2. HTTP Proxies & OWASP ZAP

HTTP Proxies

HTTP clients can be browsers, or applications like curl, SoapUI, Postman, etc.
Proxies are used for routing, and for giving clients access to the internet when they have no direct connection to it themselves.
An HTTP proxy receives requests from a client and relays them to the server. It also typically records them, so it acts as a man-in-the-middle. This works with HTTPS too, as long as the client or browser trusts the certificate of the HTTP proxy.

ZAP Proxy Capabilities

ZAP can record and inspect traffic, modify requests and responses, and report on a range of known vulnerabilities found by inspecting that traffic.
In ZAP we can click the browser icon to open a pre-configured browser, so we don't have to configure the proxy in our browser ourselves.
In the left pane ZAP shows the site tree and in the right pane the requests and responses.
Click the green icon (to the right of the Firefox icon) to disable the ZAP HUD before configuring the proxy.


Filter History for WebGoat

We can also apply a filter in ZAP to narrow down the traffic. Click the funnel icon below the History tab.
Then in the URL Inc Regex box type:

.*WebGoat.*

And in the URL Exc Regex box type:

.*lesson.*.mvc

The .* wildcards match any sequence of characters: the first pattern keeps only WebGoat URLs in the History, and the second drops WebGoat's internal .mvc requests from it.

Configure a breakpoint filter

Before we start intercepting requests with ZAP we need to exclude the internal requests of the WebGoat framework, otherwise ZAP will also stop at all the requests that are only needed for WebGoat's internal working.
Click the red 'X' icon in the icon bar. In the Location box select Request Header and in the string box type 'POST'. The two play buttons before it can be used to send the held request forward, and the red stop button will cancel it (they appear only when a request is being held).


It will intercept a request whenever its request header contains POST.
Temporarily deactivate the breakpoint and enable it again only when you are just about to intercept the request.
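To make the three ideas above concrete (a recording proxy in the middle, the History include/exclude filter, and a "Request Header contains POST" breakpoint), here is a toy forward proxy in Python. It is an added example, not ZAP code and not using any ZAP API; the regex patterns are the ones from the filter dialog written out with .* wildcards, the assumption that ZAP applies them as "URL matches include and not exclude" is mine, and the sample URLs are constructed.

```python
"""Toy recording HTTP proxy: receives a client request, records it, applies a
History filter and a breakpoint condition like the ZAP dialogs, then relays
it. Added example; not ZAP code and no ZAP API is used."""
import re
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Patterns as typed into ZAP's History filter, written with .* wildcards
# (assumption: ZAP keeps a URL that matches inc and does not match exc).
URL_INC_REGEX = r".*WebGoat.*"
URL_EXC_REGEX = r".*lesson.*.mvc"
# Breakpoint: Location = Request Header, string = POST
BREAK_HEADER_STRING = "POST"

HISTORY = []  # recorded (method, url, headers, body) tuples


def in_history(url, inc=URL_INC_REGEX, exc=URL_EXC_REGEX):
    """Keep a URL in History if it matches inc and does not match exc."""
    return re.search(inc, url) is not None and re.search(exc, url) is None


def breakpoint_hit(request_line, headers, needle=BREAK_HEADER_STRING):
    """'Request Header contains <string>': search the request line plus the
    header block as one text, which is why 'POST' stops every POST request."""
    text = request_line + "\r\n" + "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return needle in text


# Constructed sample of what a WebGoat session sends through the proxy.
SAMPLE_URLS = [
    "http://localhost:8080/WebGoat/attack?Screen=1&menu=100",
    "http://localhost:8080/WebGoat/service/lessonmenu.mvc",
    "http://localhost:8080/WebGoat/lessonoverview.mvc",
    "http://example.com/unrelated",
]


def filtered_history(urls=SAMPLE_URLS):
    """Apply the include/exclude filter to a list of URLs."""
    return [u for u in urls if in_history(u)]


class RecordingProxy(BaseHTTPRequestHandler):
    """Plain HTTP forward proxy: a client configured to use it sends
    absolute-form request lines (GET http://host/path HTTP/1.1)."""

    def _handle(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        headers = dict(self.headers.items())
        if in_history(self.path):
            HISTORY.append((self.command, self.path, headers, body))
        if breakpoint_hit(self.requestline, headers):
            # ZAP would hold the request here for editing; we only log it.
            self.log_message("BREAKPOINT %s %s", self.command, self.path)
        self._relay(headers, body)

    def _relay(self, headers, body):
        parts = urlsplit(self.path)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
        conn.request(self.command, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()  # already de-chunked, so re-frame with Content-Length
        self.send_response(resp.status, resp.reason)
        for name, value in resp.getheaders():
            if name.lower() not in ("transfer-encoding", "content-length", "connection"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
        conn.close()

    do_GET = do_POST = do_PUT = do_DELETE = _handle


def serve(port=8081):
    """Run the proxy; point a client's HTTP proxy setting at 127.0.0.1:<port>."""
    HTTPServer(("127.0.0.1", port), RecordingProxy).serve_forever()


if __name__ == "__main__":
    serve()
```

Running the module and pointing a browser's HTTP proxy setting at 127.0.0.1:8081 shows the three behaviours in the server log: every request is relayed, only WebGoat URLs that are not internal .mvc calls land in HISTORY, and each POST is flagged as a breakpoint hit. Note that because the breakpoint string is searched in the whole header block, a header value containing "POST" (for example a Referer) would trigger it as well, which is exactly why the WebGoat internal requests have to be filtered first.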

Intercept and modify a request

You can edit the held request in the Request tab on the right, and in the Breakpoint filter tab, before sending it forward.

Use the "Edit and resend" functionality in ZAP

Use this to resend the same request again from within ZAP.
In the "History" window select the URL you want to resend, right-click it and select Open/Resend with Request Editor (hand icon).
Requests are also available in the right pane of ZAP.
A new window will open where you can modify the request and click Send. In the Response tab you can inspect the response to the request.


Proxy from ZAP to HTTPS

ZAP can also be configured to proxy HTTPS requests. It terminates the HTTPS connection in OWASP ZAP and then proxies it to the target using its own keystore.
ZAP can even proxy to sites that use mutual TLS (it needs the client keystore and key for that connection).

Another tool we can use instead of ZAP is BurpSuite.