Docker zap proxy not behaving like non docker version


Ian

Feb 6, 2019, 8:55:13 PM2/6/19
to OWASP ZAP User Group
I've been experimenting using the docker version of ZAP (Tried both stable and weekly).

When I attempt to access a site to test through the docker version of ZAP, the page only partially renders correctly -- I still have to trust a number of ssl certs, including zap's hud iframe ssl cert (I had to right click on one of the iframes and view it as a full page before I could get the browser to prompt about trusting the ssl cert).  But even after trusting all the certs I could, my page still won't completely function.  I assume there are additional certs I need to trust, possibly javascript coming from other domains.

I'm using the same browser that was started from within the non-docker version of ZAP (/usr/lib/firefox/firefox -marionette -foreground -no-remote -profile /tmp/...).  I changed the proxy port to 8090 since 8080 was being used by webswing, but all of the other settings should still be intact.

What additional step have I missed?


Simon Bennetts

Feb 7, 2019, 3:55:11 AM2/7/19
to OWASP ZAP User Group
ZAP only has one cert which you need to trust as a root CA cert.
I haven't tried trusting the certs for individual pages but I suspect that will just trust them for the individual domains they are on.
What you'll need to do is to export the cert from ZAP and import that into your browser.
I must admit that I've been assuming that in most cases people are using the docker images for automation rather than manual testing, but I can definitely see why they would be good for manual testing.
You can access the cert via the ZAP API - core component, rootCert view.
However, that's not that convenient, so I'll see if we can come up with a better way to get at the ZAP cert in a docker image so that it can be imported into a browser.

Cheers,

Simon

Ian

Feb 7, 2019, 12:51:51 PM2/7/19
to OWASP ZAP User Group
Hi Simon,

I guess that's what I'm confused about.  When Firefox is spawned from the non-docker version of Zap, I don't have these cert issues.  I had assumed the reason for this was that the inherited Zap provided Firefox profile already trusted the Zap CA.  I only ran into this trouble when I switched that browser instance over to the docker port 8090 proxy.  I thought maybe the docker version of Zap used a different CA.

Yes, the ultimate goal is complete automation however until I'm able to get past the MFA TOTP, I still need the browser to at least create the session.  In the meantime, I'll import the CA using your instructions.  Thanks for the help!

-Ian

Simon Bennetts

Feb 7, 2019, 1:02:26 PM2/7/19
to OWASP ZAP User Group
The ZAP browser launch feature configures Firefox and Chrome to ignore certificate errors and to proxy through ZAP :)
If you don't (or in this case can't) use that then you need to import the ZAP root CA cert and configure your browser to proxy through ZAP.
But we'll see if we can come up with anything that could make this process easier...

Ian

Feb 7, 2019, 1:42:26 PM2/7/19
to OWASP ZAP User Group
Simon,

But that's the weird part -- I'm using that configured browser -- all I did was change the proxy port and everything broke.

So:

Run zap.sh locally.
Once Zap opens, click on the little firefox icon at the top.
Firefox opens.
Attempt to test webapp == everything works fine
From that same already opened Firefox window, go into network proxy settings, change localhost:8080 to localhost:8090.
close local zap
run docker version
Attempt to test webapp == cert errors.

Is there something about Firefox that cancels settings if one changes the proxy port?  Or are the rules used to ignore cert errors tied only to port 8080?

Ian

Feb 7, 2019, 2:15:54 PM2/7/19
to OWASP ZAP User Group
Sorry, those steps weren't accurate.  Closing the local running instance of Zap would close Firefox.

The last thing I tried was this:
Run zap.sh locally
Once ZAP opens, click on the little Firefox icon at the top.
Firefox opens.
Attempt to test webapp == everything works fine.

look at the command line that Zap uses to open Firefox to discover where that special profile is being created/stored.
Copy that profile folder to a new location.
close firefox and zap.

run firefox myself, using a copy of that specially crafted profile folder:
/usr/lib/firefox/firefox -marionette -foreground -no-remote -profile ~/zap_profile

start the docker version of zap:
sudo docker run -u zap -p 8080:8090 -p 8090:8080 -i owasp/zap2docker-weekly zap-webswing.sh
(I changed the port forwarding so that I wouldn't have to change any settings in firefox, but I had also tried running this using the example given here: https://github.com/zaproxy/zaproxy/wiki/WebSwing)

Web app testing fails due to cert warnings.

I'll just follow your instructions and import the CA cert.  :)

kingthorin+owaspzap

Feb 7, 2019, 3:33:02 PM2/7/19
to OWASP ZAP User Group
The local ZAP cert and docker ZAP cert aren't the same cert.

seniorqaau...@gmail.com

Feb 7, 2019, 4:55:14 PM2/7/19
to OWASP ZAP User Group
When I use Docker + Selenium Grid and Node, these browser settings in my Selenium code help to resolve all issues (even the Zap certificate), because Zap doesn't use localhost; it uses Docker's IP in my case.

import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeOptions;

// ZAP is reached on the Docker IP, not localhost
String proxy = "http://YourDockerIp:8080";
System.setProperty("webdriver.chrome.driver", "chromedriver-windows.exe");
ChromeOptions proxyOptions = new ChromeOptions();
// Add the WebDriver proxy capability: route all protocols through ZAP.
Proxy chromeProxy = new Proxy();
chromeProxy.setHttpProxy(proxy);
chromeProxy.setSslProxy(proxy);
chromeProxy.setFtpProxy(proxy);
chromeProxy.setSocksProxy(proxy);
proxyOptions.setCapability("proxy", chromeProxy);
WebDriver driver = new ChromeDriver(proxyOptions);

On Wednesday, February 6, 2019 at 8:55:13 PM UTC-5, Ian wrote:

Ian

Feb 7, 2019, 5:10:41 PM2/7/19
to OWASP ZAP User Group
Thanks for that confirmation kingthorin.  After importing the CA from the local copy of ZAP and still having trouble, I was about to pull my hair out.

I can't for the life of me get the CA cert from the docker version though.  This is the python script I wrote to pull from local:
#!/usr/bin/env python3

from zapv2 import ZAPv2

apikey = 'stuff'

# ZAPv2 defaults to sending API calls via http://127.0.0.1:8080;
# pass proxies={'http': ..., 'https': ...} to use another port.
zap = ZAPv2(apikey=apikey)

# core component, rootcert view: prints the ZAP root CA cert in PEM form
print(zap.core.rootcert())


When I fire up the docker version of Zap and get the different API key from Tools, Options, API, that same script will fail with the error: "Remote end closed connection without response"

I'm starting docker by swapping 8090 with 8080 so I won't have to change the python script:
0.0.0.0:8090->8080/tcp, 0.0.0.0:8080->8090/tcp
(8090 is app, 8080 is proxy)

I'm also not able to browse the api using the web interface which I assume is because of webswing? even though http://127.0.0.1:8090/zap is the app, if I go to http://127.0.0.1:8080/zip webswing complains about too many connections.

Is the ca cert sitting in the filesystem anywhere in the docker image? I could just pull it from there.

seniorqaau...@gmail.com

Feb 7, 2019, 8:08:46 PM2/7/19
to OWASP ZAP User Group
Zap doesn't use localhost IP, it uses Docker IP. You can find this IP inside Docker.

On Thursday, February 7, 2019 at 5:10:41 PM UTC-5, Ian wrote:

Simon Bennetts

Feb 8, 2019, 4:26:09 AM2/8/19
to OWASP ZAP User Group
I've raised this issue for making it easier to get the ZAP root cert out of a docker image: https://github.com/zaproxy/zaproxy/issues/5214
Please update that issue with any suggestions you have...

thc...@gmail.com

Feb 8, 2019, 4:34:31 AM2/8/19
to zaprox...@googlegroups.com
Note that ZAP will not allow "external" connections to the API by
default, you'll have to allow the address of the host machine:
https://github.com/zaproxy/zaproxy/wiki/FAQremote

Best regards.

Ian

Feb 8, 2019, 1:23:26 PM2/8/19
to OWASP ZAP User Group
On Friday, February 8, 2019 at 1:34:31 AM UTC-8, thc202 wrote:
Note that ZAP will not allow "external" connections to the API by
default, you'll have to allow the address of the host machine:
https://github.com/zaproxy/zaproxy/wiki/FAQremote


Adding .* as a regex for "Addresses permitted to use the API" solved this, thanks.
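Putting the two fixes from this thread together (Simon's advice to export the root CA via the core component's rootcert view, and thc202's note that the API refuses callers that are not on its address allow-list), here is an added Python example; it is not code from the thread or from the ZAP project. It assumes the ZAP API is reachable directly on the published proxy port at 127.0.0.1:8080 with the placeholder key 'stuff', that the API key is accepted in the X-ZAP-API-Key header, and that the -config keys api.addrs.addr.name / api.addrs.addr.regex (ZAP's documented way to widen the allow-list when ZAP is started from the command line rather than through webswing) are what you would pass on the docker command line. The two "certificates" built at the bottom are constructed placeholders for offline use, not real X.509 data.

```python
#!/usr/bin/env python3
"""Export the root CA of a (Docker) ZAP over its API, and fingerprint it
so a local ZAP cert and a Docker ZAP cert can be told apart."""
import base64
import hashlib
import ssl
import urllib.request

# Assumed defaults: adjust to whatever port you published with `docker run -p`.
ZAP_HOST = "127.0.0.1"
ZAP_PORT = 8080
ZAP_API_KEY = "stuff"   # placeholder key, as in the thread's script


def api_addrs_config_args(host_regex=".*"):
    """-config flags that tell ZAP which client addresses may use the API.
    Only loopback is allowed by default; from the Docker host the call
    arrives from the bridge address and is dropped without a response."""
    return [
        "-config", f"api.addrs.addr.name={host_regex}",
        "-config", "api.addrs.addr.regex=true",
    ]


def rootcert_request(host=ZAP_HOST, port=ZAP_PORT, apikey=ZAP_API_KEY):
    """Request for the core component's rootcert view (an OTHER-format
    endpoint, so the body is the PEM certificate itself, not JSON)."""
    url = f"http://{host}:{port}/OTHER/core/other/rootcert/"
    return urllib.request.Request(url, headers={"X-ZAP-API-Key": apikey})


def fetch_rootcert(host=ZAP_HOST, port=ZAP_PORT, apikey=ZAP_API_KEY):
    """Fetch the PEM text from a running ZAP (network access required)."""
    req = rootcert_request(host, port, apikey)
    # Empty ProxyHandler: ignore any HTTP_PROXY in the environment that
    # might point at a *different* ZAP instance.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=10) as resp:
        return resp.read().decode()


def cert_fingerprint(pem):
    """SHA-256 over the DER bytes, colon-separated as Firefox displays it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_same_ca(pem_a, pem_b):
    """True only if both PEM blobs are byte-for-byte the same certificate."""
    return cert_fingerprint(pem_a) == cert_fingerprint(pem_b)


def _placeholder_pem(payload):
    """Constructed stand-in: PEM armour around arbitrary bytes, enough to
    exercise the fingerprint code offline. Real ZAP output is a genuine
    X.509 CA certificate."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


LOCAL_PEM = _placeholder_pem(b"local-zap-root-ca (constructed)")
DOCKER_PEM = _placeholder_pem(b"docker-zap-root-ca (constructed)")


if __name__ == "__main__":
    print("start ZAP with:", " ".join(api_addrs_config_args()))
    pem = fetch_rootcert()
    with open("zap_root_ca.pem", "w") as fh:
        fh.write(pem)
    print("wrote zap_root_ca.pem, SHA-256:", cert_fingerprint(pem))
```

Run it once against the local ZAP and once against the Docker one and compare the two fingerprints: they differ, which is why a root CA imported from the local install does nothing for traffic through the Docker proxy. Import zap_root_ca.pem under Firefox's Certificate Manager as an authority (trust it for identifying websites) and keep the allow-list regex as narrow as your host address permits; `.*` works but lets any client that can reach the port drive the API.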
