ZAProxy: How to access web applications which use a digital certificate for client authentication?


Nanda Gopal M

Mar 2, 2017, 11:28:13 PM
to OWASP ZAP User Group
We have a web application which uses client digital certificates to authenticate users. This gets loaded into the browser's certificates (Tools > Options > Advanced > Network > Settings > Certificates). The certificate is in PKCS#12 format (.p12).

I need to capture the browser traffic for the application using the ZAProxy tool. To achieve this, I tried the approach below, along with the regular ZAProxy settings, and was unsuccessful. Would you help me understand what was wrong?


Approach:

Load the PKCS#12 certificate under certificates (Tools > Options > Certificate)

   a. Check 'Enable unsafe SSL/TLS renegotiation' checkbox

   b. Check 'Use client certificate' checkbox

   c. Load PKCS#12 under PKCS#12 tab

   d. Select and click 'Set Active' under Keystore tab


I also configured other regular ZAProxy settings (Tools > Options):

a. Connection:

  i. Specified correct Default User Agent

  ii. Configured our company's proxy chain (Domain & Port)

b. Dynamic SSL Certificate - Did nothing. Used the default certificate that came with ZAProxy

c. Local Proxy: Configured Address-> localhost & Port->8080

d. Configured browser proxy settings to localhost & 8080

Note: I am able to capture other web sites' requests. However, I am unable to capture the application which uses the digital certificate.

I also looked at ZAProxy's smartcard page (https://github.com/zaproxy/zaproxy/wiki/SmartCards) but couldn't get anything out of it.

kingthorin+owaspzap

Mar 3, 2017, 4:46:50 AM
to OWASP ZAP User Group
Do you get any errors? If you haven't configured the client cert are you able to connect? Did you install ZAP CA cert in your browser?

Have you got client cert access working outside ZAP?

Nanda Gopal M

Mar 6, 2017, 12:26:28 AM
to OWASP ZAP User Group
Hi,

Thanks for checking on this issue.

I encounter the errors below in the ZAP logs; please also find my answers to the other questions.

If you haven't configured the client cert are you able to connect?
NG: No, I can't connect to the application without the client cert.

Did you install ZAP CA cert in your browser?
NG: Yes (I did cross-check under Authorities, and it's in place).

Have you got client cert access working outside ZAP?
NG: Yes. I am able to access the application without routing through ZAProxy (i.e. without setting the browser connection to localhost).



319715 [ZAP-ProxyThread-2] WARN org.parosproxy.paros.core.proxy.ProxyThread  - Failed to write/forward the HTTP response to the client: java.net.SocketException: Software caused connection abort: socket write error
384633 [Thread-25] INFO hsqldb.db..ENGINE  - dataFileCache CACHE SIZE limit reached
384637 [Thread-25] FATAL hsqldb.db..ENGINE  - C:/Users/XXXXX/OWASP ZAP/session/untitled2.data getFromFile failed 95
org.hsqldb.HsqlException: Data cache size limit is reached: 10000
        at org.hsqldb.error.Error.error(Unknown Source)
        at org.hsqldb.error.Error.error(Unknown Source)
        at org.hsqldb.persist.Cache.put(Unknown Source)
        at org.hsqldb.persist.DataFileCache.getFromFile(Unknown Source)
        at org.hsqldb.persist.DataFileCache.get(Unknown Source)
        at org.hsqldb.persist.RowStoreAVLDisk.get(Unknown Source)
        at org.hsqldb.index.NodeAVLDisk.findNode(Unknown Source)
        at org.hsqldb.index.NodeAVLDisk.getRight(Unknown Source)
        at org.hsqldb.index.NodeAVLDisk.child(Unknown Source)
        at org.hsqldb.index.IndexAVL.insert(Unknown Source)
        at org.hsqldb.persist.RowStoreAVL.indexRow(Unknown Source)
        at org.hsqldb.persist.RowStoreAVLDisk.indexRow(Unknown Source)
        at org.hsqldb.TransactionManager2PL.addInsertAction(Unknown Source)
        at org.hsqldb.Session.addInsertAction(Unknown Source)
        at org.hsqldb.Table.insertSingleRow(Unknown Source)
        at org.hsqldb.StatementDML.insertSingleRow(Unknown Source)
        at org.hsqldb.StatementInsert.getResult(Unknown Source)
        at org.hsqldb.StatementDMQL.execute(Unknown Source)
        at org.hsqldb.Session.executeCompiledStatement(Unknown Source)
        at org.hsqldb.Session.execute(Unknown Source)
        at org.hsqldb.jdbc.JDBCPreparedStatement.fetchResult(Unknown Source)
        at org.hsqldb.jdbc.JDBCPreparedStatement.executeUpdate(Unknown Source)
        at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source)
        at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source)
        at org.parosproxy.paros.model.HistoryReference.<init>(Unknown Source)
        at org.parosproxy.paros.extension.history.ProxyListenerLog.createHistoryReference(Unknown Source)
        at org.parosproxy.paros.extension.history.ProxyListenerLog.createAndAddMessage(Unknown Source)
        at org.parosproxy.paros.extension.history.ProxyListenerLog.access$000(Unknown Source)
        at org.parosproxy.paros.extension.history.ProxyListenerLog$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
384660 [Thread-25] WARN org.parosproxy.paros.extension.history.ProxyListenerLog  - java.sql.SQLException: Data cache size limit is reached: 10000
org.parosproxy.paros.db.DatabaseException: java.sql.SQLException: Data cache size limit is reached: 10000
        at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source)
        at org.parosproxy.paros.model.HistoryReference.<init>(Unknown Source)
        at org.parosproxy.paros.extension.history.ProxyListenerLog.createHistoryReference(Unknown Source)
        at org.parosproxy.paros.extension.history.ProxyListenerLog.createAndAddMessage(Unknown Source)
        at org.parosproxy.paros.extension.history.ProxyListenerLog.access$000(Unknown Source)
        at org.parosproxy.paros.extension.history.ProxyListenerLog$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: java.sql.SQLException: Data cache size limit is reached: 10000
        at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
        at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
        at org.hsqldb.jdbc.JDBCPreparedStatement.fetchResult(Unknown Source)
        at org.hsqldb.jdbc.JDBCPreparedStatement.executeUpdate(Unknown Source)
        at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source)
        ... 7 more
Caused by: org.hsqldb.HsqlException: Data cache size limit is reached: 10000
        at org.hsqldb.error.Error.error(Unknown Source)
        at org.hsqldb.error.Error.error(Unknown Source)
        at org.hsqldb.persist.Cache.put(Unknown Source)
        at org.hsqldb.persist.DataFileCache.getFromFile(Unknown Source)
        at org.hsqldb.persist.DataFileCache.get(Unknown Source)
        at org.hsqldb.persist.RowStoreAVLDisk.get(Unknown Source)
        at org.hsqldb.index.NodeAVLDisk.findNode(Unknown Source)
        at org.hsqldb.index.NodeAVLDisk.getRight(Unknown Source)
        at org.hsqldb.index.NodeAVLDisk.child(Unknown Source)
        at org.hsqldb.index.IndexAVL.insert(Unknown Source)
        at org.hsqldb.persist.RowStoreAVL.indexRow(Unknown Source)
        at org.hsqldb.persist.RowStoreAVLDisk.indexRow(Unknown Source)
        at org.hsqldb.TransactionManager2PL.addInsertAction(Unknown Source)
        at org.hsqldb.Session.addInsertAction(Unknown Source)
        at org.hsqldb.Table.insertSingleRow(Unknown Source)
        at org.hsqldb.StatementDML.insertSingleRow(Unknown Source)
        at org.hsqldb.StatementInsert.getResult(Unknown Source)
        at org.hsqldb.StatementDMQL.execute(Unknown Source)
        at org.hsqldb.Session.executeCompiledStatement(Unknown Source)
        at org.hsqldb.Session.execute(Unknown Source)
        ... 10 more
384707 [ZAP-ProxyThread-17] WARN org.parosproxy.paros.core.proxy.ProxyThread  - Failed to write/forward the HTTP response to the client: java.net.SocketException: Connection reset by peer: socket write error
452543 [AWT-EventQueue-0] INFO org.parosproxy.paros.network.SSLConnector  - ClientCert enabled using: X:X:X:X:X:X:X:X:X:X:X:X:X:X:X:X EMAILADDRESS=xx...@sample.com, CN=xxxxxxx, OU=Sample, O=XXXXX Corporation, L=ATL, ST=GE, C=US
637227 [ZAP-ProxyThread-90] ERROR org.apache.commons.httpclient.HttpMethodDirector  - Out of sequence NTLM response message
org.apache.commons.httpclient.auth.MalformedChallengeException: Out of sequence NTLM response message
        at org.zaproxy.zap.network.ZapNTLMScheme.processChallenge(Unknown Source)
        at org.apache.commons.httpclient.auth.AuthChallengeProcessor.processChallenge(AuthChallengeProcessor.java:162)
        at org.apache.commons.httpclient.HttpMethodDirector.processWWWAuthChallenge(Unknown Source)
        at org.apache.commons.httpclient.HttpMethodDirector.processAuthenticationResponse(Unknown Source)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
        at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
        at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
        at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
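The log extract above mixes events from three unrelated loggers (the HSQLDB session store, the SSLConnector that activates the client certificate, and the HttpClient NTLM challenge handler), so the first thing worth doing is to put them in order. The script below is an added example, not from this thread and not part of ZAP: it groups a zap.log extract of this shape into events (a header line plus its stack-trace continuation lines) and reports what happened when. It assumes the header layout `<millis> [<thread>] LEVEL logger  - message` seen in the paste, treats the leading number as the relative time in milliseconds, and runs on sample lines constructed from the ones quoted above with the traces shortened.

```python
"""Triage helper for zap.log extracts like the one pasted in this thread.

Added example (not part of the thread or of ZAP). Groups Java-style log
lines into events and reports the facts a reviewer of this log checks.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header layout assumed from the paste: "<millis> [<thread>] <LEVEL> <logger>  - <message>"
HEADER = re.compile(
    r"^(\d+) \[([^\]]+)\] (TRACE|DEBUG|INFO|WARN|ERROR|FATAL) (\S+)\s+- (.*)$")


@dataclass
class Event:
    millis: int
    thread: str
    level: str
    logger: str
    message: str
    trace: List[str] = field(default_factory=list)  # exception / "at ..." / "Caused by" lines


def parse_zap_log(text: str) -> List[Event]:
    """Attach every non-header line to the most recent header event; skip blanks."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            millis, thread, level, logger, msg = m.groups()
            events.append(Event(int(millis), thread, level, logger, msg))
        elif events:
            events[-1].trace.append(line)
    return events


def root_cause(ev: Event) -> Optional[str]:
    """Innermost 'Caused by:' if present, else the first exception line of the trace."""
    causes = [t for t in ev.trace if t.startswith("Caused by: ")]
    if causes:
        return causes[-1][len("Caused by: "):]
    for t in ev.trace:
        if not (t.startswith("at ") or t.startswith("... ")):
            return t
    return None


def triage(text: str) -> dict:
    report = {
        "client_cert_enabled_at": None,  # millis of the SSLConnector INFO line
        "db_cache_limit": False,         # HSQLDB "Data cache size limit is reached"
        "ntlm_out_of_sequence": False,   # HttpMethodDirector NTLM challenge failure
        "dropped_responses": 0,          # responses ZAP could not forward to the browser
        "errors": [],                    # (millis, logger, root cause) for ERROR/FATAL
    }
    for ev in parse_zap_log(text):
        joined = ev.message + " " + " ".join(ev.trace)
        if "ClientCert enabled using" in ev.message:
            report["client_cert_enabled_at"] = ev.millis
        if "Data cache size limit is reached" in joined:
            report["db_cache_limit"] = True
        if "Out of sequence NTLM" in ev.message:
            report["ntlm_out_of_sequence"] = True
        if "Failed to write/forward the HTTP response" in ev.message:
            report["dropped_responses"] += 1
        if ev.level in ("ERROR", "FATAL"):
            report["errors"].append((ev.millis, ev.logger, root_cause(ev) or ev.message))
    # Errors logged before the certificate was activated cannot be caused by it.
    t = report["client_cert_enabled_at"]
    report["errors_before_cert"] = t is not None and any(ms < t for ms, _, _ in report["errors"])
    return report


# Constructed sample: lines from the thread with the stack traces shortened.
SAMPLE_LOG = """\
319715 [ZAP-ProxyThread-2] WARN org.parosproxy.paros.core.proxy.ProxyThread  - Failed to write/forward the HTTP response to the client: java.net.SocketException: Software caused connection abort: socket write error
384633 [Thread-25] INFO hsqldb.db..ENGINE  - dataFileCache CACHE SIZE limit reached
384637 [Thread-25] FATAL hsqldb.db..ENGINE  - C:/Users/XXXXX/OWASP ZAP/session/untitled2.data getFromFile failed 95
org.hsqldb.HsqlException: Data cache size limit is reached: 10000
        at org.hsqldb.persist.Cache.put(Unknown Source)
384660 [Thread-25] WARN org.parosproxy.paros.extension.history.ProxyListenerLog  - java.sql.SQLException: Data cache size limit is reached: 10000
org.parosproxy.paros.db.DatabaseException: java.sql.SQLException: Data cache size limit is reached: 10000
        at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source)
Caused by: org.hsqldb.HsqlException: Data cache size limit is reached: 10000
        ... 10 more
384707 [ZAP-ProxyThread-17] WARN org.parosproxy.paros.core.proxy.ProxyThread  - Failed to write/forward the HTTP response to the client: java.net.SocketException: Connection reset by peer: socket write error
452543 [AWT-EventQueue-0] INFO org.parosproxy.paros.network.SSLConnector  - ClientCert enabled using: CN=xxxxxxx, OU=Sample, O=XXXXX Corporation, C=US
637227 [ZAP-ProxyThread-90] ERROR org.apache.commons.httpclient.HttpMethodDirector  - Out of sequence NTLM response message
org.apache.commons.httpclient.auth.MalformedChallengeException: Out of sequence NTLM response message
        at org.zaproxy.zap.network.ZapNTLMScheme.processChallenge(Unknown Source)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows that the HSQLDB cache-limit FATAL and both dropped responses were logged before the `ClientCert enabled using` INFO line at 452543 ms, so they predate the certificate's activation, while the only event after it is an ERROR from HttpMethodDirector's NTLM challenge processing, not from SSLConnector. Those two problems therefore need to be looked at separately from the client-certificate setup. The grouping rule (anything that is not a header line belongs to the previous event) is what keeps multi-line `Caused by:` chains attached to the WARN that produced them.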
