ZAP, IE11 and Tomcat local application not working


Robert Hames

Sep 11, 2015, 3:52:02 PM
to OWASP ZAP User Group
I am developing an application using Tomcat 7, and its default port is 8080. I want to configure ZAP to be used as a proxy for my application, so I went in Tools->Options->Local proxy, and changed the address to localhost, and the port to 8090.
I then configured IE 11 to use this proxy by clicking on Internet Options->Connections->LAN Settings, and checked "Use a proxy server for your LAN". I set the address to match ZAP, that is, the address is localhost, and the port is 8090. I also unchecked the "Bypass proxy server for local addresses" checkbox.
I then started my IDE (Spring Tool Suite), and started Tomcat. I then started ZAP, and created a new session. Following that, I went to my browser, and pointed to the URL for the application. It came up, and I am able to maneuver around in the application, but nothing is going through ZAP. I started to think that IE 11 was ignoring the proxy server, so I went to an outside site, and it went to the outside site, and everything registered in ZAP.
So, it is using ZAP for every site I go to except for my Tomcat application.
I'm sure it is a silly configuration setting, but I have Googled most of the day, and am still nowhere.
 
Any help would be appreciated!

kingthorin+owaspzap

Sep 11, 2015, 6:52:15 PM
to OWASP ZAP User Group
In IE's proxy settings there's a checkbox for "Bypass proxy server for local addresses", make sure that's off. In IE's Advanced proxy settings make sure that "Do not use proxy server for addresses beginning with" does not contain localhost, local, or 127.0.0.1, 127.
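
The two checks in the reply above can also be read straight from the per-user WinINET values that IE's LAN Settings dialog writes. This is an added example, not part of the original thread and not ZAP's own tooling; the function name `Get-BypassMatch` is hypothetical, the sample override string is constructed, and the matching is a simplification (`<local>` is treated as "host name without a dot", other entries as prefixes or wildcards).

```powershell
# Per-user Internet Settings key used by IE / WinINET.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-BypassMatch {
    # Hypothetical helper: returns the ProxyOverride entries that would keep
    # $TargetHost away from the proxy.
    param([string]$Override, [string]$TargetHost)
    # ProxyOverride is a semicolon-separated list; '<local>' is how the
    # "Bypass proxy server for local addresses" checkbox is stored.
    $entries = $Override -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -eq '<local>') {
            # Simplification: '<local>' matches host names that contain no dot.
            if ($TargetHost -notmatch '\.') { $entry }
        }
        elseif ($TargetHost -like $entry -or $TargetHost -like "$entry*") {
            # Entry used as a wildcard pattern or as an "addresses beginning with" prefix.
            $entry
        }
    }
}

# Live check against the current user's settings.
$settings = Get-ItemProperty -Path $key
"ProxyEnable   : $($settings.ProxyEnable)"     # 1 = "Use a proxy server for your LAN" is checked
"ProxyServer   : $($settings.ProxyServer)"     # should be the ZAP listener, e.g. localhost:8090
"ProxyOverride : $($settings.ProxyOverride)"   # should be empty for this setup
"AutoConfigURL : $($settings.AutoConfigURL)"   # a PAC script can also decide which hosts use the proxy

foreach ($h in 'localhost', '127.0.0.1') {
    $hits = @(Get-BypassMatch -Override "$($settings.ProxyOverride)" -TargetHost $h)
    if ($hits.Count -gt 0) {
        "BYPASS: $h skips the proxy because of: $($hits -join ', ')"
    } else {
        "OK: no bypass entry matches $h"
    }
}

# Constructed sample showing what a problematic list looks like.
$sample = '<local>;127.*;*.corp.example'
"Sample, localhost : $((Get-BypassMatch -Override $sample -TargetHost 'localhost') -join ', ')"
"Sample, 127.0.0.1 : $((Get-BypassMatch -Override $sample -TargetHost '127.0.0.1') -join ', ')"
```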

Robert Hames

Sep 11, 2015, 6:58:37 PM
to OWASP ZAP User Group
In my original post, I mentioned that I had unchecked the "Bypass proxy server for local addresses". And, the listbox associated with the "Do not use proxy server for addresses beginning with" is empty. I'm at a total loss.

Robert Hames

Sep 11, 2015, 7:28:54 PM
to OWASP ZAP User Group
An update is that it works as advertised in Chrome 45. Set the proxy settings, and everything worked. The only problem is that I have to test in Internet Explorer 11. It is the only browser my client is allowed to use, and everything has to be tested in it.


kingthorin+owaspzap

Sep 11, 2015, 8:26:50 PM
to OWASP ZAP User Group
Are you accessing your app via 127.0.0.1:8090 or localhost:8090?

kingthorin+owaspzap

Sep 11, 2015, 8:27:39 PM
to OWASP ZAP User Group
What version of Windows?

Robert Hames

Sep 11, 2015, 8:32:57 PM
to OWASP ZAP User Group
I am accessing it by localhost:8090, and I'm using Windows 7 Ultimate. I also just realized that I should have mentioned I am using the latest version of ZAP, v 2.4.2.


Robert Hames

Sep 11, 2015, 8:42:59 PM
to OWASP ZAP User Group
I just changed the proxy on both ZAP and IE 11 to use 127.0.0.1 and 8080, and the result was the same.


kingthorin+owaspzap

Sep 12, 2015, 7:10:29 AM
to OWASP ZAP User Group
If Tomcat is running on 8080, how did you get ZAP running there without error?

kingthorin+owaspzap

Sep 12, 2015, 7:17:33 AM
to OWASP ZAP User Group

Robert Hames

Sep 12, 2015, 10:42:53 AM
to OWASP ZAP User Group
Sorry about the typo. I should have said that I set ZAP and IE 11 to use 127.0.0.1 and 8090, not 8080. In the article you provided a link for, it says that IE 11 can't connect to a proxy server. But, I got it to talk to ZAP as a proxy server, and explored other sites, and ZAP recognized them, and provided the network traffic for me. It's only when I try to access my local application as http://localhost:8080/applicationName, that ZAP goes blind. BTW, thanks for all the help!


kingthorin+owaspzap

Sep 13, 2015, 7:45:40 AM
to OWASP ZAP User Group
Check to make sure you have no global excludes defined in ZAP's options.

https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsGlobalexcludeurl

Robert Hames

Sep 14, 2015, 9:48:44 AM
to OWASP ZAP User Group
I checked the Global Exclude URLs, and there are none checked. This makes me wonder how anyone uses ZAP with IE, even though it is advertised to work with IE 8+?
