Proxy Utilization

Revision as of 07:03, 26 May 2009 by Deleted user (Talk | contribs)

Jump to: navigation, search

[ australian batman robin ] top [ optic nerve aplasia ] [ auto parts tampa fl ] [ auto rebuilt transmission ] [ business oppertunities south africa ] [ double cropping in east asia ] [ uncensored asian ] [ camtasia studio 2.1.1 crack ] [ autoway nissan clearwater florida ] [ 2006 calendar australia ] [ asian table lamps ] [ cheap air flight australia ] [ asians and hispanics ] [ australian dollar us dollar exchange rates ] [ asian martial arts center ] [ antivirus software macintosh ] [ asian tsunami death total ] [ south african climate ] [ lowest auto rates ] [ australias indigenous people ] [ jojoba cultivation south africa ] [ african language family ] autoritatea nationala de reglementare in domeniul energiei australian sheepskin slippers [ installing antivirus software ] [ antivirus review best ] [ crack for avg antivirus 7.1 ] url [ asian dramas ] [ avg antivirus professional crack ] [ antivirus panda software ] [ all asians are smart ] link [ 1570711429 asian exec obidos ] domain [ african animal sounds ] [ asian tgirl ] [ bca auto leiloes pt ] [ australian surfer boys ] [ antivirus software for server 2003 ] antivirus stop sign average annual rainfall map of africa [ asian hot spread ] [ pen pal world asian ] [ performance auto and sound models ] map [ book for african american kid ] WebGoat User Guide Table of Contents

The features within WebGoat for revealing the workings of the application also need to be supplemented with the assessor’s application assessment proxy of choice.

This enables further analysis and modification of the client-server interaction, and data in transit.

Use and configuration will be unique to each tool, but the basic concepts are as follows:

  • The application assessment proxy must sit between the client browser and the remote server.
  • It should allow the display and modification of all HTTP data in transit.

Typically, the tool will either plug directly into the browser, or listen on another local port. When it plugs in directly, a special URL may need to be entered in the browser. When the tool listens on a port, the browser will probably need to be configured to use the proxy. In Microsoft Internet Explorer this can be done from the tool menu by choosing:

  1. Choose the “Tools/Internet Options” menu item.
  2. Choose the “Connections” tab
  3. Hit the “LAN Settings…” button.
  4. On the Local Area Network Settings dialog check the Proxy server checkbox.
  5. Uncheck the “bypass proxy server” box
  6. Enter the address and port where the proxy tool will be listening. The default listening port for WebScarab is 8008.

Figure 7: LAN Settings

Now, when receiving or sending data from the client browser it is possible to intercept, analyze and modify HTTP requests to test the application for security flaws in the target.

For a tutorial on setting up and running WebScarab see: WebScarab Tutorial

  • In using proxies of this kind, a number of capabilities become available to the assessor, including:
  • All GET/POST parameters are available for modification, regardless of their hidden status
  • Cookies, both persistent and non-persistent may be modified when entering or leaving the browser
  • All client-side data validation can be bypassed, as the parameters can be modified immediately before being sent to the server
  • Information regarding the caching of data (e.g. Pragma: no-cache) is exposed for analysis
  • Server: and other headers are revealed, which may be useful for enumeration of the remote web-server and application-server technologies

WebGoat User Guide Table of Contents