SSL packets monitoring - ssl

I am testing SSL on the localhost server.
It looks like HTTPS is displayed in the address bar and it seems to be successful HTTPS communication.
However, when I use ZAP to break the request and response and view them, the contents are just plain text.
Is this the right thing?

As the https part of the URL has a red line across it, I'm guessing you launched the browser from ZAP. When you do that, ZAP configures the browser to proxy via ZAP and ignore certificate warnings. ZAP can then use its CA certificate to intercept and re-sign the request.

Related

How to create a SSL key log from Insomnia REST Client?

I'm trying to capture traffic from Insomnia for debugging an API, since the traffic is HTTPS I need the keylog generated by insomnia when it does the handshake with the server so I can see the traffic in plain text.
There is no documentation about that, at least I couldn't find it.
What I do for that purpose, for instance, in Firefox is configure the ssl key log file, so when FF connects to an HTTPS site, I can capture the traffic in Wireshark and see the plain HTTP requests/responses (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format).
How can I log the keys used in the SSL/TLS handshake from Insomnia for the same purpose? Thanks.
It appears this has already been implemented in Insomnia.
In my case, once I defined a file path using SSLKEYLOGFILE, the file was only populated after opening Insomnia from the same terminal and then making a request.
Opening Insomnia via the GUI doesn't seem to take the SSLKEYLOGFILE into account.
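Once a client is writing an SSLKEYLOGFILE, the next question is usually whether the file actually contains usable records. The following parser for the NSS key log format (the Mozilla page linked in the question) is an added example, not code from the thread or from Insomnia; it assumes the documented layout of one record per line, `#` comment lines and space-separated hex fields, and the sample log at the bottom is constructed, not captured from a real session.

```python
"""Parse and validate an NSS-format TLS key log (the SSLKEYLOGFILE format).

Added example, not from the original thread. Assumes the layout documented by
Mozilla: one record per line, '#' starts a comment, three space-separated fields,
hex-encoded values. Tools such as Wireshark look secrets up by client random,
so the index built here mirrors that lookup.
"""
import re
from dataclasses import dataclass

# TLS 1.3 labels carry a per-direction traffic secret (32 or 48 bytes depending on hash).
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EARLY_EXPORTER_SECRET",
    "EXPORTER_SECRET",
}
# TLS 1.2 and earlier: CLIENT_RANDOM <client random> <master secret>,
# or the legacy RSA <8-byte encrypted premaster prefix> <premaster secret>.
LEGACY_LABELS = {"CLIENT_RANDOM", "RSA"}
KNOWN_LABELS = TLS13_LABELS | LEGACY_LABELS
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass(frozen=True)
class KeyLogEntry:
    label: str
    client_random: bytes  # for RSA lines this is the 8-byte encrypted-premaster prefix
    secret: bytes


def parse_line(line, lineno=0):
    """Parse one record; raise ValueError with the line number on any malformed field."""
    fields = line.split(" ")
    if len(fields) != 3:
        raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
    label, ident, secret = fields
    if label not in KNOWN_LABELS:
        raise ValueError(f"line {lineno}: unknown label {label!r}")
    if not (HEX_RE.match(ident) and HEX_RE.match(secret)):
        raise ValueError(f"line {lineno}: non-hex field")
    ident_len = 16 if label == "RSA" else 64  # 8-byte prefix vs 32-byte client random
    if len(ident) != ident_len:
        raise ValueError(f"line {lineno}: identifier must be {ident_len} hex chars")
    if label in LEGACY_LABELS and len(secret) != 96:  # 48-byte (pre)master secret
        raise ValueError(f"line {lineno}: secret must be 96 hex chars for {label}")
    if label in TLS13_LABELS and len(secret) not in (64, 96):  # SHA-256 / SHA-384
        raise ValueError(f"line {lineno}: secret must be 64 or 96 hex chars for {label}")
    return KeyLogEntry(label, bytes.fromhex(ident), bytes.fromhex(secret))


def parse_keylog(text):
    """Return (entries, errors). Bad lines are reported rather than fatal, because
    clients append to the file while it is being read and a truncated last line is common."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.append(parse_line(line, lineno))
        except ValueError as exc:
            errors.append(str(exc))
    return entries, errors


def index_by_client_random(entries):
    """Group secrets by client random: one dict of label -> secret per TLS session."""
    index = {}
    for entry in entries:
        index.setdefault(entry.client_random, {})[entry.label] = entry.secret
    return index


# Constructed sample; the values are filler bytes, not real secrets.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not a real key log",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "dd" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "ee" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "ff" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "11" * 32,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "bb" * 20,  # truncated write, must be reported
])

if __name__ == "__main__":
    found, problems = parse_keylog(SAMPLE_KEYLOG)
    for client_random, secrets in index_by_client_random(found).items():
        print(client_random.hex()[:16], sorted(secrets))
    for problem in problems:
        print("skipped:", problem)
```

If the index comes back empty for the session you care about, the client never wrote its keys (the GUI-launch symptom described in the answer) and no amount of Wireshark configuration will help; if it contains only handshake secrets, the capture stopped before the application traffic secrets were derived.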

Java webapp - client certificate authentication URL

The SecureRequestCustomizer allows us to get the certificate(s) in the HTTP request. This setting is active for the whole jetty server (all URLs). So as soon as one requests any page from the server, the browser will ask what certificate to use.
Is it possible to have only a specific URL request the client certificate?
I would like to have a dedicated /webapp/login-cert URL that would trigger the browser popup to pick a certificate.

Using https only when user is logged in not otherwise in web app

I have a web application with servlets and JSPs running on Tomcat. I have enabled Tomcat to use HTTPS for all users/visitors. I want to know if there is a way I can disable HTTPS for users who are not logged in and are just browsing through the application.
Thank you
If you are looking for a Tomcat setting to do that, the answer is no. If you open an HTTPS/SSL port, you open it for everyone (the only exception is if you intend to use client authentication with SSL client certificates, which I guess is not the case here).
However, you can check whether the user is accessing the site over HTTPS (using HttpServletRequest.isSecure()) and send him back to HTTP with a redirect, or change all page links to start with 'http', if he is not logged in. That will make sure that any link the user clicks will send him back to HTTP.

How does the communication with an HTTPS Web Proxy Work?

I wish to set up an HTTPS proxy and have HTTP clients send requests securely to the proxy. For example, a browser can initiate an HTTP GET request which should be an encrypted request to the proxy; the proxy then removes the encryption and passes the request on to the end site. Squid proxy can be set up to work like this (info here).
I have set up such an HTTPS-enabled proxy. But I am unable to write my own HTTP clients to work with it. The same link above mentions that Chrome is the only browser that supports such a proxy. I tested Chrome and it was able to work with such an HTTPS proxy.
I wish to gain an understanding of how such a proxy works so that I can write my own HTTP clients.
As I understand it, it's a connection to a regular HTTP proxy, BUT this connection is made over TLS. The client indeed needs to support this scheme explicitly, and existing clients as-is can't be tuned up (without extra coding).
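To make the answer concrete, here is the client side of that exchange written out. This is an added example, not code from the thread, from Squid or from Chrome; it assumes a hypothetical proxy reachable at `proxy_host:proxy_port` whose certificate chains to a CA file you supply. The only thing that differs from talking to a plain HTTP proxy is the first step: the TCP connection to the proxy is wrapped in TLS, and the proxy's certificate is verified against the proxy's hostname. Inside that channel the client sends ordinary proxy-style HTTP: an absolute-form request line for http:// targets, or CONNECT for https:// targets.

```python
"""Client for an HTTPS proxy: an ordinary HTTP proxy reached over TLS.

Added example, not from the thread or from Squid/Chrome. Assumes a proxy at
proxy_host:proxy_port presenting a certificate issued by the CA in ca_file.
"""
import socket
import ssl
from urllib.parse import urlsplit


def build_proxy_request(method, url, extra_headers=None):
    """Build the request sent to the proxy inside the TLS channel.

    http:// targets use the absolute-form request line a proxy expects
    (GET http://host/path HTTP/1.1); https:// targets instead ask the proxy for a
    tunnel with CONNECT host:port, and `method` is not used in that case.
    """
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("url must be absolute")
    if parts.scheme == "http":
        port = parts.port or 80
        host_hdr = parts.hostname if port == 80 else f"{parts.hostname}:{port}"
        lines = [f"{method} {url} HTTP/1.1", f"Host: {host_hdr}"]
    elif parts.scheme == "https":
        authority = f"{parts.hostname}:{parts.port or 443}"
        lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    else:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status_line(head):
    """Return (status_code, reason) from the first line of the proxy's reply."""
    line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def open_proxy_channel(proxy_host, proxy_port, ca_file):
    """Step 1, the part a plain-HTTP-proxy client lacks: TLS to the proxy itself,
    verifying the proxy's certificate against proxy_host."""
    ctx = ssl.create_default_context(cafile=ca_file)
    raw = socket.create_connection((proxy_host, proxy_port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=proxy_host)


def recv_until_close(sock, limit=4 * 1024 * 1024):
    """Read the proxy's response until it closes the channel (we send Connection: close)."""
    chunks, total = [], 0
    while total < limit:
        chunk = sock.recv(65536)
        if not chunk:
            break
        chunks.append(chunk)
        total += len(chunk)
    return b"".join(chunks)


def fetch_http_via_https_proxy(proxy_host, proxy_port, ca_file, url):
    """Full exchange for an http:// target: TLS to proxy, absolute-form GET, read reply.

    For an https:// target the client would send the CONNECT request from
    build_proxy_request, check for a 200 reply with parse_status_line, and then
    run a second, end-to-end TLS handshake inside the channel. Python's
    wrap_socket cannot nest on an SSLSocket, so that inner handshake needs
    ssl.SSLObject with MemoryBIO buffers; it is left out here to keep the example short.
    """
    chan = open_proxy_channel(proxy_host, proxy_port, ca_file)
    try:
        chan.sendall(build_proxy_request("GET", url, {"Connection": "close"}))
        reply = recv_until_close(chan)
    finally:
        chan.close()
    code, reason = parse_status_line(reply)
    return code, reason, reply


if __name__ == "__main__":
    # Show the two request shapes without needing a live proxy.
    print(build_proxy_request("GET", "http://example.com/index.html").decode())
    print(build_proxy_request("GET", "https://example.com/").decode())
```

The reason an existing client can't simply be pointed at such a proxy is visible in `open_proxy_channel`: a client that treats the proxy address as a plain TCP endpoint writes its request in cleartext where the proxy expects a TLS ClientHello, and the handshake never happens.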

How to intercept IP based HTTPS connections using burp proxy?

I have set up Burp proxy on the default gateway in transparent mode. Burp Suite is presenting a self-signed certificate to web-based HTTPS clients and intercepting the traffic. However, it is not able to intercept the IP-based traffic.
E.g. it can intercept https://abc.xyz.com but not https://192.168.132.129
Is there any way to intercept such traffic? I am open to solutions other than Burp as well.
In that case I'll suggest the OWASP Zed Attack Proxy :)
It's free, open source, and easy to use (I'm biased ;)
You can create your own root CA cert which you can then import into your browser so that HTTPS traffic can be handled correctly.
You can also tell ZAP which IP addresses it should ignore.
Let me know if you have any questions about it.
Simon (ZAP Project Lead)