_ tab
. Select Web Proxy (HTTP)
. Input 127.0.0.1 in the first box under _Web Proxy Server_ and your port # (8080 is what used earlier) in the second box (to the right)
. Input 127.0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 if running WebGoat locally, otherwise 8080) in the second box (to the right)
. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
@ -37,6 +37,8 @@ image::images/chrome-manual-proxy-win.png[Chrome Proxy, 394,346,style="lesson-im
(Win config image above)
*Remember*: If running WebGoat locally, you can use ZAP's default port of 8080 instead of 8090 (or whatever number you prefer to use)
=== Other Proxy Configuration Options
If you don't want to manage the proxy manually, there are extensions or plugins that can help you to do so without digging through as much config,
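Review bot: the added `*Remember*` line inverts the condition established on the ZAP page, which tells users to set ZAP to 8090 when running WebGoat locally and to keep ZAP's default 8080 otherwise; here it says `If running WebGoat locally, you can use ZAP's default port of 8080 instead of 8090`. It should read `If you are *not* running WebGoat locally, you can use ZAP's default port of 8080 instead of 8090`, matching the Firefox and Mac steps above. The adjacent `(Win config image above)` line also looks like a leftover placeholder; in AsciiDoc it will render as a paragraph, so either make it a comment (`// Win config image above`) or drop it.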