Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
At its core, ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application, and as a daemon process. [...]
- Intercept the Traffic between server and client
- Windows Server 2012 or 2016 virtual machine (Attacker)
- Windows 10 virtual machine (Target)
-
Log into the Windows 10 and launch any browser, in this lab: Firefox.
-
Go to Settings > Network Settings
-
On Proxy Settings, check the box Manual Proxy Configuration, and type the Attacker machine's IP address on port 8080 as shown below:
-
You also can configure directly on Internet Properties on Control Panel > Connections Tab > LAN Settings
Check the Proxy Server checkbox and type the attacker machine's IP address and port 8080 as shown below:
Switch to Attacker Machine (Windows Server).
Note: Make sure to install Java Run time
-
Download ZAP > https://www.zaproxy.org/download/
-
On installatin process, make sure to select the option: "No, I do not want to persist this session at this moment in time":
-
On the OWASP ZAP main window, click on the "+" icon in the right pane, then add the Break tab, as shown below:
The Break tab allows you to modify a response or request when it has been caught by the ZAP.
It also allows you to modify some elements that you cannot modify through your browser; these include: The Header, Hidden fields, Disabled fields, Fields that use Javascript to filter out illegal characters. -
Once the Break tab is added, you need to configure the ZAP to work as a proxy, go to Options by click on gear icon on the top, as show below:
-
On the Options window, select the Local Proxies from the left pane; The address is the Windows Server IP address and port is 8080 by default:
-
Go back to ZAP main window and click on Green Button (Set break on all requests and responses) as shown below:
This button sets and unsets a global break point that will trap and display the next response or request in Break tab from the Target's machine.
You can modify any part of the request or response that you want and send it to the victim's application by clicking either Step or Continue.
Alternatively, you can click Drop to dispose of the request or response.
-
Switch back to the target machine(Windows 10) and launch the same browser in which you have configured the proxy settings.
-
Type the URL: www.certifiedhacker.com , in case you got any warning messages just accept the risk and continue.
-
Now, switch to the attacker machine(Windows Server), you will notice that the ZAP proxy is started capturing the requests of the target.
-
Now click the button 'submit and step to the next request' until you capture the GET request of the browsed website.
You can modify all GET requests captured on the Break tab and forward the traffic to the target machine, changing the website and so on.