Can't see post requests in the history tab of ZAP for the angular app


Kamal Sahni

Mar 23, 2015, 11:57:51 AM
to zaprox...@googlegroups.com

I have just started using ZAP and configured the Mozilla proxy, so that requests can be recorded in ZAP. However, I can't see any POST requests recorded for the application I am pen testing. Any help would be appreciated. Thanks

Ailton Caetano

Mar 23, 2015, 1:32:37 PM
to zaproxy-users
Take a look at the session's context include URLs and check if the button that looks like a target in the "Sites" tab is highlighted or turned off. The include URLs list should have the correct URL or be empty and the mentioned button should be turned off (gray-colored).


Did it work for you?


[]'s Ailton


Kamal Sahni

Mar 25, 2015, 4:48:36 AM
to zaprox...@googlegroups.com
Yes, I have included it in the context and the include URL regex is correct. I can see the GET requests for scripts, images, icons and other resources in the history tab; however, I can't see the GET requests that fetch JSON or the POST requests when I am posting something to the app.

Also, I ran ZAP to attack the webapp but it didn't find any vulnerability, when there are vulnerabilities in the app. I am not sure how to make it work for this application (single page app on AngularJS).

Simon Bennetts

Mar 25, 2015, 5:56:58 AM
to zaprox...@googlegroups.com
In order to get ZAP to handle single page applications effectively you need to flag the relevant parameters as 'structural' in a context.
So for an app with URLs like:

you should create a context and in the 'Structure' screen add "page" as a structural parameter.

The fact that your JSON requests are not appearing in the History tab is more concerning.

Have you got any filters set on the History tab? Have you correctly set up ZAP as your proxy in your browser?

If you don't have any filters set and nothing is appearing in the History tab then it implies that the requests are not going through ZAP.

Simon

Kamal Sahni

Mar 25, 2015, 6:58:20 AM
to zaprox...@googlegroups.com
Thanks for your response Simon.

You are probably right about the URL. The app URLs contain a hash and not any query parameter. The URL structure is:


How do I configure this? What entries do I have to make here? https://db.tt/0XoMVzCD

No, there were no filters in the history tab.
I think the issue was related to HTTPS requests, because most of the request URLs were HTTPS and were not showing in the history tab while HTTP requests were showing up. Therefore, I generated an SSL certificate from ZAP and uploaded it into the Mozilla browser as shown in the ZAP videos. However, now I can't even log in to the application from the Mozilla browser. Are you aware of any such issue? Please help.

Simon Bennetts

Apr 7, 2015, 8:01:00 AM
to zaprox...@googlegroups.com
Ah, this is a different problem.

The '#' element in the URL is the start of the fragment identifier.
That character and all proceeding characters are just handled in the browser - they are _not_ sent to the web application, which means that ZAP will never see them :(
If the browser makes AJAX requests as a result of these identifiers then ZAP _will_ see those requests and show them in the History tab.

Exploring the application using the standard spider will probably not be very effective - you need to use either the Ajax spider or proxy manual requests.

You should be able to login to your app when using your browser proxied through ZAP - what problems are you seeing with this?

ZAP does need more work to handle Ajax applications better, but we can show client side events in ZAP using Plug-n-Hack: https://code.google.com/p/zaproxy/wiki/HelpAddonsPlugnhackClientstab

Cheers,

Simon
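Added example (not from the thread or from ZAP's own code) illustrating both of Simon's points: the `#/route` part of an Angular URL never reaches the proxy, and why a parameter such as `page` has to be flagged as structural before the site tree treats each value as a separate node. The URLs below are constructed, and `site_tree_node` is a simplified model of how a scanner keys URLs, not ZAP's actual implementation.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample URLs for an Angular-style single page app and for a
# query-parameter driven app; illustrative only, not the poster's app.
SPA_URLS = [
    "https://app.example/index.html#/dashboard",
    "https://app.example/index.html#/settings/profile",
]
QUERY_URLS = [
    "https://app.example/view?page=home&lang=en",
    "https://app.example/view?page=reports&lang=en",
]

def as_seen_by_proxy(url):
    """Split a URL into what an intercepting proxy receives versus what the
    browser keeps. The fragment (everything from '#') is never put on the
    wire, so the proxy's History only ever shows scheme, host, path, query."""
    p = urlsplit(url)
    target = (p.path or "/") + ("?" + p.query if p.query else "")
    return p.scheme, p.netloc, target, p.fragment

def site_tree_node(url, structural=()):
    """Key a URL the way a site tree might: by default only parameter names
    matter, so 'page=home' and 'page=reports' collapse into one node. Listing
    'page' in `structural` keeps its value in the key, so each page becomes
    its own node and is explored separately. Simplified model, not ZAP code."""
    p = urlsplit(url)
    params = sorted(parse_qsl(p.query, keep_blank_values=True))
    parts = [f"{n}={v}" if n in structural else n for n, v in params]
    return p.netloc + p.path + ("?" + "&".join(parts) if parts else "")

def distinct_nodes(urls, structural=()):
    """Return the sorted set of site-tree nodes the given URLs map to."""
    return sorted({site_tree_node(u, structural) for u in urls})

if __name__ == "__main__":
    for u in SPA_URLS:
        scheme, host, target, frag = as_seen_by_proxy(u)
        print(f"proxy sees {scheme}://{host}{target}  browser keeps #{frag}")
    print("nodes without structural param:", distinct_nodes(QUERY_URLS))
    print("nodes with 'page' structural:  ", distinct_nodes(QUERY_URLS, ("page",)))
```

Both SPA URLs produce the identical request target `/index.html`, which is exactly why only the AJAX calls the routes trigger show up in the History tab.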

Kamal Sahni

Apr 9, 2015, 4:44:48 AM
to zaprox...@googlegroups.com
I was able to log in to the app. I think there was a certificate mismatch issue; I restarted the browser and ZAP, and it worked. Now all the requests do show in the history tab, however, I am yet to find a vulnerability in the app using ZAP. I think I need to watch all the advanced ZAP videos (Great Videos (Y)) and fine tune ZAP to use on a single page app (AngularJS). Is there any documentation on how to do it?

Also, thanks for sharing this plugin, I will try to use it and get back to you in case of any queries.

--
Kamal Sahni
Software Engineer - QA