
308 Permanent Redirect from http to https not working with HUD enabled #834

hmolsen opened this issue Nov 5, 2020 · 11 comments

@hmolsen

hmolsen commented Nov 5, 2020

Describe the bug
When navigating to an HTTPS website via the preconfigured browser with ZAP HUD enabled, zaproxy first issues an HTTP request to the page and follows the redirects to https. When a server redirects to HTTPS via 308 Permanent Redirect, ZAP fails to follow this redirect, leading to an error displayed in the browser. In Firefox this would be:

The page isn’t redirecting properly

An error occurred during a connection to example-redirecting-page.de.

This problem can sometimes be caused by disabling or refusing to accept cookies.

To Reproduce
Steps to reproduce the behavior:

  1. Make sure to have the HUD enabled
  2. Open the preconfigured Firefox browser
  3. Type a URL into the address bar which you want to reach via HTTPS, e.g., https://example.com
  4. The above error occurs.

Expected behavior
When you open https://google.de via the address bar in a preconfigured, HUD-enabled browser launched from zaproxy, the following happens:

  1. preconfigured Firefox requests from zaproxy: GET https://google.de
  2. zaproxy requests: GET http://google.de
  3. Google responds: 301 Moved Permanently, Location: http://www.google.de
  4. zaproxy redirects and requests: GET http://www.google.de
  5. Google responds: 302 Found, Location: https://www.google.de/?gws_rd=ssl
  6. zaproxy redirects and requests: GET https://www.google.de/?gws_rd=ssl
  7. zaproxy responds to preconfigured Firefox: 200 OK

So I assume 301 and 302 redirects work, but I do not really understand why the first request from zaproxy to Google (2.) is GET http, when the preconfigured browser explicitly asks for https. I assume that this is likely somehow coupled with the https upgrade to http hosts when using the HUD.
But if a server responds with a 308 Permanent Redirect, ZAP fails to follow this redirect, leading to the above described error.

Screenshots

Software versions

  • ZAP: 2.9.0
  • Add-on: I guess none that matters
  • OS: kali 2020.3
  • Java: openjdk version "11.0.7-ea" 2020-04-14
  • Browser: firefox quantum 68.10.0esr (64-bit)

Errors from the zap.log file

Additional context

Would you like to help fix this issue?

@psiinon psiinon transferred this issue from zaproxy/zaproxy Nov 5, 2020
@psiinon
Member

psiinon commented Nov 5, 2020

That's weird - ZAP should not be requesting http://google.de/
Will need to investigate...

@hmolsen
Author

hmolsen commented Nov 5, 2020

> That's weird - ZAP should not be requesting http://google.de/
> Will need to investigate...

Thanks, Simon, for the quick reply!
I used the Kali 2020.3 VirtualBox 64bit image from Offensive Security, nothing further installed. Booted the freshly imported machine and started ZAP.

@psiinon
Member

psiinon commented Nov 5, 2020

If you're having problems, always do a ZAP check-for-updates and install any new versions of add-ons.
Although in this case I suspect it won't help...

@hmolsen
Author

hmolsen commented Nov 5, 2020

> If you're having problems, always do a ZAP check-for-updates and install any new versions of add-ons.
> Although in this case I suspect it won't help...

Hi, sorry, sure. I did both. ZAP and all plugins are fully up-to-date. Fails in both.

@dvarrazzo

I am hitting the problem too, which makes Zap unsuitable for our use :(

@kingthorin
Member

@dvarrazzo Can you confirm that it behaves as expected with HUD disabled?

@dvarrazzo

I am new to the tool and not aware of what HUD is.

What I have done is:

  1. Run ZAP in Docker using:

     docker run --rm -u zap -p 8080:8080 -p 8090:8090 --name zap -v `pwd`:/zap/wrk/:rw -i owasp/zap2docker-stable zap-webswing.sh

  2. Configured a Firefox session to use localhost:8090 as HTTP/HTTPS proxy, imported the certificate
  3. Open a URL https://...
  4. Experience that the requests performed go instead to http with a 308 redirect to https, in a loop

In point 3, opening either an http or an https URL results in a loop of http requests; no https request is performed.

Opening an http page resulting in a 302 redirect works fine.

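To make the two reproductions above concrete (hmolsen's expected 301/302 chain and dvarrazzo's 308 loop), here is an added example that is not code from ZAP or the HUD. It models a browser behind a toy proxy. The proxy's two behaviours are taken from what the reporters observed, namely that the first outbound request is sent over http and that only some redirect statuses are followed; that is an assumption about the symptom, not a description of how ZAP is implemented. The origin responses are constructed from the chain in the issue, and the example-redirecting-page.de host is the hypothetical one from the report.

```python
"""Model of the redirect chains described in this issue (added example)."""
from urllib.parse import urljoin

# Statuses a browser treats as redirects (RFC 7231/7538).
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed origin behaviour: URL -> (status, Location header or None).
ORIGIN = {
    # Chain taken from the issue's "Expected behavior" section.
    "http://google.de/": (301, "http://www.google.de/"),
    "http://www.google.de/": (302, "https://www.google.de/?gws_rd=ssl"),
    "https://www.google.de/?gws_rd=ssl": (200, None),
    # Hypothetical host that upgrades with 308, as in the bug report.
    "http://example-redirecting-page.de/": (308, "https://example-redirecting-page.de/"),
    "https://example-redirecting-page.de/": (200, None),
}


def origin_fetch(url):
    """Return (status, location) for a URL, 404 for anything unknown."""
    return ORIGIN.get(url, (404, None))


def downgrade(url):
    """Assumption from the report: the proxy's first hop goes out over http."""
    if url.startswith("https://"):
        return "http://" + url[len("https://"):]
    return url


def proxy_fetch(url, followed_statuses, max_hops=10):
    """Toy proxy: downgrades the first hop and follows only the statuses in
    followed_statuses.  Returns (status, location, chain of URLs requested)."""
    current = downgrade(url)
    chain = [current]
    for _ in range(max_hops):
        status, location = origin_fetch(current)
        if status in followed_statuses and location:
            current = urljoin(current, location)
            chain.append(current)
            continue
        # Anything not followed is handed back to the browser as-is.
        return status, location, chain
    raise RuntimeError("proxy exceeded max hops")


def browser_fetch(url, proxy, max_redirects=20):
    """Browser side: follows every redirect the proxy hands back and reports a
    loop when a URL repeats, which is what Firefox shows as
    'The page isn't redirecting properly'."""
    seen = set()
    current = url
    chain = []
    for _ in range(max_redirects):
        if current in seen:
            return {"result": "redirect_loop", "url": current, "chain": chain}
        seen.add(current)
        status, location, chain = proxy(current)
        if status in REDIRECT_STATUSES and location:
            current = urljoin(current, location)
            continue
        result = "ok" if status == 200 else "error"
        return {"result": result, "status": status, "url": current, "chain": chain}
    return {"result": "too_many_redirects", "url": current, "chain": chain}


def run(url, followed_statuses):
    """Drive the browser through a proxy that follows the given statuses."""
    return browser_fetch(url, lambda u: proxy_fetch(u, followed_statuses))


if __name__ == "__main__":
    # 301/302 chain from the issue: resolves even though hop 1 is http.
    print(run("https://google.de/", {301, 302}))
    # 308 host with a proxy that ignores 308: browser sees the same URL again.
    print(run("https://example-redirecting-page.de/", {301, 302}))
    # Same host once 308 is treated as a redirect: resolves.
    print(run("https://example-redirecting-page.de/", {301, 302, 308}))
```

The loop arises because the proxy sends 308 back to the browser, the browser follows it to the https URL it had already asked for, and the proxy downgrades that request to http again. Adding 308 (and 307, which is the temporary counterpart) to the followed set breaks the cycle in this model; in a real check you would watch the proxy's history for a repeated http request to the same host after an https request from the browser.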
@dvarrazzo

Heads up: upgrading the plug-ins seems to work.

@psiinon
Member

psiinon commented Jun 29, 2022

Well, that is the first recommendation on the first FAQ ;) https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/

@kingthorin
Member

Thanks for letting us know.

@dvarrazzo

> Well, that is the first recommendation on the first FAQ ;) https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/

You are right. I apologise for the noise. However, this issue has been open for almost 2 years: it might be advisable that whatever needs updating is updated out of the box.

Labels
None yet
Development

No branches or pull requests

4 participants