How to properly run OWASP ZAP 2.4.0 on Mac OS X 10.6.8
By cubytus on Wednesday 29 April 2015, 03:26
ZAP Proxy is a penetration testing tool for finding vulnerabilities in Web applications. It is written in Java, but doesn't work right away if you're using Mac OS X Snow Leopard, instead crashing ungracefully upon launch. The culprit? The Java version that comes bundled with it, 1.7.0_75. Here, helped by ZAP's friendly IRC service, I describe how to properly execute ZAP 2.4.0. Luckily, the code is supposed to be compatible with previous JRE versions.
Difficulty: easy
First step: download compatible Java JRE (Java Runtime Environment) version
As you should already know, Mac OS X 10.6.8 comes bundled with Java JRE 1.6.0_65, commonly called Java 6, but ZAP requires Java 7 at a minimum, and comes bundled with Java 1.7.0_75. However, sub-version 75 doesn't run on Snow Leopard; only sub-version 25 does. Although sub-version 25 officially requires Darwin kernel 11.2 (corresponding to Mac OS X 10.7.2) according to its release file, it still runs on Snow Leopard (Mac OS X 10.6.8), even though Snow Leopard uses Darwin kernel 10.8. So the solution is to download JRE 1.7.0_25 directly from Oracle's website. Prefer the .tar.gz version.
Please note that these instructions are specific to Mac OS X 10.6.8 only! Java JRE 1.7.0_25 has been disabled by Apple on Mac OS X Lion because of security concerns.
Second step: specify to ZAP the Java version to use
Well, technically this command tells Java to run ZAP.
First you have to know where you uncompressed the .tar.gz archive. In this example, I simply left it in the Downloads folder. So the matching command would be:
$ ~/Downloads/jre1.7.0_25.jre/Contents/Home/bin/java -jar /Applications/OWASP\ ZAP.app/Contents/Java/zap-2.4.0.jar -installdir /Applications/OWASP\ ZAP.app/Contents/Java/
And here it runs!
The following steps are optional, but make the experience more streamlined.
Third step: remove bundled version 75
This is done with:
$ rm -r /Applications/OWASP\ ZAP.app/Contents/Plugins/jre1.7.0_75.jre
Fourth step: move version 25
Still assuming that Java JRE has been uncompressed to the default downloads directory, move it to the ZAP Plugins directory.
$ mv ~/Downloads/jre1.7.0_25.jre /Applications/OWASP\ ZAP.app/Contents/Plugins/jre1.7.0_25.jre/
Fifth step: create symbolic link
Rather than modifying any ZAP configuration file, it is easier to make ZAP think it is calling sub-version 75 while it is in fact calling sub-version 25. To do so, create a symbolic link that redirects any call to jre1.7.0_75.jre to jre1.7.0_25.jre instead.
$ ln -s /Applications/OWASP\ ZAP.app/Contents/Plugins/jre1.7.0_25.jre /Applications/OWASP\ ZAP.app/Contents/Plugins/jre1.7.0_75.jre
Done! Now, just launching ZAP from the Applications menu works in Snow Leopard 10.6.8.
Yes, its window is wrongly sized, it mixes up languages, and icons are not properly centered: in three words, typical Java software.
As you may not want to register on Oracle's terrible website, here is the Java JRE 1.7.0_25 archive.
ZAP's website: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Java archive: http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jre-7u25-oth-JPR
Local copy: jre-7u25-macosx-x64.tar.gz