Setting non-localhost "Local Proxy" breaks HUD security model
With regards to the following during installation of HUD:
- Console shows error messages similar to the following:
WARN org.zaproxy.zap.extension.api.API - Request to API URL https://cdns.us1.gigya.com/zapCallBackUrl/-8111380956573237837?zapfile=inject.js from 192.168.1.1 not permitted
Workaround:
Make sure your API options are set to allow requests from the correct IP addresses. In ZAP, open the "Tools" menu > Options > API, and modify the "Addresses permitted to use the API" appropriately.
However, as @psiinon pointed out, this breaks the HUD security model.
In order to recreate the above errors, set the “Local Proxy” address to a non local IP under Tools > Options > Local Proxies, for example:
This in turn gave rise to the above errors in the console when trying to get the HUD on a proxied page.
Issue Analytics
- Created 5 years ago
- Comments: 12 (11 by maintainers)
Top GitHub Comments
For info, all API requests should go via callback addresses which bypass the permitted addresses. So adding your browser's IP addr won't actually fix this problem. The only reason callbacks fail is if they are no longer valid, i.e. if they have already been requested. So our (mine and @thc202's) assumption is that the errors you are seeing are for duplicated calls. That shouldn't really happen either, so if you can find a reliable way of reproducing them then please let us know.
In fact I am now unable to reproduce this, even when I reset the API settings to default. The difference between before and now is that now I put the Dev build ZAP into a virtual container whereas before I had both Dev ZAP and V2.0.7 running at the same time on the same machine. I’ll see if I can dig up anything else, but it very much looks like you’re right and my system must have been in a “bad state”.