OWASP Zaproxy cannot attack URL if it begins with https - owasp

I am using the OWASP ZAP Tool (version 2.4.2). The problem is that if I choose to attack URLs that use https, it always says "Failed to Attack URL". It works fine if the URL I enter is not https.
How can I enable it to work with https?

We have a FAQ for that :)
https://github.com/zaproxy/zaproxy/wiki/FAQquickScanFailed
Simon (ZAP Project Lead)

Related

https problem while implementing Facebook login on localhost in development mode

I am developing a web app which will manage user page posts etc.
My app in the Facebook developer console is in development mode, but when I try to log in on http://localhost it gives an error that Facebook login does not allow http and that I have to use the https protocol.
Is there any solution to test Facebook login on localhost with http? Or
any idea how to convert http to https on localhost?
I tried ngrok, which converted http to https, but the Facebook developer console said it was a suspicious-looking link and refused to accept it.
I am using an npm package, react-facebook-login.
I will shift to pure Facebook SDK code if that will solve the problem.
This is a solution I found for create-react-app. https://create-react-app.dev/docs/using-https-in-development/
Make sure you use the right terminal and it works. For instance, I started the dev server from the cmd line (set HTTPS=true&&npm start).
The downside is that you will still get "not secure" warnings in the browser, but the errors from FB.login or similar from the Facebook login packages went away. Hope it helps.

http to https redirect via application load balancer not working in iPhone Safari

We are doing a redirect from http to https on our AWS application load balancer that works great in most browsers, but doesn't work in Safari on an iPhone. The redirect is implemented as outlined here: https://www.fischco.org/technica/2018/aws-alb-redirects/
In Safari, our site works perfectly on an iPhone when you load it via https, but when you don't include a protocol or use http, it says "Safari could not open the page because the server stopped responding."
Any ideas on how to fix this without doing client-side redirection?
This seems to be an Apache bug (https://bz.apache.org/bugzilla/show_bug.cgi?id=59311), for which a solution can be found here: https://serverfault.com/questions/937253/https-doesnt-work-with-safari (check out Steffen Ullrich's answer and the comments)
TL;DR:
Add this to your host config
Header unset Upgrade
Or alternatively, add this to your .htaccess file (see "Disable Apache http2 announce via htaccess")
Header edit Upgrade (.*)h2,h2c(.*) "$1$2"
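To make the workaround concrete, here is an added Python check (not from any of the posts above, and not Apache's own logic): it parses a constructed HTTP response head, reports whether the server advertises an HTTP/2 upgrade in the Upgrade header (the header the linked Apache bug concerns), and emulates the .htaccess Header edit rule so you can see what remains. The sample responses, the example.invalid host, and the choice to drop an emptied Upgrade header are assumptions of this demo.

```python
import re

# Constructed sample response heads (not real captures) for an Apache-fronted
# site: one advertising HTTP/2 via the Upgrade header, one without it.
RESPONSE_WITH_UPGRADE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache\r\n"
    "Location: https://example.invalid/\r\n"
    "Upgrade: h2,h2c\r\n"
    "Connection: Upgrade\r\n"
    "\r\n"
)
RESPONSE_CLEAN = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache\r\n"
    "Location: https://example.invalid/\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Split a raw response head into (name, value) pairs, skipping the status line."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs

def advertises_h2_upgrade(raw):
    """True if an Upgrade header offers h2/h2c: the condition behind the Safari failure."""
    for name, value in parse_headers(raw):
        if name.lower() == "upgrade":
            tokens = {t.strip().lower() for t in value.split(",")}
            if tokens & {"h2", "h2c"}:
                return True
    return False

# Apache's rule writes backreferences as $1$2; Python's re.sub uses \1\2.
UPGRADE_EDIT = re.compile(r"(.*)h2,h2c(.*)")

def apply_header_edit(raw):
    """Emulate the .htaccess rule: strip 'h2,h2c' from Upgrade values.
    Demo assumption: an Upgrade header left empty is dropped entirely."""
    edited = []
    for name, value in parse_headers(raw):
        if name.lower() == "upgrade":
            value = UPGRADE_EDIT.sub(r"\1\2", value).strip(" ,")
            if not value:
                continue
        edited.append((name, value))
    return edited
```

Run advertises_h2_upgrade against a captured response head from your own server to confirm whether the Upgrade header is present before and after applying the config change.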

Troubleshooting IE 9 SSL certificate error

I have a Facebook canvas app that calls various external files over https. When loading FB over http and then navigating to the app, I get the message "Internet Explorer blocked this website from displaying content with security certificate errors."
I realize there could be any number of culprits in a mixed environment, but how do I best troubleshoot the specific request(s) that trigger the error? The IE dev tools don't provide a clue, as the error is not reported in the network or console tab. When I view the same page in Chrome, I get no SSL error, so I can't find a clue there.
Essentially what I've done so far is to proceed by clicking "show content", logging all the https requests in Charles, then trying them all individually in IE to see if any trigger the error out of context.
thanks
The F12 Tools Console typically will show the exact source of an HTTPS error, as will the Fiddler Web Debugger. Is there a repro URL we could look at?
Do you have Fiddler or HttpWatch to figure out whether the request is being forwarded to another secured (https) URL?

Facebook update: How to provide an SSL certificate

You must provide an SSL certificate in the Dev App settings to avoid having your app disabled.
https://developers.facebook.com/roadmap/
Do I have to upload my certificates anywhere? Where?
You need to add your certificate to your web server.
For more information about installing certificates, visit this link: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO16226
Find out what kind of web server you're using and follow the instructions. You may need to contact your web hosting administrator for help.
Once the certificate is installed on your web server, you need to enter the https URL in the dev app settings; I believe it's called "Secure Canvas URL". That's all that Facebook requires of you.

Using Eclipse Update Sites after SSL redirect

Recently I've set up the ClearCase Remote Client (an eclipse plugin) to work through SSL, so instead of an http URL, it follows an https URL.
However, this breaks the access to the Update Site, returning an error that the site has a "Premature End of File" error.
My question(s) are these:
Is there a problem with Eclipse accessing Update Sites that have been reached through a redirect rule?
or
Is there a problem accessing Eclipse Update Sites through a SSL connection?
Any tips or anecdotes would be awesome!
EDIT : The link works via the browser, in terms of a redirect, but not in Eclipse when I attempt to access the same directory via the Update Site tool.
It seems to be a known issue for other plugins as well
What does the "description site" look like in your Eclipse p2 configuration? Does it include https, as in:
<description url="https://<host_name>/<update_site>/">
Project Update Site
</description>
Just to be sure, did you enable the HTTP proxy connection?
(General -> Network Connections)
Although VonC made a really valiant effort, my answer or workaround has been to configure RWP to use SSL for the CCRC Server, and simply port 80 for the Update Site, with a redirect for any users who are still pointing at the old URL.
I am still unsure why it doesn't work in Eclipse with SSL though.