Proxy Utilization

From OWASP
Latest revision as of 07:50, 3 June 2009

WebGoat User Guide Table of Contents

WebGoat's own features for revealing the workings of the application need to be supplemented with the assessor's application assessment proxy of choice.

This enables further analysis and modification of the client-server interaction and of the data in transit.

Use and configuration will be unique to each tool, but the basic concepts are as follows:

  • The application assessment proxy must sit between the client browser and the remote server.
  • It should allow the display and modification of all HTTP data in transit.

Typically, the tool will either plug directly into the browser or listen on another local port. When it plugs in directly, a special URL may need to be entered in the browser. When the tool listens on a port, the browser will need to be configured to use the proxy. In Microsoft Internet Explorer this is done from the Tools menu by choosing:

  1. Choose the “Tools/Internet Options” menu item.
  2. Choose the “Connections” tab
  3. Hit the “LAN Settings…” button.
  4. On the Local Area Network Settings dialog check the Proxy server checkbox.
  5. Uncheck the “Bypass proxy server for local addresses” box. WebGoat is normally served from localhost, so leaving this box checked would route its traffic around the proxy.
  6. Enter the address and port where the proxy tool will be listening. The default listening port for WebScarab is 8008.

Figure 7: LAN Settings

Now, whenever the client browser sends or receives data, it is possible to intercept, analyze and modify the HTTP requests and responses to test the target application for security flaws.

For a tutorial on setting up and running WebScarab see: WebScarab Tutorial


In using proxies of this kind, a number of capabilities become available to the assessor, including:

  • All GET/POST parameters are available for modification, regardless of their hidden status
  • Cookies, both persistent and non-persistent, may be modified when entering or leaving the browser
  • All client-side data validation can be bypassed, as the parameters can be modified immediately before being sent to the server
  • Information regarding the caching of data (e.g. Pragma: no-cache) is exposed for analysis
  • Server: and other headers are revealed, which may be useful for enumeration of the remote web-server and application-server technologies
