
Comments (8)

zapbot commented on May 16, 2024
Hi there,

ZAP has no problems scanning applications running on localhost; however, there are a
couple of things you need to be aware of.
By default ZAP listens on port 8080, which is the same port your app is listening on.
You'll need to change one of them to listen on a different port - it's probably easier
to change ZAP - see http://code.google.com/p/zaproxy/wiki/HelpStartProxies, and remember
to change your browser's proxy settings as well.
You also need to check that you haven't configured your browser to ignore your configured
proxy (ZAP) for localhost.
Let us know if these suggestions solve your problem. I frequently use ZAP to investigate
apps running on my localhost:8080, so it will definitely work.

Many thanks,

Psiinon

Original issue reported on code.google.com by psiinon on 2010-12-08 07:07:10


zapbot commented on May 16, 2024
Hi,

Thanks for sharing your thoughts. I tried changing the ZAP Local Proxy to 9090 and even
8085 (refer 2.png); ZAP captures all the requests made outside "localhost" (refer 4.png),
but any requests made to "localhost" are not captured (refer 5.png).

Not sure:
   1. If I have configured the proxy server as per your directions -or-
   2. Are there any specific security settings set to bypass the proxy
   3. I need to cross-verify (from my personal desktop) if the above-mentioned settings
are enough to capture and scan the application running on localhost.

Meanwhile, kindly go through the attachment and let me know if I have missed any of
the configuration settings.

Thanks,
Raghavendra Rao P.V.

Original issue reported on code.google.com by raghavendra.rao.pv on 2010-12-10 05:33:07


- _Attachment: [ZAP - Proxy.zip](https://storage.googleapis.com/google-code-attachments/zaproxy/issue-23/comment-2/ZAP - Proxy.zip)_


zapbot commented on May 16, 2024
Hi,

That's _very_ strange. Your configuration looks fine.
What version of IE are you using?
I must admit I don't tend to use IE, but I'll try to reproduce the problem here.
You could try using another browser just to see if that works, but I'm not suggesting
that as the real fix - ZAP should work with all browsers.

Thanks,

Psiinon

Original issue reported on code.google.com by psiinon on 2010-12-10 12:33:34


zapbot commented on May 16, 2024
Hi,

I think I found the solution to my problem. It may probably be:
     1. Some security settings set up by the system admin at the office -or-
     2. I should not have checked the "use an outgoing proxy server" checkbox in "Use
a proxy chain" (refer to the issue raised earlier - 1.PNG)

However, I set up a similar environment at home and ZAP is working fine, beyond my expectations
(since it's much faster than AppScan - find attached OWASP ZAP.zip for the steps followed
to run ZAP on my PC @home).

But I am wondering if I have scanned WebGoat properly, since ZAP has identified only
two issues related to SQL Injection alone; what about the rest of the vulnerabilities which
exist in WebGoat? (refer 6.PNG). Steps followed include:
   1. Manually browsed through the 1st link (main page of WebGoat).
   2. Right-clicked on Sites and chose "Spider site", later "Active scan" (4 and 5.png).
   3. ZAP displayed just two vulnerabilities.

Kindly suggest if there were any actions which I missed out.

Thanks in advance,
Raghavendra Rao P.V.

Original issue reported on code.google.com by raghavendra.rao.pv on 2010-12-11 10:39:33


zapbot commented on May 16, 2024
Hi Raghavendra,

Glad to hear you can now scan apps on localhost.
Some automated scanners do sell themselves as 'point and shoot' scanners, i.e. just log
in and then they'll do everything else for you.
I don't think this is the best approach.

To start with, in my experience people are better at navigating web apps than tools
are. That's why I recommend you explore your app manually first.
This is covered a bit in the help file (online here: http://code.google.com/p/zaproxy/wiki/HelpPentestPentest)
and also in my blog: http://pentest4devs.blogspot.com/2010/09/exploring-web-application-with-zap.html

The other point is that no automated tool will find all vulnerabilities. There are
some that you can only realistically find manually.
So the idea is that ZAP should find as many issues automatically as possible, but then
provide features that make it as easy as possible for you to find other issues yourself.

Having said all of that, it's still possible that ZAP will miss some vulnerabilities
in the active scan that it should have found. I haven't run it against WebGoat recently
- that's one of the things I've been meaning to do for a while.
Let me know if there are any specific issues you think it should have found, and we'll
do our own testing here against WebGoat and the other example vulnerable apps as soon
as we can.

Thanks,

Psiinon

Original issue reported on code.google.com by psiinon on 2010-12-13 10:14:49


zapbot commented on May 16, 2024
Hi Raghavendra,

I'm going to close this issue as the original issue you reported was a configuration
issue, if that's ok with you.
If you have any other issues, including if you think ZAP should have found specific
issues with the automated scan, then please raise them as new issues - otherwise people
might miss them if they just look at the issue titles.

Thanks,

Psiinon

Original issue reported on code.google.com by psiinon on 2010-12-16 14:39:09


srakshit007 commented on May 16, 2024

I did a simple thing: added this to /etc/hosts

127.0.0.1 samir.com

and ran (in the Mac terminal): sudo killall -HUP mDNSResponder

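Two points in this thread are worth seeing in working code: psiinon's advice that the browser must not be configured to bypass the proxy for localhost, and srakshit007's fix of aliasing 127.0.0.1 to another name in /etc/hosts. Both come down to the same mechanism: a client's proxy-bypass list is matched against the host name as typed in the URL, not against the address it resolves to, so "localhost" can be excluded while "127.0.0.1" or "samir.com" pointing at the same machine is not (IE's "Bypass proxy server for local addresses" setting goes further and treats any dotless host name as local, which is why a dotted alias such as samir.com gets proxied). The example below is added here and is not ZAP's code nor anything posted in the thread. It builds a stand-in target app and a stand-in intercepting proxy (both constructed for this example, playing the roles of the app on 8080 and ZAP on 9090) on ephemeral loopback ports, then makes requests with Python's urllib pointed at the proxy, using the `no_proxy` environment variable as the browser's bypass list. The URLs, ports and names are all assumptions of the example.

```python
"""Added example: why requests to "localhost" can skip an intercepting proxy.

Constructed stand-ins: TargetApp plays the application under test,
InterceptingProxy plays ZAP. Neither is real ZAP code.
"""
import os
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class TargetApp(BaseHTTPRequestHandler):
    """Stand-in for the web application being tested (constructed)."""

    def do_GET(self):
        body = b"hello from the target app\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class InterceptingProxy(BaseHTTPRequestHandler):
    """Stand-in for ZAP: records each proxied request, then forwards it upstream."""

    seen = []  # absolute URLs of the requests that actually reached the proxy

    def do_GET(self):
        # For a request sent via a proxy, the request-target is the absolute URL.
        type(self).seen.append(self.path)
        # Forward with an opener that has no proxy of its own, so the upstream
        # hop cannot loop back through this proxy.
        direct = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with direct.open(self.path, timeout=5) as upstream:
            body = upstream.read()
            status = upstream.status
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_server(handler_cls):
    """Bind handler_cls to an ephemeral loopback port and serve it in the background."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url, proxy_port, bypass_list):
    """Fetch url like a browser pointed at the proxy, honouring a bypass list.

    urllib consults the no_proxy environment variable (comma-separated host
    names) before using a configured proxy, just as a browser consults its
    "do not use the proxy for these hosts" list. The match is on the host
    name text in the URL, never on the address it resolves to.
    """
    os.environ["no_proxy"] = bypass_list
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{proxy_port}"})
    )
    with opener.open(url, timeout=5) as resp:
        return resp.read()


def captured(url, proxy_port, bypass_list):
    """Return True if the request for url passed through the intercepting proxy."""
    InterceptingProxy.seen.clear()
    body = fetch(url, proxy_port, bypass_list)
    if body != b"hello from the target app\n":
        raise RuntimeError("target app did not answer")  # it must answer either way
    return len(InterceptingProxy.seen) == 1


def run_demo():
    """Run the three cases and report whether each request was captured."""
    app = start_server(TargetApp)
    proxy = start_server(InterceptingProxy)
    app_port = app.server_address[1]
    proxy_port = proxy.server_address[1]
    try:
        return {
            # Bypass list names some other host only (a non-empty list keeps
            # urllib on the env-var path on every OS): the proxy sees the request.
            "localhost_no_bypass": captured(
                f"http://localhost:{app_port}/", proxy_port, "example.invalid"),
            # Bypass list names localhost: the request never reaches the proxy.
            "localhost_bypassed": captured(
                f"http://localhost:{app_port}/", proxy_port, "localhost"),
            # Same server under a name not in the bypass list: captured again.
            # This is the effect of the /etc/hosts alias from the thread.
            "alias_not_in_bypass": captured(
                f"http://127.0.0.1:{app_port}/", proxy_port, "localhost"),
        }
    finally:
        for server in (app, proxy):
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for case, via_proxy in run_demo().items():
        print(f"{case}: {'captured by proxy' if via_proxy else 'bypassed the proxy'}")
```

Run it directly and the first and third cases report "captured by proxy" while the second reports "bypassed the proxy", even though all three requests are answered by the same server. The practical check when ZAP shows nothing for a localhost app is therefore the client's bypass list rather than ZAP's port: remove "localhost" (and, in IE, untick the local-addresses bypass) or, as the last comment does, reach the app under a dotted alias that the bypass rules do not match.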

lock commented on May 16, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
