org.apache.http.NoHttpResponseException


Hector Luna

Mar 13, 2023, 5:04:26 PM
to OWASP ZAP User Group

I am running the latest version of ZAP as of today, and I am getting this error when executing a GET on a service endpoint that resides in our server infrastructure. These issues can result in the ZAP script stopping execution on a POST, and that is the reason for which I have to use the October release of ZAP to run my tests on the server.

Is there a reason this is firing? The endpoint does produce a response so I am not sure what this is all about. This issue came to surface when ZAP made network changes under the hood.

Running the same request under the "Requester" tab in the UI does not generate this exception, or perhaps, it is consuming it and not showing it.

Any help would be much appreciated.
Thanks!

166953598 [ZAP-ScriptExecutor-Execution - Plan.zst] INFO  org.apache.http.impl.execchain.RetryExec - I/O exception (org.apache.http.NoHttpResponseException) caught when processing request to {tls}->http://localhost:8080->https://SERVER_URL:443: The target server failed to respond

166953599 [ZAP-ScriptExecutor-Execution - Plan.zst] INFO  org.apache.http.impl.execchain.RetryExec - Retrying request to {tls}->http://localhost:8080->https://SERVER_URL:443

thc...@gmail.com

Mar 13, 2023, 5:29:57 PM
to zaprox...@googlegroups.com
Could you provide the request/response as sent from the Requester?
(Obfuscate as needed or send directly.)

Thank you!
Best regards.

Hector Luna

Mar 13, 2023, 5:38:26 PM
to OWASP ZAP User Group
Sure! Please let me know if you require more information. I have taken out the URL details on purpose for public consumption and the authorization information is your simple basic authentication with a base64 token.

Something else that is worthy of note is that after some of these occur and I execute a POST, the post request does not even show up in the history, but I get a similar exception error in the UI's output panel. No log entry, no entry in the history.

Thanks!!!

Request:
GET https://ENDPOINT_HOST/PATH_PREFIX/PATH_ENDPOINT HTTP/1.1
Authorization: Bearer BASE64_TOKEN_STRING
Host: ENDPOINT_HOST
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
content-length: 0

Response:
HTTP/1.1 200
Date: Mon, 13 Mar 2023 21:12:42 GMT
Content-Type: application/json
Connection: keep-alive
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
content-length: 3447

RESPONSE BODY:
[{ "key":"value"}, {"key":"value"}]

thc...@gmail.com

Mar 14, 2023, 3:36:58 AM
to zaprox...@googlegroups.com
I'm not able to reproduce the issue with just that, could you provide
the whole message exchange prior to the exception, both GET and POST?

Best regards.

On 13/03/2023 21:38, Hector Luna wrote:
> Sure! Please let me know if you require more information. I have taken out
> the URL details on purpose for public consumption and the authorization
> information is your simple basic authentication with a base64 token.
>
> *Something else that is worthy of note is that after some of these occur
> and I execute a POST, the post request does not even show up in the
> history, but I get a similar exception error in the UI's output panel. No
> log entry, no entry in the history.*

Hector Luna

Mar 14, 2023, 3:24:42 PM
to OWASP ZAP User Group
Sure, I will get that for you shortly. I am reverting back to using the ZAP_D-2022-10-03 in order to complete the test script, but I do want to be able to run the latest version of ZAP of course.
There are other things that came up when I switched back to the older release, such as errors in some of the request headers that resulted in the server complaining, but for some reason I couldn't see those in the latest build, but the older build showed me the errors.

I should have something further for you later today or early tomorrow.

Thank you very much for your help!!!

André Doherty

Mar 15, 2023, 8:37:55 AM
to OWASP ZAP User Group
Hello,

Sorry if I am polluting the initial question, but as it looks quite similar, I posted here.
If needed I will create a specific issue, please let me know.

So I am experiencing a similar issue with ZAP 2.12.0 version.
=> The Zap script execution fails with org.apache.http.NoHttpResponseException (section 8).
(No noticeable error in the console)

I switched to 2.11.0 version, and this time it works.

Could the two be linked?

Regards
André



thc...@gmail.com

Mar 15, 2023, 9:49:28 AM
to zaprox...@googlegroups.com
Thank you!

I was able to reproduce the issue, that's:
https://github.com/zaproxy/zaproxy/issues/7699

That's fixed in the weekly releases, you can also work around it by
disabling ALPN in the Options > Network > Local Servers/Proxies > Proxy
Properties…

If you are running in command line or daemon modes pass the following
command line arguments:
-config network.localServers.mainProxy.alpn.enabled=false
-config network.localServers.mainProxy.address=0.0.0.0

(Change the address to match what you want/need.)

Best regards.
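
A check that the ALPN workaround described in the message above took effect, as an added example that is not part of the original thread or of ZAP's own tooling: it asks `openssl s_client` which protocol the local proxy selects during the TLS handshake. The function names and the `127.0.0.1:8080` proxy address are assumptions; `SERVER_URL` is the placeholder from the log lines earlier in the thread.

```shell
#!/bin/sh
# Added example: report which ALPN protocol a local intercepting proxy selects.
# Assumptions: openssl >= 1.1.0 (needed for -proxy); all function names are
# hypothetical and not part of ZAP.

# Constructed sample of `openssl s_client` output, for trying parse_alpn offline.
SAMPLE_OUTPUT='CONNECTED(00000003)
No ALPN negotiated
SSL-Session:'

# Read s_client output on stdin and print the selected protocol ("h2",
# "http/1.1", ...), "none" when the server selected nothing, or "unknown"
# when neither marker is present (for example, the connection failed).
parse_alpn() {
    awk '
        /^ALPN protocol: /    { sub(/^ALPN protocol: /, ""); sub(/\r$/, ""); print; found = 1; exit }
        /^No ALPN negotiated/ { print "none"; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# Handshake with TARGET through PROXY (host:port), offering h2 and http/1.1.
# The proxy terminates TLS itself, so the answer reflects the proxy's setting.
proxy_alpn() {
    proxy=$1
    target=$2
    openssl s_client -proxy "$proxy" -connect "$target:443" \
        -servername "$target" -alpn h2,http/1.1 </dev/null 2>/dev/null | parse_alpn
}

# Exit status 0 only when the proxy selected no protocol, i.e. ALPN is disabled.
alpn_disabled() {
    [ "$(proxy_alpn "$1" "$2")" = "none" ]
}

# Usage (not run here, needs a listening proxy):
#   proxy_alpn 127.0.0.1:8080 SERVER_URL
#   alpn_disabled 127.0.0.1:8080 SERVER_URL && echo "ALPN is off on the proxy"
```

The `0.0.0.0` address in the arguments quoted above makes the proxy listen on every network interface; `127.0.0.1` is enough when only local tools connect to it.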

Hector Luna

Mar 15, 2023, 12:36:43 PM
to OWASP ZAP User Group
I quickly gave a try to the above solution and it does not work for me :(
I will post more info in a little while once I am done with the test script (that does work with the older version of ZAP).

thc...@gmail.com

Mar 15, 2023, 12:49:18 PM
to zaprox...@googlegroups.com
Are you able to reproduce that with the latest weekly release too?

Best regards.

Hector Luna

Mar 15, 2023, 1:47:31 PM
to OWASP ZAP User Group
Yes I am. My issue is not ALPN related. I was hoping that would fix it.
I can try running the script I have now and produce the whole log file and post it so that you can see it.

It does run well when I use ZAP_D-2022-10-03 without so much as a complaint, and also when I run it via the automation framework.
I should be able to spend some time on this now that I completed the script and have it working.

Thank you again, and thanks to Andre as well, that is a cool example.

thc...@gmail.com

Mar 15, 2023, 1:52:19 PM
to zaprox...@googlegroups.com
That would be great, the more information about the issue the better.

Thank you!
Best regards.

André Doherty

Mar 16, 2023, 5:42:05 AM
to zaprox...@googlegroups.com
Hello, 

Quick feedback: disabling ALPN fixes my issue, re-enabling it in the weekly fixes it too. Thanks a lot
Have a nice day
André

--
You received this message because you are subscribed to a topic in the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/BnxSlcI2sA8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/ed64bd30-6e80-deaa-9314-5544730491d7%40gmail.com.


--
Andre Doherty
Tel : +33 (0) 6 14 18 96 46
Message has been deleted

thc...@gmail.com

Mar 21, 2023, 3:32:56 PM
to zaprox...@googlegroups.com
They work, it's on the todo list to check.

Best regards.

On 21/03/2023 19:31, Hector Luna wrote:
> Not sure if direct messages or not work, but here are some execution logs
> as well as some ZAP logs that show the differences between running the same
> script using the latest weekly release (that fails) and an old release that
> does not (D-2022-10-03).
>
> Please advise if more info is required.

Hector Luna

Mar 21, 2023, 4:42:16 PM
to zaprox...@googlegroups.com
Thanks a lot thc202!


Hector Luna

Apr 6, 2023, 12:47:52 PM
to OWASP ZAP User Group
Just wondering if there has been any news on this front. Thanks!

thc...@gmail.com

Apr 6, 2023, 12:53:46 PM
to zaprox...@googlegroups.com
No news, I was not yet able to reproduce the issue… I will follow up.

Best regards.