Comments (8)
Hi there,

ZAP has no problems scanning applications running on localhost, however there are a couple of things you need to be aware of.

By default ZAP listens on port 8080, which is the same port your app is listening on. You'll need to change one of them to listen on a different port - it's probably easier to change ZAP - see http://code.google.com/p/zaproxy/wiki/HelpStartProxies, and remember to change your browser's proxy settings as well.

You also need to check that you haven't configured your browser to ignore your configured proxy (ZAP) for localhost.

Let us know if these suggestions solve your problem. I frequently use ZAP to investigate apps running on my localhost:8080 so it will definitely work.

Many thanks,
Psiinon

Original issue reported on code.google.com by psiinon on 2010-12-08 07:07:10
from zaproxy.
Hi,

Thanks for sharing your thoughts. I tried changing the ZAP Local Proxy to 9090 and even 8085 (refer 2.png). ZAP captures all the requests made outside "localhost" (refer 4.png), but any requests made to "localhost" are not captured (refer 5.png).

Not sure:
1. If I have configured the proxy server as per your directions -or-
2. Are there any specific security settings set to bypass the proxy
3. I need to cross-verify (from my personal desktop) if the above mentioned settings are enough to capture and scan the application running on localhost.

Meanwhile, kindly go through the attachment and let me know if I have missed any of the configuration settings.

Thanks,
Raghavendra Rao P.V.

Original issue reported on code.google.com by raghavendra.rao.pv on 2010-12-10 05:33:07

- _Attachment: [ZAP - Proxy.zip](https://storage.googleapis.com/google-code-attachments/zaproxy/issue-23/comment-2/ZAP - Proxy.zip)_
Hi,

That's _very_ strange. Your configuration looks fine.

What version of IE are you using?

I must admit I don't tend to use IE, but I'll try to reproduce the problem here.

You could try to use another browser just to see if that works, but I'm not suggesting that as the real fix - ZAP should work with all browsers.

Thanks,
Psiinon

Original issue reported on code.google.com by psiinon on 2010-12-10 12:33:34
Hi,

I think I found the solution to my problem. It is probably:
1. Some security settings set up by the system admin at the office -or-
2. I should not have checked the "use an outgoing proxy server" checkbox in "Use a proxy chain" (refer issue raised earlier - 1.PNG)

However, I set up a similar environment at home and ZAP's working fine, beyond my expectations (since it's much faster than AppScan - find attached OWASP ZAP.zip for the steps followed to run ZAP on my PC @home).

But I am wondering if I have scanned WebGoat properly, since ZAP has identified only two issues related to SQL Injection alone; what about the rest of the vulnerabilities which exist in WebGoat? (refer 6.PNG). Steps followed include:
1. Manually browsed through the 1st link (main page of WebGoat).
2. Right-click on Sites and choose "Spider site", later "Active scan" (4 and 5.png)
3. ZAP displayed just two vulnerabilities.

Kindly suggest if there were any actions which I missed out.

Thanks in advance,
Raghavendra Rao P.V.

Original issue reported on code.google.com by raghavendra.rao.pv on 2010-12-11 10:39:33
Hi Raghavendra,

Glad to hear you can now scan apps on localhost.

Some automated scanners do sell themselves as 'point and shoot' scanners, ie just log in and then they'll do everything else for you. I don't think this is the best approach.

To start with, in my experience people are better at navigating web apps than tools are. That's why I recommend you explore your app manually first. This is covered a bit in the help file (online here: http://code.google.com/p/zaproxy/wiki/HelpPentestPentest) and also in my blog: http://pentest4devs.blogspot.com/2010/09/exploring-web-application-with-zap.html

The other point is that no automated tool will find all vulnerabilities. There are some that you can only realistically find manually. So the idea is ZAP should find as many issues automatically as possible, but then provide features that make it as easy as possible for you to find other issues yourself.

Having said all of that, it's still possible that ZAP will miss some vulnerabilities in the active scan that it should have found. I haven't run it against WebGoat recently - that's one of the things I've been meaning to do for a while.

Let me know if there are any specific issues you think it should have found, and we'll do our own testing here against WebGoat and the other example vulnerable apps as soon as we can.

Thanks,
Psiinon

Original issue reported on code.google.com by psiinon on 2010-12-13 10:14:49
Hi Raghavendra,

I'm going to close this issue as the original issue you reported was a configuration issue, if that's ok with you.

If you have any other issues, including if you think ZAP should have found specific issues with the automated scan, then please raise them as new issues - otherwise people might miss them if they just look at the issue titles.

Thanks,
Psiinon

Original issue reported on code.google.com by psiinon on 2010-12-16 14:39:09
I did a simple thing: added this into /etc/hosts

    127.0.0.1 samir.com

and ran (in the Mac terminal): `sudo killall -HUP mDNSResponder`
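The two configuration points raised in this thread, the browser's "do not use the proxy for local addresses" rule that silently skips the intercepting proxy and the /etc/hosts alias that sidesteps it by giving the app a name the rule does not match, can be checked without a browser at all. The following is an added example written for this page, not ZAP's own code: it starts a toy application and a toy recording proxy (standing in for ZAP) on OS-chosen loopback ports, implements a simplified version of the browser bypass rule (`bypasses_proxy`, including IE's `<local>` meaning "any host name without a dot"), and fetches the same localhost URL once with a typical bypass list and once without. The proxy's request log shows which route the request actually took. The bypass-list syntax, the hostnames and the ports are constructed for the demonstration.

```python
"""Does traffic to a localhost app really traverse the intercepting proxy?
Added example for this thread, not ZAP's own code. The toy app, the recording
proxy, the OS-chosen ports and the bypass-list syntax are all constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


class AppHandler(BaseHTTPRequestHandler):
    """Toy application under test: answers every GET with a fixed body."""

    def do_GET(self):
        body = b"hello from the app"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class RecordingProxy(BaseHTTPRequestHandler):
    """Toy forward proxy standing in for ZAP: records each absolute-URL request
    it receives, fetches it from the origin and relays the response."""

    seen = []  # absolute URLs of requests that actually reached the proxy

    def do_GET(self):
        RecordingProxy.seen.append(self.path)  # e.g. http://localhost:PORT/login
        target = urlsplit(self.path)
        upstream = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
        upstream.request("GET", target.path or "/")
        resp = upstream.getresponse()
        body = resp.read()
        upstream.close()
        self.send_response(resp.status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def bypasses_proxy(url, no_proxy):
    """Simplified browser bypass rule: comma-separated exact host names or
    domain suffixes, plus IE's "<local>" = any host name without a dot."""
    host = (urlsplit(url).hostname or "").lower()
    for pattern in (p.strip().lower() for p in no_proxy.split(",") if p.strip()):
        if pattern == "<local>":
            if "." not in host:
                return True
        elif host == pattern or host.endswith("." + pattern.lstrip(".")):
            return True
    return False


def fetch(url, proxy_addr, no_proxy=""):
    """Fetch url the way a browser with proxy_addr and a bypass list would:
    straight to the origin when the rule matches, else via the proxy."""
    target = urlsplit(url)
    if bypasses_proxy(url, no_proxy):
        conn = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
        conn.request("GET", target.path or "/")
    else:
        conn = http.client.HTTPConnection(*proxy_addr, timeout=5)
        conn.request("GET", url)  # absolute URL as request target = proxy request
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return body


def start_server(handler):
    """Bind to a free loopback port (port 0) and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Return (requests the proxy saw with a localhost bypass in place,
    requests it saw after the bypass list was cleared)."""
    app = start_server(AppHandler)
    proxy = start_server(RecordingProxy)
    url = f"http://localhost:{app.server_port}/login"
    proxy_addr = ("127.0.0.1", proxy.server_port)
    RecordingProxy.seen.clear()
    fetch(url, proxy_addr, no_proxy="localhost,127.0.0.1")  # common browser default
    with_bypass = len(RecordingProxy.seen)                   # proxy never saw it
    fetch(url, proxy_addr, no_proxy="")                      # bypass list cleared
    without_bypass = len(RecordingProxy.seen)                # now routed via proxy
    app.shutdown()
    proxy.shutdown()
    return with_bypass, without_bypass
```

`run_demo()` returns `(0, 1)`: with `localhost` in the bypass list the proxy log stays empty even though the browser-side configuration looks correct, which is exactly the symptom reported above. `bypasses_proxy("http://samir.com:8080/", "localhost,127.0.0.1")` is false, which is why the /etc/hosts alias works: the browser sees a dotted name that matches no bypass entry and sends the request to the proxy, and the proxy (or the OS resolver) maps the name back to 127.0.0.1. When checking a real browser, look for the "bypass proxy server for local addresses" or "No proxy for" setting; note that current Firefox releases refuse to proxy localhost regardless of that list unless the `network.proxy.allow_hijacking_localhost` preference is enabled, so an empty bypass list alone is not always enough.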
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.