ZAP port 8080 : Bad format

[jluc.ba...@free.fr]

Hello,

I started my application in a docker container on a dedicated docker network. Its container IP address is 10.0.3.3 and it is mapped to a dynamic port on the loopback interface, e.g. 127.0.0.2:49213

I then start ZAP (GUI app) and set it to listen to 0.0.0.0:8080 (no other app is currently listening to 8080 => checked with sudo netstat -ntpl | grep 8080).
I then proxify firefox to localhost:8080.

If I access the application using its host address, i.e. http://127.0.0.2:49213/primainsure, then it works properly.
If I access the application using its container address, i.e. http://10.0.3.3:8080/primainsure, I receive a "Bad format" message.

Now, if I change the ZAP port to 9090, both URLs work properly.

But I actually don't want to use the port 9090 because I want to use ZAP in a container. The problem is that when I start ZAP in a container (daemon mode), it remains in unhealthy state, unless started on 8080. I tried to export ZAP_PORT=9090 (as mentionned here https://www.zaproxy.org/docs/docker/about) but it doesn't seem to work. If I start the ZAP container on 8080, it properly turns to healthy state but then I got the same error as when run in the GUI, see docker logs below below where my context path (primainsure) seems to be viewed as a ZAP API endpoint.

10420 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:8080
44319 [ZAP-ProxyThread-10] WARN  org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/primainsure/] from [10.0.3.1]:
org.zaproxy.zap.extension.api.ApiException: bad_format
    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:430) [zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
    at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
    at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: java.lang.IllegalArgumentException: No enum constant org.zaproxy.zap.extension.api.API.Format.PRIMAINSURE
    at java.lang.Enum.valueOf(Enum.java:240) ~[?:?]
    at org.zaproxy.zap.extension.api.API$Format.valueOf(API.java:63) ~[zap-2.11.1.jar:2.11.1]
    at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:409) [zap-2.11.1.jar:2.11.1]
    ... 3 more

I can't figure out what the problem is. Any help ?
Thanks.

[jluc.ba...@free.fr]

After setting ZAP (GUI) to listen to localhost:8080 rather than 0.0.0.0:8080 I was able to access my app on http://10.0.3.3:8080/primainsure.

Unfortunately, it doesn't solve my problem because I want to run ZAP in a container, so it has to listen to the network interface, not the loopback one. So how could I make ZAP listen to 9090 rather than 8080 within a container. As mentioned before, I was unabled to make ZAP_PORT environment variable working.

Thanks for your help.

[Simon Bennetts]

I often run ZAP in docker using a non standard port, just using the standard ZAP command line option: "-port".

I dont care that the the container is not in a healthy state ;)

If that is important to you, then can you give the exact command you are using to start ZAP?

Cheers,

Simon

[kingthorin+owaspzap]

It's because you've bound to 0.0.0.0 which is all interfaces.

[jluc.ba...@free.fr]

Thanks a lot. I ignored the unhealthy state and it works properly on 9090.