Can OWASP ZAP understand thrift protocol?


Ravi Sagar

Jul 25, 2023, 11:56:39 PM
to OWASP ZAP User Group
I am trying to proxy a request which is sent using the thrift protocol (Content-Type: application/x-thrift).

I am getting a timeout error when I route the requests (Content-Type: application/x-thrift) through the proxy. It works fine without the proxy.
I have increased the timeout but still faced the same issue. When I checked the body for these timed-out requests, it is showing up as empty.

Can OWASP deserialize the request body for these types of requests (Content-Type: application/x-thrift), and can it perform active scans on it and provide the vulnerabilities?

Thanks in advance.

xeno...@gmail.com

Jul 26, 2023, 12:21:27 AM
to zaprox...@googlegroups.com
I had to research what thrift is. It's a binary RPC protocol that, from all the tutorials I can find, requires writing custom clients against your application's .thrift file. Even Wireshark requires the user to generate some kind of custom code to be able to accurately serialize/deserialize x-thrift data: https://gitlab.com/wireshark/wireshark/-/wikis/Thrift#write-your-own-thrift-based-dissector

In other words, every app requires its own uniquely compiled client; there is no way to tackle that in advance.

thc...@gmail.com

Jul 26, 2023, 3:25:22 AM
to zaprox...@googlegroups.com
Hi.

Is it timing out receiving the request or the response?

A sample message that's not properly proxied would be appreciated.

As mentioned in the other response, ZAP will not understand the content by default; you can use an Input Vector script for that, though.

Best regards.
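As an added example (not ZAP's own code and not the Input Vector script API itself), here is the parsing half such a script needs: a Node.js decoder for Thrift's strict TBinaryProtocol framing that locates every string field in a request body together with its byte offset, run over a constructed login request. It assumes the body is a bare TBinaryProtocol message with scalar and nested-struct fields only (no lists, maps or sets); wiring the result into ZAP's script helper is left out.

```javascript
// Added example (not ZAP project code): decode a Thrift TBinaryProtocol request
// far enough to find the string fields an Input Vector script would expose.
const TYPE_NAMES = { 2: "BOOL", 3: "BYTE", 4: "DOUBLE", 6: "I16", 8: "I32", 10: "I64", 11: "STRING", 12: "STRUCT" };
function readStruct(buf, off, fields, path) {
  // A struct is a run of (type:i8, id:i16, value) triples ended by STOP (0).
  for (;;) {
    const type = buf.readUInt8(off); off += 1;
    if (type === 0) return off;
    const id = buf.readInt16BE(off); off += 2;
    const name = path + id, t = TYPE_NAMES[type];
    switch (type) {
      case 2: fields.push({ name, t, value: buf.readUInt8(off) !== 0 }); off += 1; break;
      case 3: fields.push({ name, t, value: buf.readInt8(off) }); off += 1; break;
      case 4: fields.push({ name, t, value: buf.readDoubleBE(off) }); off += 8; break;
      case 6: fields.push({ name, t, value: buf.readInt16BE(off) }); off += 2; break;
      case 8: fields.push({ name, t, value: buf.readInt32BE(off) }); off += 4; break;
      case 10: fields.push({ name, t, value: buf.readBigInt64BE(off) }); off += 8; break;
      case 11: { // i32 length prefix then raw bytes; keep the offset so a value can be replaced in place
        const len = buf.readInt32BE(off); off += 4;
        fields.push({ name, t, value: buf.toString("utf8", off, off + len), offset: off, length: len });
        off += len; break;
      }
      case 12: off = readStruct(buf, off, fields, name + "."); break; // nested struct
      default: throw new Error("unsupported Thrift type " + type + " at offset " + (off - 3));
    }
  }
}
function parseThriftMessage(buf) {
  // Strict framing: 0x8001 version, one reserved byte, message type, then name and seqid.
  if (buf.readUInt16BE(0) !== 0x8001) throw new Error("not a strict TBinaryProtocol message");
  const nameLen = buf.readInt32BE(4);
  const method = buf.toString("utf8", 8, 8 + nameLen);
  const seqId = buf.readInt32BE(8 + nameLen);
  const fields = [];
  const consumed = readStruct(buf, 12 + nameLen, fields, "");
  return { method, messageType: buf.readUInt8(3), seqId, fields, consumed };
}
// Only the strings are natural injection points; each carries its byte offset and length.
const stringFields = (buf) => parseThriftMessage(buf).fields.filter((f) => f.t === "STRING");
function sampleRequest() {
  // Constructed CALL frame for a hypothetical login(1: string user, 2: string pass, 3: i32 attempts).
  const be32 = (n) => { const b = Buffer.alloc(4); b.writeInt32BE(n); return b; };
  const str = (s) => Buffer.concat([be32(Buffer.byteLength(s)), Buffer.from(s, "utf8")]);
  const fld = (type, id, v) => Buffer.concat([Buffer.from([type, id >> 8, id & 0xff]), v]);
  return Buffer.concat([Buffer.from([0x80, 0x01, 0x00, 0x01]), str("login"), be32(7),
    fld(11, 1, str("alice")), fld(11, 2, str("s3cret")), fld(8, 3, be32(3)), Buffer.from([0])]);
}
console.log(stringFields(sampleRequest()));
```

A script built on this would register each returned string as a body parameter and, when ZAP asks it to set a value, rewrite the i32 length prefix at `offset - 4` along with the bytes, since the body carries no delimiters to re-parse.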