Setting non-localhost "Local Proxy" breaks HUD security model #202
Comments
|
With which ZAP version? |
thc202
changed the title
|
Currently v D-2018-10-01 (using dev build to test HUD)
…On Fri, 5 Oct 2018 at 14:05, thc202 ***@***.***> wrote:
With which ZAP version?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<https://github.com/psiinon/zap-hud/issues/202#issuecomment-427327723>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFlDbda1JZTSk0YCOnR-Do_yRcEvXDmZks5uhzzwgaJpZM4XKA1y>
.
|
|
Thanks. |
|
@dvas0004 these errors are really strange. They are for 'callback' urls (/zapCallBackUrl/) which should bypass the 'permitted addresses'. |
|
For info all API requests should go via callback addresses which bypass the permitted addresses. So adding your browsers IP addr wont actually fix this problem. |
|
In fact I am now unable to reproduce this, even when I reset the API settings to default. The difference between before and now is that now I put the Dev build ZAP into a virtual container whereas before I had both Dev ZAP and V2.0.7 running at the same time on the same machine. I'll see if I can dig up anything else, but it very much looks like you're right and my system must have been in a "bad state". |
|
Interestingly I seem to have just hit this when using ZAP from a remote machine, I'll investigate some more :) |
|
So it looks like the browser is getting the target page from its cache, which has an old callback url in. |
|
Awesome! Good resolution!
…On Mon, 8 Oct 2018, 11:40 Simon Bennetts, ***@***.***> wrote:
So it looks like the browser is getting the target page from its cache,
which has an old callback url in.
This doesnt matter if the browser is on local host but does for remote
browsers.
My plan is to fix the core to reject calls to old callback urls from
localhost too.
For the HUD we'll need to change the headers to prevent the browser from
caching the target urls.
@dvas0004 <https://github.com/dvas0004> good find!
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<https://github.com/psiinon/zap-hud/issues/202#issuecomment-427758920>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFlDbTNEzV1SKhX0wdTp7pQ2sYaXfsIFks5uiw94gaJpZM4XKA1y>
.
|
|
The changes: zaproxy/zaproxy#5039 and https://github.com/psiinon/zap-hud/pull/205 should prevent the errors that caused you to add the remote addr to ZAP. |
|
Yep, sure go ahead!
…On Mon, 8 Oct 2018 at 14:06, Simon Bennetts ***@***.***> wrote:
The changes: zaproxy/zaproxy#5039
<zaproxy/zaproxy#5039> and #205
<https://github.com/psiinon/zap-hud/pull/205> should prevent the errors
that caused you to add the remote addr to ZAP.
They still dont fix all remote access issues but I've raised #204
<https://github.com/psiinon/zap-hud/issues/204> for those.
@dvas0004 <https://github.com/dvas0004> ok to close this now?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<https://github.com/psiinon/zap-hud/issues/202#issuecomment-427794693>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFlDbep-TEBUwi2vJZuau0R9lLntZKBQks5uizGxgaJpZM4XKA1y>
.
|
With regards to the following during installation of HUD:
WARN org.zaproxy.zap.extension.api.API - Request to API URL https://cdns.us1.gigya.com/zapCallBackUrl/-8111380956573237837?zapfile=inject.js from 192.168.1.1 not permittedWorkaround:
Make sure your API options are set to allow requests from the correct IP addresses. In ZAP, open the "Tools" menu > Options > API, and modify the "Addresses permitted to use the API" appropriately
However as @psiinon pointed out, it breaks the HUD security model.
In order to recreate the above errors, set the "Local Proxy" address to a non local IP under Tools > Options > Local Proxies, for example:
This in turn gave rise to the above errors in console when trying to get HUD on a proxied page
The text was updated successfully, but these errors were encountered: