Hey there, welcome back. In the last module and in this module, we've spent a lot of time on injection attacks. We're continuing to address injection attacks in this module, starting with this lesson. Here we'll be using a proxy to intercept the traffic from the client to the server. I'll also introduce you to using a proxy tool called Burp; it simply provides a means for us to man-in-the-middle our application. If you don't know what that means or what a man-in-the-middle is, don't worry about it, we'll get into it. After this lesson, you'll be able to describe what a man-in-the-middle attack is, use the Burp Suite proxy to man-in-the-middle your traffic, and finally modify that traffic as it's on its way back to the server. Now we're doing everything on one machine, but there's no reason that WebGoat can't be on its own machine, the user's browser on a separate machine, and our proxy tool that's intercepting the traffic on an independent machine. Keep that in mind as we go through this course. Let's get started.
Hey everyone. In this video we're going to talk about using a proxy to intercept the traffic going from our clients to our servers. If you're coming from a development background, you've probably used a tool like Fiddler to intercept traffic between your server and your client. If you're coming from a security background, you've probably heard of the OWASP open source tool called ZAP or the Burp Suite scanner by PortSwigger. Both are great tools, and you're more than welcome to use any of them. There are actually other tools too; there is a terminal-based app, if you like to do things at the terminal, called mitmproxy. But for this tutorial and for the remainder of this course, I'm going to be using Burp, simply because I'm used to it, not because it has any distinct advantages over the other ones, especially because I'm using the community version, which is free. But again, feel free to use whatever tool you're going to use.
In this video, I'm going to talk to you about how to set up this proxy. So if you already are familiar with how to set up these proxies and some of the gotchas around them, feel free to skip through this video. Otherwise, let's get started with that.
So I'm going to launch Burp, and one thing I want to note is that I have already stopped WebGoat, and I'll talk about why I've already stopped it. But make sure WebGoat is stopped before you start Burp. I'm not going to load any projects and I'm going to use the default Burp configuration just to show you. So if you go to Proxy and then Options, you'll notice Burp automatically starts listening on port 8080. Now, that's the same port as WebGoat. So the conflict causes issues, and that's primarily why I disable WebGoat when I start. Half the time when I have WebGoat running and I start Burp on top of it, it creates some inconsistencies between the connection states on my machine. So I've just learned to always turn off WebGoat first.
So I'm going to uncheck this box to disable it, hit Edit and change the port. We're going to use 8011, just a random high-numbered port, and we can see if that's an open port. So I'm going to hit OK on this. I'm going to re-enable it. Now, if you go to the Alerts tab, you'll notice that, let me stretch this open a little bit, you'll notice that you automatically got started on port 8080. We obviously stopped it by unchecking the box, and then we restarted on port 8080. Since I don't see any other messages here, I'm going to assume that means it successfully started listening. If the port was taken for some reason, you would have seen errors here that the port has been taken.
I'm going to go back to the Proxy tab and onto the Intercept page, and I'm going to turn interception off. So the idea behind this is, it allows you to look at the traffic and modify it before it allows it to go from the client to the server or from the server to the client.
Now, that'll get a little noisy and difficult, so we're going to turn that off and just let it go through. There might be some instances where we use that feature, but we can get around having to use it because it does really slow things down without proper configuration. All right. Then I'm just going to click on the HTTP history tab so that we can look at that history.
For my browser, I'm going to use Firefox. Chrome, Chromium, and Safari on a Mac all use the system proxy settings. I don't really want to change my system proxy settings because I have a lot of other apps running on my machine that call back to their servers, and making them go through this proxy will slow them down, add a bunch of noise here, and actually throw a lot of errors for the ones that have certificate errors, simply because doing a man-in-the-middle attack, which is what our proxy is essentially doing, it's a man-in-the-middle, will break some of those HTTPS certificates that we're used to, and it just creates a whole lot of issues. So I'm using Firefox because Firefox allows us to have a browser-specific setting.
So in Firefox, if you go to Preferences and simply search for proxy, the Settings button that comes up under Network Settings allows you to not have a proxy at all, auto-detect it for the network, or use the system proxy, which is the Mac one; obviously I don't want to change that. So we'll manually configure one. So I'm going to manually configure one on port 8011 for my localhost; you can use any port that's open. I'm going to keep it as SOCKS v4. I'm not going to put any exceptions here just because I'm using my Firefox browser only for this purpose, and I'm going to go ahead and hit OK. Next, I'll launch WebGoat. Just like normal, there's nothing different about my WebGoat instance currently, and I'll give it a quick second to load up. All right.
So after refreshing, you'll notice that this is our normal WebGoat, and you can also see all of the traffic that's going back and forth. In fact, you can also look at the actual traffic that's going back and forth, and the very first call that I made against WebGoat contains my session ID. So I could modify this session ID, if I knew another user's session ID, and essentially impersonate them. I can change some of these settings, some of the configuration, what's being posted. In fact, one of the most fun things to do is to log in. Since there is no HTTPS in scope for this, where is my POST method? There is a POST method for login, and you can see my username, and you can see my very secure password.
All right. I hope you enjoyed that. Again, if you want to use a different tool, feel free; I only use Burp just because I'm comfortable with it.
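
Added example, not part of the lecture: a small Python audit of a captured cleartext HTTP request that lists the secrets any on-path proxy can read and change, which is what the HTTP history view shows for the session ID and the login POST. The sample request, its path, cookie name, field names and the hint lists are constructed assumptions.

```python
from urllib.parse import parse_qsl

# Constructed sample: a login POST as it would appear in a proxy's HTTP
# history when no HTTPS is in use. All names and values are made up.
SAMPLE_REQUEST = (
    "POST /WebGoat/login HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Cookie: JSESSIONID=EXAMPLE-SESSION-ID; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "username=student&password=example-pass"
)

# Assumed naming hints; tune them to the application under review.
SENSITIVE_COOKIE_HINTS = ("session", "sid", "token", "auth")
SENSITIVE_FIELD_HINTS = ("pass", "pwd", "token", "secret")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def exposed_secrets(raw):
    """Return (location, name) pairs for secrets visible in the request."""
    _method, _path, headers, body = parse_request(raw)
    findings = []
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if value and any(h in name.lower() for h in SENSITIVE_COOKIE_HINTS):
            findings.append(("cookie", name))
    if "authorization" in headers:
        findings.append(("header", "authorization"))
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, _value in parse_qsl(body, keep_blank_values=True):
            if any(h in name.lower() for h in SENSITIVE_FIELD_HINTS):
                findings.append(("form", name))
    return findings

if __name__ == "__main__":
    for location, name in exposed_secrets(SAMPLE_REQUEST):
        print(f"readable in transit: {location} {name}")
```

Each finding is a value that should only ever travel over TLS; for session cookies, also check that the server sets the `Secure` and `HttpOnly` attributes.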