
I've just started using Zap, and am successfully running it in Firefox and Chrome.

I'd like to use it to automatically serve its SSL cert for non-HTTPS sites as well.

So for example, I'd like it to be able to serve

http://example.com

as

https://example.com

even though example.com normally wouldn't serve an SSL cert.

This would allow me to test local development sites without ever creating a self-signed cert for them, or having to configure the cert with a webserver.

I've tried to port forward my dev port (18000) to port 443, but there's no SSL cert being served by my webserver, and the connection fails. I've also tried this with the SNI Terminator ZAP plugin with no luck, though it feels like it's super close!

Any suggestions?

Brad Parks
  • Interesting use case :) You could try using an HttpSender script to change https -> http on the request and vice versa on the response. However, I don't _think_ that will result in ZAP actually using https. You could also try injecting a [Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) header in the response and then converting that to http. It will be possible one way or another, but not sure exactly what will be required right now ;) I'll keep thinking about it ... – Simon Bennetts Jan 18 '17 at 11:40
  • @Psiinon - any more ideas on this? If not, then could you post your comment as an answer, so I could award you the points ;-) Thanks! – Brad Parks Jan 27 '17 at 14:07

1 Answer

No application can choose the communication protocol on which a client communicates. Web server communication is strictly client-driven, except for server redirects. For the client to choose HTTPS out of the two options, HTTP and HTTPS, you may install browser plugins like HTTPS Everywhere, which will seek HTTPS first even if http is entered in the browser.

SACn
  • Hey! Thanks for the feedback... This can be done using a load balancer at least, which I currently use (Apache Load Balancer that proxies http to https for any site I have generated an SSL cert for)... But I'd like to see if I could use Zap for this, as then I wouldn't have to generate certs for any sites at all, and could use Zap's dynamic SSL cert generation. – Brad Parks Jan 27 '17 at 14:07