Enable Fields This page has 3 fields on it...


Martin Gaertner

May 23, 2023, 9:07:34 AM
to OWASP ZAP HUD Group
Hello everyone,
I've been tormenting myself with ZAP for a few hours!

The certificates now work in all the browsers I need, which cost me a few hours at first, because you probably didn't consider that there are different systems and that you don't just need the browser certificate in *.cer format. That's just a side note.

But let's get to the real problem.
Who came up with such tasks?

I've been stuck for hours on the task "ENABLE FIELDS". As a reminder of what I'm talking about:

This page has 3 fields on it.
As you will see you can't type in the second or third fields:
You can type in this field: [User Controllable HTML Element Attributes (Potential XSS)]
This field is disabled: Disabled [User Controllable HTML Element Attributes (Potential XSS)]
This field is read only: Read only [User Controllable HTML Element Attributes (Potential XSS)]
However, if you click on the [lightbulb (off)] 'Show / Enable' tool then the icon will change to [lightbulb (on)] and you will now be able to type in all of the fields. You can then try changing fields that the developers might have thought could not be changed.

Clicking on the 'Show / Enable' tool again will return the fields to their previous states, but the text you typed will still be in the fields. Fields enabled by this tool will be outlined in blue so that you can easily identify them.

It is worth noting that some fields may still be disabled if they use JavaScript to prevent them from being modified; you will see how you can still change these values later in this tutorial.

Tasks
Submit the above form, changing all of the fields to ZAP

And now please explain to me what goes into the field and how to get there, because I think the whole task sucks!

Not feasible for an absolute beginner! And annoying without end! A little more context would have been great so that the tasks could be internalized and, above all, understood.
You should urgently work on how you convey things! Just constructive criticism from an annoyed user!
If you had done the whole thing a little smarter, you could have placed a link to a how-to or video that gives more information for all the tasks, so that learning is fun.

So once again: for a beginner in ZAP this is nothing at all! Now I've let off enough steam ;-) In this sense, good luck with this type of training, which I think is absolutely ridiculous!

Greetings Martin
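The "Enable Fields" task hinges on a browser detail that the tutorial text only hints at: a compliant browser never submits a disabled control at all, submits a read-only control with the value the page gave it, and neither attribute is enforced anywhere but in the browser. Once the fields are enabled (by the HUD tool, by DevTools, or by editing the request in ZAP) the server receives whatever the tester typed. The following Python script is an added example, not code from the thread, from ZAP or from the HUD; it reconstructs the three-field form with made-up field names ("free", "locked", "fixed") since the real names are not shown in the thread, builds the body a browser would send versus a tampered body with every field set to ZAP, and contrasts a naive server handler with one that ignores client-supplied values for fields the server controls.

```python
"""Added example (not from the thread, ZAP or the HUD): what a browser does
with disabled and read-only fields on submit, versus what a tester can send
once the fields are enabled or the request is edited in a proxy.

The form markup, field names and server-side expectations are constructed
for this example; the tutorial's real field names are not in the thread."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the tutorial's three-field form.
FORM_HTML = """
<form method="post" action="/enable-fields">
  <input type="text" name="free"   value="">
  <input type="text" name="locked" value="Disabled"  disabled>
  <input type="text" name="fixed"  value="Read only" readonly>
</form>
"""


class InputCollector(HTMLParser):
    """Collect <input> elements with their name, value and disabled/readonly state."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # boolean attributes arrive as {"disabled": None}
        self.fields.append({
            "name": a.get("name"),
            "value": a.get("value") or "",
            "disabled": "disabled" in a,
            "readonly": "readonly" in a,
        })


def parse_fields(html):
    parser = InputCollector()
    parser.feed(html)
    return parser.fields


def browser_submission(fields, typed=None):
    """Body a compliant browser sends: the user's typed text for editable
    fields, the page's own value for read-only fields, and nothing at all
    for disabled fields (HTML excludes them from the submitted form data)."""
    typed = typed or {}
    pairs = []
    for f in fields:
        if f["disabled"]:
            continue
        value = f["value"] if f["readonly"] else typed.get(f["name"], f["value"])
        pairs.append((f["name"], value))
    return urlencode(pairs)


def tampered_submission(fields, value="ZAP"):
    """Body after the fields are enabled (HUD tool, DevTools or a proxy):
    every field is present and carries whatever the tester chose."""
    return urlencode([(f["name"], value) for f in fields])


def naive_handler(body):
    """Server that trusts the client: treats disabled/readonly in the HTML
    as if they were enforced and acts on whatever arrives."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


# Values the server itself decided on and merely echoed into the form (constructed).
SERVER_CONTROLLED = {"locked": "Disabled", "fixed": "Read only"}


def hardened_handler(body):
    """Server that ignores client-supplied values for the fields it controls
    and reports which of them were tampered with, so the attempt can be logged."""
    submitted = naive_handler(body)
    accepted = {k: v for k, v in submitted.items() if k not in SERVER_CONTROLLED}
    accepted.update(SERVER_CONTROLLED)
    tampered = sorted(k for k, v in submitted.items()
                      if k in SERVER_CONTROLLED and v != SERVER_CONTROLLED[k])
    return accepted, tampered


if __name__ == "__main__":
    fields = parse_fields(FORM_HTML)
    print("browser  :", browser_submission(fields, typed={"free": "hello"}))
    print("tampered :", tampered_submission(fields))
    print("naive    :", naive_handler(tampered_submission(fields)))
    print("hardened :", hardened_handler(tampered_submission(fields)))
```

Running it shows the browser body `free=hello&fixed=Read+only` (the disabled field is simply absent), the tampered body `free=ZAP&locked=ZAP&fixed=ZAP` that completes the task, and that only the hardened handler keeps its own values for `locked` and `fixed` while flagging both as tampered. The tutorial's point is exactly this gap: disabled and readonly are usability hints, not authorization controls.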

Simon Bennetts

May 23, 2023, 12:20:23 PM
to OWASP ZAP HUD Group
Hiya :)

On Tuesday, 23 May 2023 at 14:07:34 UTC+1 martin.ga...@gmail.com wrote:
> Hello everyone,
> I've been tormenting myself with ZAP for a few hours!
>
> The certificates now work in all the browsers I need, which cost me a few hours at first, because you probably didn't consider that there are different systems and that you don't just need the browser certificate in *.cer format. That's just a side note.

As a side note, why are you doing this?
If you launch Firefox or Chrome from ZAP then they should be configured to ignore certificate warnings.
You should not need to import any certs.

You will need to import certs for other browsers, but only because they don't give us the control we need to avoid this.
If they were better we could make your life easier.
 

> But let's get to the real problem.
> Who came up with such tasks?

I did.
So far we've had very good feedback about the tutorial, but I guess we can't win them all ;)
 

> I've been stuck for hours on the task "ENABLE FIELDS". As a reminder of what I'm talking about:
>
> This page has 3 fields on it.
> As you will see you can't type in the second or third fields:
> You can type in this field: [User Controllable HTML Element Attributes (Potential XSS)]
> This field is disabled: Disabled [User Controllable HTML Element Attributes (Potential XSS)]
> This field is read only: Read only [User Controllable HTML Element Attributes (Potential XSS)]
> However, if you click on the [lightbulb (off)] 'Show / Enable' tool then the icon will change to [lightbulb (on)] and you will now be able to type in all of the fields. You can then try changing fields that the developers might have thought could not be changed.
>
> Clicking on the 'Show / Enable' tool again will return the fields to their previous states, but the text you typed will still be in the fields. Fields enabled by this tool will be outlined in blue so that you can easily identify them.
>
> It is worth noting that some fields may still be disabled if they use JavaScript to prevent them from being modified; you will see how you can still change these values later in this tutorial.
>
> Tasks
> Submit the above form, changing all of the fields to ZAP
>
> And now please explain to me what goes into the field and how to get there, because I think the whole task sucks!
>
> Not feasible for an absolute beginner! And annoying without end! A little more context would have been great so that the tasks could be internalized and, above all, understood.
> You should urgently work on how you convey things! Just constructive criticism from an annoyed user!

This should be an easy task. But it's quite possible something has gone wrong.
The HUD was launched in 2019 and while some people love it, it has not had as much uptake as we would have liked.
Due to the lack of encouragement from users, and the limited number of people volunteering to work on ZAP, we do not currently have anyone focussing on the HUD.

Which browser are you using?
Can you share a screenshot of the page?
 
> If you had done the whole thing a little smarter, you could have placed a link to a how-to or video that gives more information for all the tasks, so that learning is fun.

If it's working properly then it's actually very easy.
So I suspect something has broken.
Unfortunately browsers change frequently and the HUD does nasty things. Every so often a browser change breaks it :(
 

> So once again: for a beginner in ZAP this is nothing at all! Now I've let off enough steam ;-) In this sense, good luck with this type of training, which I think is absolutely ridiculous!


If more people contributed to ZAP rather than just complaining then we would be able to maintain ZAP and all of its components much better :)
However they don't, and right now the HUD is not a component we are able to focus on.
If you'd like to help us out then just say :D

Cheers,

Simon

 

Martin Gaertner

May 29, 2023, 4:03:35 AM
to OWASP ZAP HUD Group
Hi,

1.)
> As a side note, why are you doing this?
> If you launch Firefox or Chrome from ZAP then they should be configured to ignore certificate warnings.
> You should not need to import any certs.
>
> You will need to import certs for other browsers, but only because they don't give us the control we need to avoid this.
> If they were better we could make your life easier.

1.) Answer:
Well, that's because I'm doing a training course at Udemy, where the procedure for integrating a certificate was described exactly. The whole thing was based only on Firefox. But I also use Brave, Chrome and many more. It should be known that the individual dev tools differ. From ZAP itself I can only start Firefox; that browser is in the taskbar. Furthermore, you should also learn how to integrate third-party certificates if you're already using tools like these! That goes without saying. It's nice that there is an automatic function, but that wasn't my question!

2.)
> So far we've had very good feedback about the tutorial, but I guess we can't win them all ;)

2.) Answer:
Correct. As you can see, it isn't the same for everyone, and that's for the following reasons. Or have you ever seen an application that runs without any problems for everyone? Not me!

3.)
> This should be an easy task. But it's quite possible something has gone wrong.
> The HUD was launched in 2019 and while some people love it, it has not had as much uptake as we would have liked.
> Due to the lack of encouragement from users, and the limited number of people volunteering to work on ZAP, we do not currently have anyone focussing on the HUD.
>
> Which browser are you using?
> Can you share a screenshot of the page?

3.) Answer:
Well, if the task is so easy, why wasn't it answered? Right in that sentence? I use Brave and also Chromium! Furthermore, if the whole thing hasn't been developed further since 2019, why is it still in there if, as you say, there can be problems? That's not ideal!

4.)
> If it's working properly then it's actually very easy.
> So I suspect something has broken.
> Unfortunately browsers change frequently and the HUD does nasty things. Every so often a browser change breaks it :(

4.) Answer:
I also assumed that there was a bug in the whole thing. Now that I've heard how old the whole thing is, it's no wonder! ;-) When I open the whole thing in Chromium, I don't even have a HUD at all; the same applies to Firefox, even if I start it via ZAP. Funnily enough, I only have the HUD in the Brave browser!

5.)
> If more people contributed to ZAP rather than just complaining then we would be able to maintain ZAP and all of its components much better :)
> However they don't, and right now the HUD is not a component we are able to focus on.
> If you'd like to help us out then just say :D

5.) Answer:
Sorry, but that's the dumbest excuse I've heard in a long time! I'm one of those people who have a problem; according to you, I'm just complaining and not contributing to maintaining ZAP? What kind of logic is that? In your opinion, how should a pupil or student get involved, for example in the maintenance of ZAP??? That's the dumbest statement I've ever heard! If the whole thing is no longer maintained, then take it out! Because, as you have already recognized, problems can arise with newer browsers. Then you contradict yourself and say the ZAP HUD was well received, as was the little test. And why is it no longer maintained?

As I said, a funny way of thinking! And unfortunately not understandable for me. But thanks for the great help; I'm just as smart as before. Was it too difficult to simply describe the whole thing or to link a video in which everything is explained? Apparently so... In this sense, continued success.

Greetings Martin

Simon Bennetts

May 29, 2023, 4:39:48 AM
to OWASP ZAP HUD Group

If we get any volunteers who can get it working reliably then it will be resurrected.
If not, it will initially just be turned off by default, and then potentially removed altogether.

Martin Gaertner

May 29, 2023, 12:41:46 PM
to OWASP ZAP HUD Group
I understand, thank you.
I have another question. I did a scan in "standard mode".

My machine is always running htop so I can see how the tools I use work and what resources they need.
I know that probably doesn't belong here anymore, but ZAP freezes on me after a few seconds during the scan.
So I couldn't take a screenshot either. The RAM gets eaten up and the processor runs at full speed...

After a few minutes in which I can do nothing more, ZAP collapses and terminates.
The log file does not show anything specific; here is just a small excerpt:


2023-05-29 18:19:34,101 [ZAP-PassiveScan-4] WARN  PassiveScanTask - Passive Scan rule Vulnerable JS Library (Powered by Retire.js) took 5 seconds to scan https://site/dist/core-common.js?v=58e3a338-0 application/javascript 14249367
2023-05-29 18:19:34,685 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:36,049 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:37,582 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:38,878 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:40,572 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:42,157 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:43,741 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:45,102 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:46,825 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:48,410 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:49,613 [ZAP-PassiveScan-2] WARN  PassiveScanTask - Passive Scan rule Vulnerable JS Library (Powered by Retire.js) took 5 seconds to scan https://site/dist/core-common.js?v=58e3a338-0 application/javascript 14249367
2023-05-29 18:19:50,238 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:51,794 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:57,454 [ZAP-PassiveScan-1] WARN  PassiveScanTask - Passive Scan rule Vulnerable JS Library (Powered by Retire.js) took 5 seconds to scan https://site/dist/core-common.js?v=58e3a338-0 application/javascript 14249367
2023-05-29 18:19:57,676 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:20:00,074 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:20:02,688 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:20:04,655 [ZAP-IO-Server-1-21] WARN  HttpSenderHandler - Failed to read https://site/lostpassword/email within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.
2023-05-29 18:20:06,604 [ZAP-IO-Server-1-19] WARN  HttpSenderHandler - Failed to read https://site/lostpassword/email within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.
2023-05-29 18:20:11,422 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C

Has this error ever occurred to anyone? Unfortunately this is happening for the third time now...
Also whenever I run a scan. Please excuse me for bothering you so much.
All the best, Martin

Martin Gaertner

May 29, 2023, 12:45:47 PM
to OWASP ZAP HUD Group
I was able to narrow it down a bit.
The error only occurs when I use the ajax spider with Firefox Headless. If I only use the traditional spider everything works fine!
Please excuse the disruption again.

Best regards and have a nice evening to all of you.
Martin
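The excerpt posted above is more informative than "nothing specific" once it is grouped by logger: the `ProtocolHandshake` lines come from Selenium, which ZAP's AJAX Spider uses to drive browsers, and each one marks a new WebDriver session being opened, which fits the narrowing-down to the AJAX Spider with headless Firefox. The Python script below is an added triage helper, not part of the thread or of ZAP: it embeds the 21 log lines exactly as posted (the host appears as `site` in the post), parses them on ZAP's `date [thread] LEVEL Logger - message` layout, and reports counts per logger, the rate of new browser sessions, the slow passive-scan rules and the URLs that timed out. The layout regex and the field names in the summary dict are this example's own choices.

```python
"""Added triage helper (not from the thread or from ZAP): summarise the ZAP
log excerpt posted above by logger and level, and measure how fast new
WebDriver sessions were opened while the AJAX Spider ran.

LOG_EXCERPT holds the 21 lines as posted; LINE_RE assumes the
'date [thread] LEVEL  Logger - message' layout visible in them."""
import re
from collections import Counter
from datetime import datetime

LOG_EXCERPT = """\
2023-05-29 18:19:34,101 [ZAP-PassiveScan-4] WARN  PassiveScanTask - Passive Scan rule Vulnerable JS Library (Powered by Retire.js) took 5 seconds to scan https://site/dist/core-common.js?v=58e3a338-0 application/javascript 14249367
2023-05-29 18:19:34,685 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:36,049 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:37,582 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:38,878 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:40,572 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:42,157 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:43,741 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:45,102 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:46,825 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:48,410 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:49,613 [ZAP-PassiveScan-2] WARN  PassiveScanTask - Passive Scan rule Vulnerable JS Library (Powered by Retire.js) took 5 seconds to scan https://site/dist/core-common.js?v=58e3a338-0 application/javascript 14249367
2023-05-29 18:19:50,238 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:51,794 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:19:57,454 [ZAP-PassiveScan-1] WARN  PassiveScanTask - Passive Scan rule Vulnerable JS Library (Powered by Retire.js) took 5 seconds to scan https://site/dist/core-common.js?v=58e3a338-0 application/javascript 14249367
2023-05-29 18:19:57,676 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:20:00,074 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:20:02,688 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
2023-05-29 18:20:04,655 [ZAP-IO-Server-1-21] WARN  HttpSenderHandler - Failed to read https://site/lostpassword/email within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.
2023-05-29 18:20:06,604 [ZAP-IO-Server-1-19] WARN  HttpSenderHandler - Failed to read https://site/lostpassword/email within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.
2023-05-29 18:20:11,422 [Forwarding newSession on session null to remote] INFO  ProtocolHandshake - Detected dialect: W3C
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
SLOW_RULE_RE = re.compile(r"Passive Scan rule (.+?) took (\d+) seconds")
TIMEOUT_RE = re.compile(r"Failed to read (\S+) within")


def parse_log(text):
    """Return one dict per parseable line; lines not matching the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["time"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S,%f")
        entries.append(entry)
    return entries


def summarise(entries):
    """Counts per (level, logger), new WebDriver sessions and their rate over
    the excerpt's wall-clock span, slow passive rules and timed-out URLs."""
    by_source = Counter((e["level"], e["logger"]) for e in entries)
    new_sessions = sum(1 for e in entries if e["logger"] == "ProtocolHandshake")
    span = (entries[-1]["time"] - entries[0]["time"]).total_seconds() if entries else 0.0
    slow_rules = Counter(m.group(1) for e in entries
                         if (m := SLOW_RULE_RE.search(e["msg"])))
    timeouts = sorted({m.group(1) for e in entries
                       if (m := TIMEOUT_RE.search(e["msg"]))})
    return {
        "by_source": dict(by_source),
        "new_sessions": new_sessions,
        "span_seconds": span,
        "sessions_per_minute": round(new_sessions * 60 / span, 1) if span else None,
        "slow_passive_rules": dict(slow_rules),
        "read_timeouts": timeouts,
    }


if __name__ == "__main__":
    for key, value in summarise(parse_log(LOG_EXCERPT)).items():
        print(f"{key}: {value}")
```

On the posted excerpt this yields 16 new WebDriver sessions in about 37 seconds (roughly 26 per minute), three warnings about the Retire.js passive rule taking 5 seconds on the same 14 MB script, and two 20-second read timeouts on the same URL. It does not prove what exhausted the machine, but it turns the excerpt into concrete numbers to paste into a report on the zaproxy-users group, which is where Simon points the question next.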

Simon Bennetts

May 30, 2023, 4:48:50 AM
to OWASP ZAP HUD Group
Hiya Martin,

In this case I'd definitely recommend asking this question on the main ZAP User Group: https://groups.google.com/group/zaproxy-users
This is a very small group just focussed on the HUD.
The main group is something like 30 times bigger :)

Cheers,

Simon