Introduction

In this section, I will use Firefox as the browser and OWASP ZAP (Zed Attack Proxy) as the intercepting proxy to play with the insecure web application WebGoat. A web application uses HTTP, the HyperText Transfer Protocol, to communicate with a web server. Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text; HTTP is the request-response protocol a client (here the browser) uses to fetch those nodes from a server. In the context of WebGoat, the command
java -jar WebGoat-6.0.1-war.exec.jar
starts a web server that listens on localhost (127.0.0.1), port 8080, for requests for web pages.

Configuration for Firefox and OWASP ZAP

  1. Open the Preferences panel in Firefox.

    (screenshot: Firefox preferences panel)

  2. Choose the Advanced tab on the left and then the Network tab at the top; the Connection "Settings..." button there opens the proxy configuration.

    (screenshot: Firefox Advanced preferences)

  3. Open OWASP ZAP and choose Tools -> Options to configure the address and port on which ZAP listens as a proxy.

  4. Choose the Local Proxy option and set the address and port to values that do not conflict with another service on the machine. ZAP's default is port 8080, which is exactly the port WebGoat is already using, so pick a different port (for example 8090).

  5. Back in Firefox's connection settings, choose "Manual proxy configuration" and set the HTTP proxy to the address and port ZAP listens on. Also clear "localhost, 127.0.0.1" from the "No Proxy for" list: WebGoat itself runs on localhost, and with that entry in place Firefox would send WebGoat traffic directly, bypassing ZAP, so nothing would ever be intercepted.

    (screenshot: Firefox proxy settings)

Basic HTTP interception in OWASP ZAP

  1. To intercept requests, click the green circle button, which sets a break on all requests. It turns red while the break is armed; click it again to disarm.

    (screenshot: green button)

    (screenshot: red button)

  2. Go back to the browser, enter "go" in the input box and press Go!. The page now hangs and nothing appears to happen, because ZAP is holding the request instead of forwarding it to WebGoat.

    (screenshot: WebGoat go)

  3. In OWASP ZAP, a break tab shows the intercepted request. It is a GET request, and the value typed into the box is carried as the SUBMIT parameter in the query string at the end of the URL, where it can be read or edited before it is released.

    (screenshot: OWASP break point)

  4. There are two ways to release it. The button to the right of the red button submits the request and steps to the next request or response, so you also get to see the response to this request. The other button submits the request and continues to the next break point. A break point fires whenever a user action, such as clicking a button or entering text, triggers a request; since loading one page involves many requests (the HTML itself plus JavaScript, CSS and other included files), stepping shows each of them in turn. Here we are only concerned with the request generated by the input box.

    (screenshot: request submission)

  5. Back in the browser, the success message is shown.

    (screenshot: success message on the browser)
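To make concrete what ZAP is doing in the proxy configuration and interception steps above, here is a toy intercepting HTTP proxy in Python. It is an added example, not code from the original page, from OWASP ZAP or from WebGoat. It assumes a listen address of 127.0.0.1:8090 (chosen so it does not clash with WebGoat on 8080; Firefox would be pointed at it with "No Proxy for" cleared), and its break hook stands in for ZAP's break panel: every request is parsed and shown, and for demonstration the SUBMIT parameter is rewritten before the request is forwarded. The WebGoat-style URL used in the comments is constructed, not taken from the page.

```python
"""Minimal intercepting HTTP proxy: a toy model of ZAP's break-point feature.

Added example, not part of the original page or of OWASP ZAP/WebGoat.
Assumptions (not from the page): the proxy listens on 127.0.0.1:8090 so it
does not clash with WebGoat on 8080; the break hook prints each request and,
purely to demonstrate tampering, rewrites the SUBMIT query parameter.
"""
import http.client
import sys
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LISTEN_HOST, LISTEN_PORT = "127.0.0.1", 8090  # assumed; avoids WebGoat's 8080


def parse_request_line(line: str) -> dict:
    """Split 'GET http://host:port/path?a=b HTTP/1.1' into its parts.

    A browser talking to an HTTP proxy puts the *absolute* URL in the request
    line; that is how the proxy learns the real destination host and port.
    Example (constructed): GET http://localhost:8080/WebGoat/attack?SUBMIT=go HTTP/1.1
    """
    method, url, version = line.strip().split(" ", 2)
    parts = urlsplit(url)
    return {
        "method": method.upper(),
        "url": url,
        "version": version,
        "host": parts.hostname,
        "port": parts.port or 80,
        "path": parts.path or "/",
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }


def set_query_param(url: str, name: str, value: str) -> str:
    """Return url with query parameter `name` set to `value`, other params kept."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    q[name] = value
    return urlunsplit(parts._replace(query=urlencode(q)))


def break_hook(method: str, url: str, headers: dict) -> str:
    """Called for every request before it is forwarded, like a ZAP break.

    Returning a different URL is the equivalent of editing the request in
    ZAP's break panel and then pressing Step or Continue.
    """
    req = parse_request_line(f"{method} {url} HTTP/1.1")
    print(f"[break] {req['method']} {req['path']} query={req['query']}", file=sys.stderr)
    if "SUBMIT" in req["query"]:  # tamper with the WebGoat input-box parameter
        return set_query_param(url, "SUBMIT", "tampered")
    return url


class InterceptingProxy(BaseHTTPRequestHandler):
    """Forwards GET requests to their real destination after the break hook."""

    def do_GET(self):
        url = break_hook("GET", self.path, dict(self.headers))
        req = parse_request_line(f"GET {url} HTTP/1.1")
        target = req["path"] + ("?" + urlencode(req["query"]) if req["query"] else "")
        # Drop hop-by-hop headers meant for the proxy, pass the rest through.
        fwd_headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in ("proxy-connection", "connection")}
        conn = http.client.HTTPConnection(req["host"], req["port"], timeout=10)
        conn.request("GET", target, headers=fwd_headers)
        resp = conn.getresponse()
        body = resp.read()
        # Relay the upstream response; we re-frame it with a plain Content-Length.
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        conn.close()


if __name__ == "__main__":
    print(f"proxy listening on {LISTEN_HOST}:{LISTEN_PORT}", file=sys.stderr)
    ThreadingHTTPServer((LISTEN_HOST, LISTEN_PORT), InterceptingProxy).serve_forever()
```

Run it, point Firefox's manual HTTP proxy at 127.0.0.1:8090 with the "No Proxy for" list cleared, and request a WebGoat page: each request is printed on stderr before it is forwarded, and any request carrying a SUBMIT parameter reaches WebGoat with that parameter changed. If "localhost" is left in Firefox's bypass list, nothing is ever printed, which is the failure mode the configuration step warns about. ZAP does the same job with a GUI, a pause instead of a fixed rewrite, HTTPS support and response interception.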

Conclusion

With the help of OWASP ZAP, we can now start to explore the insecure web application WebGoat.
