HTTP Strict Transport Security (HSTS)


Ammar Brohi

Jan 19, 2015, 12:12:52 PM
to zaproxy...@googlegroups.com
Hello Guys,

I just cannot connect to facebook.com.


psiinon

Jan 19, 2015, 12:22:09 PM
to zaproxy...@googlegroups.com
This is a browser feature, so the solution will probably have to be a browser side one.
I Googled "hsts firefox disable" and it came up with a load of suggestions, but I haven't tried any.
If you do then let us know if any work :)
Or if anyone has any suggestions that we could implement in ZAP...?

Cheers,

Simon

Ammar Brohi

Jan 19, 2015, 12:44:24 PM
to zaproxy...@googlegroups.com
Dear Simon,

Thank you for your reply. I have gone through every link and none of them answers how to disable HSTS, while sites like Twitter are working fine for me.

I don't know what is going on behind the scenes; I would appreciate it if you could look into it in the meantime.

Thanks,
Ammar

psiinon

Jan 19, 2015, 3:40:11 PM
to zaproxy...@googlegroups.com
Have you tried using a new Firefox profile which hasn't accessed Facebook?
You could also try setting the Firefox about:config security.cert_pinning.enforcement_level to different values (but remember to set it back when you've finished testing).
I'll put it on my list, but I don't know when it will get to the top. I don't know what's going on behind the scenes in Firefox either, so I'll just be doing the same thing: tweaking settings and seeing if anything works ;)

Cheers,

Simon

Colm O'Flaherty

Jan 19, 2015, 11:11:21 PM
to zaproxy...@googlegroups.com

Shouldn't importing ZAP's cert into the web browser solve this issue?

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

psiinon

Jan 20, 2015, 4:40:30 AM
to zaproxy...@googlegroups.com, colm.p.o...@gmail.com
You're right; I was thinking of certificate pinning.
I've just created a new Firefox profile and connected to https://www.facebook.com
I then configured Firefox to use ZAP using PnH and refreshed the page; the traffic to Facebook was successfully proxied via ZAP :)

Ammar, can you import the ZAP certificate, if you haven't already? PnH is the easiest way to do it, although you can do it manually as well.

We do need to be able to handle certificate pinning as well, but that's a different issue...

Cheers,

Simon

Ammar Brohi

Jan 20, 2015, 6:31:25 AM
to zaproxy...@googlegroups.com
Thank you all for replying.

I have fixed it. After digging around with no success I closed Firefox. After some time, when I fired it up again for testing on localhost, I browsed Facebook and it worked.

The problem was that I accessed Facebook without the ZAP RA certificate, and after installing the certificate it was showing the same error. Maybe a cache problem, IDK.

If anyone faces the same, just close the browser and start again. It would work.

Thanks,
Ammar Brohi

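The behaviour Simon and Ammar describe above (a site that hard-fails behind ZAP until the ZAP root is trusted, and a stale result that only clears after the browser is restarted) follows from how a browser keeps its HSTS host list. The following is an added example, not ZAP's code or any browser's code: a small model of the RFC 6797 rules (known-HSTS-host list, max-age expiry, includeSubDomains, no user override on TLS errors). Hostnames, header values and timestamps in it are constructed for illustration.

```python
"""Browser-side HSTS decision model: why a known HSTS host hard-fails
behind an intercepting proxy whose root certificate is not trusted.

Added example, not code from ZAP or from any browser.  It follows the
processing rules of RFC 6797.  Hostnames, header values and timestamps
used below are constructed for illustration.
"""
import re

# max-age directive; value may be quoted, directive name is case-insensitive
_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_hsts(header):
    """Parse a Strict-Transport-Security field value.

    Returns (max_age_seconds, include_subdomains), or None when the value
    is invalid (no max-age, or a directive repeated).  Unknown directives
    such as "preload" are ignored, as the RFC requires.
    """
    max_age = None
    include_sub = None
    for directive in (d.strip() for d in header.split(";")):
        if not directive:
            continue
        m = _MAX_AGE.fullmatch(directive)
        if m:
            if max_age is not None:
                return None
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            if include_sub is not None:
                return None
            include_sub = True
    if max_age is None:
        return None
    return max_age, bool(include_sub)


class HstsStore:
    """In-memory "known HSTS host" list, keyed by exact host name."""

    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, now, over_trusted_tls):
        """Record the policy carried by a response from `host`.

        A browser only honours the header when the response arrived over
        TLS with no certificate errors, so a page relayed through an
        untrusted proxy never updates the store.
        """
        if not over_trusted_tls:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 deletes the policy
        else:
            self._hosts[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        """True if `host`, or a superdomain whose policy has
        includeSubDomains, has an unexpired policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue
            if i == 0 or include_sub:
                return True
        return False


def connect(store, host, cert_trusted, now):
    """What the browser does for https://host/ given whether the presented
    chain validates against its trust store.

    'connect'         chain trusted (e.g. the ZAP root was imported)
    'prompt_override' chain untrusted, not an HSTS host: warning page with
                      a click-through
    'hard_fail'       chain untrusted, known HSTS host: connection closed,
                      no click-through offered (RFC 6797 section 8.4)
    """
    if cert_trusted:
        return "connect"
    if store.is_known(host, now):
        return "hard_fail"
    return "prompt_override"


if __name__ == "__main__":
    store = HstsStore()
    t0 = 1_000_000
    # constructed: a first visit straight to the site, before any proxy
    store.observe("www.facebook.com", "max-age=15552000; preload", t0, True)
    # the same profile now pointed at ZAP, whose root is not yet trusted
    print(connect(store, "www.facebook.com", False, t0))   # hard_fail
    print(connect(store, "shop.example", False, t0))       # prompt_override
    # after importing the ZAP root certificate into the browser
    print(connect(store, "www.facebook.com", True, t0))    # connect
```

The point of the model: a host the profile has already seen with a Strict-Transport-Security header gets no certificate warning page at all until its max-age runs out, so the only fix on the proxy side is to make the ZAP root trusted (PnH or a manual import); a fresh profile works simply because its store is empty.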
ripon Majumder

Jun 27, 2018, 10:50:20 AM
to OWASP ZAP Developer Group
Hi Ammar and Simon,

Can you please help with the steps to fix the following issue.

Unable to access sites with Strict-Transport-Security.

psiinon

Jun 27, 2018, 11:44:38 AM
to OWASP ZAP Developer Group
Have you imported the ZAP certificate as a trusted root certificate?

Or you can just use the browser launch feature: https://zaproxy.blogspot.com/2017/08/zap-browser-launch.html

ripon Majumder

Jun 29, 2018, 10:46:31 AM
to OWASP ZAP Developer Group
Hi Simon,

I tried both ways and it is still not working.

I am getting this error message.

ZAP Error [java.net.ConnectException]: Connection timed out: connect

psiinon

Jul 2, 2018, 3:17:01 AM
to OWASP ZAP Developer Group
That might not have anything to do with HSTS.
What exactly are you trying to do?
What is giving you that error message?
Are there any errors in the zap.log file?

Cheers,

Simon