Allow to override the target host of an HTTP request #1318

Open
zapbot opened this Issue Jun 4, 2015 · 9 comments

zapbot commented Jun 4, 2015

Zap appears to use the host header to work out which IP to send the request to, so altering
it triggers an error:

For example, trying to send the following request to 192.168.1.73 via org.parosproxy.paros.network.HttpMessage
and paros.network.HttpRequestHeader:

GET /joomla/?foo=bar&cachebust=1405888831.78 HTTP/1.1
Host: ndz27s.192.168.1.73
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: tz_offset=3600; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada; d5a4bd280a324d2ac98eb2c0fe58b9e0=ahufhedqrq6atgh9lp81ogg3p6
Referer: http://192.168.1.73/
DNT: 1
Connection: keep-alive
Cache-Control: no-cache

triggers the following error:

javax.script.ScriptException: java.net.UnknownHostException:  java.net.UnknownHostException: ndz27s.192.168.1.73 in <script> at line number 58

The relevant Jython code looks roughly like:
headers = org.parosproxy.paros.network.HttpRequestHeader(headers_shown_above)
attack = org.parosproxy.paros.network.HttpMessage(headers, body)
as_helper.sendAndReceive(attack, True, True)


From my perspective I think a setRemoteAddr() method on org.parosproxy.paros.network.HttpMessage
would be a solid solution.

Original issue reported on code.google.com by albinowax on 2014-08-18 18:08:39
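
The decoupling requested above, as an added example that is not part of the original issue and not ZAP code: a client that takes the connection target from explicit arguments and sends the Host header verbatim, run against a local demo server that rejects Host values outside an allowlist. It uses Python's standard `http.client` rather than the ZAP API; `send_with_host`, `HostCheckingHandler`, `run_demo` and the hostname `app.example.test` are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"app.example.test"}  # constructed allowlist for the demo server

class HostCheckingHandler(BaseHTTPRequestHandler):
    """Demo origin: answers 400 when the Host header is not allowlisted."""
    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        status = 200 if host in ALLOWED_HOSTS else 400
        body = ("host=%s\n" % host).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def send_with_host(target_ip, target_port, host_header, path="/"):
    """Connect to target_ip:target_port and send host_header unchanged.

    The socket destination comes only from target_ip/target_port; the Host
    value is never resolved, so an unresolvable name cannot abort the send.
    """
    conn = http.client.HTTPConnection(target_ip, target_port, timeout=5)
    try:
        conn.putrequest("GET", path, skip_host=True)  # suppress the automatic Host
        conn.putheader("Host", host_header)
        conn.endheaders()
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()

def run_demo():
    """Start the demo server on a free loopback port and probe it twice."""
    server = HTTPServer(("127.0.0.1", 0), HostCheckingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    ip, port = server.server_address
    try:
        return {
            "allowed": send_with_host(ip, port, "app.example.test"),
            "unknown": send_with_host(ip, port, "ndz27s.192.168.1.73"),
        }
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

The second probe reuses the Host value from the report: it reaches the server because the target address is given separately, and the server's allowlist check answers it with 400.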

zapbot commented Jun 4, 2015

Further discussion/context:
https://groups.google.com/forum/#!topic/zaproxy-develop/PPLWTAiOUB8

Original issue reported on code.google.com by kingthorin on 2014-08-18 19:57:11

zapbot commented Jun 4, 2015

(No text was entered with this change)

Original issue reported on code.google.com by THC202 on 2014-08-18 21:56:21

  • Labels added: Type-Enhancement
  • Labels removed: Type-Defect

zapbot commented Jun 4, 2015

Issue #977 has been merged into this issue.

Original issue reported on code.google.com by kingthorin on 2014-08-21 12:09:44

@thc202 thc202 assigned thc202 and unassigned zaproxy Apr 20, 2016

jx6f added a commit to jx6f/zaproxy that referenced this issue Oct 18, 2016

@thc202 thc202 added this to the 2.7.0 milestone Aug 11, 2017

kingthorin commented Aug 14, 2017

Good example of why this might be important:
$10k Host Header

amitwer commented Apr 18, 2018

Not sure how to upvote this one, but it took me way too long to even notice ZAP was auto-correcting the host header \ url relations for me.

psiinon commented Apr 18, 2018

That comment will do - the more people who ping us on the status of an issue the more we appreciate how important those issues are.
You can also vote on issues here: https://www.bountysource.com/teams/zap/issues but not many people do. Maybe I should ping the ZAP groups to remind people...

redfast00 commented Jul 22, 2018

I'd love to develop a ZAP plugin that implements the attacks described in https://portswigger.net/blog/cracking-the-lens-targeting-https-hidden-attack-surface, but in the article, this issue is linked as preventing that.

phosphore commented Oct 30, 2018

How come this is still unfixed? :(

kingthorin commented Oct 30, 2018

Because it's non-trivial to fix and this is an open source project with only part-time developers and limited resources.

  • We're open to contributions from the community.
  • You can vote things up or post bounties on particular issues via Bounty Source.
  • You can join OWASP and send funds to the project.
  • You can leverage the donate button on the OWASP ZAP project page (which we can use for student code events: GSoC, Winter of Security, Spring of Code, etc).

@psiinon psiinon modified the milestones: 2.8.0, 2.9.0 Dec 10, 2018
