unable to install plug n'hack in Firefox 34.0

[Charles Radley]

Greetings,

I went through the procedure to install plug n'hack a couple of times, and the wizard completed with no apparent errors, but the feature simply is not working.

Firefox version:  34.0

Zap version: 2.3.1

The User User Guide states:

"Developer Toolbar (Shift+F2).

Type 'help pnh' or 'help zap' in the Firefox Developer toolbar to get started."

However this is what happens:

>help zap

>No commands starting with 'zap'

>help pnh

>No commands starting with 'pnh'

>help

?GCLI is an experiment to create a highly usable command line for web developers.

Available Commands:

addon - Manipulate add-ons help addon

appcache - Application cache utilities help appcache

break - Manage breakpoints help break

calllog - Commands to manipulate function call logging help calllog

clear - Clear the output area help clear

console - Commands to control the console help console

context - Concentrate on a group of commands help context

cookie - Display and alter cookies help cookie

dbg - Manage debugger help dbg

edit - Tweak a page resource help edit

export - Export resources help export

eyedropper - Grab a color from the page help eyedropper

firebug - Web Development Evolved help firebug

folder - Open folders help folder

global - Change the JS global help global

help - Get help on the available commands help help

highlight - Highlight nodes help highlight

inject - Inject common libraries into the page help inject

inspect - Inspect a node help inspect

jsb - JavaScript beautifier help jsb

lang - Enter commands in different languages help lang

listen - Open a remote debug port help listen

media - CSS media type emulation help media

pagemod - Make page changes help pagemod

paintflashing - Highlight painted area help paintflashing

pref - Commands to control settings help pref

resize - Control Responsive Design Mode help resize

restart - Restart Firefox help restart

screenshot - Save an image of the page help screenshot

tilt - Visualize the webpage in 3D help tilt

unhighlight - Unhighlight all nodes help unhighlight

Does anybody have any thoughts on how I can get plug n'hack to work in my Firefox [or an other browser for that matter] ?

Thanks,

CFR.

[Simon Bennetts]

Hi Charles,

Have you checked that you have the latest version of Plug-n-Hack installed?
Click on the "Manage Add-ons" button on the top toolbar and then click the "Check for updates" button.

Cheers,

Simon

[Charles Radley]

Hi Simon,

It shows PnH  0.4 ... there is no update button [only Disable and Remove]

Thanks,

CFR.

from Charles F Radley
Associate Fellow AIAA
Yahoo = CFRJLR
Skype  = CFRJLR
Google phone = +1-551-579-4686
Mobile cell: +1-360-773-2595 Trac

--
You received this message because you are subscribed to a topic in the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/kKw50gHFCdM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Charles Radley]

I have changed "automatic updates" to "on", it was "default".  There seems to be no way to force an update.

[Simon Bennetts]

ZAP Add-on versions are always whole numbers, and the latest pnh add-on is version 7.
Hover over the "Plug-n-Hack Configuration" entry in the Manage Add-ons dialog - what version does it say there?

Cheers,

Simon

[Simon Bennetts]

Its worth noting that Firefox is now at version 36 - is there any reason why you're not able to update to this?
I've just tried Plug-n-Hack with Firefox 36 and it seems to work fine for me.

Cheers,

Simon

[kingthorin+owaspzap]

After updating to v7 from the Marketplace I now have an add-on in Firefox showing as v0.4 of the plugin. I can do a "help pnh" and get results but "help zap" returns nothing ("No commands starting with 'zap'.").

Then once I fire up Firefox again and visit ZAP's PnH URL and click the setup button it asks to Enable the PnH provider (hit "I understand" and "Enable"), then "help zap" works.

[kingthorin+owaspzap]

Just to be clear, that was with v36, but I suspect that you'll be successful in v34 if you have the latest addon from the Marketplace and do all the steps I mentioned....

Let us know.

[Charles Radley]

I have upgraded to FF 36.01

No change to the observed behavior

Version of PnH is 0.4 , no idea why it is not showing the latest version.  No update is available.

 

Unable to access PnH

See screenshot below.

Any ideas ?

[Charles Radley]

There is no  "Plug-n-Hack Configuration" entry in the Manage Add-ons dialog 

The version displayed is 0.4.

See screenshot below.

Thanks,

CFR.

[Charles Radley]

On Monday, March 9, 2015 at 11:50:27 AM UTC-7, kingthorin+owaspzap wrote:

After updating to v7 from the Marketplace I now have an add-on in Firefox showing as v0.4 of the plugin. I can do a "help pnh" and get results but "help zap" returns nothing ("No commands starting with 'zap'.").

Then once I fire up Firefox again and visit ZAP's PnH URL and click the setup button it asks to Enable the PnH provider (hit "I understand" and "Enable"), then "help zap" works.

alas it does not work for me when follow the same steps... 

[Simon Bennetts]

What we need to know is the version of the _ZAP_ add-on.
In ZAP open the "Manage Add-ons" dialog via the toolbar button shown here: https://code.google.com/p/zap-extensions/
Hover over the "Plug-n-Hack Configuration" line in the ZAP "Manage Add-ons" dialog and let us know what version is reported.

Thanks

[Charles Radley]

On Monday, March 9, 2015 at 1:17:36 PM UTC-7, Simon Bennetts wrote:

What we need to know is the version of the _ZAP_ add-on.
In ZAP open the "Manage Add-ons" dialog via the toolbar button shown here: https://code.google.com/p/zap-extensions/
Hover over the "Plug-n-Hack Configuration" line in the ZAP "Manage Add-ons" dialog and let us know what version is reported.

Thanks

OK, in Zap it shows version 7, see screen shot below

there might be a corporate firewall issue here, I am talking to my IT folks about it .... see screen shot below:

 

[Simon Bennetts]

Ah ha.
Is your browser configured to talk connect directly to a corporate proxy, even for connections to localhost?

[Charles Radley]

It will take a while for the help desk to figure this out.  Will respond later, thanks.

[Charles Radley]

I am still totally stuck on this, no further forward.  I have heard nothing from my local help desk, and since they are not familiar with ZAP I am not sure if they would be able to help, I do not even know what questions I should ask them.

I am reading up about Firefox proxy stuff,  I see mention of something called a proxy.pac file ... but when I search my system I cannot find such an animal .... does that matter ?

C:\>dir /s PROXY.PAC

 Volume in drive C is Fixed Drive

 Volume Serial Number is 6832-9021

File Not Found

C:\>dir /s /ah PROXY.PAC

 Volume in drive C is Fixed Drive

 Volume Serial Number is 6832-9021

File Not Found

Any thoughts on how I can move the process forwards ?

Do I need to ask my security people to open up port 7070 ?

I made sure I was running as admin when installing add-on into Firefox.

I note that the proxy setting was not included into the FF settings by the install.   When I put the setting into FF manually, it is not persistent.     that is,   when I restart the FF browser,  the radio button for "automatic proxy configuration URL"  becomes unchecked, and the "Auto-detect proxy settings for this network" becomes checked.

Thoughts on that ?

Here is a screen shot of my proxy setting screen:

Thanks,

CFR.

[kingthorin+owaspzap]

Is ZAP's local proxy configured for port 7070? When you have ZAP running and visit http://localhost:7070/pnh what do you see?

[Charles Radley]

On Wednesday, March 11, 2015 at 10:32:08 AM UTC-7, kingthorin+owaspzap wrote:

Is ZAP's local proxy configured for port 7070? When you have ZAP running and visit http://localhost:7070/pnh what do you see?

Hello,

here is screen shot which I think I posted before:

 

[kingthorin+owaspzap]

Sorry, yup I missed that, shoulda scrolled back.

Can you launch an command prompt (as admin) and do a:
netstat -anb

You should see something like:
 TCP    127.0.0.1:7070         0.0.0.0:0              LISTENING
[javaw.exe]

There's a chance you'll see it listening but that it could still be blocked by your local firewall. But it's a good first check.

[Charles Radley]

please see attached text file netstat-anb.txt for response to netstat -anb

Thanks,

CFR.

[kingthorin+owaspzap]

Ok, so if ZAP was running it wasn't listening on 7070... looks like you've got java running for other stuff with various connection states.

You could add -o (or -anbo) which would give you process IDs which you could then match more specifically to windows task manager (so you'd know exactly which java process is actually ZAP's and therefore what port it's listening on...if it is). Note: in task manager you might need to go 'View:Select Columns' then check CommandLine so that you can see which javaw.exe is ZAP's (since you seem to have other java stuff running).

[Charles Radley]

Hello,

Here is screenshot of the task manager, there is only one java process running

Attached is new netstat file.

Thanks,

CFR

[Simon Bennetts]

I'm now confused :/

At the start you implied that you were able to install the pnh add-on - was that via the "Plug-n-Hack" button on the ZAP Quick Start panel?
If so, does using that button open your browser and display a page related to pnh?

If you open the ZAP Options and select "Local proxy" what values are configured? (the defaults are "localhost" and "8080")

Are there any errors in the zap.log file (https://code.google.com/p/zaproxy/wiki/FAQhelp#Check_the_log_file)

Cheers,

Simon

[Charles Radley]

On Thursday, March 12, 2015 at 2:22:52 AM UTC-7, Simon Bennetts wrote:

I'm now confused :/

At the start you implied that you were able to install the pnh add-on - was that via the "Plug-n-Hack" button on the ZAP Quick Start panel?
If so, does using that button open your browser and display a page related to pnh?

Yes I used both methods, i.e. both the plug-n-hack button, and also pointing the FF browser to the specified URL.

Both took me through an identical FF setup wizard that completed without displaying any errors.

Once the wizard is completed this is what displays [see screen shot]:

 

If you open the ZAP Options and select "Local proxy" what values are configured? (the defaults are "localhost" and "8080")

Yes it is displaying the defaults.

 

Are there any errors in the zap.log file (https://code.google.com/p/zaproxy/wiki/FAQhelp#Check_the_log_file)

I do not see any log file errors related to the pnh install process  

I am working with my local support desk department to see if there are corporate security policies getting in the way.

 

It looks like we will have to initiate a corporate review process to determine if the tool will play with our corporate policies setup, that could take a considerable time and involve a lot of people.

Oh the joys of working for a big corporation.

I remember when I worked at a major Wall Street investment bank I had to get special permission to install perl on my work station, I am not making this up  :-)  

Thanks,

CFR.

[Simon Bennetts]

So if its running on the defaults .. what happens if you point your browser at http://localhost:8080/
Do you see the ZAP 'Welcome' page?

Cheers,

Simon

[Charles Radley]

On Thursday, March 12, 2015 at 11:02:22 AM UTC-7, Simon Bennetts wrote:

So if its running on the defaults .. what happens if you point your browser at http://localhost:8080/
Do you see the ZAP 'Welcome' page?

Cheers,

Simon

Yes, welcome page is apparent, see screen shot bow.

 

[Charles Radley]

From that welcome page, when I click on the link to the PAC file it displays the following in the FF browser:

URL: http://localhost:8080/OTHER/core/other/proxy.pac

function FindProxyForURL(url, host) { return "PROXY localhost:8080"; } // End of function 

[Simon Bennetts]

What happens if you configure Firefox to use ZAP manually: https://code.google.com/p/zaproxy/wiki/HelpStartProxies (hopefully this is fairly up to date)
Can you then proxy via ZAP?
In order to correctly proxy https sites you'll need to import the ZAP root CA as a trusted root cert in Firefox.

Cheers,

Simon