WEB-48 Updated useful tools

2014-09-11 18:49:53 -04:00
parent 7e50264d4e
commit c9e6d1f7a7
4 changed files with 18 additions and 30 deletions
--- a/src/main/webapp/images/introduction/HowToUse_1.jpg
+++ b/src/main/webapp/images/introduction/HowToUse_1.jpg
--- a/src/main/webapp/images/introduction/UsefulTools-ZAP.png
+++ b/src/main/webapp/images/introduction/UsefulTools-ZAP.png
--- a/src/main/webapp/images/introduction/UsefulTools-ZAP_1.png
+++ b/src/main/webapp/images/introduction/UsefulTools-ZAP_1.png
--- a/src/main/webapp/lesson_plans/English/UsefulTools.html
+++ b/src/main/webapp/lesson_plans/English/UsefulTools.html
@ -2,38 +2,25 @@
 <!-- Start Instructions -->
 <h1>Useful Tools</h1>
 <p>
-Below is a list of tools we've found useful in solving the WebGoat lessons. You will need WebScarab or Paros to solve most of the lessons. </p>
-<h2>WebScarab:</h2>
+Below is a list of tools we've found useful in solving the WebGoat lessons. You will need a proxy like OWASP ZAP or Paros to solve most of the lessons. </p>
+<h2>OWASP ZAP:</h2>
 <p>
-Like WebGoat, WebScarab is a part of OWASP. 
-WebScarab is a proxy for analyzing applications that 
-communicate using the HTTP and HTTPS protocols. Because WebScarab 
-operates as an intercepting proxy, we can review and modify requests 
-and responses.<br><br>
-<img src="images/introduction/webscarab.jpg"><br><br>
-Webpage:<a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project</a>
-<br>The .jar install file can be found at the <a href="http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823">OWASP Sourceforge Page</a></p>
-<p>After installing WebScarab and configuring your browser to use it as proxy on localhost we can start. If you are using localhost for your Tomcat server, remember to <a href="https://www.owasp.org/index.php/WebScarab_Getting_Started">put a "." after the hostname when browsing to WebGoat</a>.<br><br>
-<img src="images/introduction/HowToUse_1.jpg"><br><br>
-We have to select "Intercept Request" in the tab "Intercept". If we send a HTTP request we get a new WebScarab window.<br><br>
-<img src="images/introduction/HowToUse_2.jpg"><br><br>
-Here we can read and edit the intercepted parameter. After "Accept changes" the request will be sent to the server.<br><br>
-WebScarab is also used to intercept the request and change cookies values just like parameter data:<br><br>
-<img src="images/introduction/HowToUse_3.jpg"><br><br>
-We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit their values.
+Like WebGoat, Zed Attack Proxy (ZAP) is a part of OWASP and is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
+It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
+ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually..<br><br>
+<img src="images/introduction/UsefulTools-ZAP.png"><br><br>
+Webpage: <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project</a>
+<br>The .jar install file can be found at the <a href="http://code.google.com/p/zaproxy/wiki/Downloads?tm=2">OWASP ZAP Google Code Project</a></p>
+<p>After installing ZAP and configuring your browser to use it as a proxy on localhost we can start. To intercept a request,  
+click the green arrow icon turning it red. If we browse a WebGoat page, ZAP will intercept the HTTP request.
+Here we can read and edit the intercepted parameters and headers. After editing is complete press the play icon to submit the request to the server.<br>
+<img src="images/introduction/UsefulTools-ZAP_1.png"><br><br>
 </p>
-<h2>Firebug:</h2>
+<h2>Modern Browsers:</h2>
 <p>
-Firebug is an add-on for the Firefox browser. We can use it to inspect, edit and monitor CSS, HTML and JavaScript.<br><br>
-<img src="images/introduction/firebug.jpg"><br><br>
-Webpage:<a href="http://www.getfirebug.com" target="_blank">http://www.getfirebug.com</a>
+Most modern browser have developer tools that will allow you to inspect and modify request data.
 <br><br>
-<h2>IEWatch:</h2>
-<p>
-IEWatch is a tool to analyze HTTP and HTML for users of the Internet Explorer.<br><br>
-<img src="images/introduction/iewatch.jpg"><br><br>
-Webpage:<a href="http://www.iewatch.com" target="_blank">http://www.iewatch.com</a>
-</p>
+
 <h2>Wireshark</h2>
 <p>
 Wireshark is a network protocol analyzer. You can sniff network traffic and gather useful
@ -43,11 +30,12 @@ Webpage:<a href="http://www.wireshark.org" target="_blank">http://www.wireshark.

 </p>

-<h2>Scanner:</h2>
+<h2>Scanners (Attacking Proxies):</h2>
 <p>
-There are many vulnerability scanners for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Below are links to two open source scanner. <br><br>
+There are many vulnerability scanners for your own web applications. They can find XSS, Injection Flaws and other vulnerabilities. Below are links to three open source scanners. <br><br>
 Nessus:<a href="http://www.nessus.org" target="_blank">http://www.nessus.org</a><br>
 Paros:<a href="http://www.parosproxy.org" target="_blank">http://www.parosproxy.org</a><br>
+OWASP ZAP:<a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project" target="_blank">https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project</a><br>
 </p>
 <!-- Stop Instructions -->
 <br>