35 lines
1.7 KiB
Plaintext
35 lines
1.7 KiB
Plaintext
==== Configure a breakpoint filter
|
|
|
|
Before we start diving into intercepting requests with ZAP, we need to exclude the internal requests from the WebGoat
|
|
framework. Otherwise, ZAP will also stop at all the requests which are only necessary for the inner working of WebGoat.
|
|
Basically, a breakpoint is configured that will intercept requests when the request header contains a POST. You can add other rules as long as the polling `.mvc` messages will be excluded. As this would be annoying.
|
|
|
|
Set the breakpoint as follows:
|
|
|
|
image::images/breakpoint.png[Set breakpoint,style="lesson-image"]
|
|
|
|
{nbsp} +
|
|
|
|
You can see your active breakpoints here. And if you click on the checkbox, you can temporarily deactivate them and enable them again when you are just about to intercept the request. *DO NOT use the green/red button anymore*
|
|
|
|
image::images/breakpoint2.png[Active breakpoints,style="lesson-image"]
|
|
|
|
{nbsp} +
|
|
|
|
Once you are intercepting requests and a request is made, it should look something like this:
|
|
|
|
image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"]
|
|
|
|
==== Intercept and modify a request
|
|
|
|
Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When your request is intercepted (hits the breakpoint),
|
|
modify it as follows.
|
|
|
|
* Change the Method to GET
|
|
* Add a header 'x-request-intercepted:true'
|
|
* Remove the request body and instead send 'changeMe' as a query string parameter and set the value to 'Requests are tampered easily' (without the single quotes)
|
|
|
|
Then let the request continue through (by hitting the play button).
|
|
|
|
NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.
|