Difference between revisions of "Proxy Utilization"

From OWASP
(Reverting to last version not containing links to s1.shard.jp)
Revision as of 13:00, 29 May 2009

WebGoat User Guide Table of Contents

The features within WebGoat for revealing the workings of the application also need to be supplemented with the assessor’s application assessment proxy of choice.

This enables further analysis and modification of the client-server interaction, and data in transit.

Use and configuration will be unique to each tool, but the basic concepts are as follows:

  • The application assessment proxy must sit between the client browser and the remote server.
  • It should allow the display and modification of all HTTP data in transit.

Typically, the tool will either plug directly into the browser, or listen on another local port. When it plugs in directly, a special URL may need to be entered in the browser. When the tool listens on a port, the browser will probably need to be configured to use the proxy. In Microsoft Internet Explorer this can be done from the Tools menu by choosing:

  1. Choose the “Tools/Internet Options” menu item.
  2. Choose the “Connections” tab
  3. Hit the “LAN Settings…” button.
  4. On the Local Area Network Settings dialog check the Proxy server checkbox.
  5. Uncheck the “bypass proxy server” box
  6. Enter the address and port where the proxy tool will be listening. The default listening port for WebScarab is 8008.

Figure 7: LAN Settings

Now, whenever the client browser sends or receives data, it is possible to intercept, analyze and modify the HTTP requests and responses in order to test the target application for security flaws.

For a tutorial on setting up and running WebScarab see: WebScarab Tutorial


In using proxies of this kind, a number of capabilities become available to the assessor, including:

  • All GET/POST parameters are available for modification, regardless of their hidden status
  • Cookies, both persistent and non-persistent, may be modified when entering or leaving the browser
  • All client-side data validation can be bypassed, as the parameters can be modified immediately before being sent to the server
  • Information regarding the caching of data (e.g. Pragma: no-cache) is exposed for analysis
  • The Server: header and other headers are revealed, which may be useful for enumeration of the remote web-server and application-server technologies
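The following Python is an added example, not code from the WebGoat guide or from WebScarab, that models the two lists above in one run: a proxy core that parses the HTTP message in transit, exposes every form parameter (hidden or not) for editing, and reports the Server: and caching headers on the way back; and a stand-in server that ignores the hidden price field and the client-side check behind it, taking the price from its own catalogue instead. The catalogue, the host shop.example, the SKU names and the sample request are all constructed for the example; nothing touches the network.

```python
"""Toy intercepting-proxy core plus a server handler that does not trust
client-supplied values. Added example; not WebScarab's or WebGoat's code.
Everything is constructed in-process: no sockets, no network."""
from urllib.parse import parse_qs, urlencode

# Assumption (constructed): the server's own price list, in cents.
CATALOGUE = {"sku-1001": 1999}


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, headers dict, body).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def build_http_message(start_line: str, headers: dict, body: bytes) -> bytes:
    """Inverse of parse_http_message; Content-Length is recomputed because
    an edited body almost always changes length."""
    headers = dict(headers)
    headers["content-length"] = str(len(body))
    head = start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("iso-8859-1") + b"\r\n" + body


def intercept_request(raw: bytes, edits: dict) -> bytes:
    """Outbound side of the proxy: every form parameter is visible here,
    whether the HTML marked it hidden or not, and the assessor's edits are
    applied after any client-side validation has already run."""
    start, headers, body = parse_http_message(raw)
    params = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    params.update(edits)
    return build_http_message(start, headers, urlencode(params).encode())


def interesting_response_headers(raw: bytes) -> dict:
    """Inbound side of the proxy: surface the headers the guide singles out
    (Server: for technology enumeration, Pragma/Cache-Control for caching)."""
    _, headers, _ = parse_http_message(raw)
    return {k: headers[k] for k in ("server", "pragma", "cache-control") if k in headers}


def server_handle_order(raw_request: bytes) -> bytes:
    """Constructed stand-in for the remote server. It never reads the hidden
    'price' field; the price comes from CATALOGUE, so an edit made in the
    proxy changes nothing the server charges."""
    _, _, body = parse_http_message(raw_request)
    params = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    sku = params.get("sku")
    if sku not in CATALOGUE:
        return build_http_message("HTTP/1.1 400 Bad Request",
                                  {"server": "toy/0.1"}, b"unknown sku")
    body = f"charged={CATALOGUE[sku]}".encode()
    return build_http_message("HTTP/1.1 200 OK",
                              {"server": "toy/0.1", "pragma": "no-cache"}, body)


def run_through_proxy(raw_request: bytes, edits: dict):
    """Browser -> proxy (edit) -> server -> proxy (inspect)."""
    forwarded = intercept_request(raw_request, edits)
    response = server_handle_order(forwarded)
    return forwarded, response, interesting_response_headers(response)


# Constructed browser request: the form carried a hidden 'price' field and
# the page's JavaScript had already "validated" it before submission.
SAMPLE_REQUEST = (
    b"POST /order HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
    b"sku=sku-1001&price=1999&qty=1"
)

if __name__ == "__main__":
    fwd, resp, hdrs = run_through_proxy(SAMPLE_REQUEST, {"price": "1"})
    print(fwd.decode())
    print(resp.decode())
    print(hdrs)
```

Running it shows the forwarded request carrying price=1 while the response still reports charged=1999, which is the point a defender takes from the list above: because the proxy can rewrite anything after client-side checks have run, those checks are a usability feature and the server must re-validate every value against state it owns.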

