mozilla :: #websectools

17 Mar 2017
09:33 <rain0r> mornin
09:33 <rain0r> what's the problem with mit config when I get: Request to API URL http://localhost:28080/ with host header localhost not permitted
09:33 <rain0r> ?
09:35 <thc202> morning rain0r
09:35 <thc202> you need to add that hostname to the list of addresses permitted to access the ZAP API
09:38 <thc202> that's now the default, guess it's using older config options
09:39 <rain0r> Thanks!
09:40 <thc202> np
09:43 <rain0r> Is it possible to disable it?
09:45 <thc202> hm, not atm, we could add an option to disable it
09:45 <thc202> if you don't mind accepting everything you can add a regex instead that matches all addresses .*
09:46 <thc202> psiinon, ^
09:46 <rain0r> I would like to do that via -config parameter
09:48 <thc202> I think it's possible, need to check how to do it
09:49 <thc202> could you check which addresses do you have in the config file?
09:50 <rain0r> I have only 127.0.0.1 in the config file but can't access the api
09:52 <rain0r> I'm starting Zap with:
09:52 <rain0r> -config api.disablekey=true -config api.secure=false -config -config api.enabled=true -config view.mode=attack -config connection.proxyChain.port=28080
09:52 <rain0r> but can't access http://127.0.0.1:28080/
09:54 <rain0r> and this is the config: https://paste.hihn.org/xhfQ
09:54 <rain0r> whole config: https://paste.hihn.org/QngF
09:55 <thc202> ok, just a sec, verifying the code
09:59 <thc202> which ZAP version are you using?
10:01 <rain0r> upstream ;)
10:08 <thc202> ok, is ZAP using a new config/home dir each time is started?
10:08 <thc202> if so you could use -config api.addrs.addr.name=127.0.0.1
10:09 <thc202> (re the config you shared it's using old keys, "<ipaddrs>" was replaced with "<addrs>")
10:10 <thc202> also, there's a bug, when checking the hostname :/
10:11 <thc202> will open a PR to fix that, which will require setting one more address
10:16 <thc202> if you need to set several addresses you can use -config api.addrs.addr(0).name=127.0.0.1 -config api.addrs.addr(1).name=localhost
10:17 <thc202> (0), (1) selects the different entries, if you need another one it would be (2)
10:21 <thc202> since you are building from source you can change the method API.isPermittedIpAddr to always return true, might be easier for now
18 Mar 2017
No messages