Newman and OWASP ZAP

Hi all
I am trying to proxy Newman through ZAP so it can pick up my API calls from the Postman collection.

I am using an Ubuntu container with Newman installed to do this so I can test up front with curl.

FROM ubuntu:22.04
RUN apt-get update -y && \
    apt-get upgrade -y && \
    apt-get install -y gnupg && \
    bash /opt/ && \
    apt-get install -y nodejs && \
    npm install -g newman && \
    rm /opt/ && \
    apt-get purge -y gnupg
WORKDIR /etc/newman

I am also using a Zap2docker container to reach a publicly accessible API (available on Docker Hub as a straight pull).

I start the ZAP container and then start the Newman container.

I can tell the ZAP container is up correctly, as I expose the API to localhost for me to use.

I have set the HTTP_PROXY and HTTPS_PROXY env vars in Newman to match the IP of the ZAP container, which I get from the command:

docker exec $(zapContainer) hostname -i

I then append ":8080" (the port of the ZAP proxy).

To get the JSON for Newman to run, I am using a simple GET request (no authentication needed) in Postman to the API, which I then exported as the latest collection version to get the .json file. The API request works in Postman outside of the container, going straight to the public endpoint.

I then export the CA cert from the ZAP API interface and docker cp it into the Newman container.

When I run a curl against the HTTPS API endpoint with the --cacert option, I get a successful API call - easy.

When I then try to use Newman to do the same, using the postman-collection.json file I created and the --ssl-extra-ca-certs option with the same cert, I get a "self signed cert in certificate chain at request" error and my API request fails.

I have tried renaming the .cer-format cert output by ZAP to .pem (the .cer is readable and properly formatted) but see no change in Newman.

But the curl command works with either the .cer ZAP self-signed cert or the cert with the same contents just renamed to .pem - to my mind this proves the cert is good and the issue is with Newman?

If I try --insecure (or flavours of that) with the Newman command instead of the cert, I get a "Socket hang up at request…" error message.

node -v = v19.9.0
npm -v = 9.6.3
Ubuntu 22.04

Example commands:
newman run dummy-api.json --ssl-extra-ca-certs ZAPCACert.pem -r cli,json --reporter-json-export output.json

curl --cacert /etc/newman/ZAPCACert.pem

What am I doing wrong, please? I can't help feeling it's something really simple…

Thanks a lot for the help.
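As an added example, not from the original post: a shell helper that checks whether the exported ZAP root CA file is actually PEM or DER (renaming .cer to .pem does not change the encoding), converts it with openssl if needed, and launches Newman through the ZAP proxy with the CA supplied both via --ssl-extra-ca-certs and via Node's standard NODE_EXTRA_CA_CERTS variable. It assumes openssl and newman are installed in the Newman container and that the ZAP IP is the one obtained from the docker exec command above; the function and file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): run Newman through a ZAP
# container using the exported ZAP root CA, with a format check first.
set -eu

# Print "pem" if the file carries a PEM certificate block, "der" if it
# starts with an ASN.1 SEQUENCE byte (0x30), "unknown" otherwise.
cert_format() {
  f="$1"
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
    echo pem
  elif [ "$(head -c1 "$f" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
    echo der
  else
    echo unknown
  fi
}

# Build the proxy URL from the ZAP container IP and its listen port
# (8080 by default, as in the post).
proxy_url() {
  echo "http://$1:${2:-8080}"
}

# Usage: run_newman_via_zap <collection.json> <zap_ip> <zap_ca_file>
run_newman_via_zap() {
  collection="$1"; zap_ip="$2"; cert="$3"; pem="$cert"
  if [ "$(cert_format "$cert")" = der ]; then
    # A DER export is converted to PEM; curl --cacert and Node expect PEM.
    pem="${cert%.*}.pem"
    openssl x509 -inform der -in "$cert" -out "$pem"   # assumes openssl
  fi
  # Fail loudly here, not inside Newman, if the CA file cannot be parsed.
  openssl x509 -in "$pem" -noout -subject
  export HTTP_PROXY="$(proxy_url "$zap_ip")"
  export HTTPS_PROXY="$HTTP_PROXY"
  # Node trusts extra CAs listed here at process start; set alongside
  # Newman's own --ssl-extra-ca-certs option so both paths are covered.
  export NODE_EXTRA_CA_CERTS="$pem"
  newman run "$collection" --ssl-extra-ca-certs "$pem" -r cli,json \
    --reporter-json-export output.json
}
```

Call it as `run_newman_via_zap dummy-api.json "$(docker exec "$zapContainer" hostname -i)" ZAPCACert.cer` from inside the Newman container once the CA file has been copied in.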
