Inspecting HTTP traffic using the OWASP Zed Attack Proxy tool

Whether I am developing or debugging a mobile application for Android or iOS with networking functionality, I often want to inspect its HTTP traffic. Even in web development there is sometimes a need to intercept and modify HTTP requests.

There are a number of tools available to intercept HTTP/HTTPS traffic. One of the most popular and best documented is probably Fiddler; that is what I used on Windows.
If you are on a Mac, you have to run Fiddler in a virtual machine or use an alternative tool.

This post is about the second option, specifically the OWASP Zed Attack Proxy (ZAP): a free, open source penetration testing tool for finding vulnerabilities in web applications that is easy to install and use.

ZAP provides a lot of functionality; here I cover only how to configure and use it as an intercepting proxy on a Mac. I also include the steps to configure Android and iPhone devices so that their HTTP traffic can be intercepted. The ZAP documentation already explains how to configure your web browser's proxy, so I am not going to repeat that.

ZAP

First, download and install ZAP, then open it. We have to generate the SSL certificate that we will later install on the mobile device (or in the web browser).
Go to Tools -> Options -> Dynamic SSL Certificates. Press the "Generate" button and then "Save" to save the generated cert file to your hard drive.

We also need to set the address and port on which ZAP will accept incoming connections. Go to Tools -> Options -> Local Proxy.
Set the address to the IP address of your Mac (binding to the Mac's address rather than localhost is what lets the mobile device reach the proxy) and the port to, let's say, 8080.

ZAP is configured now.

Android

To use an Android device with ZAP, we have to install the generated SSL certificate (see the previous step) on the device. I assume Android 4.x or later.
  • Copy the cert to your device (the Android File Transfer app for Mac can do this).
  • Go to Settings > Security > Install from device storage and select the copied cert (installing the cert requires a password or PIN screen lock to be enabled).

Now enable a proxy for your WiFi connection and enter the same IP and port on which ZAP is listening (i.e. ZAP's Local Proxy settings).

iOS

An iPhone or iPad also requires installation of the SSL certificate.
  • Install Apple Configurator on your Mac from the App Store and connect your iPhone.
  • In Apple Configurator, open Prepare/Settings and press Install Profiles.
  • On the Choose or create a profile screen, press New… and enter the name of the profile in the General tab.
  • Then go to Certificates and add the generated cert.
  • Press Save, then select the newly created profile and install it on the device by following the wizard.

Then enable a proxy for your WiFi connection, as we did for Android.

Now you should be able to see all of the requests your mobile or web app makes and all of the responses it receives.
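As an added example (not part of the original post), a small Python script that checks from the Mac that the two things configured above actually work: that ZAP answers on the Local Proxy address and port, and that the root CA we exported is the issuer of the certificates ZAP presents. The Mac's IP address and the certificate file name are assumptions; the port is the one chosen above.

```python
import http.client
import ssl

ZAP_HOST = "192.168.1.10"              # assumption: the Mac's IP set in Local Proxy
ZAP_PORT = 8080                        # the port chosen in the post
ZAP_CA_FILE = "owasp_zap_root_ca.cer"  # assumption: the file saved under Dynamic SSL Certificates


def classify_failure(exc: BaseException) -> str:
    """Map a failure to the step of the setup that needs revisiting."""
    if isinstance(exc, FileNotFoundError):
        return "ca-file-missing"       # the exported cert is not where we expect it
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-not-trusted"      # the CA file does not match what ZAP presents
    if isinstance(exc, ssl.SSLError):
        return "tls-error"             # handshake failed for another reason
    if isinstance(exc, OSError):       # connection refused, timeout, unreachable host
        return "proxy-unreachable"     # wrong address/port in Local Proxy, or ZAP not running
    return "unknown"


def check_zap_proxy(target_host: str, proxy_host: str = ZAP_HOST,
                    proxy_port: int = ZAP_PORT, ca_file: str = ZAP_CA_FILE,
                    timeout: float = 5.0) -> dict:
    """Send a HEAD request for https://target_host/ through ZAP, trusting only the ZAP root CA.

    Success means what a configured phone needs: ZAP answers on the given address
    and port, and the certificate it presents for target_host chains to the CA we
    exported (ZAP re-signs server certificates with that CA).
    """
    conn = None
    try:
        ctx = ssl.create_default_context(cafile=ca_file)   # trust the ZAP CA and nothing else
        conn = http.client.HTTPSConnection(proxy_host, proxy_port, timeout=timeout, context=ctx)
        conn.set_tunnel(target_host, 443)                  # HTTP CONNECT through the proxy
        conn.request("HEAD", "/", headers={"Host": target_host})
        status = conn.getresponse().status
        issuer = dict(rdn[0] for rdn in conn.sock.getpeercert()["issuer"])
        return {"ok": True, "status": status, "issuer_cn": issuer.get("commonName")}
    except Exception as exc:
        return {"ok": False, "reason": classify_failure(exc), "detail": str(exc)}
    finally:
        if conn is not None:
            conn.close()


if __name__ == "__main__":
    print(check_zap_proxy("example.com"))
```

A "cert-not-trusted" result with the phone's WiFi proxy pointing at the same address means the certificate step, not the proxy step, is what needs fixing.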

You can also set breakpoints, which allow you to change requests and responses on the fly.

That's it!

Comments

  1. This article is very helpful, thanks.
  2. Please check the link below to learn how to intercept an Android app using ZAP:

    https://security-testing1.blogspot.in/2017/08/how-to-intercept-android-app-using-zap.html
  3. How to intercept an Android app using ZAP
    http://techdiscussionforum.blogspot.in/2017/08/how-to-intercept-android-app-using-zap.html