How do I configure ZAP so that it sends its requests to an outgoing (upstream) NTLM proxy?


ne...@halloleo.hailmail.net

Feb 3, 2014, 2:04:23 AM
to zaprox...@googlegroups.com
I want to use ZAP in a way that it forwards all requests to another outgoing proxy server. This outgoing proxy authenticates via NTLM.

I've put the upstream proxy's IP address and port in the Connection Screen under Use Proxy chain plus the user credentials for the upstream proxy under Outgoing Proxy requires Authentication.

Still, when I point my browser at 127.0.0.1 I get in the browser "ZAP Error: Permission denied: connect" and the history in ZAP lists for that URL a "504 Gateway Time Out". However, when I point the browser straight at the upstream proxy everything works fine.

What am I missing? How can I troubleshoot this?

Many thanks, Leo

Simon Bennetts

Feb 4, 2014, 5:44:12 AM
to zaprox...@googlegroups.com
Try putting the user NTLM credentials in the "Authentication" options.
NTLM support is limited in ZAP right now, so I can't promise it will work.

Cheers,

Simon

ne...@halloleo.hailmail.net

Feb 4, 2014, 6:29:21 AM
to zaprox...@googlegroups.com
Thanks Simon.

I tried putting the NTLM credentials in the Auth options - to no avail.

Strangely, when I write a separate Java program which calls the standard java.net.URL.openStream, I can retrieve stuff from the Internet without any problem when I set the system properties http.proxyHost and http.proxyPort. E.g.

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.net.URL;

    public class ProxyFetch {
        // Plain-HTTP requests go via the upstream proxy named in the system properties; on
        // Windows the JDK answers the proxy's NTLM challenge with the logged-on user's credentials.
        static void getUrl(String urlText) throws IOException {
            System.setProperty("http.proxyHost", "192.168.80.81");
            System.setProperty("http.proxyPort", "3129");

            URL url = new URL(urlText);
            try (BufferedReader in = new BufferedReader(new InputStreamReader(url.openStream()))) {
                String line;
                while ((line = in.readLine()) != null) {
                    System.out.println(line);
                }
            }
        }

        public static void main(String[] args) throws IOException {
            getUrl(args.length > 0 ? args[0] : "http://example.com/");
        }
    }

works perfectly - the system hands the NTLM credentials to the upstream/outgoing proxy. Anything like this possible with ZAP?

Many thanks, Leo

Simon Bennetts

Feb 4, 2014, 8:43:16 AM
to zaprox...@googlegroups.com
You could try just configuring ZAP with the proxy and not the credentials.
You can also set those system properties on the command line when you run ZAP, but that should just have the same effect.

thc...@gmail.com

Feb 4, 2014, 10:45:36 AM
to zaprox...@googlegroups.com
Hi.

Which ZAP version are you using?

Are you leaving the "Realm" field empty? (the "Realm" is used as domain in NTLM auth)


> How can I troubleshoot this?
The best way is to provide the log file with an authentication attempt (you might need to obfuscate sensitive information, although it would be better to leave, at least, the NTLM challenge message).
First you have to change the log4j.properties file (located in ZAP's default directory [1]).
You need to add the following line to the end of the file:
log4j.logger.httpclient.wire.header=DEBUG

and change the line:
log4j.logger.org.apache.commons.httpclient=ERROR
to:
log4j.logger.org.apache.commons.httpclient=DEBUG


> NTLM support is limited in ZAP right now, so I can't promise it will work.
In theory the NTLM authentication should be working fine (or a lot better) since version 2.2.0.


[1] https://code.google.com/p/zaproxy/wiki/FAQconfig

Best regards.
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
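The challenge in that wire log is worth decoding rather than only pasting, because it says what the proxy expects: in a type 2 (CHALLENGE_MESSAGE) with the NTLMSSP_TARGET_TYPE_DOMAIN flag set, TargetName is the domain the proxy authenticates against, which is the value thc202 says goes in the Realm field, and the TargetInfo block repeats it alongside the proxy's host names. The following Python is an added example written for this page; it is not ZAP code and not from anyone in this thread. It parses a "Proxy-Authenticate: NTLM <base64>" header line (the form the header has on the wire, and how it shows up in the httpclient header log) into the message's named fields following the MS-NLMP layout. The sample header it decodes is constructed inline with a build_challenge helper (domain CORPDOM, host PROXY01, challenge 0123456789abcdef); none of those values come from the thread.

```python
import base64
import struct
from typing import Optional

# NegotiateFlags bits (MS-NLMP 2.2.2.5) needed to read a CHALLENGE_MESSAGE.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

# AV_PAIR ids in the TargetInfo block (MS-NLMP 2.2.2.1); 0 (MsvAvEOL) ends the list.
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName",
            5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 7: "MsvAvTimestamp"}
AV_STRING_IDS = {1, 2, 3, 4, 5}          # these values are always UTF-16LE


def parse_challenge(msg: bytes) -> dict:
    """Decode an NTLM type 2 (CHALLENGE_MESSAGE) into its named fields."""
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE_MESSAGE (type 2), got type {msg_type}")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    (flags,) = struct.unpack_from("<I", msg, 20)
    server_challenge = msg[24:32]                                     # 8-byte nonce
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    if tn_off + tn_len > len(msg) or ti_off + ti_len > len(msg):
        raise ValueError("payload offsets point outside the message")

    unicode = bool(flags & NTLMSSP_NEGOTIATE_UNICODE)
    target_name = msg[tn_off:tn_off + tn_len].decode("utf-16-le" if unicode else "ascii")

    target_info = {}
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        name = AV_NAMES.get(av_id, f"MsvAv{av_id}")
        if av_id in AV_STRING_IDS:
            target_info[name] = value.decode("utf-16-le")
        elif av_id == 7 and av_len == 8:
            target_info[name] = struct.unpack("<Q", value)[0]        # FILETIME
        else:
            target_info[name] = value.hex()

    return {
        "target_name": target_name,
        "target_is_domain": bool(flags & NTLMSSP_TARGET_TYPE_DOMAIN),
        "flags": flags,
        "server_challenge": server_challenge.hex(),
        "target_info": target_info,
    }


def parse_proxy_authenticate(header_line: str) -> Optional[dict]:
    """Decode 'Proxy-Authenticate: NTLM <base64>'; None for the bare 'NTLM' that opens the handshake."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "proxy-authenticate":
        raise ValueError("not a Proxy-Authenticate header")
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError(f"unsupported scheme {scheme!r}")
    if not token.strip():
        return None
    return parse_challenge(base64.b64decode(token.strip()))


def build_challenge(target_name: str, av_pairs: list, server_challenge: bytes) -> bytes:
    """Assemble a minimal type 2 message; used here only to construct the sample data."""
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
             | NTLMSSP_TARGET_TYPE_DOMAIN | NTLMSSP_NEGOTIATE_TARGET_INFO)
    name = target_name.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in av_pairs)
    info += struct.pack("<HH", 0, 0)                 # MsvAvEOL
    tn_off = 48                                      # fixed header without the Version field
    ti_off = tn_off + len(name)
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", len(name), len(name), tn_off)
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 8
            + struct.pack("<HHI", len(info), len(info), ti_off)
            + name + info)


# Constructed sample (not from the thread): the header line a wire log might show.
SAMPLE_TOKEN = base64.b64encode(build_challenge(
    "CORPDOM",
    [(2, "CORPDOM".encode("utf-16-le")), (1, "PROXY01".encode("utf-16-le")),
     (4, "corp.example".encode("utf-16-le")), (3, "proxy01.corp.example".encode("utf-16-le"))],
    bytes.fromhex("0123456789abcdef"),
)).decode("ascii")
SAMPLE_HEADER = "Proxy-Authenticate: NTLM " + SAMPLE_TOKEN

if __name__ == "__main__":
    import json
    print(json.dumps(parse_proxy_authenticate(SAMPLE_HEADER), indent=2))
```

To use it on a real log, paste the Proxy-Authenticate line from the httpclient.wire.header output into parse_proxy_authenticate; the server_challenge field is the only per-connection secret-ish value in a type 2 message, which is why it is fine to leave in a log sent to the list while the type 3 response (which carries the hashed credentials) is not.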

ne...@halloleo.hailmail.net

Feb 4, 2014, 10:10:35 PM
to zaprox...@googlegroups.com
Thanks thc202

I downloaded the latest stable version.

I think I did set the Realm to the Realm the upstream proxy returns on challenge. But I do set the credentials as well.

I will try without setting the credentials and switch on logging. - I'll keep you posted.

Thanks again, Leo

thc...@gmail.com

Mar 3, 2014, 12:17:29 AM
to zaprox...@googlegroups.com
Hi.

Just want to confirm that this problem is already resolved and if possible to know what was the solution.

Thanks!
Best regards.

ne...@halloleo.hailmail.net

Mar 5, 2014, 8:12:24 PM
to zaprox...@googlegroups.com
Hi thc202

Yes, I managed to point ZAP at an upstream NTLM proxy. I did this by adding the connection details and authentication credentials in the Options.

However the remaining problem is HTTPS: As described in another thread ZAP does NOT seem to allow passing through HTTPS traffic and keeping the original SSL certificates.

HTH, Leo

thc...@gmail.com

Mar 13, 2014, 12:35:52 AM
to zaprox...@googlegroups.com
Hi.

OK, thanks for letting us know.

Regarding the HTTPS problem, the only alternative that I'm seeing right now is to allow passing through all the traffic, for a given host/port, when a new CONNECT is received. Although that wouldn't give you any control on what is being passed through (it could contain non-HTTPS traffic too).

Best regards.
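The pass-through design described in the reply above, as an added example written for this page (not ZAP code, and not what the project later shipped): a minimal CONNECT proxy in Python that, for (host, port) pairs on an allowlist, answers "200 Connection established" and then relays bytes in both directions without inspecting them, and refuses every other CONNECT. It connects to the target directly; the upstream NTLM hop that ZAP would add is omitted here. The allowlist, the loopback echo server standing in for the far end, and the payload are constructed for the demo. The round trip deliberately uses plain text, which is exactly the caveat in the reply: a pass-through tunnel carries whatever the client sends, TLS or not.

```python
import socket
import threading

def parse_connect(head):
    """Return (host, port) from the request line of a CONNECT request head."""
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError(f"not a CONNECT request: {parts!r}")
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"bad authority: {parts[1]!r}")
    return host.strip("[]"), int(port)

def read_head(sock):
    """Read up to the blank line ending the headers; also return any bytes sent early."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before the head was complete")
        buf += chunk
        if len(buf) > 16384:
            raise ValueError("head too large")
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest

def pump(src, dst):
    """Relay bytes one way until EOF. Nothing is parsed: TLS or not, it all goes through."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF to the other side
        except OSError:
            pass

def reply(sock, status):
    try:
        sock.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: 0\r\n\r\n")
    except OSError:
        pass

def handle_client(client, passthrough):
    """Tunnel a CONNECT for a listed (host, port); answer anything else with an error."""
    with client:
        try:
            head, early = read_head(client)
            host, port = parse_connect(head)
        except (ValueError, ConnectionError):
            return reply(client, b"400 Bad Request")
        if (host, port) not in passthrough:      # the only policy this proxy applies
            return reply(client, b"403 Forbidden")
        try:
            target = socket.create_connection((host, port), timeout=5)
        except OSError:
            return reply(client, b"502 Bad Gateway")
        with target:
            target.settimeout(None)
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            if early:                            # bytes the client sent before our 200
                target.sendall(early)
            back = threading.Thread(target=pump, args=(target, client), daemon=True)
            back.start()
            pump(client, target)
            back.join()

def serve(listener, handler, *args):
    """Accept loop; ends when the listener is closed."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn, *args), daemon=True).start()

def echo(conn):
    """Stand-in for the far end: a plain TCP echo server, no TLS at all (constructed)."""
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)

def listen_loopback():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(8)
    return s

def run_demo(payload=b"hello through the tunnel, not TLS"):
    """Loopback demo: one tunnelled exchange with the echo server, one refused CONNECT."""
    echo_l, proxy_l = listen_loopback(), listen_loopback()
    echo_port, proxy_port = echo_l.getsockname()[1], proxy_l.getsockname()[1]
    threading.Thread(target=serve, args=(echo_l, echo), daemon=True).start()
    threading.Thread(target=serve, args=(proxy_l, handle_client, {("127.0.0.1", echo_port)}),
                     daemon=True).start()
    out = {}
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as c:
        c.sendall(f"CONNECT 127.0.0.1:{echo_port} HTTP/1.1\r\nHost: 127.0.0.1:{echo_port}\r\n\r\n".encode())
        head, got = read_head(c)
        out["status"] = head.split(b"\r\n", 1)[0]
        c.sendall(payload)
        while len(got) < len(payload) and (chunk := c.recv(4096)):
            got += chunk
        out["echoed"] = got
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as c:
        c.sendall(b"CONNECT 203.0.113.10:443 HTTP/1.1\r\nHost: 203.0.113.10:443\r\n\r\n")
        out["refused"] = read_head(c)[0].split(b"\r\n", 1)[0]
    echo_l.close()
    proxy_l.close()
    return out

if __name__ == "__main__":
    print(run_demo())
```

The allowlist check is the whole of the control you keep: once the 200 has been sent, pump() never looks at a byte again, so anything the client chooses to speak on that port is relayed as-is.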

ne...@halloleo.hailmail.net

Mar 17, 2014, 7:43:55 PM
to zaprox...@googlegroups.com
Hi Simon


> Regarding the HTTPS problem, the only alternative that I'm seeing right now is to allow passing through all the traffic, for a given host/port, when a new CONNECT is received. Although that wouldn't give you any control on what is being passed through (it could contain non-HTTPS traffic too).

That's exactly what I need! I use ZAP just as a Java-based, NTLM-authenticating proxy. No need to inspect the traffic. 

Cheers, Leo

ne...@halloleo.hailmail.net

Apr 3, 2014, 2:23:08 AM
to zaprox...@googlegroups.com
Hi there

Anything possible here? I looked for other Java-based proxies, but ZAP seems to be the only one under current development which does NTLM. Just a shame about the HTTPS side of things...

Regards, Leo

Simon Bennetts

Apr 7, 2014, 7:30:50 AM
to zaprox...@googlegroups.com
Have you tried the latest ZAP weekly release?
If so do you get the same errors?

Cheers,

Simon

ne...@halloleo.hailmail.net

Apr 8, 2014, 1:41:25 AM
to zaprox...@googlegroups.com
Mmmmh, I've checked it: Version ZAP D-2014-04-07 still doesn't seem to pass certificates through...

kingthorin+owaspzap

Apr 8, 2014, 10:09:10 AM
to zaprox...@googlegroups.com
What version of Java are you using?

ne...@halloleo.hailmail.net

Apr 14, 2014, 9:09:02 PM
to zaprox...@googlegroups.com
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)