Avoiding HTTP/1.0 for Form-based Authentication


Masande

Oct 22, 2022, 12:08:51 PM10/22/22
to OWASP ZAP User Group


Hi.

Is it possible to force ZAP's Form-based or JSON-based Authentication to use an HTTP version more recent than HTTP/1.0? The target server does not accept HTTP/1.0, so automatic login requests performed while using "Forced User" fail because the server returns an "HTTP/1.1 426 Upgrade Required" response. A sample request and response are shown below.

Request:
POST https://<myapp>/api/v2/login HTTP/1.0
Host: <myapp>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 100
<shortened for brevity>

Response:
HTTP/1.1 426 Upgrade Required
date: Sat, 22 Oct 2022 15:39:14 GMT
server: istio-envoy
connection: close
content-length: 0


I am using ZAP version 2.11.1 on MacOS

Thanks.

thc...@gmail.com

Oct 22, 2022, 12:20:13 PM10/22/22
to zaprox...@googlegroups.com
Hi.

That's addressed in the weekly releases:
https://www.zaproxy.org/download/#weekly

As a workaround you could use an HTTP Sender script to change the version.

Best regards.
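The workaround suggested above, written out as an added example (this is not the poster's script or an official ZAP script): an HTTP Sender script for ZAP's JavaScript script engine that rewrites the version of every outgoing HTTP/1.0 request to HTTP/1.1 before it leaves ZAP, so the authentication requests in the thread no longer draw a 426 from the server. It assumes ZAP's HttpMessage and HttpRequestHeader API (getRequestHeader(), getVersion(), setVersion()) and the sendingRequest/responseReceived callbacks that HTTP Sender scripts implement; the upgradeVersion helper is a name chosen for this example.

```javascript
// HTTP Sender script for ZAP (JavaScript engine). Added example, not ZAP's
// own code. Assumes msg is an org.parosproxy.paros.network.HttpMessage
// whose getRequestHeader() exposes getVersion() and setVersion().

var HTTP10 = "HTTP/1.0";
var HTTP11 = "HTTP/1.1";

// Rewrites the request line's protocol version when it is HTTP/1.0.
// Returns true when the header was changed, false when it was left alone,
// so the behaviour can be checked outside ZAP with a stand-in header object.
function upgradeVersion(requestHeader) {
  // String() copes with both JS strings and Java strings returned by ZAP.
  if (String(requestHeader.getVersion()) === HTTP10) {
    requestHeader.setVersion(HTTP11);
    return true;
  }
  return false;
}

// ZAP calls this for every request sent by any component (proxy, scanner,
// authentication, ...). The Host header ZAP already sets is kept as-is,
// which HTTP/1.1 requires.
function sendingRequest(msg, initiator, helper) {
  upgradeVersion(msg.getRequestHeader());
}

// Required callback for HTTP Sender scripts; nothing to do on responses.
function responseReceived(msg, initiator, helper) {}
```

To use it in ZAP, create a new script of type "HTTP Sender" with the JavaScript engine in the Scripts tab, paste the code, and enable the script; with it enabled, a request that would have been sent as "POST /api/v2/login HTTP/1.0" goes out as HTTP/1.1. If you only want the rewrite applied to login traffic, the initiator argument identifies which ZAP component is sending the request and can be compared against ZAP's HttpSender initiator constants.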

Masande

Oct 22, 2022, 12:31:58 PM10/22/22
to OWASP ZAP User Group
Will give that a go. Thanks for the answer and the swift response!