ZAP changes HTTPS to HTTP

Velibor Cekic

Nov 2, 2022, 4:49:44 AM
to OWASP ZAP User Group
Hi,
I have stumbled upon quite peculiar behavior when using ZAP. I have the following setup:
- ZAP running in GUI mode and listening on port 8081
- imported OpenAPI definition of API, which is the subject of the test
- QA tests proxied through ZAP
All HTTP requests are sent to the endpoint where HTTPS is enabled. When I start automated tests, everything is okay because the ZAP proxy receives HTTPS requests and sends them to their final destination. But after some time, ZAP sees HTTPS requests as HTTP requests and proxies them that way. There are no enabled scripts that may change HTTPS requests to HTTP requests. Even if I try a manual HTTPS request using Postman, ZAP changes it to HTTP. Has anyone experienced this strange behavior, and what may remedy this situation?

Simon Bennetts

Nov 2, 2022, 4:53:58 AM
to OWASP ZAP User Group
Do you have the HUD enabled?
If you do, and you don't want to use it, then turn it off.
The HUD does 'upgrade' HTTP sites to HTTPS in order to work, so there could be something weird going on with that.

Cheers,

Simon

Velibor Cekic

Nov 2, 2022, 8:26:22 AM
to OWASP ZAP User Group
Thank you, Simon. Turning off HUD remedied the problem.