ZAP not honoring hosts file?


Dave Krieger

Sep 30, 2022, 2:49:51 PM
to OWASP ZAP User Group
Exec summary: I'm trying to use ZAP with a client application where the hostname it connects to is hard-coded; I want to direct its traffic to an equivalent penetration-testing backend where it's safe to do active scanning. Despite all configuration looking right, it appears that ZAP is not honoring the hosts file: I'm getting data that indicates the app is still hitting the "real" backend.

Details: 
Let's say that the OS hosts file (Windows\System32\drivers\etc\hosts) is aliasing real.example.com to the IP address for pentest.example.com.
  • I know the hosts file is properly formatted; output from curl -Iv shows the request is being sent to the IP address for pentest.example.com.
  • I know the requests from the application are being correctly proxied through ZAP; they show up in the History tab. (The History tab doesn't have a column for the resolved IP address for each request; there's a request (https://github.com/zaproxy/zaproxy/issues/6723) for that to be added, which is what led me here.)
  • I ruled out Java's DNS resolution as the cause by writing a simple Java program that calls InetAddress.getByName("real.example.com") and it returns the pentest IP address. (This leaves the possibility that ZAP is resolving hostnames some other way, but what I'm reading online shows that honoring the hosts file is the expected behavior.)
  • I know that the proxied requests are being sent to real.example.com; I changed a particular route on pentest.example.com from what's on real, and my requests from within the application are showing the real version.
What might be causing these requests to be going to real rather than pentest? I'm hoping it's something simple (and obvious to an experienced ZAP user, which I am not), like a config setting I missed. (I've cloned the repo and I'm poking around in the code for clues, but I'm not a Java guy.)

Thanks for your time and attention!

thc...@gmail.com

Sep 30, 2022, 3:27:13 PM
to zaprox...@googlegroups.com
Hi.

What ZAP version?

> I ruled out Java's DNS resolution as the cause by writing a simple Java program

Better execute directly in ZAP, through the Script Console.
https://www.zaproxy.org/docs/desktop/addons/script-console/


Best regards.


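A standalone script for the ZAP Script Console that performs the check suggested above, added here as an example (it is not from the thread and not part of ZAP itself): it parses the OS hosts file and reports every entry for which the JVM running ZAP resolves the hostname to something other than the hosts-file address. The hosts-file path is an assumption, as are the sample entries in the comments.

```javascript
// Added example for the ZAP Script Console (Standalone script type), not
// ZAP's own code. Run it inside ZAP so the resolution happens in ZAP's JVM.
var HOSTS_PATH = 'C:\\Windows\\System32\\drivers\\etc\\hosts'; // assumed path

// Parse hosts-file text into {ip, host} pairs; comments and blank lines are
// skipped, and a line with several names yields one pair per name.
function parseHosts(text) {
  var entries = [];
  text.split(/\r?\n/).forEach(function (line) {
    var fields = line.replace(/#.*$/, '').trim().split(/\s+/);
    if (fields.length < 2 || fields[0] === '') return;
    for (var i = 1; i < fields.length; i++) {
      entries.push({ ip: fields[0], host: fields[i] });
    }
  });
  return entries;
}

// Compare each hosts-file mapping with what resolve(host) returns (an array
// of address strings) and return only the entries that do not match.
function checkHosts(text, resolve) {
  return parseHosts(text).map(function (e) {
    var got = resolve(e.host);
    return { host: e.host, expected: e.ip, got: got, ok: got.indexOf(e.ip) !== -1 };
  }).filter(function (r) { return !r.ok; });
}

// Inside ZAP the Java classes are reachable, so resolve through the same JVM
// (and the same resolver settings) that ZAP uses for its proxied requests.
if (typeof Java !== 'undefined') {
  var Files = Java.type('java.nio.file.Files');
  var Paths = Java.type('java.nio.file.Paths');
  var JString = Java.type('java.lang.String');
  var InetAddress = Java.type('java.net.InetAddress');
  var text = String(new JString(Files.readAllBytes(Paths.get(HOSTS_PATH)), 'UTF-8'));
  var jvmResolve = function (host) {
    var addrs = InetAddress.getAllByName(host);
    var out = [];
    for (var i = 0; i < addrs.length; i++) out.push(String(addrs[i].getHostAddress()));
    return out;
  };
  var mismatches = checkHosts(text, jvmResolve);
  if (mismatches.length === 0) print('All hosts-file entries resolve as expected in this JVM.');
  mismatches.forEach(function (r) {
    print(r.host + ': hosts file says ' + r.expected + ', JVM resolved ' + r.got.join(','));
  });
}
```

If an entry is reported, the JVM that ZAP runs in is not using the hosts file for that name, which narrows the problem to the JVM's resolver rather than to ZAP's proxy handling.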
Dave Krieger

Sep 30, 2022, 7:31:56 PM
to zaprox...@googlegroups.com
> What ZAP version?

2.11.1

> Better execute directly in ZAP, through the Script Console.
> https://www.zaproxy.org/docs/desktop/addons/script-console/

Thanks!