308 Redirect Loop


Jon Erdman

Jul 17, 2023, 5:03:23 PM
to OWASP ZAP User Group
I am attempting a Manual Explore of an application but am running into a problem with a 308 Redirect loop. I put my base website URL into Manual Explore (ex. "https://example.io"), then see the same URL in the history but with an added "/" at the end (ex. "https://example.io/"). The response from this initial GET is a 308 redirect back to the URL without the "/" (ex. "https://example.io"), but the next entry in the ZAP history pane has the trailing "/" back again, so it ends up looping.

Has anyone ever seen this type of behavior before? I am not able to get the 308 redirect any other way. The automated scan seems to work fine, and if I curl the URL directly with the "/" I just get the expected page, not the redirect. This also works if I put either URL directly into the browser (without the ZAP proxy). I am stumped. Any help would be appreciated.

Thanks,
Jon

thc...@gmail.com

Jul 18, 2023, 4:16:04 AM
to zaprox...@googlegroups.com
Hi.

Did you try sending it with the Manual Request Editor, with and without following redirections, to see what the Location header value is and whether cookies are being set?
Some sites will check for the presence of a cookie and redirect if it's not there yet, causing those loops (when not using cookies, that is).

Best regards.
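The check suggested above (look at each hop's Location header and Set-Cookie, with and without cookies) can be scripted. The following is an added example, not code from the thread or from ZAP: it follows redirects one hop at a time, records status, Location and Set-Cookie per hop, and reports a loop as soon as it is about to send a request identical to one it already sent (same URL, same Cookie header). The cookie-gated server it talks to is a constructed stand-in running on localhost that models the behaviour described in the reply; the handler name, port and "seen=1" cookie are assumptions, not anything from the original site.

```python
"""Trace a redirect chain hop by hop and detect loops (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def trace_redirects(url, use_cookies=True, max_hops=10):
    """Follow redirects manually, logging (request_url, status, Location) per hop.

    Returns (hops, outcome); outcome is 'ok' (non-redirect reached), 'loop'
    (the next request would be byte-identical to an earlier one, so the
    server will answer the same way forever) or 'too_many' (gave up).
    """
    hops, seen, cookies = [], set(), {}
    current = url
    for _ in range(max_hops):
        parts = urlsplit(current)
        target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        headers = {}
        if use_cookies and cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
        # A loop is "same URL with the same request state"; with cookies
        # enabled the second request differs, so it is not flagged.
        state = (current, tuple(sorted(headers.items())))
        if state in seen:
            return hops, "loop"
        seen.add(state)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.hostname, parts.port)
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
        # Store every cookie the server tries to set, whether or not we send it back.
        for raw in resp.headers.get_all("Set-Cookie") or []:
            name, _, value = raw.split(";", 1)[0].partition("=")
            cookies[name.strip()] = value.strip()
        conn.close()
        hops.append((current, resp.status, location))
        if resp.status not in REDIRECT_CODES or not location:
            return hops, "ok"
        # Resolve relative Location values; also exposes scheme changes (https -> http).
        current = urljoin(current, location)
    return hops, "too_many"


class CookieGateHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: 308 to the same path until the 'seen' cookie arrives."""

    def do_GET(self):
        if "seen=1" in self.headers.get("Cookie", ""):
            body = b"welcome"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(308)
            self.send_header("Location", self.path)
            self.send_header("Set-Cookie", "seen=1; Path=/")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo(use_cookies):
    """Run the tracer against the local cookie-gated server (assumed port 0 = ephemeral)."""
    srv = HTTPServer(("127.0.0.1", 0), CookieGateHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trace_redirects(f"http://127.0.0.1:{srv.server_port}/", use_cookies)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for flag in (False, True):
        hops, outcome = demo(use_cookies=flag)
        print(f"cookies={'on' if flag else 'off'}: {outcome}")
        for req_url, status, loc in hops:
            print(f"  GET {req_url} -> {status} Location={loc}")
```

Run with cookies off and the first hop already repeats (one 308, then "loop"); with cookies on the second request carries the cookie and lands on a 200. Pointing `trace_redirects` at a real URL prints the same per-hop record, which is what you would compare against the history pane when deciding whether the loop comes from the server, from missing cookies, or from something between the client and the server rewriting the URL.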

Jon Erdman

Jul 18, 2023, 11:34:16 AM
to OWASP ZAP User Group
The request works fine from the Manual Request Editor. Could this be something about the proxy where it is converting "https" to "http" somehow? That would certainly cause the server to respond with the 308 message redirecting it back to the "https" path, which would in turn cause the infinite loop that I am seeing if that is again stripped.

thc...@gmail.com

Jul 18, 2023, 12:19:14 PM
to zaprox...@googlegroups.com
That would be the HUD then. We do have an issue with the behaviour described:
https://github.com/zaproxy/zap-hud/issues/834

You can disable the HUD in the toolbar (radar icon).
https://github.com/zaproxy/zap-hud#using-the-hud

Best regards.

Jon Erdman

Jul 18, 2023, 12:26:35 PM
to zaprox...@googlegroups.com
Yup, disabling the HUD worked. Thank you!
