Domains or URLs


Venkata Subrahmanyam

Mar 9, 2021, 6:51:49 AM
to zaproxy...@googlegroups.com
Hello guys,

Can a domain name be the URL input for ZAP, and can it pick up the http/https scheme automatically?

Currently, I have my domain name as input, which is appended with http/https after a Python 'GET' request to see which is the right scheme, before being sent to ZAP as the URL.

Thank you, 
Venkat


psiinon

Mar 9, 2021, 7:05:49 AM
to OWASP ZAP Developer Group
Hi Venkat,

No, right now you need to be very explicit with ZAP and must specify http or https.
I think it's better that way: you should know what protocol to use for your site better than ZAP will, and if we try to make assumptions then they are bound to be wrong for some people.

Cheers,

Simon

Venkata Subrahmanyam

Mar 10, 2021, 10:25:18 AM
to zaproxy...@googlegroups.com
Understood. Having an http port on a domain open after https is implemented is a risk, right? I was trying to see how to address this problem. So, currently I have to add both http and https as individual URLs in my container scans to see if they are active or not. Got it.

And ZAPCon: I got the whole security team to watch; blown away and inspired by your leadership of the ZAP project.


Kevin W. Wall

Mar 10, 2021, 10:58:40 PM
to zaproxy...@googlegroups.com
Venkata,

Using a simple portmapper such as nmap is way more efficient and much simpler than relying on something like ZAP to find this. Use the right tool for the right job.

If there is some reason that you are required to keep the http port open, then have it redirect to the https port of your application and also set the HTTP "STRICT-TRANSPORT-SECURITY" response header appropriately on the redirect. And then try to get your management to allow you to close the http port after doing that.

-kevin



--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
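As an added example (not code from this thread, from ZAP, or from Kevin): the scheme probe Venkat describes and the checks behind Kevin's advice, in one small Python script. Given a bare hostname it asks https and http separately, without following redirects, records which one answers, feeds ZAP only scheme-qualified URLs for the schemes that are actually live, and notes whether the http side redirects to https on the same host and whether the https response carries Strict-Transport-Security. One caveat worth building in: per RFC 6797 section 8.1 a browser ignores a Strict-Transport-Security header received over plain http, so the check looks for it on the https response, not on the redirect. The hostnames `example.test`, `legacy.test` and `plain.test` and their responses are constructed for the offline demo; `fetch_head` is the real network path, and the 5-second timeout is an assumption.

```python
"""Probe a bare hostname for live http/https endpoints before handing
scheme-qualified URLs to ZAP. Added example, not part of the thread or ZAP."""
import http.client
import ssl
from urllib.parse import urlsplit

TIMEOUT = 5  # seconds; assumption, tune for your network

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def fetch_head(url):
    """One HEAD request, redirects not followed.
    Returns (status, lower-cased header dict) or None if nothing answered."""
    parts = urlsplit(url)
    try:
        if parts.scheme == "https":
            conn = http.client.HTTPSConnection(
                parts.hostname, parts.port or 443, timeout=TIMEOUT,
                context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(
                parts.hostname, parts.port or 80, timeout=TIMEOUT)
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        headers = {name.lower(): value for name, value in resp.getheaders()}
        conn.close()
        return resp.status, headers
    except (OSError, http.client.HTTPException):
        # Connection refused, timeout, TLS failure, malformed reply: treat as "not live".
        return None


def redirects_to_https(host, status, headers):
    """True when an http reply is a redirect whose Location is https on the same host."""
    if status not in REDIRECT_STATUSES:
        return False
    target = urlsplit(headers.get("location", ""))
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()


def probe(host, fetch=fetch_head):
    """Try https then http. fetch is injectable so the logic can run offline."""
    result = {"https": False, "http": False,
              "http_redirects_to_https": False, "hsts": None}
    https_reply = fetch(f"https://{host}/")
    if https_reply is not None:
        _, headers = https_reply
        result["https"] = True
        # RFC 6797 s8.1: clients only honour STS over TLS, so look for it here.
        result["hsts"] = headers.get("strict-transport-security")
    http_reply = fetch(f"http://{host}/")
    if http_reply is not None:
        status, headers = http_reply
        result["http"] = True
        result["http_redirects_to_https"] = redirects_to_https(host, status, headers)
    return result


def zap_targets(host, result):
    """Explicit URLs for ZAP: one per scheme that answered, https first."""
    urls = []
    if result["https"]:
        urls.append(f"https://{host}")
    if result["http"]:
        urls.append(f"http://{host}")
    return urls


def findings(host, result):
    """Observations a scan job can log next to the ZAP results."""
    notes = []
    if result["http"] and not result["http_redirects_to_https"]:
        notes.append("http served content without redirecting to https")
    if result["https"] and not result["hsts"]:
        notes.append("no Strict-Transport-Security header on the https response")
    return notes


# Constructed responses for an offline run; not real hosts.
CONSTRUCTED_RESPONSES = {
    "https://example.test/": (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    "http://example.test/": (301, {"location": "https://example.test/"}),
    "https://legacy.test/": (200, {}),
    "http://legacy.test/": (200, {"content-type": "text/html"}),
    "http://plain.test/": (200, {}),
}


def fake_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url)


if __name__ == "__main__":
    for host in ("example.test", "legacy.test", "plain.test"):
        r = probe(host, fake_fetch)
        print(host, zap_targets(host, r), findings(host, r))
```

Swap `fake_fetch` for the default `fetch_head` to probe real hosts; the job then passes `zap_targets(...)` to ZAP unchanged, which keeps Simon's "be explicit about the scheme" rule while still starting from a bare domain. For the bulk "is 80 still open" question across thousands of hosts, a port scan such as `nmap -p 80,443 --open -iL hosts.txt` answers it far faster than any HTTP probe, as Kevin says.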

Venkata Subrahmanyam

Mar 11, 2021, 1:26:49 AM
to zaproxy...@googlegroups.com
Hello, 

Wow. I got a reply from Kevin. I follow your blog. Got it from Reddit. Thank you for your reply. Currently, with the scale of the organisation, I do not have control over the implementation of the said mitigation measures as they have been already initiated. I am asking for a temporary workaround solution so as to not break over 4000+ weekly scans. 

But, I understand the suggestion, I am not relying on ZAP entirely, just checking if the community offers a better solution than the one I have. :)  

Once again, thank you for your reply. :) 


Kevin W. Wall

Mar 11, 2021, 2:01:33 AM
to zaproxy...@googlegroups.com
Wow. Okay.  Maybe I should start blogging more then. Can't believe someone on Reddit actually suggested following me though.  Been working to crank out another ESAPI release and working on my taxes for Uncle Sam, so recently not much time for blogging. But you've inspired me to blog something again as soon as my taxes & this release are done.

-kevin
