Zap 8 update for proxy lesson (#718)

* additional steps in proxy setup added

* lessons checked

* added page on https proxy and burp proxy

webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html

@@ -3,27 +3,31 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
+        <div class="adoc-content" th:replace="doc:0overview.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
+		<div class="adoc-content" th:replace="doc:1proxysetupsteps.adoc"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1-old-way.adoc"></div>
+        <div class="adoc-content" th:replace="doc:2zapsetup.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
+		<div class="adoc-content" th:replace="doc:3browsersetup.adoc"></div>
+	</div>
+
+	<div class="lesson-page-wrapper">
+		<div class="adoc-content" th:replace="doc:4checksetup.adoc"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro4.adoc"></div>
+        <div class="adoc-content" th:replace="doc:5configurefilterandbreakpoints.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro5.adoc"></div>
+        <div class="adoc-content" th:replace="doc:6assignment.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
@@ -41,6 +45,12 @@
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro6.adoc"></div>
+        <div class="adoc-content" th:replace="doc:7resend.adoc"></div>
+    </div>
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:8httpsproxy.adoc"></div>
+    </div>
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:9burp.adoc"></div>
     </div>
 </html>

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/0overview.adoc

@@ -0,0 +1,22 @@
+
+== What's an HTTP Proxy 
+
+A proxy is some forwarder application that connects your http client to backend resources. HTTP clients can be browsers, or applications like curl, SOAP UI, Postman, etc. Usually these proxies are used for routing and getting access to internet when there is no direct connection to internet from the client itself. 
+HTTP proxies are therefore also ideal when you are testing your application. You can always use the proxy log records to see what was actually sent from client to server. So you can check the request and response headers and the XML, JSON or other payload.
+
+HTTP Proxies receive requests from a client and relay them. They also typically record them. They act as a man-in-the-middle. It even works fine with or without HTTPS as long as your client or browser trusts the certificate of the HTTP Proxy.
+
+=== ZAP Proxy Capabilities
+
+With ZAP you can record traffic, inspect traffic, modify requests and response from and to your browser, and get reports on a range of known vulnerabilities that are detected by ZAP through the inspection of the traffic. The passive and active reporting on security issues is usually used in Continuous Delivery pipelines that use a GUI-less ZAP. Here we will use ZAP interactively and mainly to see and modify requests in order to find vulnerabilities and solve assignments.
+ZAP has a graphical user interface, but now also has a HUD Heads-On-Display which uses a websocket connection between the browser and the ZAP proxy.
+
+=== Next pages
+
+You can go through all lesson pages or click on these links to skip some pages.
+
+* link:start.mvc#lesson/HttpProxies.lesson/1[Configuring] OWASP ZAP and browser
+* link:start.mvc#lesson/HttpProxies.lesson/5[Filtering] requests with ZAP
+* link:start.mvc#lesson/HttpProxies.lesson/6[A proxy assignment] with ZAP
+* link:start.mvc#lesson/HttpProxies.lesson/7[Replaying requests] with ZAP
+* link:start.mvc#lesson/HttpProxies.lesson/9[Replaying requests] with Burp

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc

@@ -0,0 +1,38 @@
+
+== HTTP Proxy Setup
+
+Since this is an OWASP project, we'll be using OWASP ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise, this will show you how to set up ZAP to act as a proxy on your localhost.
+
+=== link:start.mvc#lesson/HttpProxies.lesson/2[Setting up ZAP 2.8.0]
+
+* First download and install ZAP 2.8.0 for your operating system
+* Start ZAP 
+* Configure the proxy to use a free port, e.g. 8090
+* Export the ZAP root certificate
+
+=== link:start.mvc#lesson/HttpProxies.lesson/3[Configuring your browser to use the ZAP proxy]
+
+The example is for Firefox. It should work similarly for other browsers. 
+
+* Make sure you can change the certificate store and network proxy settings, use a portable browser version if necessary
+* Import the ZAP root certificate in your trusted certificates
+* Change the network proxy settings
+
+=== Additional config when running locally
+If you run the WebGoat application on localhost, Firefox and ZAP behave differently than when it's on a remote IP address.
+
+* Adjust your hostfile and use a fake hostname, otherwise Firefox will not forward to the proxy
+* For ZAP do not use the exclude from proxy option as it will drop the requests entirely
+
+
+
+If you use the latest ZAP version (>= 2.8.0) you only need to start ZAP and click the browser button to be able to
+proxy, see image below:
+
+image::images/zap-browser-button.png[ZAP Start,style="lesson-image"]
+
+{nbsp}+
+
+
+To setup a different browser continue to the next page and read how to set it up in section: 'Configure the browser'.
+In all other cases you can skip the next page and continue to the page titled 'Confirm it's working' to check whether it is working.

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/2zapsetup.adoc

@@ -0,0 +1,29 @@
+
+== Setting up ZAP 2.8.0
+
+. First download and install ZAP 2.8.0 for your operating system
+. Start ZAP 
+. Configure the proxy to use a free port, e.g. 8090
+. Export the ZAP root certificate
+
+=== Start ZAP
+
+image::images/zap-start.png[ZAP start,style="lesson-image"]
+
+=== Configure Proxy's Port
+
+* Select Tools > Options from the menu
+* Select Local Proxy on the left
+* Choose an available port ... Since WebGoat is (or will be) using port 8080, use something different like 8090
+* Click OK
+
+image::images/zap-local-proxy-8090.png[ZAP local proxy,style="lesson-image"]
+
+In the options menu, you can also change the language. By default it is set with the language setting of your operating system. The examples are shown in English.
+
+=== Export the certificate
+
+Depending on the local installation of tools, ZAP can start a browser directly with some adjusted options like network settings and certificate adjustments. However, this step should be done if you want to start your browser independently of ZAP. To be able to use the browser, the browser needs the certificate, which can be exported here:
+
+image::images/rootca.png[ZAP root CA,style="lesson-image"]
+image::images/savecerts.png[ZAP save CA,style="lesson-image"]

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc

@@ -1,20 +1,25 @@
-== Setting up other HTTP Proxy Tools
+== Setting up browser
 
-=== Configure the proxy tool
+. Make sure you can change the certificate store and network proxy settings, use a portable browser version if necessary
-
+. Import the ZAP root certificate in your trusted certificates
-Configure the proxy tool to listen on a free port on your localhost.
+. Change the network proxy settings
-
+. Use www.webgoat.local in stead of 127.0.0.1
-=== Configure the browser
+.. adjust your host file and use www.webgoat.local
-
-*It is important to note that the latest versions of Firefox and Chrome no longer proxy traffic from localhost by default.*
-The are a couple of options to bypass this restriction:
-
-- Use the host name of your machine instead of `localhost`, you can find or add a host name in `/etc/hosts` on Linux and MacOSX and `C:\Windows\System32\drivers\etc` on Windows
-- To proxy localhost (and related addresses) with newer Firefox versions (>= 67) the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.
-- To proxy localhost (and related addresses) with newer Chrome versions (>= 72) the command line argument --proxy-bypass-list=<-loopback> must be provided.
 
 
-==== Firefox Proxy Config
+
+=== Import the OWASP ZAP root certificate
+
+. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
+. Search for _certificates_
+. Click _View certificates_
+. Import the ZAP root certificate that was saved (see previous page)
+
+image::images/firefoxsettingscerts.png[Firefox Certificates,width="75%",style="lesson-image"]
+
+image::images/importcerts.png[Firefox Cetificate import,width="75%",style="lesson-image"]
+
+=== Firefox Proxy Config
 
 . Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
 . Select _Advanced_ on the left
@@ -27,7 +32,20 @@ The are a couple of options to bypass this restriction:
 
 image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
 
-==== Chrome Proxy Config
+=== Use www.webgoat.local
+
+*It is important to note that the latest versions of Firefox and Chrome no longer proxy traffic from localhost by default.*
+The are a couple of options to bypass this restriction:
+
+- Use the host name of your machine instead of `localhost`, you can find or add a host name in `/etc/hosts` on Linux and MacOSX and `C:\Windows\System32\drivers\etc` on Windows
+
+image::images/newlocalhost.png[Hosts file,style="lesson-image"]
+
+- To proxy localhost (and related addresses) with newer Firefox versions (>= 67) the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.
+- To proxy localhost (and related addresses) with newer Chrome versions (>= 72) the command line argument --proxy-bypass-list=<-loopback> must be provided.
+
+
+=== Chrome Proxy Config
 
 . Bring up Chrome's settings form the menu
 . In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
@@ -42,20 +60,8 @@ image::images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-
 
 (Mac config image above)
 
-
-
 image::images/chrome-manual-proxy-win.png[Chrome Proxy, 394,346,style="lesson-image"]
 
 (Win config image above)
 
-*Remember*: If running WebGoat locally, you can use ZAP's default port of 8080 instead of 8090 (or whatever number you prefer to use)
 
-=== Other Proxy Configuration Options
-
-If you don't want to manage the proxy manually, there are extensions or plugins that can help you to do so without digging through as much config,
-or based on URL patterns. Examples include:
-
-* FoxyProxy for Firefox
-* Proxy Switcher for Firefox
-* Toggle Proxy for Firefox
-* Still looking for suggestions for Chrome ..

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/4checksetup.adoc

@@ -0,0 +1,19 @@
+=== Confirm Proxy, Host and Browser are ok
+
+Now use the browser that has the ZAP certificate and proxy settings with the special local host address and confirm that your requests show up in the proxy.
+
+Browse to: http://www.webgoat.local:8080/WebGoat (or https://www.webgoat.local:8443/WebGoat or similar)
+
+You should see WebGoat and the OWASP ZAP Heads On Display (if you use OWASP ZAP as the proxy):
+
+image::images/loginscreen.png[Browser with HUD,style="lesson-image"]
+
+You might notice that this is the dutch login screen. This is determined from the language settings from your browser. For some of the pages there will be some local translations. You can contribute to WebGoat and add more for your preferred language.
+You can disable the Heads On Display by clicking on the highlighted button. 
+You can learn about the OWASP ZAP HUD on their website. For now it is recommended to disable it as it kind of blocks the menu items.
+
+You should see the following in OWASP ZAP on the history panel:
+
+image::images/zap-history.png[ZAP History,style="lesson-image"]
+
+On the next page we will show how you can filter these requests to see only relevant requests and how to configure the interceptor. 

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/5configurefilterandbreakpoints.adoc

@@ -1,7 +1,4 @@
-=== Exclude WebGoat internal requests (ZAP >= 2.8.0)
+=== Filter requests in history panel
-
-Before we start diving into intercepting requests with ZAP we need to exclude the internal requests from the WebGoat
-framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat.
 
 In the main ZAP window click on Filter, see image below
 
@@ -14,14 +11,14 @@ Then in the `URL Inc Regex` box type:
 
 [source]
 ----
-http://localhost:8080/WebGoat/.*
+.*WebGoat.*
 ----
 
 And in the `URL Exc Regex` box type:
 
 [source]
 ----
-.*/WebGoat/service/.*mvc
+.*lesson.*.mvc
 ----
 
 Click 'Apply to close the window, ZAP will now no longer show internal WebGoat requests.
@@ -30,3 +27,4 @@ Click 'Apply to close the window, ZAP will now no longer show internal WebGoat r
 
 
 
+

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/6assignment.adoc

@@ -0,0 +1,33 @@
+
+=== Configure a breakpoint filter
+Before we start diving into intercepting requests with ZAP we need to exclude the internal requests from the WebGoat
+framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat.
+Basically a breakpoint is configured that will intercept requests when the request header contains a POST. Which are the most interesting ones. You can add other rules as long as the polling .mvc messages will be excluded. As this would be annoying.
+
+*This differs from the previous ZAP versions where you choose "exclude from proxy" and used the green/red intercept button*
+The exclude from proxy blocks the entire request when the IP address is the same as localhost. Using the breakpoint filter solves this issue. 
+
+Set the breakpoint as follows:
+
+image::images/breakpoint.png[Set breakpoint,style="lesson-image"]
+
+You can see your active breakpoints here. And if you click on the checkbox you can also temporarily deactivate them and enable them again when you are just about to intercept the request. *DO NOT use the green/red button anymore*
+
+image::images/breakpoint2.png[Active breakpoints,style="lesson-image"]
+
+Once you are intercepting requests and a request is made, it should look something like this:
+
+image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"]
+
+=== Intercept and modify a request
+
+Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
+modify it as follows.
+
+* Change the Method to GET
+* Add a header 'x-request-intercepted:true'
+* Remove the request body and instead send 'changeMe' as query string parameter and set the value to 'Requests are tampered easily' (without the single quotes)
+
+Then let the request continue through (by hitting the play button).
+
+NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/8httpsproxy.adoc

@@ -0,0 +1,6 @@
+== Proxy from ZAP to https
+
+The OWASP ZAP proxy can also be configured to proxy *https* requests. It will terminate the https connection in OWASP Zap and then proxy it to the target using its own keystore. You can even proxy to sites with mutual TLS. In that case you configure OWASP ZAP with the keystore and key to use for the connection.
+
+Go to Tools/Options/Client Certificate if you want to proxy to a mutual TLS https site.
+Go to Tools/Options/Connection if you want to set timeouts and want to force the use of TLSv1.2 e.g. 

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/9burp.adoc

@@ -0,0 +1,35 @@
+== Burp
+
+Another proxy that is used a lot is Burp. One of the exercises in WebGoat can only be resolved with Burp and not yet with OWAP ZAP.
+Burp community edition can be downloaded as a plain jar file https://portswigger.net/burp/communitydownload[Burp download,window=_blank]
+
+	 java -jar burpsuite_community_v2.1.04.jar
+	 
+Ignore the warning on using JDK11.
+Choose `temporary project`, followed by `use burp defaults`.
+
+Go to the proxy options and change it to use port 8090
+
+image::images/burpproxy.png[Burp proxy options,style="lesson-image"]
+
+On this page you can also export the Burp certificate and import it into your browser. Similar as in the instructions in previous pages.
+
+Go to the proxy intercept page and click on the toggle so that intercept is switched off. (By default nd in the picture below it is switched on)
+
+image::images/burpintercept.png[Burp intercept,style="lesson-image"]
+
+The start a browser connected to the proxy and start using WebGoat.
+Now adjust the intercept request setting by extending the rule on what not to intercept:
+
+image::images/burpfilterclient.png[Burp client request filter,style="lesson-image"]
+
+Use e.g.: (\^mvc$|^txt$|\^woff$|^lesson$|\^gif$|^jpg$|\^png$|^css$|\^js$|^ico$)
+Then enable the intercept by click on the earlier mentioned toggle.
+
+An intercept will look like:
+
+image::images/burpintercepted.png[Burp client request filter,style="lesson-image"]
+
+Finally you can look at the history and add filters for the history and replay requests, from this screen:
+
+image::images/burpfilter.png[Burp history,style="lesson-image"]

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro0.adoc

@@ -1,20 +0,0 @@
-
-== HTTP Proxy Overview
-
-Many times proxies are used as a way of accessing otherwise blocked content.  A user might connect to server A, which relays content from server B
- ... Because Server B is blocked within the user's network. That's not the use case we will be dealing with here, but the concept is the same.
-HTTP Proxies receive requests from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
-use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
-relationship to proxies.
-
-=== Proxy Capabilities
-
-Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses.  You can also use the proxy to
-modify (tamper) the requests and responses.  Proxies also have automated or semi-automated functions that allow  you to gain efficiency in testing and
-analyzing the security of a website.
-
-=== Other Uses for Proxies
-
-ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment.  This lesson does
-not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
-CI/CD with Jenkins, maven or other build processes.

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1-temp-appseceu.adoc

@@ -1,8 +0,0 @@
-=== Configure Proxy's Port
-
-. Select Tools > Options from the menu
-. Select Local Proxy on the left
-. Choose an available port ... Since WebGoat is using port 8080, use something different like 8090
-. Click OK
-
-image::images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1.adoc

@@ -1,18 +0,0 @@
-
-== HTTP Proxy Setup
-
-Since this is an OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
-this will show you how to set up ZAP to act as a proxy on your localhost.
-
-=== Setting up ZAP >= 2.8.0
-
-If you use the latest ZAP version (>= 2.8.0) you only need to start ZAP and click the browser button to be able to
-proxy, see image below:
-
-image::images/zap-browser-button.png[ZAP Start,style="lesson-image"]
-
-{nbsp}+
-
-
-To setup a different browser continue to the next page and read how to set it up in section: 'Configure the browser'.
-In all other cases you can skip the next page and continue to the page titled 'Confirm it's working' to check whether it is working.

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro3.adoc

@@ -1,6 +0,0 @@
-=== Confirm it's working
-
-You should now be able to browse somewhere. We suggest starting with a plain http host.
-If it's working, ZAP's history tab will start to look something like this.
-
-image::images/zap-history.png[ZAP history tab,style="lesson-image"]

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro5.adoc

@@ -1,26 +0,0 @@
-=== Use the intercept
-
-To intercept a request, you start by clicking the green button. This will set a break point for the next request.
-
-image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
-
-
-*NOTE*: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
-That's part of what hackers do ... explore!
-
-Once you are intercepting requests and a request is made, it should look something like this:
-
-image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"]
-
-=== Intercept and modify a request
-
-Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
-modify it as follows.
-
-* Change the Method to GET
-* Add a header 'x-request-intercepted:true'
-* Remove the request body and instead send 'changeMe' as query string parameter and set the value to 'Requests are tampered easily' (without the single quotes)
-
-Then let the request continue through (by hitting the play button).
-
-NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.