[OWASP-Bangalore] Burp - ZAP proxy chain

Sagar Belure sagar.belure at gmail.com
Thu Nov 20 08:02:06 UTC 2014


Hi,


On Wed, Nov 19, 2014 at 8:12 PM, Akash <akashmahajan at gmail.com> wrote:

> Do you have any logs on ZAP when this fails?
>

Not sure where I can see logs for ZAP, but the 'History' tab does not reflect
anything.


>
> Also do you get any status code in the browser when this happens?
>

When I check the response headers for "The connection was interrupted" in
Firefox, it gives the response headers of 'about:neterror' and not from
ZAP/Burp/web server.


>
> On 19 November 2014 20:09, Sagar Belure <sagar.belure at gmail.com> wrote:
>
>> Hello all,
>>
>> First, to start with an introduction, my name is Sagar Belure, a security
>> professional, Windows/Linux admin, open source enthusiast. I mostly work on
>> the Web/Network side of information security. A beginner in the Digital
>> Forensics world of the information security domain.
>>
>> All right, going with query -
>> I have configured proxy chains in the following way -
>> Web server -> Burp -> ZAP -> web browser
>>
>> This works perfectly fine for non-SSL traffic if I configure an upstream
>> proxy in ZAP, pointing to Burp running on a different system.
>> 1. I tried checking "Enable unsafe SSL/TLS negotiation" under Tools
>> -> Options -> Certificate in ZAP, with no luck.
>> 2. Also tried importing the Burp certificate into ZAP, again no luck.
>>
>> Is there any way ZAP (or IronWASP) could be configured to upstream proxy
>> with an SSL connection?
>>
>> The error I get in Firefox - "The connection was interrupted".
>>
>> PS: Q. Why do I want to do that? Ans: There are a few reasons. The primary
>> and important one being to route my traffic from my home network to the
>> target network. Burp and ZAP are running on two separate systems. And then
>> there are some other reasons too.
>>
>> Regards,
>> Sagar Belure
>> sagar.belure.com | blog.belure.com
>> @sagarbelure
>>
>> _______________________________________________
>> OWASP-Bangalore mailing list
>> OWASP-Bangalore at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>> Twitter : @owaspbangalore
>>
>>
>
>
> --
> Warm regards,
> Akash Mahajan
>
> *That Web Application Security Guy* | +91 99 805 271 82
> akashm.com | *@makash* on twitter | linkd.in/webappsecguy
> *OWASP Bangalore Chapter Lead | null Community Manager*
>
>
Regards,
Sagar Belure