ZAP not accepting requests via FQDN


Jan Fisher

Feb 11, 2016, 4:32:38 AM
to OWASP ZAP User Group
I have recently been trying to integrate ZAP into our CI / build pipeline to perform automated security testing using the API.

One thing I have found, which I think must be a bug, is that even if you bind ZAP to all IPs using address 0.0.0.0 it won't accept requests via a potential DNS name.

The way to get around this is to put an entry in the local hosts file that resolves 127.0.0.1 to the DNS name, at which point ZAP starts accepting requests.

Can anyone else verify this is a bug?

Thanks
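An added pre-flight check for the CI scenario described above (example code, not from the thread or from ZAP itself): it answers the two questions the thread turns on, what the FQDN resolves to on the ZAP host and whether the API answers when addressed by that name. It assumes the ZAP API view `/JSON/core/view/version/` and the `X-ZAP-API-Key` header; the resolver is injectable so the classification can be exercised offline.

```python
import json
import socket
import urllib.error
import urllib.request
from typing import Callable, Iterable

LOOPBACK = {"127.0.0.1", "::1"}

def local_addresses() -> set:
    """Loopback plus whatever the OS resolver returns for this host's own name."""
    addrs = set(LOOPBACK)
    try:
        addrs.update(i[4][0] for i in socket.getaddrinfo(socket.gethostname(), None))
    except OSError:  # socket.gaierror is an OSError
        pass
    return addrs

def classify_fqdn(fqdn: str, resolve: Callable[[str], Iterable[str]],
                  local: Iterable[str]) -> str:
    """'loopback' is the known-good case from the thread (hosts entry -> 127.0.0.1);
    'local-interface' and 'remote' are the cases to investigate. `resolve` is
    injected so this runs offline; in CI pass
    lambda n: [i[4][0] for i in socket.getaddrinfo(n, None)]."""
    try:
        resolved = set(resolve(fqdn))
    except OSError:
        resolved = set()
    if not resolved:
        return "unresolvable"
    if resolved & LOOPBACK:
        return "loopback"
    return "local-interface" if resolved & set(local) else "remote"

def zap_version(base_url: str, api_key: str = "", timeout: float = 5.0) -> str:
    """Call the core/view/version API view; return the version string,
    'http <code>' on an HTTP error, or 'unreachable' on a refused connection or
    a connect/read timeout (the thread's symptom when using the FQDN)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/JSON/core/view/version/")
    if api_key:  # header name assumed to match the ZAP version in use
        req.add_header("X-ZAP-API-Key", api_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)["version"]
    except urllib.error.HTTPError as exc:
        return f"http {exc.code}"
    except OSError:  # URLError, socket.timeout and ConnectionError are all OSErrors
        return "unreachable"
```

Run `classify_fqdn` on the ZAP host with the real resolver before the build calls the API; a result other than 'loopback' is the condition the thread's hosts-file workaround changes.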

Simon Bennetts

Feb 11, 2016, 4:36:07 AM
to OWASP ZAP User Group
Is the FQDN in your hosts file, and if so what does it resolve to?
A sanitized example of your configs might help :)
If it isn't then the requests won't get to ZAP, so there's not much we can do :/

Cheers,

Simon

Jan Fisher

Feb 11, 2016, 4:58:52 AM
to OWASP ZAP User Group
The requests are getting to ZAP because I get an error in response to the API call as below.
If the FQDN is not in my hosts file it will throw the below error, even though the FQDN is resolvable via DNS. If I put the FQDN in my hosts file pointing to 127.0.0.1, ZAP responds correctly; again, this is from external clients.
Which configs would you like if you still need them?

ZAP Error [java.net.SocketTimeoutException]: Read timed out

Stack Trace:
java.net.SocketTimeoutException: Read timed out
	at java.net.SocketInputStream.socketRead0(Native Method)
	at java.net.SocketInputStream.socketRead(Unknown Source)
	at java.net.SocketInputStream.read(Unknown Source)
	at java.net.SocketInputStream.read(Unknown Source)
	at java.io.BufferedInputStream.fill(Unknown Source)
	at java.io.BufferedInputStream.read(Unknown Source)
	at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
	at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
	at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
	at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(Unknown Source)
	at org.zaproxy.zap.ZapGetMethod.readResponse(Unknown Source)
	at org.apache.commons.httpclient.HttpMethodBase.execute(Unknown Source)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
	at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
	at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
	at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
	at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
	at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
	at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
	at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)