Extended proxy lesson with Edit and Resend and explained how to exclu…

…de WebGoat internal calls from proxying

webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html

@@ -3,36 +3,27 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
     </div>
 
-	<div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+    <div class="lesson-page-wrapper">
 		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-        <!-- stripped down without extra comments -->
         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro4.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro5.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
@@ -48,4 +39,8 @@
             <div class="attack-output"></div>
         </div>
     </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro6.adoc"></div>
+    </div>
 </html>

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro4.adoc

@@ -1,26 +1,25 @@
-=== Use the intercept
+=== Exclude WebGoat internal requests
 
-To intercept a request, you start by clicking the green button. This will set a break point for the next request.
+Before we start diving into intercepting requests with ZAP we need to exclude the internal requests from the WebGoat
+framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat.
 
-image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
+Right click on one of the links in history tab and select: `Exclude from -> Proxy`, see image below:
 
+image::images/zap_exclude.png[Select URL from history,style="lesson-image"]
 
-*NOTE*: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
-That's part of what hackers do ... explore!
+{nbsp}
 
-Once you are intercepting requests and a request is made, it should look something like this:
+A new window will open and add the following entries:
 
-image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"]
+```
+http://localhost:8080/WebGoat/service/.*
+http://localhost:8080/WebGoat/.*.lesson.lesson
+```
 
-=== Intercept and modify a request
+Click Ok to close the window, ZAP will now no longer proxy internal WebGoat requests.
 
-Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
-modify it as follows.
 
-* Change the Method to GET
-* Add a header 'x-request-intercepted:true'
-* Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes)
+image::images/zap_exclude_url.png[Exclude internal APIs from WebGoat,style="lesson-image"]
+
 
-Then let the request continue through (by hitting the play button).
 
-NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro5.adoc

@@ -0,0 +1,26 @@
+=== Use the intercept
+
+To intercept a request, you start by clicking the green button. This will set a break point for the next request.
+
+image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
+
+
+*NOTE*: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
+That's part of what hackers do ... explore!
+
+Once you are intercepting requests and a request is made, it should look something like this:
+
+image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"]
+
+=== Intercept and modify a request
+
+Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
+modify it as follows.
+
+* Change the Method to GET
+* Add a header 'x-request-intercepted:true'
+* Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes)
+
+Then let the request continue through (by hitting the play button).
+
+NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro6.adoc

@@ -0,0 +1,29 @@
+=== Use the "Edit and resend" functionality in ZAP
+
+Another way to send a request again instead of clicking in WebGoat on a button and intercept the request there is also
+an option to resend the same request again from within ZAP.
+This may significantly help you to solve an assignment because you do not have to switch to ZAP enable the intercept button
+and go back to WebGoat and perform the request again from within the browser.
+
+Let's look at an example, we are going to use the e-mail example from the WebWolf introduction lesson. This lesson
+will generate a request for `/WebGoat/WebWolf/mail`, in the "History" window select the URL you want to resend right click
+on the URL and select `Open/Resend with Request Editor`. You can also find the request in the left pane of ZAP as indicated
+with the red arrow in the image below:
+
+image::images/zap_edit_and_resend.png[Open/Resend with Request Editor,style="lesson-image"]
+
+{nbsp}
+
+A new window will open and here you can modify the request for example change the e-mail address to someone else and send it again.
+In the response tab you can inspect the response of the request. In some assignments the response will show a solved message
+but sometimes you get a code/flag which you need to submit in WebGoat in order to complete the assignment. Always be on the
+lookout for the response. If you solved the assignment by make a request in this way WebGoat will automatically mark
+the lesson as solved.
+
+image::images/zap_edit_and_send.png[Open/Resend with Request Editor,style="lesson-image"]
+
+{nbsp}
+
+image::images/zap_edit_and_response.png[Open/Resend response,style="lesson-image"]
+
+