File this under one of those super annoying issues that creep up because I haven’t kept up with things, but in my last training session I ran into an issue with the new virtual machines that I built, and I was having one hell of a time figuring it out. The problem that crept up was that we were trying to use Firefox to work through DVWA. The machine that I use is self-contained to make sure that all of the elements can be worked with without fear of getting banned on a corp network. But this time, when we fired up the browser and pointed it to the localhost instance of DVWA, we couldn’t get it to show up in ZAP. It left us perplexed and created more than a couple of issues, with us finally adding a record for it in the /etc/hosts file. But I didn’t like that solution because I didn’t know WHY it was happening.
Fast forward a month and I am working through the process of auditing some of the ZeroNet sites looking for issues, and I ran into the same issue all over again. This time I wasn’t in a class, so I had time to hunt it down. It appears that the browser companies have decided to turn off localhost proxying by default.
To fix this in Firefox:
That will allow you to enable and disable localhost proxying in Firefox.
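An added example, not from the original post: a shell helper that toggles `network.proxy.allow_hijacking_localhost`, the Firefox preference that controls whether requests to localhost go through the configured proxy, by writing it to a profile's `user.js`. The profile path and the function names are assumptions; Firefox reads `user.js` at startup, so restart the browser after changing the value.

```shell
#!/bin/sh
# Added example (not from the original post): toggle localhost proxying
# for one Firefox profile by managing a single line in its user.js.
LP_PREF='network.proxy.allow_hijacking_localhost'

# set_localhost_proxying <profile_dir> <true|false>
# Idempotent: removes any earlier setting of the pref, keeps all other lines.
set_localhost_proxying() {
    lp_profile="$1"
    lp_value="$2"
    case "$lp_value" in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 2 ;;
    esac
    if [ ! -d "$lp_profile" ]; then
        echo "no such profile directory: $lp_profile" >&2
        return 1
    fi
    lp_userjs="$lp_profile/user.js"
    lp_tmp="$(mktemp)" || return 1
    if [ -f "$lp_userjs" ]; then
        # grep exits 1 when nothing is left to print; that is not an error here.
        grep -vF "\"$LP_PREF\"" "$lp_userjs" > "$lp_tmp" || true
    fi
    printf 'user_pref("%s", %s);\n' "$LP_PREF" "$lp_value" >> "$lp_tmp"
    mv "$lp_tmp" "$lp_userjs"
}

# get_localhost_proxying <profile_dir>
# Prints what user.js requests; "false" (Firefox's default) when it is unset.
# This reads the file only, not the state of a running browser.
get_localhost_proxying() {
    if [ -f "$1/user.js" ] && grep -qF "\"$LP_PREF\", true" "$1/user.js"; then
        echo true
    else
        echo false
    fi
}

# Usage (hypothetical profile path):
#   set_localhost_proxying "$HOME/.mozilla/firefox/abcd1234.training" true
```

Turn the setting back to `false` when the testing session is over so ordinary browsing does not send local services through the proxy.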
I still can’t get Chrome working. As they have chosen to weaken the security of their browser for the sake of advertising, I strongly suggest that you migrate to Firefox or a more security-minded browser.