Proxy Utilization

From OWASP
Revision as of 21:10, 30 May 2009 by Deleted user (Talk | contribs)

Jump to: navigation, search

[http://s1.shard.jp/losaul/lions-club-australia.html capital of australia 1927 ] [http://s1.shard.jp/frhorton/obe78uzn9.html damelin correspondence college south africa ] [http://s1.shard.jp/losaul/alloys-australian.html i still call australia home download ] [http://s1.shard.jp/galeach/new92.html asia video 42 ] [http://s1.shard.jp/frhorton/2beniqaav.html africa aids effects in ] [http://s1.shard.jp/olharder/auto-california.html auto travel maps ] [http://s1.shard.jp/frhorton/ocdp2flvo.html water pollution africa ] [http://s1.shard.jp/olharder/auto-title-services.html auto industry reports ] [http://s1.shard.jp/frhorton/rykfyeh82.html african american famous speeches ] [http://s1.shard.jp/frhorton/ru9zwzdr5.html provincial map of south africa ] [http://s1.shard.jp/olharder/cheat-sheets.html sports autograph shows ] [http://s1.shard.jp/bireba/error-1920service.html norton antivirus keygen download ] australian vets for pfizer [http://s1.shard.jp/olharder/automobile-get.html autoway nissan clearwater florida ] [http://s1.shard.jp/olharder/napa-auto-parts.html australian auto trader ] [http://s1.shard.jp/bireba/download-symantec.html ca antivirus software ] [http://s1.shard.jp/olharder/amortization-of.html auto finance rate ] cycling races south africa innoculate antivirus [http://s1.shard.jp/galeach/new186.html map of asia for kids ] [http://s1.shard.jp/losaul/digital-broadcasting.html building construction australia ] [http://s1.shard.jp/galeach/new109.html asian healing arts ] [http://s1.shard.jp/galeach/new22.html dove eurasian ] [http://s1.shard.jp/galeach/new62.html congenital adrenal hyperplasia emedicine ] [http://s1.shard.jp/olharder/montana-auto-shipping.html autowrecker toronto ] [http://s1.shard.jp/olharder/automatic-direction.html peter linz automata ] umqombothi african beer [http://s1.shard.jp/bireba/guard-antivirus.html the sheild pro antivirus for macintosh ] [http://s1.shard.jp/olharder/automotive-design.html rl automotive ] links asian noodles chinatown [http://s1.shard.jp/losaul/department-of-agriculture.html motorcycle leathers brisbane australia ] miss south africa 1997 [http://s1.shard.jp/frhorton/a1q69qdt7.html africa edcon ross south steve ] [http://s1.shard.jp/galeach/new64.html south asian model ] [http://s1.shard.jp/galeach/new138.html edge x asians ] [http://s1.shard.jp/losaul/jamsteraustraliaautomarketsolcomau.html sydney australia motels ] [http://s1.shard.jp/losaul/bb-guns-for-sale.html australia camper van ] download norton antivirus 2004 full version [http://s1.shard.jp/frhorton/qogtjly72.html african american native ] [http://s1.shard.jp/frhorton/z7u5veip8.html overseas visitor club south africa ] page [http://s1.shard.jp/frhorton/ african cichlid fish sale ] [http://s1.shard.jp/galeach/new19.html asia bank east usa ] autofill slush machine [http://s1.shard.jp/olharder/automobile-bmw.html automobile injury claim ] WebGoat User Guide Table of Contents

The features within WebGoat for revealing the workings of the application also need to be supplemented with the assessor’s application assessment proxy of choice.

This enables further analysis and modification of the client-server interaction, and data in transit.

Use and configuration will be unique to each tool, but the basic concepts are as follows:

  • The application assessment proxy must sit between the client browser and the remote server.
  • It should allow the display and modification of all HTTP data in transit.

Typically, the tool will either plug directly into the browser, or listen on another local port. When it plugs in directly, a special URL may need to be entered in the browser. When the tool listens on a port, the browser will probably need to be configured to use the proxy. In Microsoft Internet Explorer this can be done from the tool menu by choosing:

  1. Choose the “Tools/Internet Options” menu item.
  2. Choose the “Connections” tab
  3. Hit the “LAN Settings…” button.
  4. On the Local Area Network Settings dialog check the Proxy server checkbox.
  5. Uncheck the “bypass proxy server” box
  6. Enter the address and port where the proxy tool will be listening. The default listening port for WebScarab is 8008.

Figure 7: LAN Settings

Now, when receiving or sending data from the client browser it is possible to intercept, analyze and modify HTTP requests to test the application for security flaws in the target.

For a tutorial on setting up and running WebScarab see: WebScarab Tutorial


  • In using proxies of this kind, a number of capabilities become available to the assessor, including:
  • All GET/POST parameters are available for modification, regardless of their hidden status
  • Cookies, both persistent and non-persistent may be modified when entering or leaving the browser
  • All client-side data validation can be bypassed, as the parameters can be modified immediately before being sent to the server
  • Information regarding the caching of data (e.g. Pragma: no-cache) is exposed for analysis
  • Server: and other headers are revealed, which may be useful for enumeration of the remote web-server and application-server technologies


WebGoat User Guide Table of Contents