[OWASP-Bangalore] Burp - ZAP proxy chain

Marudhamaran Gunasekaran gmaran23 at gmail.com
Thu Nov 20 09:20:24 UTC 2014


*Default logging location for ZAP*
%userprofile%\OWASP ZAP\zap.log if you are on Windows. ~/.ZAP\zap.log on
Linux.

On Thu, Nov 20, 2014 at 1:32 PM, Sagar Belure <sagar.belure at gmail.com>
wrote:

> Hi,
>
>
> On Wed, Nov 19, 2014 at 8:12 PM, Akash <akashmahajan at gmail.com> wrote:
>
>> Do you have any logs on ZAP when this fails?
>>
>
> Not sure where I can see logs for ZAP. But the 'History' tab does not reflect
> anything.
>
>
>>
>> Also do you get any status code in the browser when this happens?
>>
>
> When I check the response headers for "The connection was interrupted" in
> Firefox, it gives response headers of 'about:neterror' and not from
> ZAP/Burp/web server.
>
>
>>
>> On 19 November 2014 20:09, Sagar Belure <sagar.belure at gmail.com> wrote:
>>
>>> Hello all,
>>>
>>> First, to start with an introduction, my name is Sagar Belure, a security
>>> professional, Windows/Linux admin, open source enthusiast. I mostly work on
>>> the Web/Network side of information security. A beginner in the Digital
>>> Forensics world of the information security domain.
>>>
>>> All right, going on to the query -
>>> I have configured proxy chains in the following way -
>>> Web server -> Burp -> ZAP -> web browser
>>>
>>> This works perfectly fine for non-SSL traffic, if I configure an upstream
>>> proxy in ZAP, pointing to Burp running on a different system.
>>> 1. I tried checking "Enable unsafe SSL/TLS negotiation" under Tools
>>> -> Options -> Certificate in ZAP, with no luck.
>>> 2. Also tried importing the Burp certificate into ZAP, again no luck.
>>>
>>> Is there any way ZAP (or IronWASP) could be configured to use an upstream
>>> proxy with an SSL connection?
>>>
>>> The error I get in Firefox - "The connection was interrupted".
>>>
>>> PS: Q. Why do I want to do that? Ans: There are a few reasons. The primary
>>> and important one being to route my traffic from my home network to the target
>>> network. Burp and ZAP are running on two separate systems. And then there
>>> are some other reasons too.
>>>
>>> Regards,
>>> Sagar Belure
>>> sagar.belure.com | blog.belure.com
>>> @sagarbelure
>>>
>>> _______________________________________________
>>> OWASP-Bangalore mailing list
>>> OWASP-Bangalore at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>>> Twitter : @owaspbangalore
>>>
>>>
>>
>>
>> --
>> Warm regards,
>> Akash Mahajan
>>
>> *That Web Application Security Guy* | +91 99 805 271 82
>> akashm.com | *@makash* on twitter | linkd.in/webappsecguy
>> *OWASP Bangalore Chapter Lead | null Community Manager*
>>
>>
> Regards,
> Sagar Belure
>
>