invalid utf-8 in payload when connecting using a simple websocket client in firefox + chrome #3324
What ZAP and WebSockets add-on version are you using? What's the type/opcode of data frame? Text? Could you provide an example payload that causes the issue?
ZAP: 2.5.0 opcode is text example payload:
For me the same. Ping and Pong messages displayed correctly but everything else is invalid UTF-8 in websocket tab. I'm just using the latest ZAP 2.6.0 Standard for Win64. Tried with Firefox browser. There is a websocket hackme at this URL, a simple chat system: http://82.195.79.113 which triggers this error. Edit: Also tested it in current Kali with OWASP ZAP 2.5.0, also broken.
I was not able to reproduce the issue with the payload provided. I uploaded a test version of WebSocket add-on [1] that logs the contents of the payload when that happens, it would be great if any of you could check that and provide the log entry. [1] https://github.com/thc202/zap-extensions/releases/tag/websocket-utf8
Change Utf8Util to use CharsetDecoder for UTF-8 conversions (removing usage of custom code/class). Change StringWebSocketPanelViewModel and WebSocketProxyV13 to log (debug level) the invalid UTF-8 payloads. Update changes in ZapAddOn.xml file. Related to zaproxy/zaproxy#3324 - invalid utf-8 in payload when connecting using a simple websocket client in firefox + chrome
I was able to replicate this (I ran into it) with a websocket that sends something that actually seems like invalid UTF-8, as it contains a null byte at the end of a multiline Here's what Chrome developer tools picked up on that message, which looks like a string wrapped in JSON:
Here are the stacktraces of the extension when a single message is sent. The traces look similar, but they all do differ, so I suggest to check it out with a diff tool.
Something obscure is going on here. That byte array makes no sense; converted with Java it makes a mess:
The issue might be an issue with compression. It seems the protocol switch tells the client to compress the data. Maybe it's a
Great, thanks for the information (suspected a WebSocket extension was in use, when playing with the array in different encodings). Correct, the WebSocket add-on does not make use of the extensions.
I can confirm that my instance of this issue is caused by compression of websocket messages. Removing the compression setting from the initiation request will do the job in my case. A replacer rule can be used to remove the compression header:
Below is the unmodified request that needs to have the header removed for ZAP to show the messages compressed and properly utf8 decoded.
Add a new option, enabled by default, that allows to control whether or not the HTTP header Sec-WebSocket-Extensions should be removed from the handshake messages. This disables any extensions that could prevent ZAP from properly process the WebSocket messages sent/received. Fix zaproxy/zaproxy#3324 - invalid utf-8 in payload when connecting using a simple websocket client in firefox + chrome
Add a new option, enabled by default, that allows to control whether or not the HTTP header Sec-WebSocket-Extensions should be removed from the handshake messages. This disables any extensions that could prevent ZAP from properly process the WebSocket messages sent/received. Update changes in ZapAddOn.xml file. Fix zaproxy/zaproxy#3324 - invalid utf-8 in payload when connecting using a simple websocket client in firefox + chrome
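An added illustration (not code from ZAP or from anyone in this thread) of why a proxy that ignores a negotiated compression extension reports invalid UTF-8 for text frames, and why removing Sec-WebSocket-Extensions from the handshake avoids it. It assumes the extension in play is permessage-deflate (RFC 7692); the sample message, the handshake and all function names are constructed for the example.

```python
import zlib

TAIL = b"\x00\x00\xff\xff"  # sync-flush trailer that RFC 7692 senders strip
SAMPLE = '{"user":"alice","msg":"hello"}'  # constructed text-frame payload
HANDSHAKE = (  # constructed client handshake request
    "GET /chat HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n"
    "\r\n"
)

def deflate_message(text):
    """Compress a text message as a permessage-deflate sender would."""
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    data = comp.compress(text.encode("utf-8")) + comp.flush(zlib.Z_SYNC_FLUSH)
    return data[:-len(TAIL)]  # the trailer is not sent on the wire

def inflate_message(payload):
    """What a receiver that implements the extension does before decoding."""
    raw = zlib.decompressobj(wbits=-15).decompress(payload + TAIL)
    return raw.decode("utf-8")

def is_valid_utf8(payload):
    """What a proxy without extension support does: decode the bytes as-is."""
    try:
        payload.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def strip_extensions(handshake):
    """Drop Sec-WebSocket-Extensions so no extension gets negotiated."""
    lines = handshake.split("\r\n")
    return "\r\n".join(
        l for l in lines if not l.lower().startswith("sec-websocket-extensions:")
    )

if __name__ == "__main__":
    wire = deflate_message(SAMPLE)
    print("wire bytes:", wire.hex())
    print("decodes as UTF-8 without inflating:", is_valid_utf8(wire))
    print("after inflating:", inflate_message(wire))
    print(strip_extensions(HANDSHAKE))
```

The opcode still says "text" for a compressed frame, which is why the failure surfaces as a UTF-8 error rather than as a binary message.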
Hello,
I keep getting invalid utf-8 when trying to intercept websocket content I'm sending via a simple websocket client in Firefox or Chrome. Proxy is set up properly and I get HTTP content, but all of the sent and received payloads ZAP intercepts say invalid utf-8. I'm sending and receiving valid JSON content on the open websocket connection.