zap-hud
308 Permanent Redirect from http to https not working with HUD enabled
Describe the bug
When navigating to an HTTPS website via the preconfigured browser with ZAP HUD enabled, zaproxy first issues an HTTP request to the page and follows the redirects to https. When a server redirects to HTTPS via 308 Permanent Redirect, ZAP fails to follow this redirect, leading to an error displayed in the browser. In Firefox this would be:
The page isn’t redirecting properly
An error occurred during a connection to example-redirecting-page.de.
This problem can sometimes be caused by disabling or refusing to accept cookies.
To Reproduce
Steps to reproduce the behavior:
- Make sure to have the HUD enabled
- Open the preconfigured firefox browser
- Type a URL into the address bar which you want to reach via HTTPS, e.g., https://example.com
- The above error occurs.
Expected behavior
When you open https://google.de via the address bar in a preconfigured, HUD-enabled browser launched from zaproxy, then the following happens:
- preconfigured firefox requests to zaproxy: GET https://google.de
- zaproxy requests: GET http://google.de
- google responds: 301 Moved Permanently, Location: http://www.google.de
- zaproxy redirects and requests: GET http://www.google.de
- google responds: 302 Found, Location: https://www.google.de/?gws_rd=ssl
- zaproxy redirects and requests: GET https://www.google.de/?gws_rd=ssl
- zaproxy responds to preconfigured firefox: 200 OK
So I assume 301 and 302 redirects work, but I do not really understand why the first request from zaproxy to google (2.) is GET http, when the preconfigured browser explicitly asks for https. I assume that this is likely somehow coupled with the https upgrade to http hosts when using the HUD. But if a server responds with a 308 Permanent Redirect, ZAP fails to follow this redirect, leading to the error described above.
Screenshots
Software versions
- ZAP: 2.9.0
- Add-on: I guess none that matters
- OS: kali 2020.3
- Java: openjdk version "11.0.7-ea" 2020-04-14
- Browser: firefox quantum 68.10.0esr (64-bit)
Errors from the zap.log file
Additional context
Would you like to help fix this issue?
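As an added illustration (not code from ZAP or from anyone in this thread), the redirect chain listed under "Expected behavior" and the 308 case from the bug description, modelled with a small Python redirect follower over a constructed in-memory response table. The hosts example-redirecting-page.de and loop.test are hypothetical stand-ins; the point is that 307/308 keep the request method, 303 always switches to GET, and a client must detect the http-to-https ping-pong loop described later in the thread instead of retrying forever.

```python
from urllib.parse import urljoin

# Constructed stand-in for the servers in the report: (method, url) -> (status, headers).
# Anything not listed answers 200 OK. This is not a real HTTP client.
CONSTRUCTED_RESPONSES = {
    ("GET", "http://google.de/"): (301, {"Location": "http://www.google.de/"}),
    ("GET", "http://www.google.de/"): (302, {"Location": "https://www.google.de/?gws_rd=ssl"}),
    # hypothetical host that upgrades to https with a 308, as in the reported failure
    ("GET", "http://example-redirecting-page.de/"): (308, {"Location": "https://example-redirecting-page.de/"}),
    ("POST", "http://example-redirecting-page.de/"): (308, {"Location": "https://example-redirecting-page.de/"}),
    # hypothetical misbehaving host that bounces between http and https forever
    ("GET", "http://loop.test/"): (308, {"Location": "https://loop.test/"}),
    ("GET", "https://loop.test/"): (308, {"Location": "http://loop.test/"}),
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def send(method, url):
    """Look up the constructed response for a request."""
    return CONSTRUCTED_RESPONSES.get((method, url), (200, {}))


class RedirectLoop(Exception):
    pass


def follow(method, url, max_hops=10):
    """Follow redirects the way a client should.

    Returns (final_method, final_url, hops) where hops is the list of
    (status, url) pairs that were redirected. Raises RedirectLoop when the
    same (method, url) comes around again or max_hops is exceeded.
    """
    hops = []
    seen = set()
    while True:
        if (method, url) in seen or len(hops) > max_hops:
            raise RedirectLoop(f"redirect loop after {len(hops)} hops: {hops}")
        seen.add((method, url))
        status, headers = send(method, url)
        if status not in REDIRECT_STATUSES:
            return method, url, hops
        hops.append((status, url))
        url = urljoin(url, headers["Location"])
        # 303 always becomes GET; browsers also turn a POST into GET on 301/302.
        # 307 and 308 preserve the method and body, so nothing changes here.
        if status == 303 or (status in (301, 302) and method == "POST"):
            method = "GET"
```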
That's weird - ZAP should not be requesting http://google.de/. Will need to investigate...
Thanks, Simon, for the quick reply! I used the Kali 2020.3 VirtualBox 64bit image from Offensive Security, nothing further installed. Booted the freshly imported machine and started ZAP.
If you're having problems always do a ZAP check-for-updates and install any new versions of add-ons. Although in this case I suspect it won't help...
Hi, sorry, sure. I did both. ZAP and all plugins are fully up-to-date. Fails in both.
I am hitting the problem too, which makes Zap unsuitable for our use :(
@dvarrazzo Can you confirm that it behaves as expected with HUD disabled?
I am new to the tool and not aware of what HUD is.
What I have done is:
1. Run ZAP in Docker using:
docker run --rm -u zap -p 8080:8080 -p 8090:8090 --name zap -v `pwd`:/zap/wrk/:rw -i owasp/zap2docker-stable zap-webswing.sh
2. Configured a Firefox session to use localhost:8090 as HTTP/HTTPS proxy, imported the certificate.
3. Open a URL https://...
4. Experience that the requests performed go instead to http with a 308 redirect to https, in a loop.
In point 3, opening both an http and an https URL results in a loop of http requests; no https request is performed.
Opening an http page resulting in a 302 redirect works fine.
Heads up: upgrading the plug-ins seems to work.
Well, that is the first recommendation on the first FAQ ;) https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/
Thanks for letting us know.
You are right. I apologise for the noise. However this issue has been open for almost 2 years: it might be advisable that whatever needs update is updated out of the box.