I'm trying to use OWASP ZAP to proxy a connection to a website that I maintain. However, although the proxying is working for other sites (both HTTPS and HTTP), connections to the one I actually want to analyse just return a 502 - Bad Gateway message with the following text:
ZAP Error [java.net.ConnectException]: Connection refused: connect
Stack Trace:
java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.<init>(Unknown Source)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
at org.parosproxy.paros.network.DecoratedSocketsSslSocketFactory.createSocket(Unknown Source)
at org.parosproxy.paros.network.SSLConnector.createSocket(Unknown Source)
at org.apache.commons.httpclient.HttpConnection.open(Unknown Source)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
The URL I'm requesting via the browser works fine when not proxied through OWASP ZAP, and the request headers captured by ZAP also work fine when copied and pasted as Raw into a Fiddler request; these are as below:
GET https://nottellingyou.net/ HTTP/1.1
Host: nottellingyou.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Just for information,
1.) There is no proxy chain set in ZAP, or elsewhere on my PC / Browser / Fiddler settings.
2.) ZAP Proxy is running at the default address localhost:8080
3.) ZAP Dynamic Certificate has been saved and imported into the test browser (Firefox Developer Edition)
Given that ZAP is working for other sites, I'm at a brick wall as to what might be wrong here. Can anyone help?
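As an added illustration, not part of the original question, this is the side-by-side check a practitioner would run before suspecting the network: fetch the URL directly and through ZAP's listener, and recognise ZAP's own ConnectException page so that a 502 generated by the proxy itself is not mistaken for one returned by the origin. The proxy address (ZAP's default localhost:8080), the CA file path and the target URL are assumptions.

```python
"""Compare a direct fetch with the same fetch routed through a local ZAP listener.

Constructed example, not code from the original post. The 502 body ZAP returns
when it cannot open a TCP connection to the target starts with the marker below.
"""
import ssl
import urllib.error
import urllib.request

# Exact prefix of the error page quoted in the question.
ZAP_ERROR_MARKER = "ZAP Error [java.net.ConnectException]"


def classify(status, body):
    """Label a response observed through the proxy.

    'zap_upstream_refused' : 502 carrying ZAP's ConnectException page, i.e. the
                             proxy process itself was refused by the target host
                             (or a middlebox in front of it); the browser never
                             got that far.
    'upstream_error'       : a 5xx that the origin actually produced.
    'no_response'          : the client could not even talk to the proxy/origin.
    'ok'                   : the origin answered with a non-5xx status.
    """
    if status is None:
        return "no_response"
    if status == 502 and ZAP_ERROR_MARKER in body:
        return "zap_upstream_refused"
    if 500 <= status < 600:
        return "upstream_error"
    return "ok"


def fetch(url, proxy=None, cafile=None, timeout=10):
    """Return (status, body); status is None when no HTTP response came back.

    cafile: path to ZAP's exported dynamic CA certificate (assumed path), needed
    so the TLS session terminated by ZAP verifies instead of failing locally.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # An empty proxy map disables environment proxies for the direct fetch.
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler(proxies), urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # non-2xx still carries a body
        return e.code, e.read().decode("utf-8", "replace")
    except urllib.error.URLError as e:   # TCP/TLS failure before any response
        return None, str(e.reason)


def compare(url, proxy="http://127.0.0.1:8080", cafile=None):
    """Direct status vs. proxied status, plus a verdict on the proxied result."""
    direct_status, _ = fetch(url)
    proxied_status, proxied_body = fetch(url, proxy=proxy, cafile=cafile)
    return {"direct": direct_status, "via_proxy": proxied_status,
            "verdict": classify(proxied_status, proxied_body)}
```

If `direct` is 200 while the verdict is `zap_upstream_refused`, the refusal is specific to connections originating from the ZAP process, which is what the stack trace above (a plain TCP connect failure inside the proxy thread) already suggests.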
I've found a workable solution by accident.
As I wasn't sure if the request I was seeing in ZAP was the request it received from the browser or the request it forwarded on (or both), I wasn't sure if my checking that the request was working in Fiddler was a valid test.
So I set ZAP to forward all its requests to Fiddler on the same machine so I could be sure of exactly what was being sent out.
As soon as I did this, I was able to access the website, and record the requests / responses in both Fiddler and ZAP.
Based on this I'm going to go with Psiinon's suggestion that somewhere along the chain requests from ZAP are being blocked by some security / Firewall rules. Being as I have no control over these and struggle to get anything other than vague grunts out of the networking guys I'm going to carry on with my workable solution.