I have Zed Attack Proxy (ZAP) on my machine and my browser is Firefox. When I route the browser traffic through the ZAP proxy (using FoxyProxy), if it's HTTPS traffic, Firefox says "Your connection is not secure" and that's it. I can't do anything. I can't even google when the proxy is on.

Is there a certificate I need to install on ZAP or can I circumvent that?

Anders
Jason Krs

2 Answers

ZAP creates certificates, on the fly, in the name of the site Firefox is going to.

Firefox is saying "I don't trust the CA that signed this cert", which is reasonable, because it's a MITM by an unapproved certificate authority.

You need to import Zap's signing certificate into Firefox's Trusted Roots Certificate Store. If you Google "zap install certificate" you get lots of links to do so:

To quote the first link:

  1. Open up OWASP ZAP, go to Tools -> Options

  2. In the Dynamic SSL Certificates*, click on Generate if you don't see a certificate, else, Save the certificate in some location comfortable to you like your home folder.

...and then import it into your browser, using whatever process is appropriate, and which varies from browser to browser. Should look something like this:

ZAP Certificate

*In version 2.5.0. Earlier versions may be just named Certificates.

gowenfawr

There's a core help for that, even has Firefox specific info (along with others): https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert#mozilla-firefox

After you've exported and saved ZAP's CA cert:

Firefox is using its own certificate store. That's why you have to import it twice when you're using both browsers on Windows. Installation and later on validation is done in the same preferences dialog:

  1. Go to Preferences
  2. Tab Advanced
  3. Tab Cryptography/Certificates
  4. Click View certificates
  5. Click tab Trusted root certificates
  6. Click Import and choose the saved owasp_zap_root_ca.cer file
  7. In the wizard choose to trust this certificate to identify web sites (check on the boxes)
  8. Finalize the wizard

I've also encountered circumstances where I've previously visited a site in Firefox, then when I try to visit it while proxying through ZAP it won't allow me to add an exception. In general this can be worked around by hitting Ctrl-Shift-Del and clearing cache, cookies, and site preferences for things visited in the past hour (since you just visited it), and then reloading (which should then allow you to set the exception).

kingthorin
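The import both answers describe, scripted for a single dedicated Firefox profile on Linux so that your everyday profiles never trust the proxy CA. This is an added example, not code from either answer or from the ZAP project; it assumes NSS `certutil` (libnss3-tools) and `openssl` are installed, and that the dedicated profile is named "zap".

```shell
#!/bin/sh
# Added example, not code from the answers above: import ZAP's exported root
# CA into ONE dedicated Firefox profile, trusted only to identify web sites.
# Needs NSS certutil (libnss3-tools) and openssl. The nickname and the
# profile name "zap" are assumptions for this script, not values from ZAP.

NICK="OWASP ZAP Root CA"

# Print "name<TAB>directory" for each profile in a Firefox profiles.ini
# (Path= is relative to the ini's own directory unless IsRelative=0).
firefox_profile_dirs() {
    ini="$1"; base=$(dirname "$ini")
    awk -v base="$base" '
        function emit() { if (path != "") { dir = (rel ? base "/" path : path); print name "\t" dir } }
        { sub(/\r$/, "") }                       # tolerate CRLF line endings from Windows
        /^\[/           { emit(); name = ""; path = ""; rel = 1 }
        /^Name=/        { name = substr($0, 6) }
        /^Path=/        { path = substr($0, 6) }
        /^IsRelative=0/ { rel = 0 }
        END             { emit() }' "$ini"
}

# "PEM" or "DER": the exported .cer may be either, and certutil needs -a for PEM.
cert_format() { grep -q 'BEGIN CERTIFICATE' "$1" && echo PEM || echo DER; }

# SHA-256 fingerprint of the exported cert: compare it with the one ZAP shows
# before importing, so the CA you trust is really the one your ZAP generated.
cert_fingerprint() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -fingerprint -sha256
}

# Import into a single profile directory with trust flags "C,,": trusted to
# issue TLS server certificates only, no e-mail or object-signing trust.
import_zap_ca() {
    profile="$1"; cert="$2"; ascii=""
    [ "$(cert_format "$cert")" = PEM ] && ascii="-a"
    certutil -A -d "sql:$profile" -n "$NICK" -t "C,," $ascii -i "$cert"
    certutil -L -d "sql:$profile" | grep -F "$NICK"   # shows nickname and trust flags
}

# Remove the CA from the profile again once the testing session is over.
remove_zap_ca() { certutil -D -d "sql:$1" -n "$NICK"; }

# Usage: sh zap-ca.sh ~/.mozilla/firefox/profiles.ini ~/owasp_zap_root_ca.cer
if [ $# -eq 2 ]; then
    cert_fingerprint "$2"
    dir=$(firefox_profile_dirs "$1" | awk -F '\t' '$1 == "zap" { print $2 }')
    [ -n "$dir" ] || { echo 'no Firefox profile named "zap" found' >&2; exit 1; }
    import_zap_ca "$dir" "$2"
fi
```

Run `remove_zap_ca <profile dir>` when you are done so the proxy CA does not stay trusted longer than the test session.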