Configure a breakpoint filter

Before we start diving into intercepting requests with ZAP, we need to exclude the internal requests from the WebGoat framework. Otherwise, ZAP will also stop at all the requests which are only necessary for the inner working of WebGoat.

Basically, a breakpoint is configured that will intercept requests when the request header contains a POST. You can add other rules as long as the polling .mvc messages will be excluded. As this would be annoying.

Set the breakpoint as follows:

1. Set Up the breakpoint.

2. Check your active breakpoints. If you click on the checkbox, you can temporarily deactivate them and enable them again before intercepting the request. **Do not use the green/red button.

3. Once you are intercepting requests and a request is made, it should look something like this:

4. Set up the intercept as noted above and then submit the form/request below by clicking the submit button.

5. Once you submit the request, your request should look like this:

6. As your request is intercepted, make the following changes:

• Change the Method to GET

• Add a header 'x-request-intercepted:true'

• Remove the request body and instead send 'changeMe' as a query string parameter and set the value to 'Requests are tampered easily' (without the single quotes)