Cloud Security - salesforce.com

Video walkthrough of setting up ZAP tool for client applications:

  1. Installation
     1. Download ZAP from here.
     2. Install and open ZAP.

  2. Installing certificate

Since all requests and responses are proxied by ZAP, the client's certificate verification will fail for sites using SSL/TLS (HTTPS) and the connection will be terminated. To prevent this, ZAP generates an SSL certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first time ZAP is run and is stored locally. To use the ZAP proxy with these websites, you will need to install ZAP’s CA certificate as a trusted root on your device.

     1. Windows Applications
        • Go to Tools > Options > Dynamic SSL Certificate. Click Generate and then click Save.
        • Save the certificate in the desired location. Make sure the file has a .cer extension.
        • Follow the steps below to import the saved certificate:
          1. Open the Start menu, type certmgr.msc into the search box (Windows 7 and above) and then press Enter. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
          2. Right-click “Trusted Root Certification Authorities” > All Tasks > Import.
          3. Follow the wizard. When prompted for a file, select the file which was saved earlier. Choose the default options and complete the wizard. If there is a security popup, click Yes to trust the certificate.
          4. If done properly, the ZAP certificate will be listed under “Trusted Root Certification Authorities”.

     2. Mac Applications
        • Go to Tools > Options > Dynamic SSL Certificate. Click Generate and then click Save.
        • Save the certificate in the desired location.
        • Follow the steps shown on Apple’s website.

  3. Configuring Proxy

     1. In the ZAP UI, go to Tools > Options > Local Proxy.
     2. Set Address to localhost.
     3. Set the port number to a port of your choosing (preferably 8080).
     4. Depending on your operating system, follow the steps below to configure the proxy:

        • Windows
          1. Go to Control Panel > Network and Internet > Internet Options.
          2. Click the Connections tab, and then click LAN settings.
          3. Select the "Use a proxy server for your LAN" check box.
          4. In the Address box, type localhost.
          5. In the Port box, type the same port selected for ZAP (8080).
          6. Click OK.

        • Mac
          1. Click the Apple menu > System Preferences, and then click Network.
          2. Choose the network service you use from the list, for example Ethernet or AirPort.
          3. Click Advanced, and then click Proxies.
          4. Select HTTP Proxy (and Secure Web Proxy (HTTPS), if you want HTTPS traffic intercepted as well).
          5. Set the server to localhost (127.0.0.1) and the port to the one selected before (8080). No password or authentication is needed.
          6. Click OK.

  4. Connect to the internet from your app and make sure the site shows up in the Sites list in ZAP.
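The following Python script is an added example and is not part of the original page or of the ZAP project. It shows what the setup above looks like from inside a client application: HTTPS is tunnelled through the ZAP proxy on localhost:8080, only the exported ZAP root CA is trusted (not the system trust store), and the certificate received on the connection is checked to confirm it was issued by ZAP. That last check tells you the traffic really is passing through the proxy and being intercepted, and it fails loudly if the app is still going direct. The proxy address, the file name owasp_zap_root_ca.cer and the issuer name fragment "Zed Attack Proxy" are assumptions; confirm the issuer from the subject of your own exported certificate.

```python
import http.client
import ssl

# Assumptions (not from the original page): ZAP listens on localhost:8080 as
# configured above, and the CA was saved as owasp_zap_root_ca.cer in the
# working directory. Adjust both to match your setup.
ZAP_PROXY_HOST = "localhost"
ZAP_PROXY_PORT = 8080
ZAP_CA_FILE = "owasp_zap_root_ca.cer"

# Substring expected in the issuer commonName of every certificate ZAP mints.
# Assumption: verify it against the subject of your own exported CA file.
ZAP_ISSUER_CN_FRAGMENT = "Zed Attack Proxy"


def issuer_common_name(peer_cert):
    """Extract the issuer commonName from a dict shaped like
    ssl.SSLSocket.getpeercert(): a tuple of RDNs, each a tuple of
    (attribute, value) pairs."""
    for rdn in peer_cert.get("issuer", ()):
        for attr_name, value in rdn:
            if attr_name == "commonName":
                return value
    return ""


def issued_by_zap(peer_cert, fragment=ZAP_ISSUER_CN_FRAGMENT):
    """True when the leaf certificate was issued by ZAP's CA, i.e. the
    connection is actually being intercepted rather than going direct."""
    return fragment in issuer_common_name(peer_cert)


def zap_ssl_context(ca_file=ZAP_CA_FILE):
    """TLS context that trusts ONLY the ZAP root CA. PROTOCOL_TLS_CLIENT
    enables CERT_REQUIRED and hostname checking but does not load the system
    store, so a connection that bypasses ZAP fails verification instead of
    silently succeeding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def fetch_via_zap(host, path="/", ca_file=ZAP_CA_FILE):
    """Send one GET through ZAP (HTTP CONNECT tunnel, as a browser would) and
    return (status, intercepted_by_zap). Requires a running ZAP instance."""
    conn = http.client.HTTPSConnection(
        ZAP_PROXY_HOST, ZAP_PROXY_PORT, context=zap_ssl_context(ca_file), timeout=10
    )
    conn.set_tunnel(host, 443)  # http.client sets the Host header from the tunnel host
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        peer_cert = conn.sock.getpeercert()  # dict, since verification is enabled
        return resp.status, issued_by_zap(peer_cert)
    finally:
        conn.close()


# Constructed sample certificates (not captured from a real session) in the
# same shape getpeercert() returns, used to exercise the check offline.
SAMPLE_ZAP_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("organizationName", "OWASP Root CA"),),
        (("commonName", "OWASP Zed Attack Proxy Root CA"),),
    ),
}
SAMPLE_DIRECT_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("organizationName", "Some Public CA Ltd"),),
        (("commonName", "Some Public CA TLS Issuing CA 1"),),
    ),
}


if __name__ == "__main__":
    print("sample ZAP cert intercepted:", issued_by_zap(SAMPLE_ZAP_CERT))
    print("sample direct cert intercepted:", issued_by_zap(SAMPLE_DIRECT_CERT))
    # Live check; needs ZAP running on localhost:8080 and the CA file present.
    status, intercepted = fetch_via_zap("example.com")
    print(f"status={status} intercepted_by_zap={intercepted}")
```

Run it after completing the steps above; the request should appear under the Sites list in ZAP and `intercepted_by_zap` should be True. If the script raises a certificate verification error instead, the app is not reaching ZAP (wrong proxy address or port) or the CA file is not the one ZAP generated. Trusting only the ZAP CA in the context is a deliberate choice for a test client: it keeps the interception CA out of the system store of the machine you develop on.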

Next: Running the Scan