
I am trying to learn how to use ZAP and am experiencing an Authentication issue.

I am running an Angular website locally (port 4200) that calls a local C# API (port 8080). The API is a Windows application running through IIS. In Chrome I am directing requests to port 8082, ZAP's port, using the SwitchySharp proxy extension, with "No proxy for: <-loopback>" to allow localhost proxying.

I serve my Angular application and can navigate to it and run it in Chrome without issue. However, in ZAP's history tab I am getting "401 Unauthorized" messages next to any GET requests to my local API server (OPTIONS requests get a 200 response, but with a 0-byte response size?).

In ZAP I have included localhost.* in the context, switched the context's authentication to NTLM (hostname=localhost:80?), added my user/pass to the context's Users, and enabled the "Forced User" icon in the top right toolbar. Spider/Scanning does not return any results, and while browsing works fine, it shows up as 401 in ZAP's history messages.

Any idea how I can scan?

1 Answer


OK, so I ended up having an issue in my proxy. Here's my setup:

ZAP Default Context

  • Authentication = HTTP/NTLM with hostname=localhost, port=80
  • Users = Add my user/pass
  • Include in context: client and API local app (http://localhost.*)

ZAP

  • Forced User is turned on (padlock clicked on top right toolbar)

Proxy Switchy

  • Profile=ZAP, Manual Config = "localhost" as HTTP Proxy, port=8082 (this is where ZAP is listening; it needs to be set up somewhere in ZAP, as well as trusting ZAP's certificate), No Proxy for "<-loopback>" (allows localhost proxying)
  • Switch Rules: "http://localhost*", Wildcard pattern, routes to the ZAP profile. This is where I messed up, as I had only routed my client app ("http://localhost:4200*"), which caused authentication issues for my API.
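The two proxy-side mistakes the answer walks through (a switch rule that only covers the client app's port, and forgetting "<-loopback>" so Chrome silently bypasses the proxy for localhost) are easy to reproduce in a small model of the routing decision. The block below is an added example, not code from ZAP, Proxy SwitchySharp or the answer's author: it models Chrome's proxy bypass semantics (loopback hosts are bypassed implicitly unless the "No Proxy for" list contains `<-loopback>`) and SwitchySharp's first-match wildcard switch rules, then routes two constructed requests mirroring the setup above (Angular on :4200, API on :8080, ZAP on :8082). A request that goes direct never reaches ZAP, so the Forced User can never authenticate it.

```python
"""Model of how a Chrome proxy-switcher profile decides whether a request
goes through ZAP or straight to the server.

Added illustration; not code from ZAP, SwitchySharp or the original poster.
Modelled behaviour:
  * Chrome bypasses loopback hosts implicitly unless the profile's bypass
    ("No Proxy for") list contains "<-loopback>"; other entries are host
    wildcards.
  * Switch rules are wildcard patterns matched against the full URL; the
    first match wins, otherwise the default (direct) profile is used.
Profile names, ports and URLs are constructed to mirror the answer.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# profile name -> proxy address (None means direct) and its bypass list
PROFILES = {
    "direct": {"proxy": None, "bypass": []},
    "ZAP": {"proxy": "localhost:8082", "bypass": ["<-loopback>"]},
    # Same proxy, but without "<-loopback>": Chrome's implicit loopback
    # bypass applies and ZAP never sees local traffic at all.
    "ZAP-no-loopback": {"proxy": "localhost:8082", "bypass": []},
}


def host_is_bypassed(url, bypass):
    """True if Chrome would skip the proxy for this URL's host."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LOOPBACK_HOSTS and "<-loopback>" not in bypass:
        return True  # Chrome's implicit loopback bypass
    # Remaining entries are host wildcards; "<...>" tokens are directives.
    return any(
        fnmatchcase(host, entry.lower())
        for entry in bypass
        if not entry.startswith("<")
    )


def select_profile(url, rules, default="direct"):
    """First switch rule whose wildcard pattern matches the full URL wins."""
    for pattern, profile in rules:
        if fnmatchcase(url, pattern):
            return profile
    return default


def route(url, rules, profiles=PROFILES):
    """Return the proxy host:port the request goes through, or None if direct."""
    profile = profiles[select_profile(url, rules)]
    if profile["proxy"] is None or host_is_bypassed(url, profile["bypass"]):
        return None
    return profile["proxy"]


# The rule the answer started with: only the Angular app is routed to ZAP.
RULES_CLIENT_ONLY = [("http://localhost:4200*", "ZAP")]
# The corrected rule: every http://localhost URL, whatever the port.
RULES_ALL_LOCALHOST = [("http://localhost*", "ZAP")]

CLIENT_URL = "http://localhost:4200/index.html"  # constructed
API_URL = "http://localhost:8080/api/items"      # constructed

if __name__ == "__main__":
    for name, rules in (("client-only rule", RULES_CLIENT_ONLY),
                        ("localhost* rule", RULES_ALL_LOCALHOST)):
        for url in (CLIENT_URL, API_URL):
            print(f"{name:17} {url:36} -> {route(url, rules) or 'direct'}")
```

With the client-only rule the API call is reported as going direct, which is exactly the traffic ZAP's Forced User cannot touch; with the `localhost*` rule both requests are sent to localhost:8082. Swapping the ZAP profile for one without `<-loopback>` sends everything direct, regardless of the switch rules.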