Adding request intercept assignment

2017-01-25 14:54:44 -05:00
parent ac16342c17
commit f7ec164601
6 changed files with 103 additions and 0 deletions
--- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/.DS_Store
+++ b/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/.DS_Store
--- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html
+++ b/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/html/HttpBasics.html
@ -105,4 +105,23 @@
        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
 	</div>
+
+    <div class="lesson-page-wrapper">
+        <!-- stripped down without extra comments -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
+                  method="POST"
+                  action="/WebGoat/HttpBasics/intercept-request"
+                  enctype="application/json;charset=UTF-8">
+
+                <input type="text" value="doesn't matter really" name="changeMe" />
+                <input type="submit" value="Submit" />
+
+            </form>
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+        </div>
+    </div>
 </html>
--- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/proxy-intercept-button.png
+++ b/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/proxy-intercept-button.png
--- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/proxy-intercept-details.png
+++ b/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/images/proxy-intercept-details.png
--- a/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntercept.adoc
+++ b/webgoat-lessons/http-basics/src/main/resources/plugin/HttpBasics/lessonPlans/en/HttpBasics_ProxyIntercept.adoc
@ -0,0 +1,25 @@
+=== Use the intercept
+
+To incercept a request, you start by clicking the green button. This will set a break point for the next request.
+
+image::plugin_lessons/plugin/HttpBasics/images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
+
+NOTE: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
+That's part of what hackers do ... explore!
+
+Once you are interecepting requests and  a request is made, it should look something like this:
+
+image::plugin_lessons/plugin/HttpBasics/images/proxy-intercept-details.png[ZAP history tab,1269,337,style="lesson-image"]
+
+=== Intercept and modify a request
+
+Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
+modify it as follows.
+
+* Change the Method to GET
+* Add a header 'x-request-intercepted:true'
+* Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes)
+
+Then let the request continue through (by hitting the play button).
+
+NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.