Setting up ZAP in daemon mode on remote machine


Usman Waheed

Aug 27, 2013, 9:19:32 AM
to zaprox...@googlegroups.com
Hi,

I can set up ZAP on my local workstation, have it running in daemon mode and then proxy URLs via the browser through it.

Was wondering if it is possible to set ZAP up on a remote machine and have it run there in daemon mode and then
proxy URLs via a browser on my local workstation through the remote ZAP. The reason I want to do something like this
is to have ZAP, if possible, running by itself on a separate host/node, proxying URL tests through it from different
test machines.

Thanks,
Usman 

Simon Bennetts

Aug 27, 2013, 9:34:36 AM
to zaprox...@googlegroups.com
Yes it is :)

By default ZAP will listen on localhost:8080 - you will have to change at least the host address to the address of the machine ZAP is running on.
You can do this via the Options / Local Proxy screen.

Let me know if you have any problems with this.

Cheers,

Simon

Usman Waheed

Aug 27, 2013, 11:01:59 AM
to zaprox...@googlegroups.com
Hi Simon,

The remote machine I intend to have ZAP running on does not have gdm/gdm3 or KDE installed on it yet. I have access to it via SSH only.
I see your pointer on how to change the host address via the GUI under Options / Local Proxy, but can I do it via the command line as well?

For example, I start ZAP on this remote Linux node via the command:

zap.sh -daemon -port 8090 and it listens on port 8090 as I specified, but the host address is still localhost.

I tried to change the settings in config.xml under the /xml directory, where 10.20.41.13 is the IP of my remote machine where I would like to have ZAP running in daemon mode.

<proxy>
  <ip>10.20.41.13</ip>
  <port>8090</port>
  <reverseProxy>
    <use>0</use>
    <ip>localhost</ip>
    <httpPort>80</httpPort>
    <httpsPort>443</httpsPort>
  </reverseProxy>
</proxy>

Started ZAP with the above changes in place but it still started with localhost:8080.

Maybe there is an alternate way to pass the host address with a switch?

Thanks,
Usman

Simon Bennetts

Aug 28, 2013, 5:23:00 AM
to zaprox...@googlegroups.com
Can you check to see if there are other instances of the <proxy> sections in your configs?
They might be overriding the one you changed.
Right now we don't have a cmdline switch for the host, although I'm happy to add one if it's needed.

Cheers,

Simon

Usman Waheed

Aug 28, 2013, 12:49:02 PM
to zaprox...@googlegroups.com
Hi,

I thoroughly checked to see if there are any other declarations of <proxy> more than once in any of the files under /xml.
The only instance is the one I specified, noted below:

<proxy>
  <ip>10.20.41.13</ip>
  <port>8090</port>
  <reverseProxy>
    <use>0</use>
    <ip>localhost</ip>
    <httpPort>80</httpPort>
    <httpsPort>443</httpsPort>
  </reverseProxy>
</proxy>

With the -daemon and -port 8090 switches ZAP starts in daemon mode on the port specified, but the host address is still localhost.
I grepped for <proxy> only in the files in the /xml directory.

Thanks,
Usman   

Usman Waheed

Aug 28, 2013, 2:06:14 PM
to zaprox...@googlegroups.com
Hi there,

So I did some more digging, only to find out that there is a second config.xml file that resides in the ~/.ZAP/ directory :)
I made my changes there and started ZAP in -daemon mode, and now it works with the host set to the IP + port I specify in the config.xml.

Thanks for your help Simon, you were right: there was a second config.xml file that was overriding my changes in the config.xml file in the /xml directory.

Regards,
Usman 

Please note: I still think it would be good to have a switch for the host address/IP, -host maybe.
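
The check that resolved this thread, as an added example that is not part of the original posts: compare the <proxy> section in the install-directory config.xml with the copy in ~/.ZAP/ (the one ZAP uses), and flag when the effective listen address is reachable from other machines, since any host that can reach that port can then send traffic through the proxy. The <config> wrapper, the sample file contents and the function names are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample files reproducing the thread's symptom: the copy under
# the install directory was edited, the copy in ~/.ZAP/ was not.
INSTALL_XML = """<config>
  <proxy>
    <ip>10.20.41.13</ip>
    <port>8090</port>
    <reverseProxy><use>0</use><ip>localhost</ip></reverseProxy>
  </proxy>
</config>"""
HOME_XML = INSTALL_XML.replace("10.20.41.13", "localhost").replace("8090", "8080")


def proxy_sections(xml_text):
    """Return (ip, port) for every <proxy> element in one config file."""
    found = []
    for proxy in ET.fromstring(xml_text).iter("proxy"):
        # findtext() only looks at direct children, so the <ip> nested in
        # <reverseProxy> is not mistaken for the listen address.
        ip = (proxy.findtext("ip") or "").strip()
        port = (proxy.findtext("port") or "").strip()
        found.append((ip, port))
    return found


def is_loopback(host):
    """True when the listen address is only reachable from the same machine."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname we cannot classify; treat as reachable


def audit(install_xml, home_xml):
    """Compare both copies; the ~/.ZAP/ copy is the one the thread says ZAP uses."""
    install, home = proxy_sections(install_xml), proxy_sections(home_xml)
    if not home:
        raise ValueError("no <proxy> section in the ~/.ZAP/ copy")
    ip, port = home[0]
    return {
        "effective": f"{ip}:{port}",
        "edited_copy_ignored": install != home,
        "duplicate_proxy_sections": len(home) > 1 or len(install) > 1,
        "network_reachable": not is_loopback(ip),
    }
```

To run it against a real installation, read the two config.xml files from disk and pass their contents to audit().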

Simon Bennetts

Aug 30, 2013, 5:12:29 AM
to zaprox...@googlegroups.com
Ah, yes - that's the one ZAP uses :)

And I agree about the -host switch - I'll try and slip it in ;)

Cheers,

Simon

Simon Bennetts

Aug 30, 2013, 8:55:54 AM
to zaprox...@googlegroups.com
Slipped in :) http://code.google.com/p/zaproxy/issues/detail?id=775

That will be in the next weekly build.

Cheers,

Simon

ashkan....@gmail.com

Jan 12, 2015, 4:11:11 PM
to zaprox...@googlegroups.com
Hi there,

I am trying the same scenario but I get the following error when I run in the daemon mode. I only get this error when I try to access HTTPS connections (HTTP is fine).
Do you have any idea what causes this error?

------------------------------------------------------------
AWT blocker activation interrupted:
java.lang.InterruptedException
        at java.lang.Object.wait(Native Method)
        at java.lang.Object.wait(Object.java:503)
        at sun.awt.AWTAutoShutdown.activateBlockerThread(AWTAutoShutdown.java:337)
        at sun.awt.AWTAutoShutdown.notifyThreadBusy(AWTAutoShutdown.java:171)
        at java.awt.EventQueue.initDispatchThread(EventQueue.java:1050)
        at java.awt.EventQueue.postEventPrivate(EventQueue.java:270)
        at java.awt.EventQueue.postEvent(EventQueue.java:245)
        at java.awt.EventQueue.invokeLater(EventQueue.java:1217)
        at org.zaproxy.zap.extension.alert.ExtensionAlert.addAlertToTree(Unknown Source)
        at org.zaproxy.zap.extension.alert.ExtensionAlert.alertFound(Unknown Source)
        at org.zaproxy.zap.extension.pscan.PassiveScanThread.raiseAlert(Unknown Source)
        at org.zaproxy.zap.extension.pscanrules.XContentTypeOptionsScanner.raiseAlert(XContentTypeOptionsScanner.java:56)
        at org.zaproxy.zap.extension.pscanrules.XContentTypeOptionsScanner.scanHttpResponseReceive(XContentTypeOptionsScanner.java:28)
        at org.zaproxy.zap.extension.pscan.PassiveScanThread.run(Unknown Source)
----------------------------------------------------------------

Best,
Ashkan

thc...@gmail.com

Jan 13, 2015, 5:58:05 AM
to zaprox...@googlegroups.com
Hi.

Would you mind raising an issue [1]?


[1] https://code.google.com/p/zaproxy/issues/entry

Best regards.

Ashkan Taslimi

Jan 13, 2015, 2:26:40 PM
to zaprox...@googlegroups.com

The problem is solved. I had to run the generateRootCA() function from the web API in order to get HTTPS sites working!



thc...@gmail.com

Jan 13, 2015, 2:31:28 PM
to zaprox...@googlegroups.com
Great! Thanks for letting us know.

Still, the previous issue needs to be fixed.

Best regards.


thc...@gmail.com

Feb 3, 2015, 2:40:49 PM
to zaprox...@googlegroups.com
Issue raised [1].


[1] https://code.google.com/p/zaproxy/issues/detail?id=1508

Best regards.