ZAP-HUD doesn't work with WebGoat 8.2.2

[davewichers]

This is related to issue #585 I believe.

When you launch ZAP w/FireFox and HUD you see lots of automatic AJAX requests to:

http://localhost:8080/WebGoat/service/lessoninfo.mvc
http://localhost:8080/WebGoat/service/lessonmenu.mvc.*

So, to make intercepts work properly, you have to exclude these two URLs. When you do, you still seem them all the time, presumably because HUD forces HTTPS (which seems weird to me).

So, to REALLY get ZAP to stop logging these URLs, you have to also add:

https://localhost:8080/WebGoat/service/lessoninfo.mvc
https://localhost:8080/WebGoat/service/lessonmenu.mvc.*

Which is NOT intuitive at all. And after you do this, other things break. Specifically:

When you add: https://localhost:8080/WebGoat/service/lessoninfo.mvc - You stop seeing the lesson stages for each lesson. You either see blank, or only stage 1, even if there are like 5, 6, 10 stages to a lessons.
When you add: https://localhost:8080/WebGoat/service/lessonmenu.mvc - You see a spinner forever where the lesson menu should be.

As ZAP and WebGoat are BOTH from OWASP, seems like we should figure out how to make them work well together well with the HUD.

First off, WHY does it force HTTPS? Doesn't seem like it should need to do that. If we stopped doing that, both these issues might just 'go away'.

[psiinon]

As per https://groups.google.com/g/zaproxy-users/c/QZrQU-KGkWk/m/lThons3LAwAJ (and the later comment) the HUD has to upgrade a site to HTTPS otherwise it cant work. And if the site doesnt handle HTTPS then ZAP handles that on its behalf.

It sounds like ZAP is not upgrading the http AJAX calls. Do you see redirects in the responses?
Is WebGoat not following the redirects?
If you can explain how it works then we can look at fixing it.
Although right now we dont actually have anyone focussing on HUD development :(

[thc202]

The problem is that once the session URLs are excluded they will no longer be downgraded.