How to prevent switch to https?

Tim Brown

Jun 26, 2019, 7:49:14 PM
to OWASP ZAP User Group
Howdy,

I have a web app running locally that's exposed only as http.
When I access the site via ZAP it's switching/redirecting my browser requests from http to https causing some issues for the app functionality.

How do you configure ZAP to not perform this switch & instead accept just http requests?

Thanks in advance.

Tim

kingthorin+owaspzap

Jun 26, 2019, 8:36:03 PM
to OWASP ZAP User Group
The upgrade only happens client side and only when HUD is in use.

Tim Brown

Jun 26, 2019, 8:52:23 PM
to OWASP ZAP User Group
Thanks - disabling HUD resolved it for me.

Simon Bennetts

Jun 27, 2019, 2:58:09 AM
to OWASP ZAP User Group
Hi Tim,

Can you give us some details on how the https upgrade broke your application?
We want to ensure that the HUD works for all applications, so would like to fix this problem even if you don't plan on using the HUD.

cheers,

Simon

Tim Brown

Jun 27, 2019, 3:05:47 AM
to OWASP ZAP User Group
Hey Simon,

Firstly - thanks for the great tool & all the videos, doco etc that you've got out there.
It's made it a lot easier to pick up ZAP & get going.

The web pages themselves were working fine. The problem I had was that the app has a few AJAX / direct JavaScript calls that get made & these were not being redirected to use https.
Consequently, I was getting errors advising that http & https traffic was being attempted for the same domain.

Cheers,

Tim

Simon Bennetts

Jun 27, 2019, 3:43:06 AM
to OWASP ZAP User Group
Thanks Tim!


If you have any more details then please add them to that issue (or here;).
Do you know what technology is being used?
Is it all ajax calls or just some of them? If so can you tell how they are different from the others?

We have tested with modern web apps like JuiceShop running on http and that seemed to work fine.
But there are obviously edge cases that we're not handling right :/

Cheers,

Simon

Leonid Vygovskiy

Jul 4, 2019, 9:04:18 AM
to OWASP ZAP User Group
Hi Simon,

I had two problems with ZAP 2.8.0 before disabling the HUD:
1. Requests from SoapUI are processed incorrectly. ZAP loses the port and sends the request to port 80 instead of 9000.
2. I debugged Apache NiFi (a server application) using ZAP, and NiFi can't switch to https.

Disabling the HUD resolves those problems.

I think there should be a warning about this behavior.

BR, Leonid Vygovskiy

Simon Bennetts

Jul 4, 2019, 9:08:50 AM
to OWASP ZAP User Group
Hi Leonid,

Can you raise this as an issue on the HUD repo providing as many details as possible: https://github.com/zaproxy/zap-hud/

Many thanks,

Simon