Possible Bug in ZAP or ZAP-HUD?


Matt Seil

Mar 5, 2022, 12:55:14 PM
to zaprox...@googlegroups.com

I'm in the process of writing a web hacking 101 class for some green team members, and I encountered a rather maddening error that seems to be located with the ZAP-HUD. 

Which makes no sense. 

But let me share the test setup. 

Firefox 97.0.2
Fresh install of ZAP 2.11.1
Foxy Proxy 7.5.1

The website I'm trying to hit (this is a proxy setup lab to also discuss history beginning from the first ever web site) is

http://info.cern.ch/hypertext/WWW/TheProject.html

With ZAP requesting for me to create and install a new cert on setup, I did so.  I installed that promptly into Firefox.  This was able to take me from a "CERT loop" from Firefox (unending "Accept the Risk" boxes) to the main site page as expected. 

Only... I start getting a 404 response from cern.

It took me a little while to figure this out, but as a natural order of doing business I always turn the HUD OFF, because I'm old school I guess.  But... imagine my surprise when simply by turning the HUD back on...
Tally-Ho!

So it appears that if you're attempting to actually FORCE an http site into ZAP, it will automatically redirect the request to https. 


Green == HUD ON

Red == HUD OFF

Is there a setting that I'm missing somewhere or did I stumble into a bug?
kingthorin+owaspzap

Mar 5, 2022, 2:53:29 PM
to OWASP ZAP User Group
It's CERN's website. Just try accessing it normally via https and it'll 404.

HUD needs to update things client side to inject properly. It "shouldn't" be breaking your use, but since https access fails in normal use I guess it's just a confluence of issues.

I don't want to blame the user or the site, but really it's 2022 everything should be hosted via https anyway ;)

Matt Seil

Mar 5, 2022, 5:04:16 PM
to zaprox...@googlegroups.com, kingthorin+owaspzap

I bow to King Thorin!  =-) 

While that may be true, (everything ought to be https), it's still a very common design practice to serve static images and even js content over http.  Your wording makes me stress that this behavior manifests ONLY with the HUD TURNED OFF.  When it's on, everything works.  (which was my shock.) 

With HUD turned OFF:

1.  http://info.cern.ch/hypertext/WWW/TheProject.html gets redirected to

2.  https://info.cern.ch/hypertext/WWW/TheProject.html which doesn't have site data so it sends a 404. 

I'm guessing that ZAP is attempting to mimic browser behavior if HSTS prefetch is running? 


kingthorin+owaspzap

Mar 5, 2022, 6:05:30 PM
to OWASP ZAP User Group
Nope, that's the normal behavior of the site. Like I said, just try accessing it via https and it'll 404, ZAP or not.

When HUD is enabled then things are forced https client side (which is why I said it shouldn't matter in your case). Along with the fact that the site doesn't properly serve https content, you ended up with some weirdness.

If you're really "old school" then "turn it off and on again" shouldn't be a surprising solution :) Hahahahaha
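The check suggested above (request the same page over http and over https, outside the proxy, and see which one 404s) as a small added script; it is not from the thread or from the ZAP project. The stub opener in the test is constructed to mimic the behavior reported here (http 200, https 404); the real opener does live lookups without following redirects.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# URL from the thread; the http-only behavior is what the thread reports.
PAGE = "http://info.cern.ch/hypertext/WWW/TheProject.html"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so we see the origin's own answer."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for the 3xx instead


def urllib_opener(url):
    """Return (status, Location header or None) for one request."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, err.headers.get("Location")


def to_https(url):
    """Rewrite the scheme only, as an https upgrade would."""
    p = urlsplit(url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


def diagnose(url, opener=urllib_opener):
    """Classify how a plain-http URL behaves once upgraded to https.

    opener is injectable so the logic can be exercised offline."""
    http_status, http_loc = opener(url)
    https_status, _ = opener(to_https(url))
    if 300 <= http_status < 400 and http_loc and http_loc.startswith("https://"):
        return "site-redirects-to-https"
    if http_status == 200 and https_status == 200:
        return "served-on-both"
    if http_status == 200 and https_status != 200:
        return f"http-only (https returns {https_status})"
    return f"unexpected (http {http_status}, https {https_status})"


if __name__ == "__main__":
    print(PAGE, "->", diagnose(PAGE))  # live check; needs network access
```

If this reports "http-only", the 404 seen in the thread originates at the site, and any https upgrade done on the client side (HUD or browser) will surface it; ZAP itself is not rewriting the response.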

Matt Seil

Mar 7, 2022, 3:48:47 PM
to zaprox...@googlegroups.com, kingthorin+owaspzap

I had missed your response ROFL...

I was coming back to amend that I had flipped my logic.  "normal" behavior is restored when I turn the HUD off.  I got confused that the button is depressed
That means "You have disabled the HUD." 

I'm still saying it just to save face ROFL.

At any rate, thanks for your patience and quick response!
