Exclude from Proxy doesn't work?

[Dave Wichers]

I'm testing the latest WebGoat and I've added these URLs to Exclude from Proxy:

http://localhost:8080/WebGoat/service/lessonmenu.mvc.*

http://localhost:8080/WebGoat/service/lessonoverview.mvc.*

And yet I'm getting these URLs in the history tab constantly, and when I turn on intercepts they keep popping up.

What am I doing wrong? And why is this so hard? This should be trivial to configure.

Once you explain to me how I should be doing it correctly, can we come up with a way to make this massively easier/more obvious to use correctly?  (Here's an idea, when the intercept pop up occurs, can you add an exclude or ignore button (with confirmation), so you could simply click that button, and it would clearly explain something like:

"Exclude all future requests to this URL from intercepts, and being shown in the history tab." Or something like that.  And when you confirm this, it would add the proper URL to the proper Exclude locations and 'just work'.

I'm using ZAP 2.11.0 by the way.

I've had trouble with the Exclude feature before, years ago, so this isn't the first time its baffled me as to how to get it to work properly.

-Dave

[kingthorin+owaspzap]

Exclude from proxy is literal, if you have other "tools" spider, active scan, etc access those URLs then you'll still see them.

Either that or your Regex is wrong.

[Dave Wichers]

I'm using exclude from Proxy to try to stop intercepts from occurring. Isn't that the proxy? WebGoat hits these 2 URLs like every 5 seconds so its impossible to intercept/modify traffic when those 2 URLs are constantly generating intercept dialogs you have to plow through/ignore.

Maybe someone on the ZAP team should grab WebGoat and try it. To see if they are getting different behavior.

-Dave

[thc...@gmail.com]

Works as expected, when those regular expressions are set the requests
are no longer shown in the History tab nor are they intercepted.

Worth noting that the intercepted messages are queued, if you added the
regular expressions after you had the interception enabled some of those
requests might still be in the queue (once they are cleared they should
no longer shown in the Break tab though).

Best regards.

[Dave Wichers]

OK. I'll give that a shot. But I could swear that wasn't my situation as I was seeing new requests show up every 5-10 seconds well after I set up the exclude.  Can you send me the exact regexs you used (offline) so I can make sure we are doing exactly the same thing?

[thc...@gmail.com]

I used the same as the ones you posted (did the exclusions with the GUI
but did a find in this thread and it matched).

Best regards.

[iraq hacker]

Hi guys

Please how can i edit header in zap for spider and active scan

I want ti input

X-forward : bugbounty

[thc...@gmail.com]

You can use the Replacer add-on to inject headers:
https://www.zaproxy.org/docs/desktop/addons/replacer/


It's better to create a new thread if unrelated to the current subject.

Best regards.

[Dave Wichers]

OK. I just tried again and they still DON'T work.  I'm using a Mac w/HUD, and with the built-in FireFox. Can you try the same scenario? Or find someone else who can?

-Dave

[Dave Wichers]

OK. I turned the HUD OFF and now it works. So I don't know if HUD interferes with Exclude, or its. Mac thing, or the Launch Browser feature w/HUD w/FireFox w/Exclude? No idea what combinations cause the failure, but on Mac, w/Launch Firefox within ZAP, and Exclude, it now works if I disable HUD first.

[kingthorin+owaspzap]

HUD upgrades URLs to https client side, I bet if you change your exclusions to include an optional s in the scheme things will behave as expected.

https?....

[Dave Wichers]

So adding the HTTPS versions of the regexs does also work. But that seems like a bug to me. Why does HUD force HTTPS when the original app is HTTP?

There are also WebGoat lessons that simply don't work with HUD at all, but that's a separate issue I'll raise with ZAP.

[Simon Bennetts]

This is by design - ZAP has to upgrade HTTP sites to HTTPS.

The HUD uses modern web technologies like Web Workers and WebSockets. These do not work over HTTP.

This is explained in the tutorial :)

Cheers,

Simon

[Dave Wichers]

OK. But if the site you are testing does NOT support HTTPS? What happens? I'm TRYING to get ZAP w/HUD to work with WebGoat 8.2.2, an NO LUCK, and no errors/warnings from ZAP or the HUD that it can't work. I just opened a ticket in HUD with more details as to what I'm seeing.

[Simon Bennetts]

The HUD actually upgrades the site to HTTPS __within__ ZAP :)

So ...

• You request http://www.http-example.com
• The HUD redirects to https://www.http-example.com
• Your browser requests https://www.http-example.com
• The HUD check to see if https://www.http-example.com can be accessed
• Finds out it cant, forwards the request to http://www.http-example.com
• Gets the response and fakes that its from https://www.http-example.com

As for why WebGoat isnt working .. I'll follow up on that ticket...

Cheers,

Simon