Cerebro Seco

Making your computing life easier without sacrificing your principles!


How to properly run OWASP ZAP 2.4.0 on Mac OS X 10.6.8

ZAP Proxy is a penetration testing tool for finding vulnerabilities in Web applications. It is written in Java, but it doesn't work right away on Mac OS X Snow Leopard: it crashes ungracefully on launch. The culprit? The Java version that comes bundled with it, 1.7.0_75. Here, helped by ZAP's friendly IRC service, I describe how to properly execute ZAP 2.4.0. Luckily, the code is supposed to be compatible with previous JRE versions.

Difficulty: easy

First step: download compatible Java JRE (Java Runtime Environment) version

As you should already know, Mac OS X 10.6.8 comes bundled with Java JRE 1.6.0_65, commonly called Java 6, but ZAP requires Java 7 at a minimum and comes bundled with Java 1.7.0_75. However, sub-version 75 doesn't run on Snow Leopard; only sub-version 25 does. Although sub-version 25 officially requires Darwin kernel 11.2 (corresponding to Mac OS X 10.7.2) according to its release file, it will still run on Snow Leopard (Mac OS X 10.6.8, which uses Darwin kernel 10.8). So the solution is to download JRE 1.7.0_25 directly from Oracle's website. Prefer the .tar.gz version.

Please note this instruction set is specific to Mac OS X 10.6.8 only! Java JRE 1.7.0_25 has been disabled by Apple on Mac OS X Lion because of security concerns.

Second step: specify to ZAP the Java version to use

Well, technically this command tells Java to run ZAP.

First you have to know where you uncompressed the .tar.gz archive. In this example, I simply left it in the Downloads folder. So the matching command would be:

$ ~/Downloads/jre1.7.0_25.jre/Contents/Home/bin/java -jar /Applications/OWASP\ ZAP.app/Contents/Java/zap-2.4.0.jar -installdir /Applications/OWASP\ ZAP.app/Contents/Java/

And here it runs!

The following steps are optional, but make the experience more streamlined.

Third step: remove bundled version 75

This is done with:

$ rm -r /Applications/OWASP\ ZAP.app/Contents/Plugins/jre1.7.0_75.jre

Fourth step: move version 25

Still assuming that the Java JRE has been uncompressed to the default Downloads directory, move it to the ZAP Plugins directory.

$ mv ~/Downloads/jre1.7.0_25.jre /Applications/OWASP\ ZAP.app/Contents/Plugins/

Fifth step: create symbolic link

Easier than modifying any ZAP configuration file is to make ZAP think it is calling sub-version 75 while it is in fact calling sub-version 25. For that, just create a symbolic link redirecting any call to jre1.7.0_75.jre to jre1.7.0_25.jre instead.

$ ln -s /Applications/OWASP\ ZAP.app/Contents/Plugins/jre1.7.0_25.jre /Applications/OWASP\ ZAP.app/Contents/Plugins/jre1.7.0_75.jre
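The three optional steps above are easy to get wrong when typed by hand (running them twice makes rm -r follow the symlink you just created, and nothing checks that the directory you are linking to actually contains a Java 7 binary). Here is an added example that is not part of the original post: a small POSIX shell script that performs steps three to five with those checks. The default paths are the ones used in the post; the ZAP_APP, NEW_JRE and BUNDLED variable names and the --apply flag are this script's own assumptions, not anything ZAP itself reads.

```shell
#!/bin/sh
# Added example (not from the original post): automates the "remove bundled
# 1.7.0_75, move the downloaded 1.7.0_25 into Plugins, symlink the old name"
# procedure, with the sanity checks a hand-typed session skips.
# Assumed variable names; defaults are the paths used in the post.
set -u

ZAP_APP="${ZAP_APP:-/Applications/OWASP ZAP.app}"
NEW_JRE="${NEW_JRE:-$HOME/Downloads/jre1.7.0_25.jre}"
BUNDLED="${BUNDLED:-jre1.7.0_75.jre}"

# jre_java DIR: path of the java binary inside a .jre bundle
jre_java() {
    printf '%s/Contents/Home/bin/java' "$1"
}

# jre_version_line DIR: first line of `java -version` (java writes it to stderr)
jre_version_line() {
    "$(jre_java "$1")" -version 2>&1 | head -n 1
}

# swap_jre APP NEW_JRE BUNDLED_NAME
# Leaves APP/Contents/Plugins/BUNDLED_NAME as a symlink to the moved NEW_JRE.
# Returns 0 on success or when the link is already in place, 1 on any check failure.
swap_jre() {
    app="$1" new="$2" bundled="$3"
    plugins="$app/Contents/Plugins"
    target="$plugins/$(basename "$new")"
    link="$plugins/$bundled"

    if [ ! -d "$plugins" ]; then
        echo "missing Plugins directory: $plugins" >&2
        return 1
    fi

    # Idempotence: a second run must not rm -r through an existing symlink.
    if [ -L "$link" ]; then
        echo "$link is already a symlink (to $(readlink "$link")); nothing to do"
        return 0
    fi

    if [ ! -x "$(jre_java "$new")" ]; then
        echo "no java binary under $new" >&2
        return 1
    fi

    # Refuse anything that is not a Java 7 runtime (ZAP needs 7 at a minimum,
    # and the whole point is to avoid linking to the system Java 6 by mistake).
    case "$(jre_version_line "$new")" in
        *1.7.*) ;;
        *) echo "$new is not a Java 7 runtime" >&2; return 1 ;;
    esac

    # Step three: drop the bundled JRE that crashes on Snow Leopard.
    if [ -d "$link" ]; then
        rm -r "$link" || return 1
    fi
    # Step four: move the downloaded JRE to where the bundled one lived.
    mv "$new" "$target" || return 1
    # Step five: make ZAP's launcher find sub-version 25 under the name it expects.
    ln -s "$target" "$link" || return 1
    return 0
}

# Only touch the real installation when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    swap_jre "$ZAP_APP" "$NEW_JRE" "$BUNDLED" || exit 1
    # Show which runtime ZAP will now pick up through the symlink.
    jre_version_line "$ZAP_APP/Contents/Plugins/$BUNDLED"
fi
```

Run it as `sh swap-jre.sh --apply` after downloading the archive; without the flag it only defines the functions, so it can be sourced or tested against a throwaway directory tree first. The version check uses a pattern match on the `java -version` banner rather than parsing it, which is enough to tell 1.7.x apart from the system 1.6.0_65.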


Done! Now, just launching ZAP from the Applications menu works in Snow Leopard 10.6.8.

(Screenshots of ZAP running)

Yes, its window is wrongly sized, it mixes up languages, and the icons are not properly centred: in three words, typical Java software.

As you may not want to sign up for an account on Oracle's terrible website, here is the Java JRE 1.7.0_25 archive.

ZAP's website: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Java archive: http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jre-7u25-oth-JPR

Local copy: jre-7u25-macosx-x64.tar.gz