Do we have to change browser settings to use ZAP as a proxy?


Jing Fu

Oct 31, 2013, 5:30:16 PM10/31/13
to zaprox...@googlegroups.com
Per ZAP docs, the browser needs to be configured to use ZAP as a proxy. It works fine; however, one concern is that all browser traffic is going through ZAP, not just the web application being tested.

Is there a way to do this:
1. tell ZAP the port number of your web application,
2. and have your browser connect to a different port number which was opened by ZAP not web application?

This way the browser setting does not have to be changed. Instead it works in a more "self-contained" fashion?

Thanks,
Jing

Cosmin Stefan-Dobrin

Oct 31, 2013, 6:00:42 PM10/31/13
to zaprox...@googlegroups.com
Hi,

Depending on the browser you are using, there are surely addons that will help you in your scenario. For example, if you are using Firefox, the FoxyProxy [1] addon will allow you to set for which applications the traffic should be proxied through ZAP and for which normal behaviour should be followed. I think it's exactly what you are interested in, right?

[1] - https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

Cosmin


Jing Fu

Nov 1, 2013, 11:21:42 AM11/1/13
to zaprox...@googlegroups.com
Thanks Cosmin.

What you posted is more or less like a workaround for what I am looking for. I am looking for an "explicit intermediary" for security reasons, and the only project I could find so far is tcpmon [1]: the client (i.e. the browser in my case) has to point to the intermediary rather than the original endpoint.

For example, the usage pattern I am looking for is:
1. Let's say a proxy tool runs at port 8080
2. The web application runs at a different port, say 8000
3. The proxy tool can be told about the web application port, and be configured to listen on it
4. The browser does not need to be edited for the proxy server setting. Instead the browser address bar is pointing to the proxy tool's port (8080), not the server port (8000)

I do not know if there is a terminology to coin what I am looking for. Maybe this can be called "explicit proxy" vs. "transparent interception". In "explicit proxy", the client is very aware of the proxy server (the browser address bar is pointing to the proxy tool port). In "transparent interception", the browser address bar is still pointing to the server (the port the web application is running on), and is not aware that a proxy server is intercepting.

The main advantage of "explicit proxy" is security. However, it seems that it is hardly adopted in any proxy tools in the industry? Anything I missed?

Thanks,
Jing

[1] http://ws.apache.org/tcpmon/tcpmontutorial.html#HTTP_Proxy_support
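The "explicit intermediary" pattern described in this post, written out as an added example (it is not code from this thread, from ZAP, or from tcpmon): the browser is pointed at the intermediary's own port, the intermediary relays each request to one fixed application port and rewrites the `Host` header on the way, and no browser proxy setting is touched. Because only requests addressed to that port ever reach it, the intermediary sees nothing but the application under test. `ExplicitProxy`, `RelayHandler`, `EchoApp` and `run_demo` are names chosen for this example; the echo application is a constructed stand-in for the real web application, and both listeners use ephemeral ports so the demo runs anywhere.

```python
import http.client
import http.server
import threading
import urllib.request

# Hop-by-hop headers describe one TCP connection and must not be copied
# from the browser leg to the application leg (or back). Content-Length
# is recomputed by the relay, so it is excluded here too.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection",
              "transfer-encoding", "upgrade", "content-length"}


class ExplicitProxy(http.server.ThreadingHTTPServer):
    """Listens on the port the browser is pointed at and relays every
    request to one fixed upstream (host, port) of the application."""

    def __init__(self, bind, upstream):
        super().__init__(bind, RelayHandler)
        self.upstream = upstream   # (host, port) of the application under test
        self.seen = []             # (method, request-target, status) per request


class RelayHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self._relay()

    def do_POST(self):
        self._relay()

    def _relay(self):
        host, port = self.server.upstream
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None

        # Copy end-to-end request headers, then point Host at the real server.
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in HOP_BY_HOP | {"host"}}
        headers["Host"] = f"{host}:{port}"
        if body is not None:
            headers["Content-Length"] = str(len(body))

        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(self.command, self.path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()          # http.client de-chunks for us
        conn.close()

        # This is the interception point: every request/response pair of the
        # application passes through here and nothing else does.
        self.server.seen.append((self.command, self.path, resp.status))

        self.send_response_only(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the demo quiet
        pass


class EchoApp(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the web application on its own port."""

    def do_GET(self):
        payload = f"app saw {self.command} {self.path} Host={self.headers['Host']}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass


def serve_in_background(server):
    threading.Thread(target=server.serve_forever, daemon=True).start()


def run_demo():
    """Start app and intermediary on ephemeral ports, send one request to the
    intermediary's port (no browser proxy setting involved) and report what
    the application received and what the intermediary observed."""
    app = http.server.ThreadingHTTPServer(("127.0.0.1", 0), EchoApp)
    app_port = app.server_address[1]
    proxy = ExplicitProxy(("127.0.0.1", 0), ("127.0.0.1", app_port))
    serve_in_background(app)
    serve_in_background(proxy)
    try:
        # Empty ProxyHandler: ignore any system proxy, exactly as the pattern intends.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        url = f"http://127.0.0.1:{proxy.server_address[1]}/hello?x=1"
        with opener.open(url, timeout=5) as r:
            body = r.read().decode()
        return {"body": body, "seen": list(proxy.seen), "app_port": app_port}
    finally:
        proxy.shutdown(); app.shutdown()
        proxy.server_close(); app.server_close()


if __name__ == "__main__":
    print(run_demo())
```

One caveat a practitioner should keep in mind with this pattern: the application must not emit absolute URLs (redirects, links, cookie domains) that name its own port, or the browser will follow them straight to port 8000 and step around the intermediary; a transparent or browser-configured proxy does not have that problem.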

Jing Fu

Nov 1, 2013, 12:07:01 PM11/1/13
to zaprox...@googlegroups.com
In case anyone may be searching for a similar project, I just played a little bit with Charles Proxy [2]. It seems Charles can support the usage pattern that I am looking for.

Meanwhile I am still very interested to hear comments on my question: the usage pattern I am looking for seems not that widely adopted in proxy tools. Is there a reason for it?

One note to ZAP team, ZAP is a FANTASTIC tool for what it is meant to do!

[2] http://www.charlesproxy.com/documentation/proxying/reverse-proxy/

Simon Bennetts

Nov 1, 2013, 12:46:45 PM11/1/13
to zaprox...@googlegroups.com
Interesting use case.
I had a quick play around with scripting and can change any request going through ZAP, e.g. from localhost:18000 to localhost:8000, but you still need to be proxying via ZAP to start with :(
The problem is that currently ZAP assumes all requests directly to the port it's listening on are for its API, which doesn't go near the scripting code.
Shouldn't be too difficult to change that, if anyone fancies having a go...

Cheers,

Simon

Simon Bennetts

Nov 1, 2013, 1:34:11 PM11/1/13
to zaprox...@googlegroups.com
I've raised an enhancement request for this: http://code.google.com/p/zaproxy/issues/detail?id=826
Jing, if you star this then you will be alerted of any changes, and feel free to add any comments you like.
Anyone interested in working on this please get in touch.

Simon

Jing Fu

Nov 1, 2013, 1:41:40 PM11/1/13
to zaprox...@googlegroups.com
Thanks so much, Simon.