OWASP ZAP Connection refused: connect (502 - Bad Gateway)

Morvael · Nov 24, 2016 · Viewed 7.3k times

I'm trying to use OWASP ZAP to proxy a connection to a website that I maintain. However, although the proxying is working for other sites (both https and http), connections to the one I actually want to analyse just return a 502 - Bad gateway message with the following text:

ZAP Error [java.net.ConnectException]: Connection refused: connect

Stack Trace:
java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.<init>(Unknown Source)
    at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
    at org.parosproxy.paros.network.DecoratedSocketsSslSocketFactory.createSocket(Unknown Source)
    at org.parosproxy.paros.network.SSLConnector.createSocket(Unknown Source)
    at org.apache.commons.httpclient.HttpConnection.open(Unknown Source)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
    at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

The URL I'm requesting via the browser works fine when not proxied through OWASP ZAP, and the request headers captured by ZAP also work fine when copied and pasted as Raw into a Fiddler Request. These are as below:

GET https://nottellingyou.net/ HTTP/1.1
Host: nottellingyou.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Just for information,

1.) There is no proxy chain set in ZAP, or elsewhere on my PC / Browser / Fiddler settings.

2.) ZAP Proxy is running at the default address localhost:8080

3.) ZAP Dynamic Certificate has been saved and imported into the test browser (Firefox Developer Edition)

Given that ZAP is working for other sites, I'm at a brick wall as to what might be wrong here. Can anyone help?

Answer

Simon Bennetts · Nov 24, 2016

I've seen firewalls that have clearly had specific rules to block ZAP, e.g. by checking the default ZAP user agent. That particular issue is unlikely to be the case here but you could still be hitting a similar problem. Try resending the request from within ZAP while tweaking the headers.

The other possibility is that it's checking something in the ZAP root cert, e.g. the DN. You can import your own root certs into ZAP - try that using very different settings to the ZAP one. If that doesn't work head over to the ZAP User Group and we'll keep trying different things - there will be a solution to this ;)
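
The stack trace in the question fails inside java.net.Socket.connect, that is at the TCP connect, before the TLS handshake or any HTTP header is sent. As an added example (not part of the original question or answer), this Python script tries a plain TCP connect to every address the hostname resolves to, so it can be run on the machine hosting ZAP to see which addresses refuse; the names probe_tcp and summarize are hypothetical, and port 443 is assumed from the https URL in the question.

```python
import socket
import sys


def probe_tcp(host, port=443, timeout=3.0):
    """Try a plain TCP connect to every address `host` resolves to.

    Returns a list of (family, address, outcome) tuples; outcome is
    'connected', 'refused', 'timeout', 'error: ...' or 'dns-failure: ...'.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [("n/a", host, f"dns-failure: {exc}")]
    results, seen = [], set()
    for family, socktype, proto, _canon, sockaddr in infos:
        if sockaddr in seen:  # getaddrinfo can return duplicates
            continue
        seen.add(sockaddr)
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            outcome = "connected"
        except ConnectionRefusedError:  # same condition Java reports
            outcome = "refused"
        except socket.timeout:  # packets dropped silently
            outcome = "timeout"
        except OSError as exc:  # e.g. no route for this family
            outcome = f"error: {exc}"
        finally:
            sock.close()
        results.append((name, sockaddr[0], outcome))
    return results


def summarize(results):
    """'mixed' means different clients can see different results,
    depending on which resolved address each one picks."""
    outcomes = {outcome for _family, _addr, outcome in results}
    if outcomes == {"connected"}:
        return "all-reachable"
    return "mixed" if "connected" in outcomes else "unreachable"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    found = probe_tcp(target)
    for row in found:
        print("%-4s %-40s %s" % row)
    print("summary:", summarize(found))
```

A "refused" row here reproduces the error outside ZAP, which points at the network path or address selection rather than at anything in the request itself.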