HTTP Proxies Part 6 | Web Application Security | Cycubix Docs
Configure a breakpoint filter
Before we start intercepting requests with ZAP, we need to exclude the internal requests of the WebGoat framework; otherwise ZAP will also stop at every request that only serves WebGoat's internal workings. Instead, configure a breakpoint that intercepts a request only when its request header contains POST, as these are the most interesting ones. You can add other rules, as long as the polling .mvc messages stay excluded, since stopping on each of those would be annoying.
Set the breakpoint as follows:
You can see your active breakpoints here. And if you click on the checkbox you can also temporarily deactivate them and enable them again when you are just about to intercept the request.
DO NOT use the green/red button anymore
Once you are intercepting requests and a request is made, it should look something like this:
Intercept and modify a request
Set up the intercept as described above, then submit the form/request below by clicking the submit button. When your request is intercepted (hits the breakpoint), modify it as follows:
Change the Method to GET
Add a header 'x-request-intercepted:true'
Remove the request body and instead send 'changeMe' as query string parameter and set the value to 'Requests are tampered easily' (without the single quotes)
Then let the request continue through (by hitting the play button).
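As an added example (not code from the lesson, WebGoat or ZAP), the script below models both the breakpoint rule from the filter section (stop on POST, never on .mvc polling calls) and the three edits above, applied to a constructed request; the lesson path and the `lesson_passes` check are assumptions about how the server verifies the tampered request.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of the form submission (path and body are assumed).
ORIGINAL = (
    "POST /WebGoat/HttpProxies/intercept-request HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 15\r\n"
    "\r\n"
    "changeMe=doesnt"
)


def should_break(method: str, path: str) -> bool:
    """Breakpoint rule: intercept POST requests, but never the .mvc polling calls."""
    if path.endswith(".mvc"):
        return False
    return method.upper() == "POST"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into method, target, version, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, target, version, headers, body


def tamper(raw: str) -> str:
    """Apply the lesson's edits: GET, marker header, body replaced by ?changeMe=... query."""
    _, target, version, headers, _ = parse_request(raw)
    parts = urlsplit(target)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "changeMe"]
    query.append(("changeMe", "Requests are tampered easily"))
    new_target = urlunsplit(("", "", parts.path, urlencode(query), ""))
    headers.pop("content-type", None)   # no body any more, so drop body-related headers
    headers.pop("content-length", None)
    headers["x-request-intercepted"] = "true"
    head = [f"GET {new_target} {version}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(head) + "\r\n\r\n"


def lesson_passes(raw: str) -> bool:
    """Assumed server-side check: all three edits must be present for the lesson to pass."""
    method, target, _, headers, body = parse_request(raw)
    params = dict(parse_qsl(urlsplit(target).query))
    return (method == "GET" and headers.get("x-request-intercepted") == "true"
            and body == "" and params.get("changeMe") == "Requests are tampered easily")
```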
Solution
Open the Development Tools in the browser, and go to the Network tab.
Click on Submit without editing the parameter.
Locate the request to intercept-request in the Network tab and click on Edit and Resend.
Change the POST method to GET.
Add the request header x-request-intercepted: true.
Clear the body of the query.