zap-hud
zap-hud copied to clipboard
zaproxy
HUD is not displayed on the HUD tutorial page
I have installed ZAP the first time and was surprised by the HUD tutorial :)
Sadly the HUD is not displayed on the tutorial page: http://127.0.0.1:60144/Frames When something should be displayed in the HUD only some red text is displayed, but the HUD itself is not visible. Due to this bug the tutorial task can not be completed and I have to disable the tutorial tasks to read all pages.
On regular pages like google.de the HUD is displayed and everthing looks ok.
I use Firefox Portable 67.0.2 64 bit on Windows with ZAP 2.8.0 and OpenJDK 12.0.1 Firefox does not have any addons installed. So ad or script blocker could not cause this problem.
By the way the concept of the HUD is brilliant and I do not need to have ZAP visible all the time. So more space for other tools ^^
@Borim7 Are there any errors in the Firefox console? I must admit that I've not tried the HUD with Firefox portable. Can you try it with the full versions of either Firefox or Chrome?
1 warning and 1 error are reported in the firefox console
Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol.
I have testes with the normal firefox and the behaviour is the same. The weird thing is, that it does not matter if I configure firefox to use the ZAP proxy or not. Although I did not configure any exceptions for using the proxy.
Weird :/ Do the HUD controls get shown when the HUD splash screen is shown? Have you changed any of the HUD options? Are there any errors in the zap.log file? https://github.com/zaproxy/zaproxy/wiki/FAQhelp#check-the-log-file
I do not know. The splash screen was displayed once and after it I enter the tutorial over the HUD settings. In the HUD options I only disabled the tutorial tasks. All other option are unchanged. I also tried reset HUD options to default and nothing changed.
In the log file a lot of
2019-06-16 22:06:13,419 [ZAP-ProxyThread-47421] WARN API - Request to callback URL https://zap//zapCallBackUrl/1962442282638869228?name=tools/scope.js from 127.0.0.1 not found - this could be a callback url from a previous session or possibly an attempt to attack ZAP
are visible and multiple java exceptions: zap.log
If you are starting Firefox yourself (instead of starting from ZAP) you might need to set the preference network.proxy.allow_hijacking_localhost to true, with newer Firefox versions localhost is not proxied without that set.
@psiinon we could use zap domain to avoid this, e.g. http://zap/hudtutorial/ ?
@thc202 we could do, but are we sure this is the problem in this case? If Firefox wasnt proxying through ZAP then we shouldnt even get the HUD splashscreen :/
I think it is based on the report, the HUD was shown for other addresses/domains just not the tutorial (which is using localhost/127.0.0.1).
Ah, I missed that. Yeah, we should look at changing it to use something other than localhost / 127.0.0.1
After enabling network.proxy.allow_hijacking_localhost the HUD is working on the HUD tutorial page.
Great debugging team, we should record a note of this somewhere and then close this out. @psiinon where would be a good place to capture this? @Borim7 would you be good with us closing this after we record the issue?
Yes, it is sufficient in my eyes. It is your decision, if you want to do more e.g.
we could use zap domain to avoid this, e.g. http://zap/hudtutorial/ ?
I ran into this problem the other day and it was killing me. The way I was able to get around it is to open the browser you have configured to use ZAP through the ZAP console. Opening this way will enable the HUD. I'm pasting the screenshot. I hope it comes through here:
@caesium55ds It worked for me the first time, but after that, didn't work.
