Use ZAP tool to intercept HTTP Traffic

ZAP Tool

Zed Attack Proxy is one of the most popular security tool that used to find security vulnerabilities in applications.

This blog discuss how we can use the ZAP tool to intercept and modify the HTTP and HTTPS traffic.

Intercepting the traffic using the ZAP tool


Before we start, lets download and install the ZAP Tool.

1) Start the ZAP tool using / zap.sh

2) Configure local proxy settings
 To configure the Local Proxy settings in the ZAP tool go to Tools -> Options -> Local Proxy and provide the port to listen.


3) Configure the browser
 Now open your preferred browser and set up the proxy to listen to above configured port.

For example: If you are using FireFox browser browser proxy can be configured by navigating to "Edit -> Preferences -> Advanced -> Setting -> Manual Proxy Configuration" and providing the same port configured in the ZAP proxy


4) Recording the scenario

Open the website that you want to intercept using the browser and verify the site is listed in the site list. Now record the scenario that you want to intercept by executing the steps in your browser.


5) Intercepting the requests

Now you have the request response flow recorded in the ZAP tool. To view the request response information you have to select a request from the left side panel and get the information via the right side "Request" and "Response" tabs.

Next step is to add a break point to the request to stop it to modify the content.

Adding a Break Point

Right click on the request  that you want to add a break point, and then select "Break" to add a break point



After adding the breakpoint. Record the same scenario that you recorded above. You will notice that, when the browser reached to the intercepted request it will open up a new tab called 'Break'.

Use the "Break" tab to modify the request  headers and body. Then click the "Submit and step to next request or response" icon to submit the request.




Then ZAP will return the request to the server with the changes applied to it.

Comments

Post a Comment

Popular posts from this blog

Working with WSO2 carbon Admin Services

Image
WSO2 products managed internally using defined SOAP web services named as admin services. This blog will describe how to call the admin services and perform operation with out using the Management Console. Note - I will be using WSO2 Enterprise Integrator to demonstrate this. Lets look at how to access the admin services in wso2 products. By default the admin services are hidden from the user. To enable the admin services, 1. Go to <EI_HOME>/conf/carbon.xml and enable admin services as follows <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs> 2. Now start the EI server using ./integrator.sh -DosgiConsole When the server is started click 'Enter' and you will be directed to the osgi console mode. 3. To search the available admin services, Add 'listAdminServices' in the osgi console.This will list down the available admin services with the URL to access the admin services. Access Admin Service via SOAP UI 4. You can ac
Read more

The 100% Open Source ESB

Image
Open Source ESB Market Today, open source solutions giving a significant competition to the proprietary software solutions. Same applies for the ESB software. There are number of open source ESB solutions available in the market, but the WSO2 ESB is the only ESB solution to be claimed as a 100% Open Source ESB solution in this competitive market. It was licensed under Apache License versions 2.0 . When we say 100% Open Source ESB, there can be several questions coming in to your mind. Below will answer your questions. Is the entire source code available freely? How about the Enterprise edition of WSO2 ESB? There is no such concept called Enterprise WSO2 ESB and Open Source WSO2 ESB as you have come across with other open source ESB solutions. In WSO2 ESB, we provide the entire source code available for the users without restricting the use of any available feature. Managing the success with Open Source Model When it comes to Open Source ESB, you may have some doubts
Read more