Problems setting up ZAP on EC2

Miguel

Mar 10, 2025, 4:50:27 PM
to ZAP User Group
Hello Everyone,

I've been trying to set up ZAP as a daemon on an EC2 instance (Ubuntu), with the following command:

./zap.sh -daemon -port 8080 -host 0.0.0.0 -config network.localServers.mainProxy.behindNat=true -loglevel debug

And this works if I do a wget directly on localhost:8080, retrieving the normal ZAP website.
However, if I try doing the same from my computer to the EC2 instance public IP (same port), it shows me the following message:

Failed to read http://SOMEIP:8080/ within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.

Any ideas of what I'm doing wrong here? I will also attach the debug message from ZAP:

########LOGS######## 
####SOMEIP = Public IP of ec2

59358 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache - A timeout occurred while sending the request:
org.apache.hc.client5.http.ConnectTimeoutException: Connect to http://SOMEIP:8080 [/SOMEIP] failed: Connect timed out
        at java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:551) ~[?:?]
        at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:602) ~[?:?]
        at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327) ~[?:?]
        at java.base/java.net.Socket.connect(Socket.java:633) ~[?:?]
        at org.apache.hc.client5.http.socket.PlainConnectionSocketFactory.lambda$connectSocket$0(PlainConnectionSocketFactory.java:85) ~[?:?]
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:569) ~[?:?]
        at org.apache.hc.client5.http.socket.PlainConnectionSocketFactory.connectSocket(PlainConnectionSocketFactory.java:84) ~[?:?]
        at org.apache.hc.client5.http.socket.ConnectionSocketFactory.connectSocket(ConnectionSocketFactory.java:113) ~[?:?]
        at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:181) ~[?:?]
        at org.apache.hc.client5.http.impl.io.ZapHttpClientConnectionOperator.connect(ZapHttpClientConnectionOperator.java:95) ~[?:?]
        at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:447) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:162) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:172) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:142) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ZapProtocolExec.execute(ZapProtocolExec.java:179) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ZapHttpRequestRetryExec.execute(ZapHttpRequestRetryExec.java:81) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.ZapInternalHttpClient.doExecute(ZapInternalHttpClient.java:173) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245) ~[?:?]
        at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188) ~[?:?]
        at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl0(HttpSenderApache.java:486) ~[?:?]
        at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:365) ~[?:?]
        at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:116) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendRateLimited(BaseHttpSender.java:415) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAuthenticated(BaseHttpSender.java:383) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendNoRedirections(BaseHttpSender.java:351) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.send(BaseHttpSender.java:307) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:278) ~[?:?]
        at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:234) ~[?:?]
        at org.parosproxy.paros.network.HttpSender.sendImpl(HttpSender.java:536) ~[zap-2.16.0.jar:2.16.0]
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:356) ~[zap-2.16.0.jar:2.16.0]
        at org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler.handleMessage(HttpSenderHandler.java:78) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:151) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:131) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.LocalServerHandler.processMessage(LocalServerHandler.java:67) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:94) ~[?:?]
        at org.zaproxy.addon.network.internal.server.http.MainServerHandler.lambda$channelRead0$0(MainServerHandler.java:82) ~[?:?]
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [network-beta-0.21.0.zap:?]
        at java.base/java.lang.Thread.run(Thread.java:840) [?:?]
59361 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Received response after 20019ms for GET http://SOMEIP:8080/favicon.ico
59361 [ZAP-IO-Server-1-1] WARN  org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler - Failed to read http://SOMEIP:8080/favicon.ico within 20 seconds, check to see if the site is available and if so consider adjusting ZAP's read time out in the Connection options panel.
79358 [ZAP-IO-2-1] DEBUG org.zaproxy.addon.network.internal.handlers.ServerExceptionHandler - Timed out while reading message.

####################

Any help will be appreciated.
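
An added example, not part of the original post and not ZAP project code: the stack trace above runs from HttpSenderHandler.handleMessage down to a connect to http://SOMEIP:8080, so ZAP took the incoming request as one to forward to that address. This Python script flags such entries in a ZAP debug log; the sample lines are constructed from the log above with 203.0.113.10 (a documentation address) standing in for SOMEIP, and the function name and its parameters are assumptions.

```python
import re

# Outbound connect failure written by ZAP's HTTP sender (format as in the log above).
CONNECT_FAIL = re.compile(
    r"ConnectTimeoutException: Connect to https?://(?P<host>[^:/\s]+):(?P<port>\d+) "
    r".*failed:")
# Warning written by the local proxy handler when a forwarded request fails.
FORWARD_FAIL = re.compile(
    r"HttpSenderHandler - Failed to read (?P<scheme>https?)://(?P<host>[^:/\s]+)"
    r"(?::(?P<port>\d+))?\S* within (?P<secs>\d+) seconds")

# Constructed sample: lines 1-3 follow the log above, line 4 is an unrelated control.
SAMPLE_LOG = """\
59358 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache - A timeout occurred while sending the request:
org.apache.hc.client5.http.ConnectTimeoutException: Connect to http://203.0.113.10:8080 [/203.0.113.10] failed: Connect timed out
59361 [ZAP-IO-Server-1-1] WARN  org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler - Failed to read http://203.0.113.10:8080/favicon.ico within 20 seconds, check to see if the site is available
60112 [ZAP-IO-Server-1-2] WARN  org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler - Failed to read http://198.51.100.7/ within 20 seconds, check to see if the site is available
"""

def find_self_forwarding(log_text, own_addresses, listen_port):
    """Return log entries where ZAP tried to forward a request to its own listener.

    own_addresses: addresses the operator knows route to this ZAP instance.
    listen_port:   the value passed to -port.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for kind, pattern in (("connect", CONNECT_FAIL), ("forward", FORWARD_FAIL)):
            m = pattern.search(line)
            if not m:
                continue
            # CONNECT_FAIL has no scheme group; the port is always explicit there.
            scheme = m.groupdict().get("scheme", "http")
            port = int(m["port"] or (443 if scheme == "https" else 80))
            if m["host"] in own_addresses and port == listen_port:
                findings.append({"line": lineno, "kind": kind,
                                 "target": f'{m["host"]}:{port}'})
    return findings

if __name__ == "__main__":
    for f in find_self_forwarding(SAMPLE_LOG, {"203.0.113.10"}, 8080):
        print(f"line {f['line']}: ZAP tried to {f['kind']} to itself at {f['target']}")
```

A hit means the request reached ZAP and ZAP then opened a new connection to the same address and port instead of answering it locally.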


Simon Bennetts

Mar 17, 2025, 1:46:17 PM
to ZAP User Group
Sorry, I'm confused.

What happens if you try to access a site like www.example.com from the EC2 instance using curl or wget?

Cheers,

Simon

Miguel

Mar 17, 2025, 7:15:15 PM
to ZAP User Group
Hello,

The instance still has access to the internet. The thing is, when I try to reach the EC2 instance from my local computer, it shows me that message.


2.png

1.png

Thanks in advance!

Simon Bennetts

Mar 18, 2025, 8:44:43 AM
to ZAP User Group
OK, so you can connect to Facebook from the EC2 command line.
Can you also access the site that you redacted from the command line?

Miguel

Mar 18, 2025, 9:16:46 AM
to ZAP User Group
Well, I'm trying to reach the default ZAP page from my local machine; from the EC2 CLI I can reach it, as you can see.

3.png

Simon Bennetts

Mar 18, 2025, 10:50:12 AM
to ZAP User Group

Miguel

Mar 18, 2025, 11:20:46 AM
to ZAP User Group
Thanks!

I've checked the article and I think I'm doing every step as permissive as possible. This is how I launch ZAP; am I missing something here?

4.png

Simon Bennetts

Mar 18, 2025, 1:02:17 PM
to ZAP User Group
That looks OK.
But you'll also need to configure AWS to allow external connections. That's not my area of expertise.

Miguel

Mar 18, 2025, 7:06:44 PM
to ZAP User Group
Yes, that's true, but I think that the networking part of the EC2 instance is also "open", given that I have access to the instance through port 8080, only from the IP of my local network, and as you can see, I can reach the ZAP service from my local machine. Checking the logs I've found this. Any ideas of what could be happening?

By the way, the blank spaces are the public IP of the EC2 instance.
5.png

Simon Bennetts

Mar 24, 2025, 1:29:23 PM
to ZAP User Group
Can anyone else running ZAP in EC2 chip in here?
It's not something I've played around with for a while.

Cheers,

Simon
