1
00:00:00,390 --> 00:00:06,810
So as a web application penetration tester, you'll always encounter HTTPS sites.

2
00:00:07,650 --> 00:00:11,340
So you should know how to intercept HTTPS traffic as well.

3
00:00:12,230 --> 00:00:19,190
Fortunately, it's easy to intercept HTTPS traffic using Zap, so here I am with the browser, where

4
00:00:19,190 --> 00:00:23,510
port 8080 of localhost is selected as the proxy.

5
00:00:24,690 --> 00:00:28,110
And when I visit an HTTPS page like Google.com,

6
00:00:30,730 --> 00:00:33,130
Firefox says that our connection is not secure.

7
00:00:33,670 --> 00:00:39,300
Well, remember we saw this before when we were talking about intercepting traffic using Burp.

8
00:00:40,000 --> 00:00:46,180
So to be able to intercept the traffic, Zap handshakes with the website and we handshake with Zap.

9
00:00:47,260 --> 00:00:49,990
Since we haven't added Zap's certificate as trusted

10
00:00:49,990 --> 00:00:51,730
yet, you get that message.

11
00:00:52,450 --> 00:00:58,930
So let's go to the Zap window and open the options panel using the button with the wheel icon in the

12
00:00:58,930 --> 00:01:04,000
menu bar, and on the left pane, select the Dynamic SSL Certificate option.

13
00:01:04,330 --> 00:01:12,070
So as you see, there is a root CA certificate for OWASP created before, so we can use it or click

14
00:01:12,220 --> 00:01:14,020
the Generate button to create a new one.

15
00:01:14,410 --> 00:01:17,950
Now click the Save button and save the certificate anywhere you want.

16
00:01:18,640 --> 00:01:19,330
Click Save.

17
00:01:19,990 --> 00:01:22,270
Click OK to close the options panel.

18
00:01:22,510 --> 00:01:25,090
Now let's add the certificate just like we learned before.

19
00:01:25,150 --> 00:01:30,760
In Firefox, open the menu using the menu button at the upper right corner and select Preferences,

20
00:01:30,970 --> 00:01:38,230
select Advanced from the left, choose the Certificates tab and click View Certificates. In the Certificate

21
00:01:38,230 --> 00:01:40,180
Manager panel that opens, click Import.

22
00:01:40,870 --> 00:01:43,840
Select the certificate you saved a few seconds ago.

23
00:01:44,440 --> 00:01:48,970
Now, in the Downloading Certificate panel, select at least the first option,

24
00:01:49,450 --> 00:01:53,740
"Trust this CA to identify websites", and click OK.

25
00:01:57,070 --> 00:01:59,980
OWASP Zap is added as a trusted authority.

26
00:02:00,340 --> 00:02:08,370
Now we're ready to capture and intercept HTTPS traffic, so in Firefox, visit an HTTPS page again and,

27
00:02:08,410 --> 00:02:15,970
as you see, no problem occurs now. In the left pane of the Zap window, you'll see the HTTPS web page

28
00:02:15,970 --> 00:02:17,290
is captured by Zap.