Zap proxy not working for a specific site - zap

I set up Zap proxy. I see it received traffic from other sites except for: http://quiz.aisolutions.com.vn/. It just hung at the login. I tried several things, like changing the port number to 8082, but it did not work.

If you're launching the browser from ZAP then there's a small chance it's because of something that the ZAP HUD is doing (in order to function it injects JS and upgrades some links to https, etc.).
Try disabling HUD, launching a browser, and hitting the site again.
You'll see the HUD Radar Icon in the toolbar. When the icon is selected the HUD will be added to your browser.

Related

Browser blocked a frame with origin <remote site> from accessing a frame in my site

My predecessor at my workplace built a website (mahlerclean.com) for a client that allows job applicants to log onto another site (joblinkapply.com) via an iframe. The client has recently gotten complaints from applicants who are not able to log into the site via the iframe.
I am able to reproduce the issue in Safari. When I go to https://www.mahlerclean.com/career-center/job-openings it does not let me log into https://www.joblinkapply.com/company/6435 from there, and I see this message in the Safari web console:
Blocked a frame with origin "https://www.joblinkapply.com" from accessing a frame with origin "https://www.mahlerclean.com". Protocols, domains, and ports must match.
I have not been able to reproduce the issue in Firefox or Chrome though, and of course, if you navigate directly to https://www.joblinkapply.com/company/6435 (rather than through the iframe), it works fine in all browsers.
I control mahlerclean.com, but do not have any control over joblinkapply.com
My questions are:
Is there anything I can do to the site at mahlerclean.com that would allow the iframe to joblinkapply.com to work on all browsers?
Why am I only seeing the issue in Safari? Are the other browsers likely to get more strict (i.e. behave like Safari) in the future?
Is it even reasonable to try to support logins to a remote site through an iframe, or should I tell the client to ditch the iframe, and just link out to https://www.joblinkapply.com/company/6435?

Sahi sign in to mailtrap.io issue

I'm having an issue with Sahi Open Source logging into Mailtrap.io
the script is quite simple:
_navigateTo("https://mailtrap.io/");
_setValue(_textbox("email"), "emailHere");
_setValue(_password("user_password"), "passHere");
_click(_submit("Log in"));
However, only the first line of code executes. As soon as I reach mailtrap.io, the controller loses its grip on the HTML. If I launch a new browser from the Sahi Dashboard and navigate to mailtrap.io, the Controller window does not come up on Alt+double-click.
I added SSL cert. Anyone had this issue before? Anyone successfully using sahi with mailtrap?
Cheers.
I got it to work, I think.
First I installed Sahi OS 5.0 and opened the Firefox browser. With the SSL Manager I added security exceptions for sahi.example.com and mailtrap.io.
On navigation to mailtrap I got an error:
Content Security Policy: The page's settings blocked the loading of a resource
This is a browser feature and can be turned off in about:config: https://stackoverflow.com/a/27324485/1359903
Now the script runs and the controller can access the site's elements. I hope this works for you too.
Regards
globalworming

How to run Dart Editor without firewall privileges?

Okay, I'm developing a web app using Dart; I'm making an encrypter, which works fine at home. But I'm in college and I need to run my Dart app from a USB stick. When I run my Dart app, the version of Chrome that comes with Dart opens but nothing loads. I have the "stop loading this page" button showing, which tells me that it is trying to load something, but I've left it for half an hour and nothing happens. I think it's because I cannot give Dart any firewall privileges: because I'm not an admin, the VM that Dart uses won't launch. Has anybody got any tips on how to get around this?
I disconnected my notebook from the network and Darteditor runs just fine. I can start web pages without any problem.
Probably Darteditor tries to download pub dependencies which won't work without a network connection.
If you can open a public website like google.com in your browser then it's probably not a firewall limitation. AFAIK Dart uses only HTTP port 80 which is usually open.
If your HTTP connection goes over a proxy that might not work - that is a common problem with Dart.

Dev tools not showing insecure content loaded in via javascript

I work with a lot of SSL/https pages that must be 100% secure so the lock is green and not yellow.
It's easy to pinpoint any 'dom level' scripts or images, because console puts out the error 'this page is loading insecure content from __'
The problem is when a secure https script loads a NON-https image/script... it doesn't seem to be logged in the Chrome dev tools console as an error for loading insecure content. The only way to see it is if I manually move the mouse over like 80 different asset links, tracking pixels, etc. and make sure each starts with https.
Does anyone know a better way of handling this? Thanks!
In Firebug you can enable the display of a Protocol column. To do so you have to right-click on the column headers inside the Net panel and click on Protocol. Then you can sort by that column by clicking on its column header.
Doing so it should be pretty easy to spot the insecure request.
Sebastian

How do I detect that SSL is broken on a page, using Selenium

We have pages where we occasionally see compromised SSL certificate because of third party scripts that load non HTTPS resources (Initially they're fine but they occasionally change). We would like to test those pages for broken SSL every day.
We have tried one approach, attempting to catch a pop-up message that would indicate that we have insecure content on the page. However, we have been unsuccessful in simulating the pop-up message through Selenium. It appears that Selenium has automatically disabled any pop-ups. We have identified a Selenium method to disable the suppression of the pop-ups (disable-popup-handler), but we have not been able to successfully see the pop-up even using this method.
Has anyone found a way to detect broken SSL pages using Selenium?
You need to load a browser profile (with WebDriver) that doesn't have the setting for popup blocker enabled (using the Profile class and giving it the right properties). Then, you will get the Windows popup message concerning the SSL cert. If, for some reason, you cannot control the popup using WebDriver (because it's limited to Action control only within the browser content window) then you can use the Sikuli API to handle the dialog and export the cert to the "Downloads" dir and then copy the file to the expected location for inspection. Unfortunately, if you use Sikuli, that will make your automation script sequential and not work via a RemoteWebDriver grid server, and so you won't be able to run parallel tests. Hopefully, WebDriver gives you access to the dialog and so you will be able to run with RemoteWebDriver, because that is the best way to go when running scripts, even if you run a browser locally.
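
An added example, not part of any post above: both the dev-tools question and the Selenium question come down to finding plain-http requests made by an https page, including ones triggered by a third-party script rather than the page markup. This sketch reads a HAR capture (browser export or recording proxy) and reports each insecure request with the resource that initiated it; the sample HAR, the example.test hosts and the function name are constructed for illustration.

```javascript
// Added example. The HAR below is constructed; example.test hosts are placeholders.
// _initiator and _resourceType are Chrome-specific HAR extension fields.
function findMixedContent(har) {
  // Map page id -> page URL (Chrome's export puts the URL in pages[].title).
  const pageUrl = new Map();
  for (const p of har.log.pages || []) pageUrl.set(p.id, p.title);

  const findings = [];
  for (const e of har.log.entries) {
    const page = pageUrl.get(e.pageref);
    if (!page || !page.startsWith("https://")) continue; // only https pages matter
    let u;
    try { u = new URL(e.request.url); } catch { continue; } // skip unparsable URLs
    if (u.protocol !== "http:" && u.protocol !== "ws:") continue;
    const init = e._initiator || {};
    const frames = (init.stack && init.stack.callFrames) || [];
    findings.push({
      page,
      url: u.href,
      // Who asked for it: the parser's document URL or the top script frame.
      loadedBy: init.url || (frames[0] && frames[0].url) || "unknown",
      // Scripts, styles and XHR/fetch are "active" content; images are passive.
      active: /^(script|stylesheet|xhr|fetch|websocket)$/.test(e._resourceType || ""),
    });
  }
  return findings;
}

const viaTag = { type: "script", stack: { callFrames: [{ url: "https://cdn.example.test/tag.js" }] } };
const sampleHar = { log: {
  pages: [{ id: "page_1", title: "https://shop.example.test/checkout" }],
  entries: [
    { pageref: "page_1", _resourceType: "document",
      request: { url: "https://shop.example.test/checkout" } },
    { pageref: "page_1", _resourceType: "script",
      _initiator: { type: "parser", url: "https://shop.example.test/checkout" },
      request: { url: "https://cdn.example.test/tag.js" } },
    { pageref: "page_1", _resourceType: "image", _initiator: viaTag,
      request: { url: "http://pixel.example.test/t.gif" } },
    { pageref: "page_1", _resourceType: "script", _initiator: viaTag,
      request: { url: "http://ads.example.test/lib.js" } },
  ],
} };

for (const f of findMixedContent(sampleHar)) {
  console.log(`${f.active ? "ACTIVE " : "passive"} ${f.url} <- ${f.loadedBy}`);
}
```

For a daily check, fail the job whenever the returned list is non-empty.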