An introduction to Attack Proxy
So what is an “attack proxy”? It is a special proxy server that you route your browser traffic to a website through. Penetration testing tools are integrated into it, so every request and response passing through can be inspected and tested for vulnerabilities in the web application.
There are two main ones which are freely available.
- Zed Attack Proxy (ZAP) by OWASP
- Burp Suite by PortSwigger (“Community Edition” is free)
I’m going to talk you through the basic setup of each one but I’ll write dedicated articles for these in the future.
Zed Attack Proxy (ZAP) can be downloaded and installed on most operating systems. It also comes bundled with Kali Linux as discussed in my previous article.
I’ve installed OWASP ZAP 2.9.0 on my Mac for this tutorial.
When ZAP loads for the first time it will ask you to update the packages from the Marketplace. Just click “Update All” and wait for it to finish.
You can always get back to this page later by going to “Help”, then “Check for updates…” in the ZAP menu.
Just as an aside note if you click on the “Marketplace” tab at the top you can also install additional plugins. I particularly like the ones related to creating reports.
It will also ask if you want to persist the ZAP session. For this tutorial there is no need to persist the session at this moment in time.
If you want to change this dialog on start you can go to the ZAP menu, then “Tools”, then “Options…”, then “Database”, then “Prompt for persistence options for new session”.
The first step may not be obvious but you need to install the CA cert into the browser you want to use.
In the ZAP menu go to “Tools”, then “Options…”, then navigate down the list to “Dynamic SSL Certificates”. You will want to save the “owasp_zap_root_ca.cer” certificate to your desktop or somewhere suitable.
Again in the ZAP menu, go to “Tools”, then “Options…”, then “Local Proxies”. Nothing to do here specifically except to take note that the attack proxy will run on localhost port 8080.
Now with ZAP open in the bottom left you will see this…
What we want to do now is to configure your browser to use this proxy. I usually use Chrome for my normal browsing so I prefer to use another browser for my attack proxy. I will use Firefox.
Whichever browser you use, open the Preferences and search for “proxy”. In Firefox it looks like this.
The process is very similar for each browser but in Firefox you need to configure the proxy as follows.
- Manual proxy configuration
- HTTP Proxy 127.0.0.1 Port 8080
- Check “Use this proxy server for all protocols”
Now back in your browser Preferences search for “certificates”.
Click on “View Certificates” and you will want to “Import” the ZAP CA certificate under “Authorities”.
Check the two checkboxes and click “OK”.
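The two browser settings above (send traffic to 127.0.0.1:8080, trust the proxy’s root CA) are exactly what any other HTTP client needs if it is to go through the same attack proxy. The following is an added example, not code from this article or from the ZAP or Burp projects: it builds a Python urllib client configured the same way and turns the two classic setup mistakes (proxy not started, CA not trusted) into a short diagnosis. The target URL is the DVWA address used in the article; the ca_file path is an assumption.

```python
"""Route a scripted HTTP client through the attack proxy the same way the
browser was configured above: proxy at 127.0.0.1:8080 plus trust in the
exported root CA. Added example, not code from the article or from ZAP/Burp."""
import ssl
import urllib.error
import urllib.request

PROXY_HOST = "127.0.0.1"
PROXY_PORT = 8080


def make_proxied_opener(ca_file=None, host=PROXY_HOST, port=PROXY_PORT):
    """Build a urllib opener that sends http and https through the proxy.

    ca_file is the root certificate exported from ZAP ("owasp_zap_root_ca.cer")
    or Burp ("burpsuite_root_ca.cer"), in PEM encoding. With ca_file=None the
    client keeps the system trust store, so the certificates the proxy forges
    for https sites will be rejected, which is the expected failure mode.
    """
    proxy_url = f"http://{host}:{port}"
    proxy = urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url})
    ctx = ssl.create_default_context(cafile=ca_file)
    https = urllib.request.HTTPSHandler(context=ctx)
    return urllib.request.build_opener(proxy, https)


def classify_error(exc):
    """Map the two usual setup failures to a short diagnosis string."""
    # urllib wraps socket-level errors in URLError; unwrap to the real cause
    cause = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(cause, ConnectionRefusedError):
        return "proxy_down"       # nothing listening on 127.0.0.1:8080
    if isinstance(cause, ssl.SSLCertVerificationError):
        return "ca_not_trusted"   # proxy root CA not imported into the trust store
    return "other"


def fetch_through_proxy(url, ca_file=None):
    """Fetch url via the proxy; returns (status, body) or (None, diagnosis)."""
    opener = make_proxied_opener(ca_file)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read()
    except OSError as exc:  # URLError and SSL errors are both OSError subclasses
        return None, classify_error(exc)


if __name__ == "__main__":
    # The DVWA instance from the article; plain http, so no CA file is needed.
    print(fetch_through_proxy("http://192.168.1.2/DVWA/"))
```

urllib only accepts a PEM file for cafile, so a DER export (Burp’s “Certificate in DER format”) must be converted first, for example with `openssl x509 -inform der -in burpsuite_root_ca.cer -out burpsuite_root_ca.pem`. Whatever the client, the request will show up in the proxy’s history exactly as a browser request does.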
Please note it is illegal to scan or attack web sites without permission. I’m using the Damn Vulnerable Web Application (DVWA) which we installed in my previous articles, here and here.
When I open http://192.168.1.2/DVWA you will see a ZAP HUD overlay. Click “Continue to your target”.
If you are testing with DVWA go to “DVWA Security” and set the “Security Level” to “Low” for the best results.
Now back in OWASP ZAP you will see that as I browse the pages are being scanned for vulnerabilities.
Without going into too much detail in this article, if I click on one of the links (e.g. http://192.168.1.2/DVWA/vulnerabilities/sqli/) I can see some very useful information which will be covered in upcoming articles. Please note that my “Cookie” is shown there with my “PHPSESSID”.
If you are using this article to help secure and improve security in your web applications then the most important part you will want to be looking at is the “Alerts” tab.
As you can see there is a “Medium” alert for “Reverse Tabnabbing”. If I expand that and click on one of the vulnerable pages it gives a lot of information about the description, solution and reference links. You really want to make sure that any web application you deploy and manage does not have any alerts of risk “Medium” or above.
The way I’ve just shown you relies on you browsing around the site to discover vulnerabilities. I’ll cover in upcoming articles how you can automate this with a Spider or Attack scan, but getting those past authentication can be more complicated, which is why using the attack proxy and manually browsing is the easiest.
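To show what the “Alerts” tab is actually doing while you browse, here is an added example (not ZAP’s or Burp’s own rule code) of two passive checks run over a single captured response: cookies set without the HttpOnly, Secure or SameSite attributes, and the “Reverse Tabnabbing” pattern, a link with target="_blank" and no rel="noopener" or rel="noreferrer". The response headers and HTML body are constructed to resemble a DVWA page at security level Low; they were not captured from the article’s setup.

```python
"""Two passive checks of the kind an attack proxy runs on responses passing
through it. Added example, not the proxy's own rule implementation; the
sample response below is constructed."""
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect hrefs of <a> tags that open a new tab without noopener/noreferrer."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if (a.get("target") or "").lower() != "_blank":
            return
        rel = {r.lower() for r in (a.get("rel") or "").split()}
        if not rel & {"noopener", "noreferrer"}:
            self.findings.append(a.get("href") or "")


def check_cookies(headers):
    """Return one alert per missing HttpOnly / Secure / SameSite attribute."""
    alerts = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # attribute names after the first ';', lower-cased, values dropped
        attrs = {p.strip().split("=", 1)[0].lower() for p in value.split(";")[1:]}
        for flag in ("httponly", "secure", "samesite"):
            if flag not in attrs:
                alerts.append(f"cookie {cookie_name} without {flag} attribute")
    return alerts


def check_tabnabbing(body):
    """Return one alert per target=_blank link lacking rel=noopener/noreferrer."""
    parser = _LinkCollector()
    parser.feed(body)
    return [f"reverse tabnabbing: target=_blank link without noopener ({href})"
            for href in parser.findings]


def scan_response(headers, body):
    """Run both passive checks over one response and return all alerts."""
    return check_cookies(headers) + check_tabnabbing(body)


# Constructed sample response, modelled on a DVWA page at security level Low.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Set-Cookie", "security=low; path=/; HttpOnly; Secure; SameSite=Lax"),
]
SAMPLE_BODY = """<html><body>
<a href="http://example.invalid/" target="_blank">external</a>
<a href="http://example.invalid/safe" target="_blank" rel="noopener noreferrer">safe</a>
<a href="/vulnerabilities/sqli/">SQL Injection</a>
</body></html>"""

if __name__ == "__main__":
    for alert in scan_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(alert)
```

The session cookie in the sample is the interesting one: it is exactly the PHPSESSID the proxy displays in the request view, and without HttpOnly it is also readable by any script injected into the page, which is why these cookie alerts sit alongside the injection findings rather than being cosmetic.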
OWASP is really amazing at providing a lot of free information and tutorials on how to use their tools so I recommend working through those.
The free Burp Suite Community Edition can be downloaded and installed on most operating systems. It also comes bundled with Kali Linux as discussed in my previous story.
Before continuing please make sure you close OWASP ZAP to shutdown the attack proxy. Burp Suite also uses localhost on port 8080 by default so you will have a conflict if you run them at the same time.
The installation of Burp Suite is straightforward. As it loads you will be asked to create or open a project. Just use a “Temporary project” and on the next page “Use Burp defaults”.
As with OWASP ZAP the proxy automatically starts on localhost port 8080 but it actually won’t work until we configure the proxy.
Please click on the “Proxy” tab at the top in orange.
Then go to “Options”.
Make sure the proxy is running on 127.0.0.1:8080 or change it if you prefer. If you want to reset the configuration to the default you can click on the settings cog under “Proxy Listeners” and “Restore defaults”. You should not need to do this with a fresh install but it is worth knowing it is there.
The important and essential part here is to click on “Import / export CA certificate”. You will want to Export a “Certificate in DER format”, call it “burpsuite_root_ca.cer” and save it on your desktop or somewhere suitable.
You need to import this certificate as an Authority in your browser as we did above for the OWASP ZAP proxy. The instructions for what to do are covered there; it is the same process.
Once that is done, in the Burp Suite “Proxy” tab click on “Intercept” and make sure “Intercept is on”.
I’m assuming your browser is configured with the 127.0.0.1 port 8080 proxy and the Burp Suite CA certificate is installed. Open your target site, in my case the Damn Vulnerable Web Application (DVWA) which we installed in my previous articles, here and here.
One pretty major difference between OWASP ZAP and Burp Suite is that we need to manually approve and “Forward” requests through the proxy.
As you can see it is asking me if I want to “Forward” the “Request to http://192.168.1.2:80” which we do.
For interest’s sake, straight after I clicked “Forward” I got another request to Mozilla, which I “Dropped”. Just allow through and “Forward” the requests relevant to your testing.
Under the “Target” tab you will now see the details of the requests. As I mentioned before, I can see some very useful information which will be covered in upcoming articles. Please note that my “Cookie” is shown there with my “PHPSESSID”.
Both attack proxies are very popular and feature rich. I just wanted to give you a tutorial on getting them configured with a base setup. I’m planning on writing articles to cover the features in more detail later. As I have mentioned, many tools, particularly in Kali Linux, will aim to get the Cookie and PHP Session ID details, and I’ve shown you how to see these with both tools.