2. Using the Vega Proxy
The intercepting proxy is situated between the browser and the web server hosting the application being tested. The proxy can peer inside all requests that come from the browser and all responses that are returned from the server. Vega can also intercept requests and responses, holding those of interest so that they can be modified before being passed on. HTTPS communications are handled with dynamically generated certificates signed by a Vega-generated signing certificate, which can be imported into the browser's certificate store.
Your browser must be configured to use the proxy. Click here for instructions on configuring various browsers to use the Vega proxy.
Before using the proxy, you may want to configure its preferences. To do so, click on the "Window" menu item and select Preferences. Here you can configure the following settings:
- Default User-Agent
This User-Agent string is added to received requests that do not contain a User-Agent header before the request is passed on to its destination.
- Override client User-Agent
Enabling this setting causes any User-Agent string sent by the client to be replaced by the Default User-Agent.
- Prevent browser caching
Enabling this setting removes the HTTP headers the browser uses to enable caching.
- Prevent intermediate (proxy) caching
Enabling this setting removes the HTTP headers used by intermediate caches, such as proxies and gateways, to enable caching. It also adds headers instructing any upstream caches not to cache.
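As an added example (not Vega's own code), the following Go functions apply the four preferences above to HTTP headers on their way through a proxy. The page does not list the exact headers Vega strips, so the header sets used here are an assumption based on the standard HTTP revalidation and caching headers.

```go
package main

import "net/http"

// Preferences mirrors the four proxy preferences described above.
type Preferences struct {
	DefaultUserAgent           string
	OverrideClientUserAgent    bool
	PreventBrowserCaching      bool
	PreventIntermediateCaching bool
}
// Conditional headers a browser sends to revalidate its cache (RFC 7232); assumed set, not taken from the page.
var browserRevalidation = []string{"If-Modified-Since", "If-None-Match", "If-Match", "If-Unmodified-Since", "If-Range"}
// Validators and freshness headers that let a browser or an intermediate store a response (RFC 7234); assumed set.
var cacheValidators = []string{"ETag", "Last-Modified", "Expires", "Cache-Control", "Age", "Pragma"}

// RewriteRequest returns the copy of the client's headers the proxy would forward to the server.
// http.Header canonicalises names on Set/Get/Del, so the client's header-name casing does not matter.
func RewriteRequest(h http.Header, p Preferences) http.Header {
	out := h.Clone()
	if out.Get("User-Agent") == "" {
		out.Set("User-Agent", p.DefaultUserAgent) // Default User-Agent: only when the client sent none
	} else if p.OverrideClientUserAgent {
		out.Set("User-Agent", p.DefaultUserAgent) // Override client User-Agent: replace whatever was sent
	}
	if p.PreventBrowserCaching {
		for _, name := range browserRevalidation {
			out.Del(name) // force a full 200 instead of a 304 that the request log could not inspect
		}
	}
	if p.PreventIntermediateCaching {
		out.Set("Cache-Control", "no-cache, no-store") // upstream caches must fetch from the origin
		out.Set("Pragma", "no-cache")                  // same instruction for HTTP/1.0 caches
	}
	return out
}

// RewriteResponse strips the headers that would let the browser or an intermediate store the
// response and adds an explicit do-not-store directive in their place.
func RewriteResponse(h http.Header, p Preferences) http.Header {
	out := h.Clone()
	if p.PreventBrowserCaching || p.PreventIntermediateCaching {
		for _, name := range cacheValidators {
			out.Del(name)
		}
		out.Set("Cache-Control", "no-store, no-cache, must-revalidate")
		out.Set("Pragma", "no-cache")
	}
	return out
}
```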
The Listener sub-menu allows you to configure proxy listener addresses and ports.
To turn the proxy on, click the green arrow in the top left corner. To stop the proxy at any time, click the red square.
When the proxy is turned on, the indicator "light" at the bottom will be green.
Browsing through the proxy
Once the proxy is turned on and your browser has been configured to use it, you can begin browsing the web through it. As you do so, the request viewer is populated with requests and responses as they are logged. Responses received through the proxy are also passed through the scanner's response processing modules. These passive modules can be configured by clicking the wrench icon beside the start and stop icons in the top left corner.
Active scanning can be enabled when the proxy scanner is enabled and the resource accessed matches the target scope. For more information on active scanning, click here.
The request log and filters
The list of requests can get long, so it's possible to filter the list to narrow it down to only those that may be interesting. To do this, click the sieve icon in the top right corner of the request list. Clicking on an item in the web view will dynamically filter the request log to match the selected item.
Request filter rules can then be set, for example to list only those requests where the hostname contains "subgraph". Once filter rules have been added to the list, only those requests and responses matching all of the filters will be displayed.
Request logs indicate the presence of filter rules visually by alternating the background color of rows (requests) between light and dark shades of cyan. Clicking the green cycle icon beside the sieve icon clears the request filter.
We will now introduce the message viewer, the framework for visually representing HTTP request and response data. Click on a request to open it in the message viewer.
Both requests and responses are rendered by Vega in a powerful component known as the message viewer. HTML syntax is highlighted.
The message viewer displays requests and responses. They can be arranged in different ways, selected with the icons on the top left side of the image below: with tabs to switch between request and response, side by side, or stacked.
Users can search within a request or response by pressing CTRL-F, which opens a search box.
The message viewer supports some limited content analysis capabilities, which will be extended in the future. The message viewer can render images. Binary data, including images, can also be viewed and edited with a built-in hex editor.
Request editor and request replaying
Right-clicking on a request will produce a button to replay it. Clicking on this button opens a request editor view.
The request editor is a central part of using the Vega proxy.
The headers can be edited in the free text box, as shown above, or in a structured table view:
As an example, we will replay a request and modify the URI of the request line in order to produce a 404 error. To send a request that has been modified, click the green arrow in the top right corner of the request editor view.
It worked! The modified request line produced a 404. The response is visible in the box below where the request is displayed.
Vega also supports interception of requests and responses for review and manipulation before passing them on to the web server or the requesting web client. The interceptor can be accessed by clicking on the "Intercept" tab. It displays two sections: one to view the request, and one to view the resulting response.
We can configure Vega to stop and hold all requests (or responses) or only those that meet certain criteria known as breakpoints. To configure interception of requests or responses, click the double pause icon in the appropriate section.
Once interception has been enabled, you can continue browsing through the proxy. When a request or response that matches interception criteria is received by the proxy, the browser will wait while the message is pending. The proxy will indicate this in a status bar notification:
To view the pending messages, check the Intercept tab in the proxy interface.
The message (in this case, a request) can then be edited if desired. The pending message can be forwarded to its destination by clicking the green arrow icon in the top right corner. Alternatively, clicking the stop icon beside the green arrow icon will drop the message. After a message has been forwarded or dropped, the next pending message will be displayed.
The "Intercept Queue" tab displays a list of requests or responses that have been intercepted and are pending forwarding. Double-clicking an item in this list will open the message in the "Intercept" tab. It is also possible to forward or drop one or more messages by right-clicking a selection made in the list.
After the browser has been configured to use the proxy, it may be desirable to use the browser without having Vega perform any processing or interception. Passthrough Mode, which is enabled by clicking on the fourth icon in the top left corner, prevents Vega from logging requests, intercepting messages, and passing responses through scanner response processing modules.
When the browser makes a request to an HTTPS server, Vega intercepts the site's certificate and replaces it with a dynamically generated substitute. This automatic MITM is necessary to view and edit proxied requests that would otherwise be encrypted end-to-end between the browser and the server.
Because this is a forged certificate, the browser will complain that it was issued by an invalid authority. The certificate details in this instance follow:
Vega automatically creates a CA signing certificate that can be imported into your browser to make the HTTPS interception more seamless. To get it, visit the magic, hardcoded URI http://vega/ca.crt.
Doing so in Firefox will prompt the user to import the certificate. The certificate should be configured to authorize web sites:
If using Chrome, the certificate will be downloaded and must be imported manually. To do this, open the preferences interface and select "Manage Certificates" in the "Under the Hood" section of the preferences. On Linux, Chrome maintains its own certificate store.
On OS X, Chrome opens Keychain, where the downloaded certificate must be imported.
Select "Certificates", and then "File->Import".
Locate the downloaded "ca.crt" file and then import it. The CA certificate will now be in the OS X certificate store.
Continue to the next user guide: Using the Vega Proxy Scanner (pt. 3 of 4)