Use ZAP to listen to HTTPS requests on public IP

yipman

Apr 11, 2021, 8:12:28 AM
to OWASP ZAP User Group
Hi,

I want to run ZAP on my Ubuntu VPS and have it listen on the public server IP, changing the proxy settings in Firefox on my PC to the server's public IP and the listener port. As far as I can see it's working fine with HTTP requests, but it's not working for HTTPS. How can I make it listen to HTTPS requests?

Thanks.

thc...@gmail.com

Apr 11, 2021, 8:44:10 AM
to zaprox...@googlegroups.com
Hi.

Could you explain what's not working? The HTTP and HTTPS requests are
handled in the same port, if one is working the other should as well.

Did you import/trust ZAP's Root CA cert?

Best regards.

yipman

Apr 11, 2021, 8:49:06 AM
to OWASP ZAP User Group
Hi,

Thanks for your reply.

Yes, as in my question, I exported the ZAP certificate that is on my VPS, downloaded it to my PC and imported it into Firefox. Only HTTP requests are working, but HTTPS is getting "Secure Connection Failed". With google.com or facebook.com or twitter.com there is no problem, these websites are working fine, but I don't know what the problem is :(

Thanks.

yipman

Apr 11, 2021, 8:54:32 AM
to OWASP ZAP User Group
For example, if I try to open https://google.com it's working fine, but if I try to open https://www.gillette.co.uk or https://www.urbandictionary.com or 90% of HTTPS websites, it will not work!

Thanks.

yipman

Apr 11, 2021, 8:56:00 AM
to OWASP ZAP User Group
The response will be "Secure Connection Failed".

thc...@gmail.com

Apr 11, 2021, 9:06:29 AM
to zaprox...@googlegroups.com
That's most likely because of HSTS if it's just some specific sites that
are not working. You could try with a clean profile to make sure.
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

Might also be worth checking:
https://www.zaproxy.org/faq/how-can-zap-test-sites-that-use-certificate-pinning/

Best regards.

yipman

Apr 11, 2021, 9:20:25 AM
to OWASP ZAP User Group
Thank you for your reply,

Unfortunately, it's not working. I tried the way in this URL https://www.zaproxy.org/faq/how-can-zap-test-sites-that-use-certificate-pinning/ and other ways from Google, but nothing is working :(

thc...@gmail.com

Apr 11, 2021, 9:45:26 AM
to zaprox...@googlegroups.com
Did you try with a clean profile?

Best regards.

yipman

Apr 11, 2021, 9:52:50 AM
to OWASP ZAP User Group
Yes, I tried it now in Firefox private mode, and it's not working either. Only google.com, youtube.com, facebook.com and some others work, but most HTTPS sites are not working!

yipman

Apr 11, 2021, 9:54:36 AM
to OWASP ZAP User Group
As far as I can see, if I change the proxy to local, like 127.0.0.1, it's working fine, but when I change it to the public or all interfaces I see this problem!