1

I'm trying to use OWASP ZAP to proxy a connection to a website that I maintain. However, although the proxying is working for other sites (both https and http), connections to the one I actually want to analyse just return a 502 - Bad Gateway message with the following text:

ZAP Error [java.net.ConnectException]: Connection refused: connect

Stack Trace:
java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.<init>(Unknown Source)
    at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
    at org.parosproxy.paros.network.DecoratedSocketsSslSocketFactory.createSocket(Unknown Source)
    at org.parosproxy.paros.network.SSLConnector.createSocket(Unknown Source)
    at org.apache.commons.httpclient.HttpConnection.open(Unknown Source)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
    at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

The URL I'm requesting via the browser works fine when not proxied through OWASP ZAP, and the request headers captured by ZAP also work fine when copied and pasted as Raw into a Fiddler request; these are as below:

GET https://nottellingyou.net/ HTTP/1.1
Host: nottellingyou.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Just for information,

1.) There is no proxy chain set in ZAP, or elsewhere on my PC / Browser / Fiddler settings.

2.) ZAP Proxy is running at the default address localhost:8080

3.) ZAP Dynamic Certificate has been saved and imported into the test browser (Firefox Developer Edition)

Given that ZAP is working for other sites, I'm at a brick wall as to what might be wrong here. Can anyone help?

Morvael
  • 3,478
  • 3
  • 36
  • 53
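The stack trace above shows ZAP failing at a plain TCP connect (java.net.Socket.connect inside SSLSocketImpl) before any TLS or HTTP happens, so the first thing to establish is whether the ZAP host itself can open a TCP connection to the site on port 443. The following triage script is an added example, not part of the question or of ZAP: it extracts the Java exception class from the text ZAP returns in the 502 body, repeats the connect ZAP attempted from the same machine, and classifies the outcome (ok / refused / timeout / DNS failure). The sample error text, the hostnames and the ports used in the offline demo are constructed; point `tcp_connect_outcome` at the real site to use it.

```python
"""Triage a ZAP "502 - Connection refused" error.

Added example (not from the original question or from the ZAP project).
ZAP's stack trace shows the failure in java.net.Socket.connect, i.e. a
plain TCP connect from the ZAP host to target:443.  Reproducing exactly
that step from the same machine tells you whether the block sits between
the ZAP host and the site, or is specific to how ZAP connects.
"""
import re
import socket
from typing import Optional, Tuple

# Constructed sample of the text ZAP puts in the body of its 502 response.
SAMPLE_ZAP_ERROR = (
    "ZAP Error [java.net.ConnectException]: Connection refused: connect\n"
    "\n"
    "Stack Trace:\n"
    "java.net.ConnectException: Connection refused: connect\n"
    "    at java.net.DualStackPlainSocketImpl.connect0(Native Method)\n"
    "    at java.net.Socket.connect(Unknown Source)\n"
    "    at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)\n"
)

# "ZAP Error [<java exception class>]: <message>"
ZAP_ERROR_RE = re.compile(r"ZAP Error \[([\w.$]+)\]: (.*)")


def parse_zap_error(body: str) -> Optional[Tuple[str, str]]:
    """Return (java_exception_class, message) from a ZAP 502 body, or None."""
    m = ZAP_ERROR_RE.search(body)
    return (m.group(1), m.group(2).strip()) if m else None


def tcp_connect_outcome(host: str, port: int, timeout: float = 5.0) -> str:
    """Attempt the same TCP connect ZAP attempts and classify the result.

    Returns one of "ok", "refused", "timeout", "dns-failure", "unreachable".
    The more specific exceptions are subclasses of OSError, so they are
    caught first.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except socket.gaierror:
        return "dns-failure"
    except OSError:
        return "unreachable"


def interpret(parsed: Optional[Tuple[str, str]], outcome: str) -> str:
    """Combine ZAP's reported exception with the direct-connect outcome."""
    exc = parsed[0] if parsed else "unknown"
    if exc.endswith("ConnectException") and outcome == "refused":
        return ("The ZAP host cannot open a TCP connection to the site at all: "
                "look at host firewall, network ACLs or the site refusing this "
                "source address, not at ZAP's configuration.")
    if exc.endswith("ConnectException") and outcome == "ok":
        return ("A plain TCP connect from this host works, so the refusal is "
                "specific to ZAP's connection: check ZAP's outbound/upstream "
                "proxy settings and compare the request ZAP actually sends.")
    if outcome == "dns-failure":
        return "The hostname does not resolve from this host; fix DNS first."
    if outcome == "timeout":
        return "Packets are being dropped rather than refused; suspect a filter."
    return "Inconclusive; capture the traffic leaving the ZAP host."


def demo() -> dict:
    """Offline demonstration against loopback: one listening port, one closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # constructed stand-in for the site
    listener.listen(1)
    open_port = listener.getsockname()[1]
    results = {"open": tcp_connect_outcome("127.0.0.1", open_port, 2.0)}
    listener.close()

    probe = socket.socket()                  # grab a free port, then release it
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    results["closed"] = tcp_connect_outcome("127.0.0.1", closed_port, 2.0)
    results["verdict"] = interpret(parse_zap_error(SAMPLE_ZAP_ERROR), results["closed"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it on the ZAP host with the real hostname and port 443; if the direct connect is refused there too, the problem is outside ZAP, and if it succeeds, the difference lies in how ZAP's outbound connection is made.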

2 Answers

1

I've seen firewalls that have clearly had specific rules to block ZAP, e.g. by checking the default ZAP user agent. That particular issue is unlikely to be the case here, but you could still be hitting a similar problem. Try resending the request from within ZAP while tweaking the headers.

The other possibility is that it's checking something in the ZAP root cert, e.g. the DN. You can import your own root certs into ZAP - try that using very different settings to the ZAP one. If that doesn't work, head over to the ZAP User Group and we'll keep trying different things - there will be a solution to this ;)

Simon Bennetts
  • 5,479
  • 1
  • 14
  • 26
  • Seems that network security / firewall was the most likely culprit. Posted solution as an answer: http://stackoverflow.com/a/40784860/1286358 – Morvael Nov 24 '16 at 11:10
1

I've found a workable solution by accident.

As I wasn't sure whether the request I was seeing in ZAP was the request it received from the browser or the request it forwarded on (or both), I wasn't sure if my checking that the request was working in Fiddler was a valid test.

So I set ZAP to forward all its requests to Fiddler on the same machine so I could be sure of exactly what was being sent out.

As soon as I did this, I was able to access the website, and record the requests / responses in both Fiddler and ZAP.

Based on this, I'm going to go with Psiinon's suggestion that somewhere along the chain requests from ZAP are being blocked by some security / firewall rules. As I have no control over these and struggle to get anything other than vague grunts out of the networking guys, I'm going to carry on with my workable solution.

Morvael
  • 3,478
  • 3
  • 36
  • 53