Direct AJAX calls not getting upgraded to https #530

Closed
psiinon opened this issue Jun 27, 2019 · 11 comments · Fixed by #531
Comments

@psiinon
Member

psiinon commented Jun 27, 2019

As per https://groups.google.com/d/msg/zaproxy-users/byxt8JvbkZU/PNd6ASRBBAAJ

This could cause problems with lots of modern web apps, so we should investigate this asap.

@psiinon psiinon added the bug label Jun 27, 2019
@psiinon
Member Author

psiinon commented Jun 27, 2019

Note: we have tested with JuiceShop locally and that seems to work well.
But it could be that that's using relative paths, we should test with apps that use absolute paths, including the http:// part ...

@psiinon
Member Author

psiinon commented Jun 27, 2019

Tried a very simple test locally, and when the ajax call specified the http url then the app failed when the HUD was enabled with: Blocked loading mixed active content “http://localhost:8080/bodgeit/tests/ajax_info.txt”

@psiinon
Member Author

psiinon commented Jun 27, 2019

One option would be to replace all of the http:// strings with https:// ones for the domains that we know we have upgraded.
Would a simple global search and replace on the body work in most cases?

@thc202
Member

thc202 commented Jun 27, 2019

We would have to replace in "all" files (e.g. JavaScript). HSTS would be better as we wouldn't need to manually change the schemes (assuming the target is the same).
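The distinction drawn above between relative AJAX paths (which keep working under the HUD's https upgrade) and hardcoded absolute http:// URLs (which the browser blocks as mixed active content), together with the host-scoped search-and-replace idea, as an added example that is not part of the ZAP HUD project or of any comment in this thread. It assumes Node.js (for the global URL class), a constructed set of upgraded host:port values and a constructed sample response body; the helper names isBlockedMixedContent and upgradeSchemes are my own.

```javascript
// Added example, not ZAP HUD code. Shows (1) why a relative AJAX path works
// under an https upgrade while a hardcoded http:// URL is blocked as mixed
// active content, and (2) an http:// -> https:// body rewrite limited to the
// hosts the proxy is known to have upgraded.

// Assumption: the host[:port] values the proxy has upgraded to https.
const UPGRADED_HOSTS = new Set(["localhost:8080"]);

// A page served over https that loads a script/XHR over http is blocked by the
// browser ("Blocked loading mixed active content"). Relative URLs resolve
// against the page's origin and so inherit https; absolute http:// URLs do not.
function isBlockedMixedContent(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl, page); // relative paths resolve against the page
  return page.protocol === "https:" && target.protocol === "http:";
}

// Absolute http:// origin: host name or IPv4 literal, optional port. The
// leading \b stops "xhttp://" from matching; "https://" never matches because
// of the "s" before the colon. Case-insensitive, as scheme and host are.
const HTTP_ORIGIN_RE = /\bhttp:\/\/([a-z0-9.-]+(?::\d{1,5})?)/gi;

// Rewrite http:// to https:// only for origins in upgradedHosts. Third-party
// hosts, already-https URLs and relative paths are left untouched, so the
// rewrite cannot break resources the proxy does not front.
function upgradeSchemes(body, upgradedHosts) {
  let count = 0;
  const rewritten = body.replace(HTTP_ORIGIN_RE, (match, hostPort) => {
    if (upgradedHosts.has(hostPort.toLowerCase())) {
      count += 1;
      return "https://" + hostPort;
    }
    return match;
  });
  return { body: rewritten, count };
}

// Constructed sample response body: a JavaScript snippet a web app might serve.
const SAMPLE_BODY = [
  'var xhr = new XMLHttpRequest();',
  'xhr.open("GET", "http://localhost:8080/bodgeit/tests/ajax_info.txt");',
  'var rel = "tests/ajax_info.txt";',
  'var cdn = "http://cdn.other.test/lib.js";',
  'var ok = "https://localhost:8080/bodgeit/";',
].join("\n");

function demo() {
  const page = "https://localhost:8080/bodgeit/index.jsp";
  return {
    relativeBlocked: isBlockedMixedContent(page, "tests/ajax_info.txt"), // false
    absoluteBlocked: isBlockedMixedContent(
      page, "http://localhost:8080/bodgeit/tests/ajax_info.txt"), // true
    rewrite: upgradeSchemes(SAMPLE_BODY, UPGRADED_HOSTS), // count: 1
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The rewrite only covers bodies the proxy actually sees and URLs that appear literally in them; a URL assembled at runtime from string fragments escapes it, which is one reason an HSTS-style upgrade that needs no body changes is attractive, with the trade-off discussed further down the thread.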

@psiinon
Member Author

psiinon commented Jun 27, 2019

Oooh, I like that idea :)
I'll give it a try...

@thc202
Member

thc202 commented Jun 27, 2019

That has its problems too, like forcing to HTTPS even if you are no longer proxying through ZAP (it would be fine with launched browsers).

@wonboyn

wonboyn commented Jun 28, 2019

Hi @psiinon

The specific error I get in the browser console is:
"Blocked loading mixed active content..."

The error is happening on the page used for authentication when a Javascript library loaded on the page attempts to make a call to the server as part of the page load.

@psiinon
Member Author

psiinon commented Jun 28, 2019

Thanks @wonboyn - is the http:// server URL hardcoded in the HTML? If so then we have a plan that should fix that...

@ejayaraman

Hello Simon, I am also noticing this issue. I am running a scala-play microservice locally. We have configured Chrome browser in our selenium tests to proxy through ZAP. In ZAP 2.8.0, with HUD (0.4.0) enabled, request to localhost is converted to https and fails to load the page with the below message on the browser:

This site can’t provide a secure connection localhost sent an invalid response. ERR_SSL_PROTOCOL_ERROR.

When I disable HUD, the page is loaded (with http being the protocol).

But if I launch the browser from ZAP UI, with HUD enabled, the page is loaded even with https.

I can see a fix has been merged in 0.5.0. Do you think this issue would get resolved with the above fix?

Thanks.

@psiinon
Member Author

psiinon commented Jul 2, 2019

@ejayaraman I would recommend disabling the HUD with your selenium tests. The HUD is designed to help manual testing and could well interfere with automated tests, which is why the HUD is disabled by default when ZAP is run in daemon mode.
If it works when using browsers launched by ZAP but not when you use another browser then this fix is unlikely to help. It's more likely that there's a configuration issue with your browser.

@ejayaraman

Thanks Simon. That helps.

4 participants