In this tutorial, we’ll be running against the OpenMRS insecure web application, but any site currently loaded onto the VCL image is acceptable. Using your own personal instance of the insecure-application virtual machine from earlier is also acceptable. Do NOT use ZAP against sites outside of the VCL image unless explicitly instructed to do so by the instructor or TA.
1. Initiate a VCL session for “CSC515_SoftwareSecurity_Spring2022”.
2. Start the OpenEMR server in Eclipse (Run > Run Configuration as usual, not just opening Eclipse); however, you do NOT need to bring OpenEMR up in a browser.
3. Start ZAP from the shortcut on the desktop by double-clicking the icon. You should be warned that there’s already an application running on port 8080 (“Can’t listen on port localhost:8080”) because OpenMRS also uses 8080. Ignore the warning (we'll change the port later in Step 5) and click OK.
4. Click the Manage Add-ons tab (or use the Manage Add-ons window if it opens automatically). Under the "Marketplace" tab, click "Check for Updates" and select the FuzzDB files from the list. Click "Install Selected" (you may need to maximize the pop-up window to see the button at the bottom). After installing, click "Close".
5. To change the port the proxy server is on, go to Tools > Options in the menu bar and select “Local Proxies.” Change the port to “8008” or a port of your choice. Select “OK”.
6. ZAP can now automatically configure our browser to use the proxy server. Open "Manual Explore", enter the URL for local OpenMRS (http://localhost:8080/openmrs), and set the browser option to Firefox. Click "Launch Browser". Click "Continue to your target" if a page with "Welcome to the ZAP HUD" shows up.
7. You should now see this site appear in the “Sites” list in ZAP. If you have other sites listed, you can start a new session by going to File > New Session to clear them out.
7. Log in as any user in OpenEMR. Within ZAP, under “Sites” on the left-hand side, a new entry for "POST:login" should automatically show up. Right-click “POST:login” and select Break. Click “Save” to create a breakpoint.
8. Navigate back to the login page https://localhost:8080/openmrs/login.htm. An "HTTP Message" window should show up; click "Continue" twice. Then enter an invalid username and password and click “login”. DO NOT click anything again in the "HTTP Message" pop-up window.
9. Within ZAP, in the Break tab, change the password value to: password' or '1'='1 (straight single quotes). Click the play icon to forward the request. Note how it behaves differently in OpenMRS than in Wolfpack Cafe: OpenMRS is used "for real" while Wolfpack Cafe is intentionally vulnerable. In OpenMRS, you should see that the HTTP Message window automatically switches from Request to Response. Click Continue.
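Why the same password value behaves differently in the two applications comes down to how the login code builds its database query. The following is an added example, not code from OpenMRS, Wolfpack Cafe or ZAP: it uses a constructed in-memory SQLite table with made-up usernames and passwords, places a login routine that concatenates user input into SQL beside one that binds the input as parameters, and adds a small server-side check a defender can use to flag tautology-style login input in logs. The table, user names and the `suspicious_login_input` heuristic are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample table for the demo (not the schema of any real application).
# Plaintext passwords are used only to keep the example short; a real system
# stores salted password hashes.
SAMPLE_USERS = [("admin", "Admin123"), ("nurse", "N0tSecret")]


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable pattern: user input is pasted directly into the SQL text.

    With password = "password' or '1'='1" the statement becomes
        ... WHERE username = 'nobody' AND password = 'password' or '1'='1'
    and the trailing OR makes the WHERE clause true for every row.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened pattern: input is bound as a parameter, never parsed as SQL.

    The quote characters in the password are compared literally against the
    stored value, so the tautology never reaches the SQL parser.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Assumed detection heuristic: a quote followed by OR and another quote is a
# common tautology shape. It is a logging/alerting aid, not a substitute for
# parameterized queries.
TAUTOLOGY_RE = re.compile(r"'\s*or\s+'", re.IGNORECASE)


def suspicious_login_input(value):
    """Return True if a submitted login field looks like a quote/OR tautology."""
    return TAUTOLOGY_RE.search(value) is not None


def run_demo():
    """Run both login routines against the page's payload and report results."""
    conn = make_db()
    payload = "password' or '1'='1"
    return {
        "concatenated_bypassed": login_concatenated(conn, "nobody", payload) is not None,
        "parameterized_bypassed": login_parameterized(conn, "nobody", payload) is not None,
        "valid_login_still_works": login_parameterized(conn, "admin", "Admin123") == "admin",
        "payload_flagged": suspicious_login_input(payload),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The concatenated routine accepts the payload with a nonexistent username, the parameterized routine rejects it while still accepting the genuine credentials, and the heuristic flags the payload so the attempt can be logged or alerted on even when the query itself is safe.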
ZAP Troubleshooting:
If the "HTTP Message" pop-up window does not show up when you try to log in, make sure the URL is https://localhost:8080/openmrs/login.htm rather than https://localhost:8080/openmrs/referenceapplication/login.page.
If OpenMRS does not seem to open in step 9, the breakpoint may have triggered on an earlier request. For this tutorial, you do not need to examine the initial "GET" requests that load the login screen, so you need to step past these initial breaks:
0) Return to ZAP (e.g. by selecting it in the top panel)
1) Go to the "Break" tab.
2a) You will probably see a "GET" request of some sort.
2b) Click on the Triangle/Arrow that says "Submit and continue to next break point" when you hover over it.
Repeat 2a/2b until the OpenMRS login page finishes loading.
When the OpenMRS login page has finished loading, the "Break" screen should be blank and the "Submit" button greyed out in ZAP.