ZAP API requests can be excluded from proxy
Describe the bug
Hello,
On the current https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/zaproxy/zap/authentication/HttpAuthenticationMethodType.java#L401 a bug was introduced which blocks things for HTTP requests that aren't using a realm, as the if statement was removed.
Steps to reproduce the behavior
- Take the variant before PR 7085 and do a generic scan with the proxy. It doesn't throw an error on http://zap/JSON/script/action/setGlobalVar/?zapapiformat=JSON&formMethod=GET&varValue=https%3A%2F%2Fgoogle.com&varKey=ZapScan.target
- Take the variant after PR 7085 and do the same generic scan; it will throw an error on http://zap/JSON/script/action/setGlobalVar/?zapapiformat=JSON&formMethod=GET&varValue=https%3A%2F%2Fgoogle.com&varKey=ZapScan.target The tests were done using a PowerShell script with the invoke-web cmdlet.
Expected behavior
To be able to use HTTP API authentication without a realm.
Software versions
From ZAP_WEEKLY_D-2022-02-14.zip onward, all releases are affected.
Screenshots
No response
Errors from the zap.log file
No response
Additional context
ZAP Error [java.net.UnknownHostException]: zap
Stack Trace: java.net.UnknownHostException: zap
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:607)
    at org.zaproxy.zap.ZAP$ProtocolSocketFactoryImpl.createSocket(ZAP.java:434)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:728)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:457)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:207)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:432)
    at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:674)
    at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:629)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:604)
    at org.parosproxy.paros.network.HttpSender.sendAndReceiveImpl(HttpSender.java:1036)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:996)
    at org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler.handleMessage(HttpSenderHandler.java:80)
    at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:118)
    at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:100)
    at org.zaproxy.addon.network.internal.server.http.LocalServerHandler.processMessage(LocalServerHandler.java:63)
    at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:83)
    at org.zaproxy.addon.network.internal.server.http.MainServerHandler.channelRead0(MainServerHandler.java:72)
    at org.zaproxy.addon.network.internal.server.http.MainServerHandler.channelRead0(MainServerHandler.java:37)
    at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:61)
    at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:370)
    at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Thread.java:748)
Would you like to help fix this issue?
- Yes
Issue Analytics
- Created a year ago
- Comments: 20 (9 by maintainers)
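The behaviour the retitled issue describes (a request to ZAP's own API host being handled as ordinary proxied traffic and forwarded to the network, where the host "zap" does not resolve, as in the stack trace above) can be shown with a simplified dispatch model. This is an added example in Python, not ZAP's code or the reporter's script; the API host set, the API path prefixes and the exclusion regexes are constructed assumptions, and only the API URL is taken from the reproduction steps.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this model (constructed, not taken from ZAP's sources):
# hostnames that ZAP answers itself and the path prefixes of its API.
API_HOSTS = {"zap"}
API_PREFIXES = ("/JSON/", "/XML/", "/HTML/", "/OTHER/")

# The API call from the issue's reproduction steps.
API_CALL = ("http://zap/JSON/script/action/setGlobalVar/?zapapiformat=JSON"
            "&formMethod=GET&varValue=https%3A%2F%2Fgoogle.com&varKey=ZapScan.target")

# Constructed operator exclusions: the second one is broad enough to catch
# the API URL, which is the situation the issue title describes.
EXCLUSIONS = [re.compile(r".*\.css$"), re.compile(r"http://.*")]

def is_api_request(url):
    """True when the request targets ZAP's own API rather than a remote site."""
    parts = urlsplit(url)
    return parts.hostname in API_HOSTS and parts.path.startswith(API_PREFIXES)

def is_excluded(url, exclusions):
    """True when a proxy exclusion regex matches the whole URL."""
    return any(rx.fullmatch(url) for rx in exclusions)

def dispatch_buggy(url, exclusions=EXCLUSIONS):
    """Exclusions are consulted before the API check, so a matching API
    request is passed through untouched and ZAP tries to open a socket to
    the host 'zap', which fails with UnknownHostException."""
    if is_excluded(url, exclusions):
        return "forward"
    if is_api_request(url):
        return "api"
    return "proxy"

def dispatch_fixed(url, exclusions=EXCLUSIONS):
    """API requests are recognised first; exclusions only apply to traffic
    that is really bound for another host."""
    if is_api_request(url):
        return "api"
    if is_excluded(url, exclusions):
        return "forward"
    return "proxy"

if __name__ == "__main__":
    for u in (API_CALL, "https://example.com/app/", "https://example.com/site.css"):
        print(f"{dispatch_buggy(u):8} {dispatch_fixed(u):8} {u}")
```

Running the model prints "forward" beside "api" for the API URL, which is the difference between the UnknownHostException in the report and a normal API response.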
Top GitHub Comments
Thank you for the details provided.
@thc202 you have them in email 😃