![]() ZAP downloads and documentation are available at the OWASP ZAP project page. It provides more advanced features than Firebug and can be used to monitor the network traffic of mobile devices, as well as programs or browsers running on any host on the tester's local network. OWASP Zed Attack Proxy, or ZAP, is a freely available, cross-platform, and open-source proxy program developed and maintained by OWASP (Open Web App Security Project). More information about the Advanced Cookie Manager is available at. The Advanced Cookie Manager plug-in is a tool that lets us manipulate, inspect, and delete individual cookies. More information about Firebug can be found at. Because of its straightforward setup and integration with the browser, it is a good choice for tests that do not require the extra features of an external proxy such as OWASP ZAP. It can monitor both http and https traffic. įirebug is a browser extension that enables observation of the network requests and responses for Firefox browsing sessions. C4.5 Observing WebSockets Traffic Using ZAP ProxyĪll of the tests documented in the primer are run using:įirefox is a free, open-source browser and can be downloaded here.C4.4 Installing Proxy SSL Certificate on Browser and Mobile Devices.C4.3 Setup for Testing Mobile Devices and/or Web Browsers on a Different Computer from the Proxy.C4.2 Basic Setup, Browser and Proxy on Same Computer.C4.1 Installation and Initial Setup of OWASP ZAP. ![]() C4 Installing and Using ZAP Proxy to Observe HTTP and HTTPS Traffic.C3 Installing and Using Advanced Cookie Manager.C2 Installing and Using Firebug to Observe HTTP and HTTPS Traffic.These two tools can often be used to do a quick, more cursory examination to determine which additional tests might be necessary. While the bulk of our tests rely on an intercepting proxy to power more detailed analysis, two other tools - a cookie reader and a browser extension called Firebug - are used as well. However, to make the instructions in this primer as accessible as possible to as many people as possible, our instructions focus on tools that are freely available and - ideally - open source. There are many proxies and tools that can be used, and the testing scenarios we describe are universal. The tests in this document make extensive use of an intercepting proxy to observe, and in some cases modify, the network requests generated by the application under test. This includes preparing our Web browser, any mobile devices we will use to test, and installing some additional software on our local computer. To do basic information security reviews, we first need to get our testing environment set up.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |