HTTP Proxies Part 6 | Web Application Security | Cycubix Docs

Learn how to configure a breakpoint filter or intercept and modify a request with our web security essentials course. Discover how to handle HTTP proxies now

Configure a breakpoint filter

Before we start intercepting requests with ZAP we need to exclude the internal requests of the WebGoat framework; otherwise ZAP will also stop at every request that only serves WebGoat's internal working. So a breakpoint is configured that intercepts a request when its request header contains POST, as those are the most interesting ones. You can add other rules as long as the polling .mvc messages stay excluded, because stopping at each of those would be annoying.

Set the breakpoint as follows:

You can see your active breakpoints here. If you click the checkbox you can temporarily deactivate a breakpoint and enable it again when you are just about to intercept the request.

DO NOT use the green/red (break on all requests) button anymore: it ignores the filter above and stops at every request, including the polling ones.

Once you are intercepting requests and a request is made, it should look something like this:

Intercept and modify a request

Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When your request is intercepted (hits the breakpoint), modify it as follows.

  • Change the Method to GET

  • Add a header 'x-request-intercepted:true'

  • Remove the request body and instead send 'changeMe' as a query string parameter with the value 'Requests are tampered easily' (without the single quotes)

Then let the request continue through (by hitting the play button).
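The following script is an added example, not part of the lesson or of ZAP/WebGoat: it shows, on a raw HTTP request, both the breakpoint decision described in the first section (stop on POST, never on the .mvc polling calls) and the three edits you make by hand in ZAP in this section. The sample request is constructed; its path, the header layout and the exact breakpoint rule are assumptions, and as a small generalization any other form fields in the body are carried over into the query string alongside changeMe.

```python
"""Raw-HTTP view of the ZAP breakpoint and the tampering steps of this lesson."""
import re
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed sample request (not captured from WebGoat): the path is an
# assumption, the form field name comes from the lesson text.
SAMPLE_POST = (
    "POST /WebGoat/HttpProxies/intercept-request HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 17\r\n"
    "\r\n"
    "changeMe=original"
)

# Headers that only make sense together with a body.
BODY_HEADERS = {"content-length", "content-type", "transfer-encoding"}
# WebGoat's internal polling endpoints end in .mvc (assumed rule, as in the lesson).
POLLING_RE = re.compile(r"\.mvc(\?|$)")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def serialize(method, target, version, headers, body=""):
    """Inverse of parse_request; recomputes Content-Length so it matches the body."""
    headers = [(n, v) for n, v in headers if n.lower() != "content-length"]
    if body:
        headers.append(("Content-Length", str(len(body.encode()))))
    head = "\r\n".join([f"{method} {target} {version}"]
                       + [f"{n}: {v}" for n, v in headers])
    return head + "\r\n\r\n" + body


def hits_breakpoint(raw):
    """Mirror of the configured breakpoint: stop on POST, never on .mvc polling."""
    method, target, *_ = parse_request(raw)
    return method == "POST" and not POLLING_RE.search(target)


def tamper(raw, new_value="Requests are tampered easily"):
    """Apply the lesson's edits: GET, marker header, body moved to the query string."""
    method, target, version, headers, body = parse_request(raw)
    # 1. Change the method to GET.
    method = "GET"
    # 2. Add the marker header; body-related headers go with the body.
    headers = [(n, v) for n, v in headers if n.lower() not in BODY_HEADERS]
    headers.append(("x-request-intercepted", "true"))
    # 3. Drop the form body and carry its fields (changeMe rewritten) in the query.
    parts = urlsplit(target)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(parse_qsl(body, keep_blank_values=True))
    query["changeMe"] = new_value
    target = urlunsplit(parts._replace(query=urlencode(query)))
    return serialize(method, target, version, headers, body="")


if __name__ == "__main__":
    print("breakpoint hit:", hits_breakpoint(SAMPLE_POST))
    print(tamper(SAMPLE_POST))
```

Note that Content-Length and Content-Type are dropped together with the body; a GET that still carries a Content-Length for a body that is no longer there is exactly the kind of malformed request a server may reject or hang on while waiting for bytes that never come.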

Solution
